IPv6 and Firewall



  • Using (at least a March version of) 2.1.1 at multiple sites.

    I'm trying to make sense of a few things and I'm finally playing with this a bit.

    I have IPv6 at all my sites now via 6to4.  Tunnels are provided by the ISP at each site.  (via 6to4 on the WAN interface page)

    If I attempt to log into my other boxes using their IPv6 address I can successfully do so without any firewall rules allowing IPv6 on the WAN.  Including from my Verizon Jetpack.

    In order to block this from happening I have to create a block rule in the firewall.  Is this because I have "allow IPv6" checked on the advanced tab?

    It's like this for all my sites.



  • Did a ping test from my home here to my remote office.

    Started with absolutely no IPv6 WAN rules.

    c:>ping -t 2002:adf4:641a::

    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=38ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=45ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=40ms

    Added an IPv6 Block rule here.  (cleared states)
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Added an ICMP allow rule for IPv6 in the WAN rules here above the block rule.

    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=44ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=38ms
    Reply from 2002:adf4:641a::: time=42ms
    Reply from 2002:adf4:641a::: time=40ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=41ms
    Reply from 2002:adf4:641a::: time=39ms
    Reply from 2002:adf4:641a::: time=42ms

    Is there a default deny option for IPv6 that needs to be turned on?



  • Checking "Allow IPv6" only removes the block all inet6 rules. There aren't any rules permitting IPv6 other than what's user-configured. Your allowing v6 would be on the tunnel, assuming WAN is your Internet connection with v4 only that has the 6to4 tunnel. In that case, your WAN only sees v4 traffic, and your tunnel rules would allow or deny v6 traffic inbound on the tunnel.
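The behaviour cmb describes (unchecking "Allow IPv6" inserts a block-all-inet6 rule, checking it only removes that rule, and everything else is user-configured first-match rules ending in an implicit default deny) can be seen in a small rule evaluator. This is an added illustration, not pfSense code and not the exact ruleset pfSense generates; the rule and packet model, the `wan_ruleset()` helper and the sample addresses are assumptions for the example. It also reproduces the ordering from the ping test above: the ICMP allow rule must sit above the IPv6 block rule to take effect.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One firewall rule in first-match ('quick') order, as pfSense tab rules are."""
    action: str            # "pass" or "block"
    family: str = "any"    # "inet", "inet6" or "any"
    proto: str = "any"     # "icmp6", "tcp", "any"
    src: str = "any"       # CIDR or "any"
    dst: str = "any"       # CIDR or "any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


def family_of(addr: str) -> str:
    return "inet6" if ip_address(addr).version == 6 else "inet"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.family != "any" and rule.family != family_of(pkt.src):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    for want, have in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if want != "any" and ip_address(have) not in ip_network(want, strict=False):
            return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def wan_ruleset(allow_ipv6: bool, user_rules: list) -> list:
    """Model of the WAN tab: the 'block all inet6' rule is present only while
    'Allow IPv6' is unchecked; checking it removes that rule and nothing else.
    (Simplified assumption for this example, not pfSense's generated ruleset.)"""
    rules = [] if allow_ipv6 else [Rule("block", "inet6")]
    return rules + list(user_rules)


# Constructed sample: ICMPv6 echo request from a 6to4 host to the firewall's 6to4 address.
PROBE = Packet(src="2002:c000:0204::1", dst="2002:adf4:641a::", proto="icmp6")

BLOCK_V6 = Rule("block", "inet6")
ALLOW_ICMP6 = Rule("pass", "inet6", proto="icmp6", dst="2002:adf4:641a::/128")


def verdict(allow_ipv6: bool, user_rules: list) -> str:
    return evaluate(wan_ruleset(allow_ipv6, user_rules), PROBE)


if __name__ == "__main__":
    print("Allow IPv6 unchecked, no user rules:", verdict(False, []))                     # block
    print("Allow IPv6 checked, no user rules:  ", verdict(True, []))                      # block (default deny)
    print("Checked, block rule only:           ", verdict(True, [BLOCK_V6]))              # block
    print("Checked, ICMP allow above block:    ", verdict(True, [ALLOW_ICMP6, BLOCK_V6])) # pass
    print("Checked, ICMP allow below block:    ", verdict(True, [BLOCK_V6, ALLOW_ICMP6])) # block
```

In this model the ping only succeeds in one configuration: "Allow IPv6" checked and an ICMPv6 pass rule placed above the block rule, which is exactly the sequence the ping test above went through. The model does not reproduce traffic passing with no rules at all, since it applies a plain default deny; it only shows what the rule ordering on the WAN tab does once rules are present.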



  • Lan is set to track WAN.

    If I disable all the v6 rules on the WAN rules page I can get to the firewall no problem, including GUI and ping.

    Once I add the block rule for v6 I lose that ability and have to add the rules to allow access.

    Since the rules I add to the WAN interface for v6 affect its operation I have to believe I'm doing things right. But it seems the interface is not treating the two protocols equally…  Just trying to understand.






  • @cmb:

    Checking "Allow IPv6" only removes the block all inet6 rules.

    Understood!

    Your allowing v6 would be on the tunnel, assuming WAN is your Internet connection with v4 only that has the 6to4 tunnel. In that case, your WAN only sees v4 traffic, and your tunnel rules would allow or deny v6 traffic inbound on the tunnel.

    But my tunnel is part of the WAN page as you can see above.  So there are no "tunnel rules" to be had.  In fact I must build the rules on the WAN tab for them to be effective.

    There aren't any rules permitting IPv6 other than what's user-configured.

    I can guarantee that I've made no rules to allow any IPv6 traffic of any kind from the WAN or any tunnel side as I've been working on this. In fact I reproduced it on my lab machine tonight.  The rules page I posted the shot of above is how I have things set up now. But without any of the v6 rules it readily passes the traffic.

    I tried this also using DHCP6 on another machine and did not have the same findings.

