Making IPv6 clients pingable from outside world



  • I'm running pfSense 2.2.4.

    I seem to have IPv6 working (from Comcast), however, my IPv6 clients are not pingable from the outside world.

    What's the recommended firewall rule to enable this, and where should it be added?

    Also, it would be nice to have traceroute6 working from the outside world; is that covered under the same rule or does it need another?

    Thanks!

    Josh



  • Add a rule on your WAN interface allowing IPv6 ICMP Echo request from * (or if you only want a specific address range, then specify that) to LAN Network (or whatever host(s)/network(s) you want to be ping-able from the internet).



  • Thanks, it worked!

    Is there a similar rule that will work to fix incoming traceroute6?

    Outgoing traceroute6 already works fine.

    Josh


  • LAYER 8 Netgate

    ICMP is a lot more important to IPv6.  It relies on ICMPv6 for things like MTU discovery.

    Is there a generally-accepted subset of ICMPv6 types that should be allowed into a typical outside WAN IPv6 interface and passed to all inside IPv6 hosts?

    echo request, toobig?

    any?

    My gut would say destination unreachable, packet too big, time exceeded, parameter problem, and echo request.


  • Banned

    This is what's in default ruleset:

    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
    pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
    pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
    pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
    pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
    
    

    That said, just allow any and move on. This ICMP blocking madness does really nothing useful for security, just breaks things. Certainly much more with IPv6.
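
Added example (not part of any post in this thread, and not pfSense code): a small Python audit that parses pf-style `icmp6-type` rules, such as the default ruleset quoted above, and reports which of the ICMPv6 types suggested earlier in the thread (destination unreachable, packet too big, time exceeded, parameter problem, echo request) are not explicitly passed inbound between routable addresses. The `$LAN_net` macro and the echo-only rule are constructed for illustration, and the check looks only at explicit pass rules; it does not model pf's state tracking.

```python
import ipaddress
import re

# ICMPv6 type numbers (RFC 4443, RFC 4861) for the types named in this thread.
NAMES = {1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
         4: "parameter problem", 128: "echo request", 129: "echo reply",
         133: "router solicitation", 134: "router advertisement",
         135: "neighbor solicitation", 136: "neighbor advertisement"}
SUGGESTED = {1, 2, 3, 4, 128}  # subset proposed in the thread for WAN -> inside

RULE = re.compile(r"pass\s+(in|out)\b.*?\bfrom\s+(\S+)\s+to\s+(\S+)"
                  r"\s+icmp6-type\s+\{([^}]*)\}")

def is_local_scope(token):
    """True if token is a link-local or multicast prefix (not routed in from WAN)."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # 'any', aliases and macros are treated as routable
    return net.is_link_local or net.is_multicast

def parse_rules(text):
    """Return (direction, src, dst, {types}) for each ICMPv6 pass rule."""
    return [(m[1], m[2], m[3], {int(t) for t in m[4].replace(",", " ").split()})
            for m in RULE.finditer(text)]

def routed_inbound_types(text):
    """Types explicitly passed inbound between non-local-scope addresses."""
    allowed = set()
    for direction, src, dst, types in parse_rules(text):
        if direction == "in" and not (is_local_scope(src) or is_local_scope(dst)):
            allowed |= types
    return allowed

def missing_suggested(text):
    """Suggested type numbers that no routable inbound rule passes."""
    return sorted(SUGGESTED - routed_inbound_types(text))

# Two rules copied from the default ruleset quoted above.
DEFAULT = """
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
"""
# Constructed rule modelling an echo-request-only WAN rule; $LAN_net is a made-up macro.
ECHO_ONLY = "pass in quick inet6 proto ipv6-icmp from any to $LAN_net icmp6-type {128} keep state\n"

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT), ("default + echo", DEFAULT + ECHO_ONLY)):
        print(label, "missing:", [NAMES[t] for t in missing_suggested(rules)])
```

The quoted default rules cover only link-local and multicast scope, so every suggested type is reported missing for them; adding the echo-only rule removes type 128 from the list and leaves the four error types.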



  • I do strongly disagree with you: https://en.wikipedia.org/wiki/ICMP_tunnel
    http://code.gerade.org/hans/

    You should think about every open port in your network carefully. (Yes, I allowed ICMP in my network, but only with a DPI-Filter).


  • Banned

    @Fehler21:

    I do strongly disagree with you: https://en.wikipedia.org/wiki/ICMP_tunnel

    Yaaawn.



  • I have seen people using this, trying to circumvent our firewall.
    And if someone asks a rather basic question a little bit more information should be provided than "ALLOW ALL".

    Btw, why not allow all incoming traffic??? In a perfect world, the clients should be perfectly secured themselves, right ;). (All services should only listen to the local network addresses etc.)


  • Banned

    Well, enjoy breaking your IPv6 by blocking ICMP. Not really sure what to say.

