    Making IPv6 clients pingable from outside world

    IPv6
Krellan

      I'm running pfSense 2.2.4.

      I seem to have IPv6 working (from Comcast), however, my IPv6 clients are not pingable from the outside world.

      What's the recommended firewall rule to enable this, and where should it be added?

Also, it would be nice to have traceroute6 working from the outside world; is that covered under the same rule, or does it need another?

      Thanks!

      Josh

MikeV7896

        Add a rule on your WAN interface allowing IPv6 ICMP Echo request from * (or if you only want a specific address range, then specify that) to LAN Network (or whatever host(s)/network(s) you want to be ping-able from the internet).

        The S in IOT stands for Security

Krellan

          Thanks, it worked!

          Is there a similar rule that will work to fix incoming traceroute6?

          Outgoing traceroute6 already works fine.

          Josh

Derelict LAYER 8 Netgate

ICMP is a lot more important to IPv6. It relies on ICMPv6 for things like MTU discovery.

            Is there a generally-accepted subset of ICMPv6 types that should be allowed into a typical outside WAN IPv6 interface and passed to all inside IPv6 hosts?

            echo request, toobig?

            any?

            My gut would say destination unreachable, packet too big, time exceeded, parameter problem, and echo request.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

doktornotor Banned

              This is what's in default ruleset:

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state

That said, just allow any and move on. This ICMP blocking madness really does nothing useful for security, it just breaks things. Certainly much more so with IPv6.

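As an added example (not from the thread and not pfSense's own ruleset), here is what MikeV7896's WAN rule and the ICMPv6 subset Derelict lists (destination unreachable, packet too big, time exceeded, parameter problem, echo request) look like in pf.conf syntax. The interface name, the LAN prefix and the type numbers are written out explicitly; the interface and prefix are placeholders chosen for this example.

```pf
# Added example: inbound ICMPv6 on the WAN side, limited to the subset
# discussed above. Macros below are placeholders, not values from the thread.
wan_if  = "em0"
lan_net = "2001:db8:1::/64"   # RFC 3849 documentation prefix, constructed

# Error messages IPv6 hosts must receive for Path MTU discovery and normal
# operation: 1 = destination unreachable, 2 = packet too big,
# 3 = time exceeded, 4 = parameter problem.
pass in quick on $wan_if inet6 proto ipv6-icmp from any to $lan_net \
    icmp6-type { 1, 2, 3, 4 } keep state

# Echo request (128) so inside hosts answer ping from the internet. The reply
# (129) travels back on the state this rule creates, so it needs no rule of
# its own. Narrow "from any" to a source prefix if only some networks should
# be able to ping inside hosts, as MikeV7896 suggests.
pass in quick on $wan_if inet6 proto ipv6-icmp from any to $lan_net \
    icmp6-type 128 keep state
```

pf already matches ICMPv6 error messages to the existing TCP/UDP state they refer to, so the first rule mainly matters for errors that arrive without a matching state; it also says nothing about inbound traceroute6, which the thread leaves unanswered.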
Fehler21

                I do strongly disagree with you: https://en.wikipedia.org/wiki/ICMP_tunnel
                http://code.gerade.org/hans/

You should think about every open port in your network carefully. (Yes, I allowed ICMP in my network, but only with a DPI filter.)

doktornotor Banned

                  @Fehler21:

                  I do strongly disagree with you: https://en.wikipedia.org/wiki/ICMP_tunnel

                  Yaaawn.

Fehler21

                    I have seen people using this, trying to circumvent our firewall.
                    And if someone asks a rather basic question a little bit more information should be provided than "ALLOW ALL".

Btw, why not allow all incoming traffic??? In a perfect world, the clients should be perfectly secured themselves, right ;). (All services should only listen on the local network addresses, etc.)

doktornotor Banned

Well, enjoy breaking your IPv6 by blocking ICMP. Not really sure what to say.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.