Posts: 40
Registered: ‎09-05-2014

LRT224 IPv6 ICMPv6 Rules

Hello everyone!

I'm a bit new to IPv6, but my ISP has just deployed native IPv6 addresses and I'm trying to use them.

I've been having a little problem, though. I have an LRT224, and how do I create an IPv6 access rule?

I've noticed the default firewall settings are dropping ICMPv6 packets from my IPv6 hosts behind the firewall.

I went to firewall -> Access rules -> IPv6 and tried to create a rule. But when I try to add a new service I only get protocols IPv6, TCP or UDP. But what I want is to let it pass ICMPv6 through. I saw it has a preset rule to let the Ping service go through, but AFAIK for IPv6 to work properly I have to allow other ICMPv6 traffic to go through, not only Ping.

And trying to create an IPv6 protocol service does not work; it only lets me type the name of the service but it greys out the port numbers.

So it all boils down to the following: How do I let ICMPv6 traffic through this firewall? Without it my IPv6 connection seems broken and there are some sites I can't access, probably because without ICMPv6 PMTUD is being broken.

Thanks!

Posts: 40
Registered: ‎09-05-2014

Re: LRT224 IPv6 ICMPv6 Rules

No one?? Plzzz?? Chadster / Moderator / someone from Belkin / Linksys??

Expert
Posts: 14,379
Registered: ‎01-18-2013

Re: LRT224 IPv6 ICMPv6 Rules

I think if you enable Ping on the WAN then the whole ICMP protocol will be allowed through.

Regardless, ICMP for IPv6 is largely unimplemented on the rest of the Internet due to the fact that it's almost impossible to get an end-to-end packet size on today's ISP networks to remove packet fragmentation. Most are instead just setting a small MTU like the standard 1280 MTU which all IPv6 networks must support.


Please remember to Kudo those that help you.

Linksys
Communities Technical Support
Posts: 40
Registered: ‎09-05-2014

Re: LRT224 IPv6 ICMPv6 Rules

Hi Chadster,

Can you confirm that statement "I think if you enable Ping on the WAN then the whole ICMP protocol will be allowed through" for me, please? Based on my tests I can only see ICMPv6 ping going through, all other messages are still filtered out and it seems I just have nowhere to decide what ICMPv6 messages are allowed.

However, I did solve my problems by setting the lowest possible MTU value (1280) and letting ICMPv6 ping go through. Since in this network there are only network clients (and no servers), doing that solves the problem of some outside server sending back a "packet too big" and it getting filtered and my client computers getting a "request timeout" error, as well as letting other IPv6 hosts check the existence of one of my IPv6 devices.

Just in case anyone else is reading this and having this sort of problem, for this router the way is to set the 1280 MTU under the "Router Advertisement" settings, not the WAN MTU.

On the other hand, Chadster, my question still remains: Since this is a business-grade device and the future is IPv6, is there no other way for me to let other ICMPv6 messages go through this firewall? Should I have any IPv6 servers, I think that could really become a problem.

Thanks!

Expert
Posts: 14,379
Registered: ‎01-18-2013

Re: LRT224 IPv6 ICMPv6 Rules

I did some pcaps for ICMPv6 with the LRT IPv6 Firewall enabled and added an Allow rule for ICMP\PING.

The pcaps taken from a client computer definitely got all ICMPv6 requests coming from the WAN side.

You can test by going to http://ipv6-test.com/

The ICMPv6 results should show good.


Please remember to Kudo those that help you.

Linksys
Communities Technical Support
Posts: 40
Registered: ‎09-05-2014

Re: LRT224 IPv6 ICMPv6 Rules

Hi Chadster;

Sorry for the delay.

Yes, I tested using the site you said, and I do get ICMP good and my connectivity is just fine with 1280 MTU.

I'm still not happy, though, with the fact I don't get to choose which ICMPv6 messages go through and which don't. Are you positive it's allowing *all* ICMPv6 messages?

Just as a reference, here are the messages the RFC says should and should not be allowed: https://datatracker.ietf.org/doc/rfc4890/?include_text=1

Based on that, when you said you could pass "all" icmpv6 messages you mean you could pass absolutely everything or just the essential or recommended ones? Because if everything is being forwarded that is a serious problem too, since just as the RFC says, letting everything go through poses a serious security risk.

In any case, do you have a list / document / something that lists which icmpv6 messages are being allowed? Because on the interface itself it says "Ping ICMP 255/255", which sort of doesn't make sense, since ping is ICMP 128/129.

Thanks!
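
The RFC 4890 comparison raised in the post above, as an added example (not part of the thread and not Linksys code): it parses ICMPv6 headers and audits a filter policy against the RFC's section 4.3 guidance for traffic crossing a firewall. `ping_only` is a hypothetical stand-in for an Echo-only rule, not the LRT224's documented behaviour, and the sample headers are constructed.

```python
import struct

# RFC 4890 section 4.3 guidance for ICMPv6 crossing a firewall (transit traffic).
# Entries are (type, code); code None means "any code".
MUST_NOT_DROP = {(1, None), (2, None), (3, 0), (4, 1), (4, 2), (128, None), (129, None)}
SHOULD_NOT_DROP = {(3, 1), (4, 0), (144, None), (145, None), (146, None), (147, None)}
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153}
SHOULD_DROP = {100, 101, 127, 138, 139, 140, 200, 201, 255}

def parse_icmpv6(payload: bytes):
    """Return (type, code, mtu); mtu is set only for Packet Too Big (type 2)."""
    if len(payload) < 8:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", payload[:8])
    return icmp_type, code, (rest if icmp_type == 2 else None)

def rfc4890_transit(icmp_type: int, code: int) -> str:
    """Classify one message the way RFC 4890 does for transit traffic."""
    for table, verdict in ((MUST_NOT_DROP, "must-not-drop"), (SHOULD_NOT_DROP, "should-not-drop")):
        if (icmp_type, code) in table or (icmp_type, None) in table:
            return verdict
    if icmp_type in LINK_LOCAL_ONLY:
        return "link-local-only"   # never forwarded by a compliant router anyway
    if icmp_type in SHOULD_DROP:
        return "should-drop"
    return "policy-decision"       # unallocated or left to local policy

def ping_only(icmp_type: int, code: int) -> bool:
    """Hypothetical 'allow Ping' rule: Echo Request/Reply only."""
    return icmp_type in (128, 129)

def audit(policy, packets):
    """Return (essential messages the policy drops, discouraged ones it forwards)."""
    broken, risky = [], []
    for raw in packets:
        t, c, mtu = parse_icmpv6(raw)
        verdict, allowed = rfc4890_transit(t, c), policy(t, c)
        if verdict == "must-not-drop" and not allowed:
            broken.append((t, c, mtu))
        elif verdict == "should-drop" and allowed:
            risky.append((t, c, mtu))
    return broken, risky

# Constructed headers (type, code, checksum 0, 4-byte field); not captured traffic.
SAMPLES = [struct.pack("!BBHI", *p) for p in
           [(128, 0, 0, 1), (2, 0, 0, 1280), (1, 4, 0, 0), (3, 0, 0, 0), (139, 0, 0, 0), (134, 0, 0, 0)]]

if __name__ == "__main__":
    print("ping-only:", audit(ping_only, SAMPLES))
    print("allow-all:", audit(lambda t, c: True, SAMPLES))
```

On the sample set, the Echo-only policy drops Packet Too Big, Destination Unreachable and Time Exceeded, while an allow-everything policy forwards the Node Information Query that the RFC says to drop.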
Posts: 40
Registered: ‎09-05-2014

Re: LRT224 IPv6 ICMPv6 Rules

Hello??
Posts: 40
Registered: ‎09-05-2014

Re: LRT224 IPv6 ICMPv6 Rules

Hello?? Someone??
Posts: 40
Registered: ‎09-05-2014

Re: LRT224 IPv6 ICMPv6 Rules

Hello?? Someone from Linksys / Belkin / whatever??

Expert
Posts: 14,379
Registered: ‎01-18-2013

Re: LRT224 IPv6 ICMPv6 Rules

Sorry, what more answers are you looking for?


Please remember to Kudo those that help you.

Linksys
Communities Technical Support