07-03-2017 07:34 AM
I'm a bit new to IPv6, but my ISP has just deployed native IPv6 addresses and I'm trying to use them.
I've been having a little problem, though. I have an LRT224, and how do I create an IPv6 access rule?
I've noticed the default firewall settings are dropping ICMPv6 packets from my IPv6 hosts behind the firewall.
I went to firewall -> Access rules -> IPv6 and tried to create a rule. But when I try to add a new service I only get protocols IPv6, TCP or UDP. But what I want is to let ICMPv6 pass through. I saw it has a preset rule to let the Ping service go through, but AFAIK for IPv6 to work properly I have to allow other ICMPv6 traffic to go through, not only Ping.
And trying to create an IPv6 protocol service does not work, it only lets me type the name of the service but it greys out the port numbers.
So it all boils down to the following: How do I let ICMPv6 traffic through this firewall? Without it my IPv6 connection seems broken and there are some sites I can't access, probably because without ICMPv6 PMTUD is being broken.
07-05-2017 07:12 PM
I think if you enable Ping on the WAN then the whole ICMP protocol will be allowed through.
Regardless, ICMP for IPv6 is largely unimplemented on the rest of the Internet due to the fact that it's almost impossible to get an end-to-end packet size on today's ISP networks to remove packet fragmentation. Most are instead just setting a small MTU like the standard 1280 MTU which all IPv6 networks must support.
07-08-2017 03:19 PM
Can you confirm that statement "I think if you enable Ping on the WAN then the whole ICMP protocol will be allowed through" for me, please? Based on my tests I can only see ICMPv6 ping going through, all other messages are still filtered out and it seems I just have nowhere to decide what ICMPv6 messages are allowed.
However I did solve my problems setting the lowest possible MTU value (1280) and letting ICMPv6 ping go through. Since in this network there are only network clients (and no servers), doing that solves the problem of some outside server sending back a "packet too big" and it getting filtered and my client computers getting a "request timeout" error, as well as letting other IPv6 hosts check the existence of one of my IPv6 devices.
Just in case anyone else is reading this and having this sort of problem, for this router the way is to set the 1280 MTU under the "Router Advertisement" settings, not the WAN MTU.
On the other hand, Chadster, my question still remains: Since this is a business-grade device and the future is IPv6, is there no other way for me to let other ICMPv6 messages go through this firewall? Should I have any IPv6 servers I think that could really become a problem.
07-08-2017 08:55 PM
I did some pcaps for ICMPv6 with the LRT IPv6 Firewall enabled and added an Allow rule for ICMP\PING.
The pcaps taken from a client computer definitely got all ICMPv6 requests coming from the WAN side.
You can test by going to http://ipv6-test.com/
The ICMPv6 results should show good.
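Added example, not part of any post in this thread: one way to check a client-side capture for more than ping is to decode each ICMPv6 message and compare it with the transit types RFC 4890 (section 4.3.1) says a firewall must not drop. The function names and the sample byte strings are constructed for illustration, and the input is assumed to be ICMPv6 messages already extracted from the pcap, starting at the type byte.

```python
import struct

# Transit traffic RFC 4890 section 4.3.1 says a firewall must not drop.
# type -> (name, allowed codes; None means every code)
MUST_NOT_DROP = {
    1: ("Destination Unreachable", None),
    2: ("Packet Too Big", None),          # required for PMTUD
    3: ("Time Exceeded", {0}),
    4: ("Parameter Problem", {1, 2}),
    128: ("Echo Request", None),
    129: ("Echo Reply", None),
}

def parse_icmpv6(msg: bytes) -> dict:
    """Decode the fixed 8-byte ICMPv6 header; msg starts at the type byte."""
    if len(msg) < 8:
        raise ValueError("truncated ICMPv6 message")
    mtype, code, _cksum, word = struct.unpack("!BBHI", msg[:8])
    name, codes = MUST_NOT_DROP.get(mtype, ("other", set()))
    info = {"type": mtype, "code": code, "name": name,
            "must_not_drop": codes is None or code in codes}
    if mtype == 2:
        info["mtu"] = word  # next-hop MTU the sender is told to use
    return info

def missing_error_types(capture: list[bytes]) -> list[str]:
    """Error messages (types 1-4) that never showed up in the capture.

    Absence only means none were observed during the test; it points at
    what to provoke and re-check, it does not prove the firewall drops it.
    """
    seen = {m["type"] for m in map(parse_icmpv6, capture) if m["must_not_drop"]}
    return [MUST_NOT_DROP[t][0] for t in (1, 2, 3, 4) if t not in seen]

# Constructed sample messages (checksums zeroed, not real traffic).
ECHO_REQ = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
ECHO_REP = struct.pack("!BBHHH", 129, 0, 0, 1, 1)
PTB_1280 = struct.pack("!BBHI", 2, 0, 0, 1280)
REASSEMBLY_TIMEOUT = struct.pack("!BBHI", 3, 1, 0, 0)  # Time Exceeded code 1
PING_ONLY = [ECHO_REQ, ECHO_REP]

if __name__ == "__main__":
    print("ping-only capture is missing:", missing_error_types(PING_ONLY))
    print("decoded:", parse_icmpv6(PTB_1280))
```

A capture that contains only types 128 and 129 matches the "only ping gets through" behaviour described earlier in the thread; seeing a type 2 message with its MTU field is the evidence that PMTUD can work through the firewall.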
07-15-2017 07:53 PM