New Member
Posts: 3
Registered: ‎10-10-2017

Filtered ICMP on ipv6-test.com

ipv6-test.com (not to be confused with test-ipv6.com !) reports that

 

"Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all."

 

I'm a residential Comcast customer. On WANv6_Local I have:

 

rule 30 {
    action accept
    description "Allow IPv6 icmp"
    protocol ipv6-icmp
}

 

I'm not an expert at this stuff.  Two questions:

 

-Should I have unfiltered ICMPv6?  I read that some interactions with some domains (like Google) don't work well if ICMP traffic is filtered.

-What do I need to do to have unfiltered ICMPv6?

 

Thank you!

 

 

New Member
Posts: 34
Registered: ‎11-01-2016
Kudos: 3
Solutions: 2

Re: Filtered ICMP on ipv6-test.com

I think that's normal; the ICMP filtering is in the Windows firewall.

New Member
Posts: 3
Registered: ‎10-10-2017

Re: Filtered ICMP on ipv6-test.com

[ Edited ]

Thanks for your reply. I believe I turned that off. I enabled "File and Print Sharing (Echo Request ICMPv6-In)" with "Allow the connection" for both "Domain" and "Private,Public" on my Windows 10 computer. Perhaps I didn't do that correctly?

 

It's also showing as filtered on a fairly stock Linux PC as well.

 

Thanks for your help!

New Member
Posts: 34
Registered: ‎11-01-2016
Kudos: 3
Solutions: 2

Re: Filtered ICMP on ipv6-test.com

[ Edited ]

I have the same rule as you (under IPV6WAN_Local) and extending the scope of the Windows firewall rule "File and Printer Sharing (Echo Request - ICMPv6-In)" to "Any IP Address" returns a 19/20 on that site... otherwise, it's 17/20.

 

Edit:  That rule is also assigned to IPV6WAN_IN.

Senior Member
Posts: 3,325
Registered: ‎08-06-2015
Kudos: 1426
Solutions: 190

Re: Filtered ICMP on ipv6-test.com


@LrngToFly wrote:

ipv6-test.com (not to be confused with test-ipv6.com !) reports that

 

"Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all."

 

I'm a residential Comcast customer. On WANv6_Local I have:

 

rule 30 {
    action accept
    description "Allow IPv6 icmp"
    protocol ipv6-icmp
}

  


You need to allow ICMP to both your router and your network.

 

In other words you need to duplicate your WANv6_Local Rule 30 to your WANv6_In (or whatever it is named) policy.

 

 

New Member
Posts: 3
Registered: ‎10-10-2017

Re: Filtered ICMP on ipv6-test.com

Thanks- that was it.  My very first edit via the CLI.

 

Still hardly know what I'm doing...

 

 

New Member
Posts: 16
Registered: ‎08-30-2017
Kudos: 1

Re: Filtered ICMP on ipv6-test.com

So I'm a little confused then.

 

If ICMPv6 is so important to IPv6, then why on earth does every example out there not say to have a rule to allow ICMPv6 on the WAN6_IN?

Veteran Member
Posts: 7,817
Registered: ‎03-24-2016
Kudos: 2037
Solutions: 899

Re: Filtered ICMP on ipv6-test.com

The allow established/related rule might already do the trick.

If your internal PC reaches out to some IPv6 site, which sends back an ICMP response in return, this might be allowed in as related traffic.

 

Ask yourself the question: is allowing ICMPv6_IN smart? Your internal network contains 2^64 addresses.

Pinging them from remote one by one will trigger 2^64 IPv6 neighbour discovery processes on the ER.

New Member
Posts: 16
Registered: ‎08-30-2017
Kudos: 1

Re: Filtered ICMP on ipv6-test.com

Ah, you're right - I didn't think about the most basic #1 rule that's there, for whatever reason... Guess I'm also still too green for networking at times.

And no, I hear you, that's not smart I don't think.
Senior Member
Posts: 3,325
Registered: ‎08-06-2015
Kudos: 1426
Solutions: 190

Re: Filtered ICMP on ipv6-test.com


@16again wrote:

The allow established/related rule might already do the trick.

If your internal PC reaches out to some IPv6 site, which sends back an ICMP response in return, this might be allowed in as related traffic.

 

 


Actually, the established/related rule on its own may not be sufficient.

 

The need for ICMPv6 to be initiated in either direction is a fundamental requirement for IPv6.

 

However, for those concerned, more-specific rules may be created rather than allowing all ICMPv6. Note that in this case there would be different sets of rules for routers than there would be for hosts/networks.

 

RFC 4890 offers a discussion and set of recommendations for configuring firewalls to accommodate ICMPv6 requirements.

 

One can also implement rate-limiting to help reduce impact of brute-force probes.
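As an added illustration of the RFC 4890 point in the post above (not part of the thread and not any poster's or vendor's code), this Python checks the explicit ICMPv6 accept rules of a forwarding policy such as WANv6_In against the transit-traffic lists in RFC 4890 sections 4.3.1 and 4.3.2. The rule tuples and sample policies are constructed for illustration, and established/related state matching is not modelled.

```python
# Added example (not from the thread): audit explicit ICMPv6 accept rules on a
# forwarding policy (e.g. WANv6_In) against RFC 4890 transit recommendations.
ANY = None  # wildcard: any code, or (as a rule type) all of ICMPv6

MUST_NOT_DROP = {  # RFC 4890 section 4.3.1
    (1, ANY): "Destination Unreachable",
    (2, ANY): "Packet Too Big",
    (3, 0): "Time Exceeded (hop limit exceeded in transit)",
    (4, 1): "Parameter Problem (unrecognized Next Header)",
    (4, 2): "Parameter Problem (unrecognized IPv6 option)",
    (128, ANY): "Echo Request",
    (129, ANY): "Echo Response",
}
SHOULD_NOT_DROP = {  # RFC 4890 section 4.3.2
    (3, 1): "Time Exceeded (fragment reassembly time exceeded)",
    (4, 0): "Parameter Problem (erroneous header field)",
    (144, ANY): "Home Agent Address Discovery Request",
    (145, ANY): "Home Agent Address Discovery Reply",
    (146, ANY): "Mobile Prefix Solicitation",
    (147, ANY): "Mobile Prefix Advertisement",
}

def covers(rule, required):
    """True if accept rule (type, code) admits every packet in `required`."""
    r_type, r_code = rule
    q_type, q_code = required
    if r_type is ANY:            # like a bare "protocol ipv6-icmp" accept
        return True
    return r_type == q_type and (r_code is ANY or r_code == q_code)

def audit(accept_rules):
    """Report which RFC 4890 transit messages no accept rule lets through."""
    def missing(table):
        return sorted(name for req, name in table.items()
                      if not any(covers(r, req) for r in accept_rules))
    return {"must_not_drop": missing(MUST_NOT_DROP),
            "should_not_drop": missing(SHOULD_NOT_DROP),
            "accepts_all_icmpv6": any(r[0] is ANY for r in accept_rules)}

# Constructed sample policies, written as (type, code) accept rules.
ALLOW_ALL = [(ANY, ANY)]   # rule 30 from the thread, copied to WANv6_In
ERRORS_ONLY = [(1, ANY), (2, ANY), (3, ANY), (4, ANY)]
NARROWED = list(MUST_NOT_DROP)  # exactly the section 4.3.1 list

if __name__ == "__main__":
    for name, rules in [("allow-all", ALLOW_ALL), ("errors-only", ERRORS_ONLY),
                        ("narrowed", NARROWED)]:
        print(name, audit(rules))
```

The allow-all policy passes both lists but also admits every other ICMPv6 type, while the narrowed list satisfies section 4.3.1 and leaves the section 4.3.2 messages to a deliberate decision.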

 

 

 

New Member
Posts: 15
Registered: ‎01-23-2016
Kudos: 2

Re: Filtered ICMP on ipv6-test.com

Are there recommendations that we should add to the firewall that'll satisfy the RFC in the Controller GUI?