OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Claypenguin on April 13, 2020, 08:44:05 am

Title: Question about automatic ipv6-icmp floating rule
Post by: Claypenguin on April 13, 2020, 08:44:05 am
Hello all,

I have a question about the automatically generated ipv6-icmp floating rule. In my understanding this rule should allow all ipv6-icmp traffic on all interfaces, because it's an ipv6 requirement, right? But unless I'm adding another rule on WAN-in that allows ipv6-icmp traffic, ipv6-icmp to my devices is being filtered.

Am I missing something here?

Cheers

https://imgur.com/QlqJihR
Title: Re: Question about automatic ipv6-icmp floating rule
Post by: marjohn56 on April 13, 2020, 10:00:37 am
Although ICMP is a requirement and is/can be used for certain management functions, it's a bit hard to force people to leave the firewall totally open for all ICMPv6 traffic; if OPNsense did that there would be a lot of grief! I have an allow all ICMPv6 rule, but my GeoIP rule takes priority and blocks most regions... just in case.


You have the choice by adding an allow all rule or tailor it to suit your needs. You'll find Windows firewall also blocks unsolicited inbound ICMPv6 packets, take it up with Microsoft and see how far you get. :)
Title: Re: Question about automatic ipv6-icmp floating rule
Post by: Claypenguin on April 13, 2020, 10:12:44 am
I've noticed the Windows thing :D

So regarding the automatic rule, what exactly does it do then?

Edit:

For anyone interested, I've looked a little bit more into this and apparently the automatic rules are only for icmp6-types unreach, toobig, neighbrsol and neighbradv. I've manually added the rules to my firewall that are recommended as per RFC4890 https://tools.ietf.org/html/rfc4890#section-4.3.1
Title: Re: Question about automatic ipv6-icmp floating rule
Post by: IsaacFL on April 14, 2020, 07:38:26 pm
For the WAN interface, you only need a rule passing in icmp Echo Request. All of the other types of icmp will be handled by the stateful part of the firewall.

For example, you should only see an Echo Response (Type 129) coming in after a local host sent out an Echo Request (Type 128). The stateful firewall will automatically allow the response in.

You would not want to allow an unsolicited Echo Response to pass into the firewall.

This is also true if you allow icmpv4 on the WAN interface.
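Pulling together the RFC 4890 section 4.3.1 list from Claypenguin's edit above and the stateful point IsaacFL makes here, the following is an added example in pf.conf syntax (OPNsense compiles its GUI rules into pf(4) rules); it is not from the thread or from the OPNsense project, and the interface name, the delegated prefix and the macro names are assumptions.

```pf
# Added example, not from the thread or from OPNsense itself.
# Macro values are assumptions; the prefix is the RFC 3849 documentation range.
wan = "vtnet0"
net_ipv6_prefix = "2001:db8:1234::/56"

# RFC 4890 4.3.1 error messages needed for path MTU discovery and for
# keeping connections alive. Time Exceeded is limited to code 0 and
# Parameter Problem to codes 1 and 2, as the RFC recommends.
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type { unreach, toobig } keep state
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type timex code 0 keep state
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type paramprob code 1 keep state
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type paramprob code 2 keep state

# Connectivity checking: only Echo Request (128) is passed inbound, and only
# towards the delegated prefix. Echo Reply (129) has no inbound rule at all;
# it is admitted solely as the reply matching a state created by the outbound
# Echo Request rule, which is the stateful behaviour described above.
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type echoreq to $net_ipv6_prefix keep state
pass out quick on $wan inet6 proto ipv6-icmp icmp6-type echoreq keep state

# Neighbor Discovery on the WAN link; these are the two NDP types the
# automatic OPNsense floating rule already covers.
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv } keep state

# Any other ICMPv6 arriving on WAN (including unsolicited Echo Reply) is
# dropped and logged so the drops can be reviewed in the firewall log.
block in log quick on $wan inet6 proto ipv6-icmp
```

Syntax can be checked without loading the rules by running `pfctl -nf <file>` on a FreeBSD or OPNsense box.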

Title: Re: Question about automatic ipv6-icmp floating rule
Post by: matusp on August 08, 2020, 06:34:44 pm
Hello IsaacFL,
I tried setting an inbound rule on WAN allowing all ICMPv6 messages for test purposes, but it still does not earn me a full score on https://ipv6-test.com/
Understand this would not be the most secure approach.
Can you suggest the rules to be set?
Thanks!
Matus
Title: Re: Question about automatic ipv6-icmp floating rule
Post by: IsaacFL on August 14, 2020, 03:27:17 am
Here are my WAN rules that allow it to work. I create an Alias, NET_IPV6_PREFIX, that I set to my allocated prefix. In my case it is a /56. The third rule from the bottom is the one that will allow icmp into your network.