OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Ed V. on November 12, 2021, 06:22:39 pm

Title: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: Ed V. on November 12, 2021, 06:22:39 pm
Did some search-engine queries and only found posts /topics related to the 20.x series.

From the screencaptures, it looks like options have changed...

How do I go about creating the needed WAN and/or Floating rule to allow:

ICMPv6
Type 1 All
Type 2 All
Type 3 Code 0 or Code 1
Type 4 Code 0, Code 1 or Code 2

to pass through the WAN interface.

I see the automatic floating rules containing:

fe80::/10

and

ff02::/16

but these are for link-local and not "Public".

The only relevant options I seem to have in the IPv6 > ICMP drop-down is either "Any" (seems a tad excessive) or "Echo Request" (maybe - per the RFC this is a Type 128 with a Type 129 response packet), the others being "Echo Reply", "Destination Unreachable" and "Source Quench (deprecated)".  None of which are wise to open inbound in my opinion.

Testing via ipv6-test.com seems to indicate that my OPNsense 21.7.5 firewall is not set up to handle the needed IPv6 ICMP traffic, but doggone if I can spot how to enable the RFC "musts" and "shoulds".

Have I completely missed something?

If so, help pointing me to the correct docs is appreciated.

If not, any other help with less-than-obvious-to-me documented features or configuration options would also be appreciated.
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: marjohn56 on November 13, 2021, 03:11:05 am
IPv6-test.com: you need the service-request type. However, if you are using Windows as the host machine you'll also need to tweak the firewall on that too. I have a Hyper-V instance running on my server which has the firewall disabled and I can get 19/20; I lose a point as there's no reverse DNS. On my main PC, I only score 17/20 due to Windows' own firewall blocking ICMPv6.
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: Ed V. on November 13, 2021, 03:10:20 pm
ipv6-test.com fails (15/20) on Windows, Linux, OpenBSD, ChromeOS and Android, so I highly suspect it's not OS-related (I could be wrong - wouldn't be the first time an OS decided to "help protect" me...).

Just for grins, I fully disabled Windows firewall and I still score 15/20 on that box.
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: IsaacFL on November 13, 2021, 06:38:25 pm
I have a rule on the WAN interface to allow in ICMPv6 (Echo Request) to each of the subnets. See attachment.

I did separate rules just to keep track of the labels.

On the internal subnets I have a rule allowing all ICMP out.

You only need the Echo Request ICMPv6, because the stateful firewall will allow any ICMP responses back in, from my understanding.

I am then able to pass the IPv6 test 10/10, assuming your local OS isn't blocking ICMP (i.e. Windows).
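As an added example (not code from OPNsense, pf, or anyone in this thread), the script below builds ICMPv6 packets inline for the types listed in the opening post, validates the ICMPv6 checksum over the IPv6 pseudo-header, and runs them through a toy stateful filter to illustrate the point made in the post above: an outbound Echo Request creates state that lets the matching Echo Reply back in, an unsolicited reply is dropped, and the RFC 4890 error types (1, 2, 3 codes 0-1, 4 codes 0-2) pass regardless of state because PMTUD and unreachable reporting depend on them. The class name, verdict strings and addresses (RFC 3849 documentation prefix) are assumptions of the example, not OPNsense settings; it ignores IPv6 extension headers and the automatic link-local rules.

```python
"""ICMPv6 on the WAN: parse a packet, check its checksum, apply an RFC 4890 /
stateful policy.  Added example for this thread, not OPNsense or pf code.
Assumed: the allowed (type, code) sets are the ones in the opening post, the
state table is a toy model of a stateful firewall, all packets are constructed."""
import ipaddress
import struct

ICMPV6 = 58
ECHO_REQUEST, ECHO_REPLY = 128, 129

# RFC 4890 4.3.1/4.3.2 error messages as listed in the post.  None = any code.
RFC4890_ERRORS = {
    1: None,        # Destination Unreachable
    2: None,        # Packet Too Big (PMTUD breaks without it)
    3: {0, 1},      # Time Exceeded
    4: {0, 1, 2},   # Parameter Problem
}


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, complemented and folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, icmp_len: int) -> bytes:
    # IPv6 pseudo-header: src, dst, upper-layer length, three zero bytes, next header.
    return src + dst + struct.pack("!IBBBB", icmp_len, 0, 0, 0, ICMPV6)


def build(src: str, dst: str, icmp_type: int, code: int, body: bytes = b"") -> bytes:
    """IPv6 header + ICMPv6 message with a valid checksum (constructed sample traffic)."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    msg = struct.pack("!BBH", icmp_type, code, 0) + body
    csum = ones_complement_sum(pseudo_header(s, d, len(msg)) + msg)
    msg = struct.pack("!BBH", icmp_type, code, csum) + body
    ip6 = struct.pack("!IHBB", 6 << 28, len(msg), ICMPV6, 64) + s + d
    return ip6 + msg


def parse(pkt: bytes):
    """Return (src, dst, type, code, echo identifier, checksum_ok); raise if not ICMPv6."""
    if len(pkt) < 44 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nxt = struct.unpack("!HB", pkt[4:7])
    if nxt != ICMPV6:
        raise ValueError("next header %d is not ICMPv6 (extension headers not handled)" % nxt)
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    msg = pkt[40:40 + plen]
    if len(msg) < 4:
        raise ValueError("truncated ICMPv6 message")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    # With the transmitted checksum included, a valid message sums to zero.
    ok = ones_complement_sum(pseudo_header(src.packed, dst.packed, len(msg)) + msg) == 0
    ident = msg[4:6] if icmp_type in (ECHO_REQUEST, ECHO_REPLY) and len(msg) >= 6 else b""
    return src, dst, icmp_type, code, ident, ok


class WanIcmpv6Filter:
    """Toy stateful WAN filter (hypothetical).  Inbound passes if the message is an
    RFC 4890 error type, an Echo Request (when that rule is enabled), or an Echo
    Reply matching state left by our own outbound request."""

    def __init__(self, allow_echo_request: bool = True):
        self.allow_echo_request = allow_echo_request
        self.state = set()  # (our address, remote address, echo identifier)

    def outbound(self, pkt: bytes) -> str:
        src, dst, t, _, ident, ok = parse(pkt)
        if ok and t == ECHO_REQUEST:
            self.state.add((src, dst, ident))
        return "pass"  # the internal-side rule allows all ICMP out

    def inbound(self, pkt: bytes) -> str:
        src, dst, t, code, ident, ok = parse(pkt)
        if not ok:
            return "drop: bad checksum"
        codes = RFC4890_ERRORS.get(t)
        if t in RFC4890_ERRORS and (codes is None or code in codes):
            return "pass: RFC 4890 error message type %d code %d" % (t, code)
        if t == ECHO_REQUEST and self.allow_echo_request:
            return "pass: WAN rule (Echo Request)"
        if t == ECHO_REPLY and (dst, src, ident) in self.state:
            return "pass: reply matches state"
        return "drop: no rule or state for type %d code %d" % (t, code)


def demo() -> dict:
    """Run constructed packets through the filter and return the verdicts."""
    fw = WanIcmpv6Filter()
    us, them = "2001:db8:1::10", "2001:db8:2::1"  # RFC 3849 documentation addresses
    fw.outbound(build(us, them, ECHO_REQUEST, 0, b"\x12\x34\x00\x01"))  # id 0x1234, seq 1
    corrupt = build(them, us, 1, 0)
    corrupt = corrupt[:-1] + bytes([corrupt[-1] ^ 1])  # flip one checksum bit
    return {
        "ptb": fw.inbound(build(them, us, 2, 0, b"\x00\x00\x05\x00")),  # MTU 1280
        "param_problem_code_3": fw.inbound(build(them, us, 4, 3)),  # code not in list
        "echo_request": fw.inbound(build(them, us, ECHO_REQUEST, 0, b"\xab\xcd\x00\x01")),
        "echo_reply_stateful": fw.inbound(build(them, us, ECHO_REPLY, 0, b"\x12\x34\x00\x01")),
        "echo_reply_unsolicited": fw.inbound(build(them, us, ECHO_REPLY, 0, b"\xff\xff\x00\x01")),
        "corrupt": fw.inbound(corrupt),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-24s %s" % (name, verdict))
```

The Parameter Problem with code 3 is dropped on purpose: the opening post's list stops at code 2, so the check is per (type, code) rather than per type. Running it as a script prints one verdict per packet.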
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: IsaacFL on November 13, 2021, 06:44:04 pm
Here is a test I have used to verify the needed ICMPv6 works:
http://icmpcheckv6.popcount.org/

Same for IPv4:
http://icmpcheck.popcount.org/
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: opnfwb on November 13, 2021, 07:37:18 pm
To go from 17/20 to 19/20 on ipv6-test.com I had to do the following.

First make a rule on WAN to allow ICMPv6 Echo Requests. Screenshot provided.

Then I had to edit the Windows firewall and remove the Local Subnet from the scope. By default, when allowing ICMP on the Windows firewall, it limits the scope to only computers on the local subnet. Removing this allows an external system to get a ping response, in combination with the firewall rule that we added to WAN.

After those two changes I now score 19/20. The only thing missing for me on the ipv6-test website is the hostname.
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: Napsterbater on November 13, 2021, 08:31:44 pm
Use http://test-ipv6.com/; if you get 10/10 there, there is no need to change anything, your IPv6 will work fine.

https://ipv6-test.com/ takes points off for no ping response and rDNS, neither of which is needed for a working IPv6 connection.

Ping is only really required if you are going to be talking with Teredo clients, and Teredo is deprecated anyway.

What https://ipv6-test.com/ doesn't seem to test for is PMTUD issues, whereas http://test-ipv6.com/ does.

And rDNS just isn't needed, especially on a home system.
Title: Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
Post by: bimmerdriver on November 13, 2021, 11:12:20 pm
For the Windows firewall, I enable the existing rule, "Virtual Machine Monitoring (Echo Request - ICMPv6-In)".

With that and a rule in OPNsense to allow ICMP echo requests, I get 20/20.