Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Question about automatic ipv6-icmp floating rule
« previous
next »
Print
Pages: [
1
]
Author
Topic: Question about automatic ipv6-icmp floating rule (Read 8915 times)
Claypenguin
Newbie
Posts: 3
Karma: 1
Question about automatic ipv6-icmp floating rule
«
on:
April 13, 2020, 08:44:05 am »
Hello all,
I have a question about the automatically generated ipv6-icmp floating rule. In my understanding this rule should allow all ipv6-icmp traffic on all interfaces, because it's an ipv6 requirement, right? But unless I'm adding another rule on WAN-in that allows ipv6-icmp traffic, ipv6-icmp to my devices is being filtered.
Am I missing something here?
Cheers
https://imgur.com/QlqJihR
Logged
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Question about automatic ipv6-icmp floating rule
«
Reply #1 on:
April 13, 2020, 10:00:37 am »
Although ICMP is a requirement and is/can be used for certain management functions its a bit hard to force people to leave the firewall totally open for all ICMP v6 traffic, if Opnsense did that there would be a lot of grief! I have an allow all ICMPv6 rule, but my GeoIP rule takes priority and blocks most regions... just in case.
You have the choice by adding an allow all rule or tailor it to suit your needs. You'll find Windows firewall also blocks unsolicited inbound ICMPv6 packets, take it up with Microsoft and see how far you get.
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
Claypenguin
Newbie
Posts: 3
Karma: 1
Re: Question about automatic ipv6-icmp floating rule
«
Reply #2 on:
April 13, 2020, 10:12:44 am »
I've noticed the Windows thing
So regarding the automatic rule, what exactly does it do then?
Edit:
For anyone interested, I've looked at little bit more into this and apparently the automatic rules are only for icmp6-types unreach, toobig, neighbrsol and neighbradv. I've manually added the rules to my firewall that are recommended as per RFC4890
https://tools.ietf.org/html/rfc4890#section-4.3.1
«
Last Edit: April 14, 2020, 10:33:26 am by Claypenguin
»
Logged
IsaacFL
Full Member
Posts: 217
Karma: 8
Re: Question about automatic ipv6-icmp floating rule
«
Reply #3 on:
April 14, 2020, 07:38:26 pm »
For the WAN interface, you only need a rule passing in icmp Echo Request. All of the other types of icmp, will be handled by the stateful part of the fire wall.
For example, you should only see an Echo Response (Type 129) coming in after a local host sent out an Echo Request (Type 128). The stateful firewall will automatically allow the response in.
You would not want to allow an unsolicited Echo Response to pass into the firewall.
This is also true if you allow icmpv4 on the WAN interface.
Logged
matusp
Newbie
Posts: 1
Karma: 0
Re: Question about automatic ipv6-icmp floating rule
«
Reply #4 on:
August 08, 2020, 06:34:44 pm »
Hello IsaacFL,
tried setting an inbound rule on WAN allowing all ICMPv6 messages for test purposes, but it still does not earn me a full score on
https://ipv6-test.com/
Understand this would not be the most secure approach.
Can you suggest the rules to be set?
Thanks!
Matus
«
Last Edit: August 09, 2020, 07:14:57 pm by matusp
»
Logged
IsaacFL
Full Member
Posts: 217
Karma: 8
Re: Question about automatic ipv6-icmp floating rule
«
Reply #5 on:
August 14, 2020, 03:27:17 am »
Here are my WAN rules that allow it to work. I create an Alias, NET_IPV6_PREFIX that I set to my allocated prefix. In my case it is a /56. Third rule from bottom is the one that will allow icmp into your network.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Question about automatic ipv6-icmp floating rule