Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
ICMPv6 /RFC4890 4.3.1 & 4.3.2
« previous
next »
Print
Pages: [
1
]
Author
Topic: ICMPv6 /RFC4890 4.3.1 & 4.3.2 (Read 4612 times)
Ed V.
Newbie
Posts: 20
Karma: 1
ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
on:
November 12, 2021, 06:22:39 pm »
Did some search-engine queries and only found posts /topics related to the 20.x series.
From the screencaptures, it looks like options have changed...
How do I go about creating the needed WAN and/or Floating rule to allow:
ICMPv6
Type 1 All
Type 2 All
Type 3 Code 0 or Code 1
Type 4 Code 0, Code 1 or Code 2
to pass through the WAN interface.
I see the automatic floating rules containing:
Code:
[Select]
fe80::/10
and
Code:
[Select]
ff02::/16
but these are for link-local and not "Public".
The only relevant options I seem to have in the IPv6 > ICMP drop-down is either "Any" (seems a tad excessive) or "Echo Request" (maybe - per the RFC this is a Type 128 with a Type 129 response packet), the others being "Echo Reply", "Destination Unreachable" and "Source Quench (deprecated)". None of which are wise to open inbound in my opinion.
Testing via ipv6-test.com seems to indicate that my OpnSense 21.7.5 firewall is not set up to handle the needed IPv6 ICMP traffic, but doggone if I can spot how to enable the RFC "musts" and "shoulds".
Have I completely missed something?
If so, help pointing me to the correct docs is appreciated.
If not, any other help with less-than-obvious-to-me documented features or configuration options would also be appreciated.
Logged
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #1 on:
November 13, 2021, 03:11:05 am »
IPv6-test.com you need the service-request type. However, if you are using windows as the host machine you'll also need to tweek the firewall on that too. I have a HyperV instance running on my Server which has the firewall disabled and I can get 19/20, I lose a point as there's no reverse dns. On my main PC, I only score 17/20 due to windows own firewall blocking ICMPv6.
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
Ed V.
Newbie
Posts: 20
Karma: 1
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #2 on:
November 13, 2021, 03:10:20 pm »
ipv6-test.com fails (15/20) on Windows, Linux, OpenBSD, ChromeOS and Android, so I highly suspect it's not OS related (I could be wrong - wouldn't be the first time an OS decided to "help protect" me...).
Just for grins, I fully disabled Windows firewall and I still score 15/20 on that box.
Logged
IsaacFL
Full Member
Posts: 217
Karma: 8
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #3 on:
November 13, 2021, 06:38:25 pm »
I have a rule on the WAN interface to allow in icmpv6 (Echo Request) to each of the subnets. See Attachment.
I did separate rules just to keep track of the labels.
On the internal subnets I have a rule allowing all icmp out.
You only need the Echo Request icmpv6, because the stateful firewall will allow any icmp responses back in, from my understanding.
I am then able to pass the ipv6 test 10/10. Assuming your local OS isn't blocking icmp (ie Windows).
Logged
IsaacFL
Full Member
Posts: 217
Karma: 8
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #4 on:
November 13, 2021, 06:44:04 pm »
Here is a test I have used to verify the needed icmpv6 works:
http://icmpcheckv6.popcount.org/
Same for ipv4:
http://icmpcheck.popcount.org/
Logged
opnfwb
Sr. Member
Posts: 331
Karma: 47
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #5 on:
November 13, 2021, 07:37:18 pm »
To go from 17/20 to 19/20 on ipv6-test.com I had to do the following.
First make a rule on WAN to allow ICMPv6 Echo Requests. Screenshot provided.
Then I had to edit the windows firewall and remove the Local Subnet from the scope. By default when allowing ICMP on the windows firewall, it limits the scope to only computers on the local subnet. Removing this allows an external system to get a ping response in combination with the firewall rule that we added to WAN.
After those two changes I now score 19/20. The only thing missing for me on the ipv6-test website is the hostname.
Logged
Napsterbater
Newbie
Posts: 33
Karma: 2
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #6 on:
November 13, 2021, 08:31:44 pm »
Use
http://test-ipv6.com/
, i you get 10/10 there, no need to change anything you Ipv6 will work fine.
https://ipv6-test.com/
takes points off for no ping response and rDNS neither of which are needed or a working IPv6 connection.
Ping is only really required if you are going to be talking with teredo clients, which teredo is deprecated anyways.
What
https://ipv6-test.com/
doesn't seem to test or is PMTUD issues, where as
http://test-ipv6.com/
does.
And rDNS, just isn't needed, epically on a home system.
Logged
bimmerdriver
Full Member
Posts: 159
Karma: 14
Re: ICMPv6 /RFC4890 4.3.1 & 4.3.2
«
Reply #7 on:
November 13, 2021, 11:12:20 pm »
For the windows firewall, I enable the existing rule, "Virtual Machine Monitoring (Echo Request - ICMPv6-In)".
With that and a rule in OPNsense to allow ICMP echo requests, I get 20/20.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
ICMPv6 /RFC4890 4.3.1 & 4.3.2