Incoming ipv6 echo requests to LAN blocked?

[Morac]

I have Comcast which has native ipv6 and like to use https://ipv6-test.com/ to test it. I used to get a 19/20 score with the only “issue” being I didn’t have a reverse DNS entry.

In the recent Merlin firmwares after resetting the settings, I now get a 17/20 with a big red warning stating:

Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

I do have the IPv6 firewall enabled and the “respond to ICMP Echo requests from wan” disabled, but that appears to only be for IPv4 pings as I can ping the WAN IPv6 address, just not my LAN IPv6 addresses.

Changing either or both of those settings doesn’t do anything for IPv6 pings at https://ipv6-test.com/pingtest/

Is there a setting that controls IPv6 echo requests?

 

[Deleted member 22229]

Known issue. Asus for some reason are blocking ICMPv6 echo requests this started a few firmware's ago. This has also made it to Merlin firmware as well.

 

[Morac]

Ah okay thanks. Do they block any other ICMPv6 traffic or just echo requests?

I think blocking echo requests is “okay” though it violates to RFC, but blocking other ICMPv6 traffic could be problematic.

For what it‘s worth pinging did work at https://tools.keycdn.com/ipv6-ping.

 

[Deleted member 22229]

I am sure what they did really didn't break anything and there must be more to it. IPv6 works excellent for me here despite what ever they changed.

 

[RMerlin]

Double check which IP you are pinging. IPv6 is routed not NATed, therefore the ping may very well be blocked by your computer rather than your router.

 

[Deleted member 22229]

I have a firewall rule in windows10 that allows ICMPv6 echo requests. This changed when Asus stated using the 386 code base. All the 384 code base still allowed the request so they indeed changed something.

 

[MrC99]

This was already answered when you asked about it here: http://www.snbforums.com/threads/alpha-386-2.70020/post-670956

It's not being blocked, it's being rate limited. That's probably just confusing the web test. Try removing that firewall rule and running the test again.

Removing the rule may not help as it appears to be re-created (eg on wan down/up). I've found adding a specific rule to the forward chain to permit ipv6-icmp echo-request from the testing host to be easier to manage.

 

[ColinTaylor]

Looks like it was a bug that's been fixed here: https://github.com/RMerl/asuswrt-merlin.ng/commit/0d466b73575e9576ea154413386bd713f25afb27

 

[Morac]

Looks like it was a bug that's been fixed here: https://github.com/RMerl/asuswrt-merlin.ng/commit/0d466b73575e9576ea154413386bd713f25afb27

That code doesn’t seem to make any sense.

The line that was changed to accept one echo request IPv6 ICMP packet per second, instead of drop one echo request IPv6 ICMP packet per second (which makes sense), but the for loop immediately below the changed line already added a rule to always accept echo request IPv6 ICMP packets since type 128 is in the allowed array.

Unless I’m misreading the code, it looks like if the limit rule doesn’t match (packets come in faster than once a second), the packet would just be accepted anyway.

As such the orignal code would drop one echo request packet every second. The new code will accept all echo request packets, I.e. the rate limit won’t do anything.

 

[RMerlin]

The original code was broken because whoever implemented the limit rule had the logic backward - the jump to logdrop would happen when NOT being flooded.

I only did a quick fix for the logic of that specific rule. I will need more time to do a more in-depth study of the chain logic to fully address ICMPv6 handling in that chain. Since my ISP does not support IPv6, I can't just log into my router and review the existing rules, I need to go through the entire function to analyze its flow.

 

[Krydos]

Since my ISP does not support IPv6

Yeah, that sucks. My last isp didn't support ipv6 either. I called them asking them about it and after talking to like 3 different customer support people who had no idea what I was talking about this guy finally just said that they would need to send a technician to my home to set it up for me. I was like 95% sure he was just blowing me off because he had no idea what I was talking about either. I was so relieved to see that ipv6 just works on my new isp without having to explain what it is to a bunch of customer service people on the phone.

I can't just log into my router and review the existing rules, I need to go through the entire function to analyze its flow.

This result on https://ipv6-test.com/ lead me to this thread. I have an Asus RT-AC68U running the latest version of merlin on an isp that supports ipv6 natively. If you want to take a look at my routing tables to get this fixed let me know. I can ping ipv6 between computers on my lan, I can ping out ipv6 through the router, but I can't ping in to an ipv6 through my router. I'd be happy to help if you want.

 

[RMerlin]

ICMPv6 firewall filtering was fixed in 386.2_2. It was an invalid rule that Asus had added that was configured backward (it allowed floods but blocked slow paced pings).

 

[john9527]

but I can't ping in to an ipv6 through my router.

If you are running on Windows, it's likely the 'your firewall' part and not the router (Windows firewall blocks IPv6 ping by default). Look for
File and Printer Sharing (Echo request - ICPMV6-In) Check both Public and Private profiles, and you may need to change the Scope setting for the allowed remote addresses.

 

[Krydos]

If you are running on Windows, it's likely the 'your firewall' part and not the router (Windows firewall blocks IPv6 ping by default). Look for
File and Printer Sharing (Echo request - ICPMV6-In) Check both Public and Private profiles, and you may need to change the Scope setting for the allowed remote addresses.

Ahh, yep. I incorrectly assumed that if windows responded to ipv6 pings from the same /64 it would respond to pings from any ipv6 address. Disabling the windows firewall allows me to get 20/20 on that ipv6 test. Thanks. (At least this thread has a resolution for anyone who searches and finds it like I did.)

 

[GHammer]

For me, on the latest Win 10 Pro, I selected the following rule and set active and 'Private'

Core Networking Diagnostics - ICMP Echo Request (ICMPv6-In)

There are two identical in description, but only the first one needed activated and made to work on Private networks on my machine.