RT-AC86U IPv6 ICMP filtered

[relgames]

Hi everyone,

I have RT-AC86U with stock firmware 3.0.0.4.386_51255
My ISP provides native IPv6 which I enabled.

ICMP packets are blocked from WAN to LAN when Enable IPv6 Firewall is set to Yes - I tested it multiple times with several devices on LAN, using https://ipv6-test.com and also ping6 from Amazon EC2 VM.
When I set IPv6 Firewall to No, pings start to work.

I tried comparing iptables rules with firewall on and off, I didn't find any difference.
I'm not seeing ICMP in Firewall UI, only OTHER:

Is there a way to keep IPv6 firewall on but enable ICMP from WAN to LAN?

 

[dave14305]

Can you ssh into the router and post the output of these 2 commands before and after running the test again, with the IPv6 firewall enabled?

ip6tables -nvL FORWARD
ip6tables -nvL ICMP_V6

 

[relgames]

Here is the output before ping from WAN:

relgames@RT-AC86U-BDB0:/tmp/home/root# ip6tables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
97348   38M ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
11983 3321K OVPNSF     all      *      *       ::/0                 ::/0
 9270 3086K ACCEPT     all      br0    eth0    ::/0                 ::/0
    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0
  553 49099 DROP       all      *      *       ::/0                 ::/0                 state INVALID
    0     0 ACCEPT     59       *      *       ::/0                 ::/0                 length 40
   25  2600 ICMP_V6    icmpv6    *      *       ::/0                 ::/0
 2160  186K OVPNCF     all      *      *       ::/0                 ::/0
 2160  186K DROP       all      *      *       ::/0                 ::/0
relgames@RT-AC86U-BDB0:/tmp/home/root# ip6tables -nvL ICMP_V6
Chain ICMP_V6 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   28  2912 RETURN     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128 limit: avg 1/sec burst 5
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 DROP       all      *      *       ::/0                 ::/0
relgames@RT-AC86U-BDB0:/tmp/home/root#

Running ping6 on EC2 VM:

ping6 2a02:[censored]:2705
PING 2a02:[censored]:2705) 56 data bytes
^C
--- 2a02:[censored]:2705 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8179ms

And commands again:

relgames@RT-AC86U-BDB0:/tmp/home/root# ip6tables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
99502   39M ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
12101 3355K OVPNSF     all      *      *       ::/0                 ::/0
 9374 3119K ACCEPT     all      br0    eth0    ::/0                 ::/0
    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0
  558 49399 DROP       all      *      *       ::/0                 ::/0                 state INVALID
    0     0 ACCEPT     59       *      *       ::/0                 ::/0                 length 40
   34  3536 ICMP_V6    icmpv6    *      *       ::/0                 ::/0
 2169  187K OVPNCF     all      *      *       ::/0                 ::/0
 2169  187K DROP       all      *      *       ::/0                 ::/0
relgames@RT-AC86U-BDB0:/tmp/home/root# ip6tables -nvL ICMP_V6
Chain ICMP_V6 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   37  3848 RETURN     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128 limit: avg 1/sec burst 5
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 DROP       all      *      *       ::/0                 ::/0

 

[dave14305]

You can see the counter increased by 9 (28 to 37) which matches the ping packet count. So that seems to work OK.

 

[ColinTaylor]

You can see the counter increased by 9 (28 to 37) which matches the ping packet count. So that seems to work OK.

I think it's a bug in the logic. Looking at other "limit" rules in the firewall, there's a match if the packet rate does not exceed the limit. So instead of jumping to RETURN (where it is subsequently dropped) it should be ACCEPT.

The same logic is in Merlin.

Here is the IPv4 DoS protection rules by way of a comparison:

-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN

   limit
       This module matches at a limited rate using a token bucket
       filter.  A rule using this extension will match until this limit
       is reached.  It can be used in combination with the LOG target to
       give limited logging, for example.

       xt_limit has no negation support - you will have to use -m
       hashlimit !  --hashlimit rate in this case whilst omitting
       --hashlimit-mode.

       --limit rate[/second|/minute|/hour|/day]
              Maximum average matching rate: specified as a number, with
              an optional `/second', `/minute', `/hour', or `/day'
              suffix; the default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number
              gets recharged by one every time the limit specified above
              is not reached, up to this number; the default is 5.

@RMerlin ?

 

[dave14305]

if you turn off DoS protection it should not add the limit option.

 

[relgames]

if you turn off DoS protection it should not add the limit option.

Thanks a lot, it did it: when I turned off DoS protection, pings started to work, with IPv6 Firewall still enabled.