Incoming ipv6 echo requests to LAN blocked?


Morac

Senior Member
I have Comcast which has native ipv6 and like to use https://ipv6-test.com/ to test it. I used to get a 19/20 score with the only “issue” being I didn’t have a reverse DNS entry.

In the recent Merlin firmwares after resetting the settings, I now get a 17/20 with a big red warning stating:
Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

I do have the IPv6 firewall enabled and the “respond to ICMP Echo requests from wan” disabled, but that appears to only be for IPv4 pings as I can ping the WAN IPv6 address, just not my LAN IPv6 addresses.

Changing either or both of those settings doesn’t do anything for IPv6 pings at https://ipv6-test.com/pingtest/

Is there a setting that controls IPv6 echo requests?
 

det721

Part of the Furniture
Known issue. Asus for some reason are blocking ICMPv6 echo requests; this started a few firmwares ago. This has also made it to Merlin firmware as well.
 

Morac

Senior Member
Ah okay thanks. Do they block any other ICMPv6 traffic or just echo requests?

I think blocking echo requests is “okay” though it violates the RFC, but blocking other ICMPv6 traffic could be problematic.

For what it‘s worth pinging did work at https://tools.keycdn.com/ipv6-ping.
 

det721

Part of the Furniture
I am sure what they did really didn't break anything and there must be more to it. IPv6 works excellent for me here despite whatever they changed.
 

RMerlin

Asuswrt-Merlin dev
Double check which IP you are pinging. IPv6 is routed not NATed, therefore the ping may very well be blocked by your computer rather than your router.
 

det721

Part of the Furniture
I have a firewall rule in Windows 10 that allows ICMPv6 echo requests. This changed when Asus started using the 386 code base. All the 384 code base still allowed the request so they indeed changed something.
 

MrC99

New Around Here
This was already answered when you asked about it here: http://www.snbforums.com/threads/alpha-386-2.70020/post-670956

It's not being blocked, it's being rate limited. That's probably just confusing the web test. Try removing that firewall rule and running the test again.
Removing the rule may not help as it appears to be re-created (eg on wan down/up). I've found adding a specific rule to the forward chain to permit ipv6-icmp echo-request from the testing host to be easier to manage.
 

Morac

Senior Member

That code doesn’t seem to make any sense.

The line was changed to accept one echo request IPv6 ICMP packet per second instead of dropping one echo request IPv6 ICMP packet per second (which makes sense), but the for loop immediately below the changed line already added a rule to always accept echo request IPv6 ICMP packets, since type 128 is in the allowed array.

Unless I’m misreading the code, it looks like if the limit rule doesn’t match (packets come in faster than once a second), the packet would just be accepted anyway.

As such the original code would drop one echo request packet every second. The new code will accept all echo request packets, i.e. the rate limit won’t do anything.
 

RMerlin

Asuswrt-Merlin dev
The original code was broken because whoever implemented the limit rule had the logic backward - the jump to logdrop would happen when NOT being flooded.

I only did a quick fix for the logic of that specific rule. I will need more time to do a more in-depth study of the chain logic to fully address ICMPv6 handling in that chain. Since my ISP does not support IPv6, I can't just log into my router and review the existing rules, I need to go through the entire function to analyze its flow.
 

Krydos

New Around Here
> Since my ISP does not support IPv6
Yeah, that sucks. My last isp didn't support ipv6 either. I called them asking them about it and after talking to like 3 different customer support people who had no idea what I was talking about this guy finally just said that they would need to send a technician to my home to set it up for me. I was like 95% sure he was just blowing me off because he had no idea what I was talking about either. I was so relieved to see that ipv6 just works on my new isp without having to explain what it is to a bunch of customer service people on the phone.

> I can't just log into my router and review the existing rules, I need to go through the entire function to analyze its flow.

This result on https://ipv6-test.com/ led me to this thread. I have an Asus RT-AC68U running the latest version of merlin on an isp that supports ipv6 natively. If you want to take a look at my routing tables to get this fixed let me know. I can ping ipv6 between computers on my lan, I can ping out ipv6 through the router, but I can't ping in to an ipv6 through my router. I'd be happy to help if you want.
 

RMerlin

Asuswrt-Merlin dev
ICMPv6 firewall filtering was fixed in 386.2_2. It was an invalid rule that Asus had added that was configured backward (it allowed floods but blocked slow paced pings).
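
The rule ordering discussed in this thread, as an added example that is not part of any post or of the firmware source: a small Python model of first-match rule evaluation with a token-bucket limit match, run over a slow ping and a flood. The three rule lists are reconstructed from the descriptions above; the burst of 5 and the `RATE_LIMITED` list are assumptions made for illustration.

```python
# Added illustration: models first-match rule evaluation with a netfilter-style
# "limit" match. Rule lists are reconstructed from the thread, not firmware code.

class LimitMatch:
    """Integer token bucket: matches while packets stay within rate/burst."""
    def __init__(self, per_second=1, burst=5):    # burst=5 is an assumption
        self.cost = 1000 // per_second             # credit (ms) one match costs
        self.cap = self.cost * burst
        self.credit = self.cap
        self.last_ms = 0

    def matches(self, now_ms):
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True        # within the limit: rule matches, target applies
        return False           # over the limit: fall through to the next rule

# Each rule is (uses_limit_match, target); every rule matches echo request (type 128).
ORIGINAL     = [(True, "DROP"),   (False, "ACCEPT")]  # limit -> logdrop, then allow-list accept
QUICK_FIX    = [(True, "ACCEPT"), (False, "ACCEPT")]  # limit -> accept, then allow-list accept
RATE_LIMITED = [(True, "ACCEPT"), (False, "DROP")]    # assumed goal: drop only the excess

def run(chain, arrivals_ms):
    """Count the verdict each echo request receives under first-match evaluation."""
    limit = LimitMatch()
    verdicts = {"ACCEPT": 0, "DROP": 0}
    for now in arrivals_ms:
        for uses_limit, target in chain:
            if not uses_limit or limit.matches(now):
                verdicts[target] += 1
                break          # the first matching rule decides the packet
    return verdicts

SLOW_PING = range(0, 10_000, 1000)   # constructed: 1 echo request/s for 10 s
FLOOD     = range(0, 10_000, 10)     # constructed: 100 echo requests/s for 10 s

if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL), ("quick fix", QUICK_FIX),
                        ("rate limited", RATE_LIMITED)]:
        print(f"{name:13} slow={run(chain, SLOW_PING)} flood={run(chain, FLOOD)}")
```

In this model the original ordering drops every slow-paced ping and lets almost all of a flood through, while the quick fix accepts everything because the allow-list rule catches whatever the limit rule passes over.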
 

john9527

Part of the Furniture
> but I can't ping in to an ipv6 through my router.
If you are running on Windows, it's likely the 'your firewall' part and not the router (Windows firewall blocks IPv6 ping by default). Look for
File and Printer Sharing (Echo request - ICMPv6-In). Check both Public and Private profiles, and you may need to change the Scope setting for the allowed remote addresses.
 

Krydos

New Around Here
> If you are running on Windows, it's likely the 'your firewall' part and not the router (Windows firewall blocks IPv6 ping by default). Look for
> File and Printer Sharing (Echo request - ICMPv6-In). Check both Public and Private profiles, and you may need to change the Scope setting for the allowed remote addresses.
Ahh, yep. I incorrectly assumed that if Windows responded to ipv6 pings from the same /64 it would respond to pings from any ipv6 address. Disabling the Windows firewall allows me to get 20/20 on that ipv6 test. Thanks. (At least this thread has a resolution for anyone who searches and finds it like I did.)
 

GHammer

Senior Member
For me, on the latest Win 10 Pro, I selected the following rule and set active and 'Private'

Core Networking Diagnostics - ICMP Echo Request (ICMPv6-In)

There are two identical in description, but only the first one needed activated and made to work on Private networks on my machine.
 
