IPV6 Ping from internet

[rockyd]

Is IPV6 Ping from internet blocked?

Various "is site up" sites indicate it is.
Using
https://www.uptrends.com/tools/ipv6-ping-test
for my website https://www.reservoirweather.com/
says it fails.

I believe I may need to make a firewall rule to allow it is that correct?

[Lantis]

You are hosting this site from behind your router? So you have successfully made a firewall rule to allow access to it (and it looks like it is working)?

If so, then yes the piece you are missing is a port opening rule for ICMP protocol.
The GUI doesn't cater for this (currently). Accepting ICMP pings is not needed, however if it is desired...

I have created a patch you can apply.
https://github.com/ericpaulbishop/gargo ... df2aebbe33

Alternatively you can manually create a firewall rule in /etc/config/firewall like so

Code: Select all

config rule 'portopen_rule_enabled_number_0'
	option name 'AllowICMPWebserver'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option target 'ACCEPT'
	option proto 'icmp'
	option dest_ip 'your_ipv6_address_here'

Number the rule appropriately if you have other rules already in there.

Cool site, by the way

[rockyd]

Thanks for the reply

I have created a patch you can apply.
https://github.com/ericpaulbishop/gargo ... df2aebbe33

No idea, how to do that.

Alternatively you can manually create a firewall rule in /etc/config/firewall like so

Looks like I will be doing this, I had to fiddle with firewall regarding Tor awhile back.

Number the rule appropriately if you have other rules already in there.

I hope I work out what that means.

Cool site, by the way

Thanks

[Lantis]

I will release a minor update on my site within a week if you’re happy to wait.

[rockyd]

Ok not having much luck with working out where to put it in the firewall file.
I edited the rule you provided above with my server ipv6 address. After a few goes putting it in other places in the file. I eventually realised it should probably go with "portopen_rule_enabled_" rules, tried putting it last and first.

I have 4 rules in the section "portopen_rule_enabled_" 2 for port 80 and 2 for 443. I tried putting it at the end of those, and on top of those, renumbering the rules accordingly.

I even tried an alternative ping tester

https://tools.keycdn.com/ipv6-ping

[Lantis]

If you shared your config I could try to spot if you have done it correctly.
Assuming you have, did you restart the firewall after placing the rule in the file?

Code: Select all

/usr/lib/gargoyle/restart_firewall.sh

You can also verify the rule was placed into iptables

Code: Select all

ip6tables -t filter -nvL

The rule will be under zone_wan_forward.

The final bit is whether your server is dropping icmp echoes as well.


I verified this on my own network last night and was successful.

[rockyd]

If you shared your config I could try to spot if you have done it correctly.

The firewall file?

Assuming you have, did you restart the firewall after placing the rule in the file?

I was rebooting the router, but I tried your command now.

The rule will be under zone_wan_forward.

Seems to be there

Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
386 26595 forwarding_wan_rule all * * ::/0 ::/0 /* !fw3: Custom wan forwarding rule chain */
377 24968 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 128 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 129 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 1 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 2 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 3 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 4 code 0 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 ACCEPT ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 4 code 1 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
0 0 zone_lan_dest_ACCEPT esp * * ::/0 ::/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp * * ::/0 ::/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
0 0 zone_lan_dest_ACCEPT tcp * * ::/0 My ipv6 server address tcp dpt:80 /* !fw3: HTTP */
0 0 zone_lan_dest_ACCEPT udp * * ::/0 My ipv6 server address udp dpt:80 /* !fw3: HTTP */
0 0 zone_lan_dest_ACCEPT tcp * * ::/0 My ipv6 server address tcp dpt:443 /* !fw3: HTTPS */
0 0 zone_lan_dest_ACCEPT udp * * ::/0 My ipv6 server address udp dpt:443 /* !fw3: HTTPS */
0 0 zone_lan_dest_ACCEPT ipv6-icmp * * ::/0 My ipv6 server address /* !fw3: AllowICMPWebserver */
9 1627 MINIUPNPD all * * ::/0 ::/0
9 1627 MINIUPNPD all * * ::/0 ::/0
9 1627 zone_wan_dest_REJECT all * * ::/0 ::/0 /* !fw3 */

The final bit is whether your server is dropping icmp echoes as well.

I think it is not being dropped on the server because I can ping it from other computers on the network and from Gargoyles diagnostics.

[Lantis]

Rules look fine.
The fact that they are showing zero packets and zero bytes means nothing is hitting those rules, even your port forwards for the web server.
Check again after hitting the web server from wan and attempting ping from wan and check numbers are increasing.
If the icmpv6 rule is counting up, it is being blocked by something between Gargoyle and webserver.

[Lantis]

Although now that I look at it closer this may have been completely unnecessary.
There is already a rule for allowing ipv6 pings to be forwarded, and yours is showing packets hitting it. So I may end up reverting this change.

So I would again check the local device.

[rockyd]

You are right. I have had to make a Windows Firewall rule to allow icmpv6. Now ping from the internet works.
I thought since I could ping from other computer in the network that would not be a problem.
Thanks for your help and apologies for wasting your time.