Enable "IPv6 SPI Firewall" WITHOUT blocking ICMPv6

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2020-07-03 00:29:51
Model: Archer VR2800  
Hardware Version: V1
Firmware Version: 0.3.0 0.9.1 v006c.0 Build 170809 Rel.42095n

My question is how can I keep IPv6 SPI Firewall (in order to have increased security) WITHOUT blocking ICMPv6 (required for IPv6 to work properly)?

ICMP is needed in an IPv6 network for it to work properly: it's not meant to be blocked.

By searching about this issue on the internet, I strongly believe I won't get an answer that solves the issue. In TP-Link forums, I've found similar issues getting an answer like "there's no way to do it" or "no option for this is available at the moment". In another famous manufacturer's forum, it was even worse, as ICMPv6 was always blocked even with firewall disabled, and no firmware was available to fix the issue.

But it's a genuine issue, and I expect to receive a real answer that fixes this issue (I see no other way than a firmware release that can fix it, OR some magic setting (which I'm not aware of)).

MAYBE it's as easy as creating some rule in IPv6 Firewall but honestly, I'm lost in this one, and the rules seem to not have an allow/block toggle or an ICMP protocol type. (Does anyone know how to create a rule there?)

I mean, there's no use to have IPv6 SPI Firewall enabled if it blocks an essential part of IPv6 network.

Below are images to illustrate the issue (note the Windows PC used in the test doesn't have any firewall enabled, and I've repeated the tests several times in order to conclude the problem is caused at least by IPv6 SPI Firewall).

This is the setting I'm talking about:

IPv6 SPI Firewall enabled:

IPv6 SPI Firewall disabled:
 
Re:Enable "IPv6 SPI Firewall" WITHOUT blocking ICMPv6
2020-07-18 16:56:05

@ElectrifiedMan 

Not looking like an answer is forthcoming on this.

Re:Enable "IPv6 SPI Firewall" WITHOUT blocking ICMPv6
2021-05-17 12:53:08

@ElectrifiedMan Are there any updates on this?

Re:Enable "IPv6 SPI Firewall" WITHOUT blocking ICMPv6
2021-07-19 13:07:47

@ElectrifiedMan I found this post after setting up IPv6 on my network, and testing with https://ipv6-test.com/ which gave exactly the same message for me.

I'd also like to know the answer to this question. I wonder what the IPv6 Stateful Packet Inspection firewall on the TP-Link consumer grade router/gateways does.

Re:Enable "IPv6 SPI Firewall" WITHOUT blocking ICMPv6
2021-07-27 17:41:55

The Archer VR600 has a UI to enable or disable ICMP ping to the router. This is in Advanced Settings > System Tools > Administration under the ICMP Ping heading, with check boxes to allow Remote and/or Local.

I have tested whether this works for IPv6 addresses using https://www.ipaddressguide.com/ping6 - It does allow pinging the router's WAN IPv6 address from outside, but not global IPv6 addresses of hosts on the inside.

Being able to allow ICMP traffic through the SPI would be useful.

Re:Enable "IPv6 SPI Firewall" WITHOUT blocking ICMPv6
2021-08-05 18:13:12

I've been running IPv6 in my network for a couple of weeks now and haven't really had any problems. I don't know if the ICMPv6 block is causing network traffic to fail over to IPv4 or if this isn't the issue that ipv6-test.com is making it out to be. ICMPv6 is clearly important behind the firewall - distributing gateway and DNS addresses requires it. How essential is it to get through the firewall? RFC 4890 (https://datatracker.ietf.org/doc/html/rfc4890) gives guidance on how firewalls should be configured for ICMPv6 traffic, and a more readable account is at https://firehol.org/guides/icmpv6-recommendations/. With the IPv6 stateful firewall enabled I am still able to get ping6 responses to external hosts (e.g. ping6 google.com) so it isn't completely blocked.
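
Added example, not part of any post above and not TP-Link firmware configuration: a stateful IPv6 forwarding policy that still passes the transit ICMPv6 messages RFC 4890 (sections 4.3.1 and 4.3.2) says should not be dropped, written as an nftables ruleset for a generic Linux router. The interface names `wan0` and `lan0`, the table name `spi6` and the echo rate limit are assumptions.

```nftables
# Added illustration for a generic Linux router; not TP-Link configuration.
# Assumed names: wan0 (upstream), lan0 (inside), table "spi6".
table ip6 spi6 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: replies to LAN-initiated flows, plus ICMPv6 errors
        # that conntrack ties to an existing flow (state "related").
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new flows outbound.
        iifname "lan0" oifname "wan0" accept

        # RFC 4890 sections 4.3.1 / 4.3.2: error messages that should cross
        # the firewall. Packet Too Big matters most, because IPv6 routers do
        # not fragment and Path MTU Discovery depends on it.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Unsolicited echo from outside to LAN hosts, rate limited
        # (the limit is an assumed value).
        icmpv6 type echo-request limit rate 20/second accept
        icmpv6 type echo-reply accept

        # Neighbor Discovery and Router Advertisement (types 133-137) are
        # link-local and never forwarded, so they need no rule in this chain.
    }
}
```

Under a policy like this, replies to outbound pings pass as established traffic, while inbound echo requests to LAN hosts pass only because of the explicit rule.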