ER605 doesn't block ping from WAN when using IPv6
Hi, it appears that both the router and the devices behind it can be pinged from outside when using IPv6, the firewall ACL do not allow to block ICMPv6 traffic, is this a bug? how can i solve it? thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Daves_
Thanks for posting in our business forum.
If you are making such a comment, please add the pictures of your config. It would not waste another day to get a reply.
Daves_ wrote
Hi, it appears that both the router and the devices behind it can be pinged from outside when using IPv6, the firewall ACL do not allow to block ICMPv6 traffic, is this a bug? how can i solve it? thanks
Do you have a screenshot of your ACL?
Have you done a verification about your ACL is correct?
Supposedly, in IPv6, this is expected.
- Copy Link
- Report Inappropriate Content
Hi @Daves_
Thanks for posting in our business forum.
If you are making such a comment, please add the pictures of your config. It would not waste another day to get a reply.
Daves_ wrote
Hi, it appears that both the router and the devices behind it can be pinged from outside when using IPv6, the firewall ACL do not allow to block ICMPv6 traffic, is this a bug? how can i solve it? thanks
Do you have a screenshot of your ACL?
Have you done a verification about your ACL is correct?
Supposedly, in IPv6, this is expected.
- Copy Link
- Report Inappropriate Content
It appears that the behavior has changed, i can no longer ping internal devices from outside, but i can still ping the ER605, only on IPv6 though.
here's my setup:
Server behind ER605: IPv4 (10.0.0.2) IPv6 (2a07:7e81:XXXX:XXXX:XXXX:XXXX:XXXX:8183)
ER605: IPv4(195.XX.XX.77) IPv6 (2a07:7e83:XXXX:XXXX:XXXX:XXXX:XXXX:a57d) LAN Facing IPv6 (2a07:7e81:XXXX:XXXX:XXXX:XXXX:XXXX:7ecc)
There are 5 VLANs, of which only 1 (called LAN, ID:5) has IPv6 access.
There are 3 IPv4 Port Forwardings toward the server for RDP, HTTP and HTTPS.
Here are my Firewall ACLs
Yellow Rules are the ones that block inter-vlan routing between the different VLANS, The Red Rule is to allow access to the ER605 Web UI only from the LAN network, The Green Rule is to block access to the Web UI from any network that isn't LAN, while the blue rules are to allow HTTP and HTTPS traffic to reach the Server over ipv6.
The "IP_GROUP_LAN_ACTUAL" is an IPv4 Group that contains the subnet 10.0.0.0/24, while the "Server" group contains the Server's IPv6.
I should clarify that IPv4 ICMP blocking is working as intended.
here are a few pings executed from OUTSIDE my network.
(Sorry for italian in screenshots)
Pinging my router's public IPv4 Address:
4 Packets Transmitted, 100% Lost, as intended.
Pinging Server's IPv6:
4 Packets Transmitted, 100% Lost, as intended.
Pinging Router's WAN IPv6:
4 Packets Transmitted, 4 Received, 0% Lost, I'd like this to be blocked ideally.
Pinging Router's LAN Facing IPv6:
4 Packets Transmitted, 100% Lost, as intended.
- Copy Link
- Report Inappropriate Content
Hi @Daves_
Thanks for posting in our business forum.
Daves_ wrote
It appears that the behavior has changed, i can no longer ping internal devices from outside, but i can still ping the ER605, only on IPv6 though.
here's my setup:
Server behind ER605: IPv4 (10.0.0.2) IPv6 (2a07:7e81:XXXX:XXXX:XXXX:XXXX:XXXX:8183)
ER605: IPv4(195.XX.XX.77) IPv6 (2a07:7e83:XXXX:XXXX:XXXX:XXXX:XXXX:a57d) LAN Facing IPv6 (2a07:7e81:XXXX:XXXX:XXXX:XXXX:XXXX:7ecc)
There are 5 VLANs, of which only 1 (called LAN, ID:5) has IPv6 access.
There are 3 IPv4 Port Forwardings toward the server for RDP, HTTP and HTTPS.
Here are my Firewall ACLs
Yellow Rules are the ones that block inter-vlan routing between the different VLANS, The Red Rule is to allow access to the ER605 Web UI only from the LAN network, The Green Rule is to block access to the Web UI from any network that isn't LAN, while the blue rules are to allow HTTP and HTTPS traffic to reach the Server over ipv6.
The "IP_GROUP_LAN_ACTUAL" is an IPv4 Group that contains the subnet 10.0.0.0/24, while the "Server" group contains the Server's IPv6.
I should clarify that IPv4 ICMP blocking is working as intended.
here are a few pings executed from OUTSIDE my network.
(Sorry for italian in screenshots)
Pinging my router's public IPv4 Address:
4 Packets Transmitted, 100% Lost, as intended.
Pinging Server's IPv6:
4 Packets Transmitted, 100% Lost, as intended.
Pinging Router's WAN IPv6:
4 Packets Transmitted, 4 Received, 0% Lost, I'd like this to be blocked ideally.
Pinging Router's LAN Facing IPv6:
4 Packets Transmitted, 100% Lost, as intended.
If you don't wanna ping to IPv6 WAN, set up the ACL and block the access then.
- Copy Link
- Report Inappropriate Content
@Clive_A The problem is though, that the router does not allow me to block ICMPv6, When ICMP_ALL is selected in an ACL, only IPv4 can be chosen
- Copy Link
- Report Inappropriate Content
You should not block all ICMP on IPv6. I am not sure if you are allowed to block PING only in the router but other ICMP features are useful to IPv6.
Check out shouldiblockicmp dot com.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 757
Replies: 5
Voters 0
No one has voted for it yet.