OpenWrt Forum Archive

Topic: ICMP Filtered, how to fix it?

The content of this topic has been archived on 5 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I followed the script written down here:
https://wiki.openwrt.org/doc/howto/ipv6.nat6

and it works on my E3000 test environment.
Now I applied exactly the same on the Rpi3, but here I get a warning from the test website:
http://ipv6-test.com/
it says:

Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

which is right. Google says I'm not using IPv6 at all.
I noticed windows tells me IPv4 and IPv6 have internet connection.
I also noticed some websites indeed work and some not, as written in the warning.

I must point out I can ping -6 google.com and all the other sites I've tried.

So what's wrong with the script for my specific case?

The LAN is on eth1
and the WAN is on eth0
so on eth0 I have "wan" and "wan6" and in the script I use "wan6" to set the ip6tables.

This is the log of the script:

root@OpenWrt:~# logread | grep NAT6
Mon Oct 24 19:14:18 2016 user.notice NAT6: Probing IPv6 route
Mon Oct 24 19:14:19 2016 user.notice NAT6: Setting up NAT6
Mon Oct 24 19:14:19 2016 user.notice NAT6: Added IPv6 masquerading rule to the firewall (Src: dd00:1:1:69::/64 - Dst: eth0)
Mon Oct 24 19:14:19 2016 user.notice NAT6: Added fe80::1 to routing table as gateway on eth0 for outgoing connections
Mon Oct 24 19:14:19 2016 user.notice NAT6: Accepting router advertisements on eth0 even if forwarding is enabled (required for temporary addresses)
Mon Oct 24 19:14:19 2016 user.notice NAT6: Using temporary addresses for outgoing connections on interface eth0

No indication something is wrong. Yet it is.

These are the current settings:

root@OpenWrt:~# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ID:66773300
input_rule  all      anywhere             anywhere             ID:66773300 /* user chain for input */
ACCEPT     all      anywhere             anywhere             ID:66773300 ctstate RELATED,ESTABLISHED
syn_flood  tcp      anywhere             anywhere             ID:66773300 tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all      anywhere             anywhere             ID:66773300
zone_wan_input  all      anywhere             anywhere             ID:66773300

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all      anywhere             anywhere             ID:66773300 /* user chain for forwarding */
ACCEPT     all      anywhere             anywhere             ID:66773300 ctstate RELATED,ESTABLISHED
zone_lan_forward  all      anywhere             anywhere             ID:66773300
zone_wan_forward  all      anywhere             anywhere             ID:66773300
reject     all      anywhere             anywhere             ID:66773300

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ID:66773300
output_rule  all      anywhere             anywhere             ID:66773300 /* user chain for output */
ACCEPT     all      anywhere             anywhere             ID:66773300 ctstate RELATED,ESTABLISHED
zone_lan_output  all      anywhere             anywhere             ID:66773300
zone_wan_output  all      anywhere             anywhere             ID:66773300

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp      anywhere             anywhere             ID:66773300 reject-with tcp-reset
REJECT     all      anywhere             anywhere             ID:66773300 reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp      anywhere             anywhere             ID:66773300 tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all      anywhere             anywhere             ID:66773300

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ID:66773300

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all      anywhere             anywhere             ID:66773300 /* user chain for forwarding */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             ID:66773300 /* forwarding lan -> wan */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             ID:66773300

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all      anywhere             anywhere             ID:66773300 /* user chain for input */
zone_lan_src_ACCEPT  all      anywhere             anywhere             ID:66773300

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all      anywhere             anywhere             ID:66773300 /* user chain for output */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ID:66773300

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ID:66773300

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all      anywhere             anywhere             ID:66773300

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all      anywhere             anywhere             ID:66773300 /* user chain for forwarding */
zone_lan_dest_ACCEPT  esp      anywhere             anywhere             ID:66773300 /* @rule[6] */
zone_lan_dest_ACCEPT  udp      anywhere             anywhere             ID:66773300 udp dpt:isakmp /* @rule[7] */
zone_wan_dest_REJECT  all      anywhere             anywhere             ID:66773300

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all      anywhere             anywhere             ID:66773300 /* user chain for input */
ACCEPT     udp      fc00::/6             fc00::/6             ID:66773300 udp dpt:dhcpv6-client /* Allow-DHCPv6 */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ID:66773300 ipv6-icmptype 130 code 0 /* Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ID:66773300 ipv6-icmptype 131 code 0 /* Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ID:66773300 ipv6-icmptype 132 code 0 /* Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ID:66773300 ipv6-icmptype 143 code 0 /* Allow-MLD */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ID:66773300 ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
zone_wan_src_REJECT  all      anywhere             anywhere             ID:66773300

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all      anywhere             anywhere             ID:66773300 /* user chain for output */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             ID:66773300

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all      anywhere             anywhere             ID:66773300

The script itself says:
WAN6_INTERFACE=$(uci get "network.$WAN6_NAME.ifname")  results in eth0
WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}') results in fe80::1
LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix) results in dd00:1:1:69::/64

since I'm masquerading I wonder why it complains the ICMPv6 packets aren't getting through. Shouldn't that be done automatically by kmod-ipt-nat6?

Hi,

first of all, while filtering ICMPv6 is not recommended, it usually doesn't completely break things either (there are, of course, exceptions, and in general it makes fault detection harder). I have ICMPv6 messages filtered as well and have no issues connecting to IPv6 hosts.

To me, the question would be to which hosts you cannot connect or get an unreliable connection. Then you can analyze that. Using your browser to see if it connects to the internet via IPv4 or IPv6 is not very reliable because even in situations in which IPv6 works, it may fall back to IPv4 if it assumes your IPv4 connection is faster. You could use Linux command line tools like wget and add the argument '-6' to see if your IPv6 connection works. Nevertheless, most "view your IP address" tools or sites correctly showed the IPv6 address of my router when using NAT6.

One thing you might try is to disable the firewall option "Drop invalid packets". In a recent commit to LEDE, I read that it might be better to disable it by default as it may filter ICMPv6 messages before your firewall rules to allow them are applied.

Regards,

Timo

Hi Timo,

thank you for your reply.

I use this website http://ipv6-test.com/  which says everything ok except ICMP are filtered.

I haven't found any ipv6 sites that don't work. I tested ipv6.google.com and a few others and they all work.

But with exactly this setup, a 100% copy of the settings on my E3000 OpenWrt, I get all green at ipv6-test
and ICMP is not filtered.

But on the E3000 I use older sources. So my guesses are:

either some of the more recent commits break something,

or the USB-ETH adapter is maybe not 100% supported? Could that be the case?

Or Rpi3 generally is bugged?

Anyway, I'm now recompiling and going to setup the v6brouter, maybe it's a better solution.

I did get it to work with the old compile I used for NAT6 but the connection was playing Ping-Pong

So I thought I try that from scratch.

a few packages don't compile though. I use IGNORE_ERRORS=1 to bypass them.

ebtables/kmod-ipt-nat6, actually all I need, is compiled without errors though. So it should be working, right?
"Drop invalid packets" and literally every other setting I already tried. I really tried everything.

I literally told the firewall even "forward everything" and "input everything", kind of like opening the gates of hell if a hacker knew. (Don't worry, the test case I'm working on is not connected to the rest of the network.)

Anyway, it all seems to be working.
I just don't like it if not everything is "green" on the ipv6-test.com while everything is green on the E3000 running openWRT.

And although it should work without ICMP, I read that verification and control packets are handled over the ICMP protocol and it can slow the internet experience if it's not working.

so I rather have everything setup the way it's intended to work.

Anyway, thanks, your comments are always helpful!
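Timo's point above that filtering ICMPv6 "usually doesn't completely break things" but makes faults harder to find, and mrgenie's remark that control packets travel over ICMP, both come down to the same check: which ICMPv6 types does the firewall explicitly accept, for traffic to the router (INPUT) and for traffic it forwards to the LAN (FORWARD)? The script below is an added example, not code from the thread, from the NAT6 wiki script or from OpenWrt; it parses an `ip6tables --list` dump for that answer and emits `uci` commands in the shape of OpenWrt's default Allow-ICMPv6-Input / Allow-ICMPv6-Forward rules for whatever is missing. The sample dump is a constructed excerpt of the listing posted above, and the chain names assume the default fw3 zones "wan" and "lan".

```python
"""Audit an `ip6tables --list` dump for the ICMPv6 types a firewall should
pass, and emit OpenWrt UCI commands for the ones it does not.  Added example
for this thread, not code from the original posts or from OpenWrt itself."""
import re

# Types OpenWrt's own Allow-ICMPv6-Input/-Forward rules accept, following the
# RFC 4890 advice that error messages (Packet Too Big above all, since IPv6
# routers never fragment and rely on PMTUD) and echo must not be dropped.
REQUIRED_FORWARD = {
    "destination-unreachable", "packet-too-big", "time-exceeded",
    "bad-header", "unknown-header-type", "echo-request", "echo-reply",
}
# Traffic addressed to the router itself additionally needs Neighbor
# Discovery (ip6tables spells these "neighbour").
REQUIRED_INPUT = REQUIRED_FORWARD | {
    "router-solicitation", "router-advertisement",
    "neighbour-solicitation", "neighbour-advertisement",
}
# fw3 chains where WAN-originated ICMPv6 is decided (assumption: zone "wan").
CHAINS = {"input": ("INPUT", "zone_wan_input"),
          "forward": ("FORWARD", "zone_wan_forward")}

# Constructed excerpt of the listing posted in the thread.
SAMPLE_DUMP = """\
Chain FORWARD (policy DROP)
target     prot opt source   destination
ACCEPT     all      anywhere anywhere  ctstate RELATED,ESTABLISHED
zone_wan_forward  all  anywhere anywhere

Chain zone_wan_forward (1 references)
target     prot opt source   destination
zone_lan_dest_ACCEPT  esp  anywhere anywhere  /* @rule[6] */
zone_lan_dest_ACCEPT  udp  anywhere anywhere  udp dpt:isakmp /* @rule[7] */
zone_wan_dest_REJECT  all  anywhere anywhere

Chain zone_wan_input (1 references)
target     prot opt source   destination
ACCEPT     ipv6-icmp  fe80::/10 anywhere  ipv6-icmptype 130 code 0 /* Allow-MLD */
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp echo-reply limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp router-solicitation limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp router-advertisement limit: avg 1000/sec burst 5
ACCEPT     ipv6-icmp  anywhere anywhere  ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5
zone_wan_src_REJECT  all  anywhere anywhere
"""


def accepted_icmpv6(dump):
    """Map chain name -> named ICMPv6 types reached by an ACCEPT-ing target.
    Numeric `ipv6-icmptype N` matches (MLD here) are deliberately ignored."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = set()
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        target = line.split()[0]
        # The prot column is "ipv6-icmp" followed by padding; only the match
        # clause "ipv6-icmp <name>" has a single space before a letter.
        t = re.search(r"ipv6-icmp ([a-z][a-z-]*)", line)
        if t and target.endswith("ACCEPT"):
            chains[current].add(t.group(1))
    return chains


def audit(dump):
    """Return {"input": missing types, "forward": missing types}."""
    chains = accepted_icmpv6(dump)
    result = {}
    for role, names in CHAINS.items():
        seen = set().union(*(chains.get(n, set()) for n in names))
        required = REQUIRED_INPUT if role == "input" else REQUIRED_FORWARD
        result[role] = required - seen
    return result


def uci_rule(name, src, dest, types, limit="1000/sec"):
    """UCI commands for one rule in the shape of OpenWrt's default ICMPv6
    rules; `dest=None` yields an input rule, dest='*' a forward rule."""
    cmds = ["uci add firewall rule",
            f"uci set firewall.@rule[-1].name='{name}'",
            f"uci set firewall.@rule[-1].src='{src}'"]
    if dest:
        cmds.append(f"uci set firewall.@rule[-1].dest='{dest}'")
    cmds += ["uci set firewall.@rule[-1].proto='icmp'",
             "uci set firewall.@rule[-1].family='ipv6'",
             f"uci set firewall.@rule[-1].limit='{limit}'",
             "uci set firewall.@rule[-1].target='ACCEPT'"]
    cmds += [f"uci add_list firewall.@rule[-1].icmp_type='{t}'" for t in sorted(types)]
    return cmds


def remediation(dump):
    """UCI commands adding rules for whatever audit() found missing."""
    missing, cmds = audit(dump), []
    if missing["input"]:
        cmds += uci_rule("Allow-ICMPv6-Input", "wan", None, missing["input"])
    if missing["forward"]:
        cmds += uci_rule("Allow-ICMPv6-Forward", "wan", "*", missing["forward"])
    if cmds:
        cmds += ["uci commit firewall", "/etc/init.d/firewall restart"]
    return cmds


if __name__ == "__main__":
    for role, miss in audit(SAMPLE_DUMP).items():
        print(f"{role}: missing {sorted(miss) or 'nothing'}")
    print("\n".join(remediation(SAMPLE_DUMP)))
```

On the posted listing the input side is complete (the Allow-ICMPv6-Input set is all there) and the forward side has no explicit ICMPv6 rule at all, so the script emits an Allow-ICMPv6-Forward rule. One caveat: the FORWARD chain's `ctstate RELATED,ESTABLISHED` accept already lets conntrack pass ICMPv6 errors that belong to a tracked flow, so the audit reports only what is missing as an explicit rule, not necessarily what is being dropped; echo requests toward LAN hosts are the clearest case an explicit rule covers, and under NAT6 inbound echo to the router's own address is decided in INPUT anyway.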

mrgenie wrote:

Hi Timo,

thank you for your reply.

I use this website http://ipv6-test.com/  which says everything ok except ICMP are filtered.

Is it bad to have ICMP filtered?

The discussion might have continued from here.