Firewall policie OUTSIDE-LOCAL blocks whole ipv6 traffic

ha1r · February 14, 2021, 2:46pm

Hi,
if I apply the following firewall policie with the command

set interfaces ethernet eth0 firewall local ipv6-name OUTSIDE-LOCALv6

the ipv6 traffic of all devices behind the vyos router is blocked. I have the same policie for ipv4(with nat) which is working just fine.

ipv6-name OUTSIDE-LOCALv6 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 200 {
action accept
icmpv6 {
type echo-request
}
protocol icmpv6Preformatted text
state {
new enable
}
}
rule 300 {
action accept
description “Wireguard VPN”
destination {
port 51820
}
protocol udp
}
}

If this policie is enabeld, the vyos router and devices behind it can’t ping ipv6 adresses outside the LAN.

Dmitry · February 14, 2021, 5:12pm

Hello @ha1r, I think you need to modify your rule or add a new one to accepting all icmpv6.

set firewall ipv6-name OUTSIDE-LOCALv6 rule 400 action 'accept'
set firewall ipv6-name OUTSIDE-LOCALv6 rule 400 protocol 'icmpv6'

It looks like your uplink loses icmpv6 connection.

system · February 16, 2021, 5:12pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.