Hello,
I’m new to VyOS (coming from pfSense) and am now setting up VyOS 1.3.2 on a bare-metal server that I will use as a home router/firewall.
I’ve set up IPv6 network using DHCPv6 prefix delegation, and am working on configuring firewall rules for IPv6.
I’m struggling to understand some state-filtering firewall rule behaviour that I’m seeing.
I have the following firewall config to filter IPv6 packets sent from WAN to the router.
    ipv6-name WAN-LOCAL-6 {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            log enable
            protocol ipv6-icmp
            state {
                new enable
            }
        }
        rule 25 {
            action accept
            hop-limit {
                eq 255
            }
            icmpv6 {
                type 134
            }
            log enable
            protocol icmpv6
        }
        rule 30 {
            action accept
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
Somehow the “state {new enable}” in rule 20 doesn’t seem to work and is breaking the IPv6 networking (e.g. I can’t even ping6 google.com from the VyOS machine).
In the firewall logs I see that ICMPv6 packets TYPE 135 and 136 (Neighbor Solicitation and Advertisement) are being dropped by the default action.
If the state of these ICMPv6 packets is not new (but established or related), I would expect them to be accepted by rule 5, but clearly it’s not happening because the packets are being dropped.
If I remove the “state {new enable}” from rule 20, IPv6 networking starts to work: all the ICMPv6 packets are accepted by rule 20, I can visit IPv6 addresses, etc.
What am I missing here? Does stateful filtering not work with the ICMPv6 protocol?
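Added example (not from the post or from VyOS): a small audit over constructed firewall log lines in the style the post describes. Linux conntrack does not create a flow for NDP (types 133-136) and MLD (130-132, 143) ICMPv6 packets; it marks them untracked, so a rule matching `state new` (or established/related) can never see them and they fall through to the default drop. The log line layout and the `[CHAIN-RULE-VERDICT]` prefix are assumptions approximating the VyOS 1.3 kernel log format.

```python
import re
from typing import Optional

# ICMPv6 types Linux conntrack leaves UNTRACKED (nf_conntrack_proto_icmpv6.c):
# MLD query/report/done (130-132), NDP RS/RA/NS/NA (133-136), MLDv2 report (143).
# A firewall rule with "state new" never matches these packets.
UNTRACKED_ICMPV6 = {130, 131, 132, 133, 134, 135, 136, 143}

# Assumed VyOS 1.3 log prefix "[<chain>-<rule|default>-<A|D>]" followed by kernel
# LOG fields such as PROTO=... and, for ICMPv6, TYPE=...
LOG_RE = re.compile(
    r"\[(?P<chain>[A-Za-z0-9-]+?)-(?P<rule>default|\d+)-(?P<verdict>[AD])\]"
    r".*?PROTO=(?P<proto>\S+)(?:.*?TYPE=(?P<type>\d+))?"
)

# Constructed sample lines mirroring what the post reports (NS/NA dropped by default).
SAMPLE_LOG = [
    "kernel: [WAN-LOCAL-6-default-D]IN=eth0 OUT= SRC=fe80::1 DST=ff02::1:ff00:2 "
    "LEN=72 HOPLIMIT=255 PROTO=ICMPv6 TYPE=135 CODE=0",
    "kernel: [WAN-LOCAL-6-default-D]IN=eth0 OUT= SRC=fe80::1 DST=fe80::2 "
    "LEN=72 HOPLIMIT=255 PROTO=ICMPv6 TYPE=136 CODE=0",
    "kernel: [WAN-LOCAL-6-20-A]IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 "
    "LEN=104 HOPLIMIT=57 PROTO=ICMPv6 TYPE=129 CODE=0",
    "kernel: [WAN-LOCAL-6-default-D]IN=eth0 OUT= SRC=2001:db8::9 DST=2001:db8::2 "
    "LEN=60 HOPLIMIT=50 PROTO=TCP SPT=40000 DPT=22",
]

def parse_log(line: str) -> Optional[dict]:
    """Extract chain, rule, verdict, protocol and ICMPv6 type from one log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"]) if rec["type"] else None
    return rec

def conntrack_state(icmpv6_type: int) -> str:
    """Conntrack never tracks NDP/MLD, so state-based rules cannot match them."""
    return "untracked" if icmpv6_type in UNTRACKED_ICMPV6 else "tracked"

def audit(lines) -> list:
    """Return (chain, type) for dropped ICMPv6 packets that only a stateless rule
    (no 'state' clause, or 'state untracked' where supported) could have accepted."""
    findings = []
    for line in lines:
        rec = parse_log(line)
        if not rec or rec["verdict"] != "D" or rec["proto"] != "ICMPv6":
            continue
        if rec["type"] is not None and conntrack_state(rec["type"]) == "untracked":
            findings.append((rec["chain"], rec["type"]))
    return findings
```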