IPv6 ICMP blocked by firewall?

[arantius]

Datacenter, node, all VMs/CTs: Firewall>Options>Firewall is "Yes". All my intended firewall rules are in place.

Datacenter, node, VM: Firewall rule includes in/accept/icmp at all levels.

VM: real (TCP) services work as intended, over IPv4 and IPv6. Ping to that VM's IPv4: works as intended. Ping to that VM's IPv6: nothing, never any response.

At the node level, enable log_level_in and see e.g.:

0 6 PVEFW-HOST-IN 20/Jan/2025:10:43:12 -0500 policy DROP: IN=vmbr0 PHYSIN=eno1 MAC=00:...:dd SRC=2600:...:2575 DST=2607:...::2 LEN=64 TC=0 FLOWLBL=106118 HOPLIMIT=54 PROTO=ICMPV6 TYPE=128 CODE=0 ID=8665 SEQ=6

The proxmox firewall is dropping my incoming pings as best I can tell. Indeed type 128 is echo request, and I'm getting policy DROP. But my firewall rules say "accept ICMP" everywhere I can set that. How do I allow ping to the IPv6 address(es) of my nodes? (In the UI specifying "icmp6" or "icmpv6" as the protocol says "invalid value" and disables the Add button.)

 

[shanreich]

ICMP indeed only entails the ICMP protocol for IPv4. In the protocol dropdown of the firewall rules the respective entry is called ipv6-icmp. I just tried adding a rule for that and it worked for me.

 

[arantius]

So easy, thank you! Apparently the UI's protocol box does a prefix match, not a substring match. Typing "ic" matches "icmp" but not "ipv6-icmp". And I had failed to ever notice the latter.

Adding allow "ipv6-icmp" to data center did nothing for my pings. Adding it at node level affects whether the host node answers. Adding it to the VM affects whether that VM answers. (Separately: I'm still unclear how these various levels of firewall rules are supposed to interact. But that's a separate thread, if/when I decide to ask about that.)