IPv6 ICMP blocked by firewall?

arantius

New Member
Dec 12, 2024
3
1
3
Datacenter, node, all VMs/CTs: Firewall>Options>Firewall is "Yes". All my intended firewall rules are in place.

Datacenter, node, VM: Firewall rule includes in/accept/icmp at all levels.

VM: real (TCP) services work as intended, over IPv4 and IPv6. Ping to that VM's IPv4: works as intended. Ping to that VM's IPv6: nothing, never any response.

At the node level, enable log_level_in and see e.g.:

Code:
0 6 PVEFW-HOST-IN 20/Jan/2025:10:43:12 -0500 policy DROP: IN=vmbr0 PHYSIN=eno1 MAC=00:...:dd SRC=2600:...:2575 DST=2607:...::2 LEN=64 TC=0 FLOWLBL=106118 HOPLIMIT=54 PROTO=ICMPV6 TYPE=128 CODE=0 ID=8665 SEQ=6

The Proxmox firewall is dropping my incoming pings as best I can tell. Indeed type 128 is echo request, and I'm getting policy DROP. But my firewall rules say "accept ICMP" everywhere I can set that. How do I allow ping to the IPv6 address(es) of my nodes? (In the UI specifying "icmp6" or "icmpv6" as the protocol says "invalid value" and disables the Add button.)
 
ICMP indeed only entails the ICMP protocol for IPv4. In the protocol dropdown of the firewall rules the respective entry is called ipv6-icmp. I just tried adding a rule for that and it worked for me.
 
So easy, thank you! Apparently the UI's protocol box does a prefix match, not a substring match. Typing "ic" matches "icmp" but not "ipv6-icmp". And I had failed to ever notice the latter.

Adding allow "ipv6-icmp" to data center did nothing for my pings. Adding it at node level affects whether the host node answers. Adding it to the VM affects whether that VM answers. (Separately: I'm still unclear how these various levels of firewall rules are supposed to interact. But that's a separate thread, if/when I decide to ask about that.)
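As an added illustration (not code from the thread or from Proxmox), the following script parses log lines in the layout quoted above, separates IPv4 ICMP drops from ICMPv6 drops, and reports at which level (node for vmid 0 / PVEFW-HOST-IN, otherwise the guest with that vmid) an "icmp" or "ipv6-icmp" rule is missing. The sample log is constructed with documentation addresses, and the guest chain name "tap100i0-IN" is an assumption about Proxmox's per-NIC chain naming.

```python
import re

# Constructed sample in the pve-firewall log layout quoted in the post:
# "<vmid> <loglevel> <chain> <timestamp> <verdict>: <key=value ...>".
# Addresses/MACs are placeholders; the guest chain name is assumed.
SAMPLE_LOG = """\
0 6 PVEFW-HOST-IN 20/Jan/2025:10:43:12 -0500 policy DROP: IN=vmbr0 PHYSIN=eno1 MAC=00:11:22:33:44:55 SRC=2001:db8::1 DST=2001:db8::2 LEN=64 TC=0 FLOWLBL=106118 HOPLIMIT=54 PROTO=ICMPV6 TYPE=128 CODE=0 ID=8665 SEQ=6
0 6 PVEFW-HOST-IN 20/Jan/2025:10:43:13 -0500 policy DROP: IN=vmbr0 PHYSIN=eno1 MAC=00:11:22:33:44:55 SRC=2001:db8::1 DST=2001:db8::2 LEN=64 TC=0 FLOWLBL=106118 HOPLIMIT=54 PROTO=ICMPV6 TYPE=135 CODE=0
0 6 PVEFW-HOST-IN 20/Jan/2025:10:43:14 -0500 policy DROP: IN=vmbr0 PHYSIN=eno1 MAC=00:11:22:33:44:55 SRC=192.0.2.10 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=8666 SEQ=1
100 6 tap100i0-IN 20/Jan/2025:10:43:15 -0500 policy DROP: IN=vmbr0 PHYSIN=fwbr100i0 MAC=00:11:22:33:44:66 SRC=2001:db8::1 DST=2001:db8::64 LEN=64 TC=0 FLOWLBL=1 HOPLIMIT=54 PROTO=ICMPV6 TYPE=128 CODE=0 ID=1 SEQ=1
"""

LINE_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) (?P<ts>\S+ [+-]\d{4}) "
    r"(?P<verdict>[^:]+): (?P<fields>.*)$"
)

# Rule protocol names in Proxmox: "icmp" is IPv4 only, IPv6 needs "ipv6-icmp".
RULE_PROTO = {"ICMP": "icmp", "ICMPV6": "ipv6-icmp"}
ECHO_REQUEST = {"ICMP": 8, "ICMPV6": 128}   # echo-request type per protocol

def parse_line(line):
    """Parse one log line into a dict; None if it is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for kv in m["fields"].split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields.setdefault(k, v)   # IPv4 lines carry ID= twice; keep the first
    return {"vmid": int(m["vmid"]), "chain": m["chain"], "verdict": m["verdict"].strip(),
            "proto": fields.get("PROTO"), "src": fields.get("SRC"), "dst": fields.get("DST"),
            "type": int(fields["TYPE"]) if "TYPE" in fields else None}

def dropped_icmp(log_text):
    """All ICMP/ICMPv6 drops, annotated with the level and rule protocol that would allow them."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or "DROP" not in e["verdict"] or e["proto"] not in RULE_PROTO:
            continue
        # vmid 0 (chain PVEFW-HOST-IN) is the node's own firewall; anything else is a guest.
        e["level"] = "node" if e["vmid"] == 0 else f"guest {e['vmid']}"
        e["rule_proto"] = RULE_PROTO[e["proto"]]
        e["is_echo_request"] = e["type"] == ECHO_REQUEST[e["proto"]]
        out.append(e)
    return out

def needed_rules(log_text):
    """Distinct (level, protocol-name) pairs an ACCEPT rule is missing for."""
    return sorted({(e["level"], e["rule_proto"]) for e in dropped_icmp(log_text)})

if __name__ == "__main__":
    for level, proto in needed_rules(SAMPLE_LOG):
        print(f"{level}: add IN ACCEPT rule with protocol {proto}")
```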
 
I'm noticing the same issue here. IPv4 ICMP works fine, but IPv6 ICMP is being dropped by the firewall.

I've found if I leave the ICMP type field empty, this allows IPv6 pings to work successfully.

But if I have type 128 (echo-request) selected for the (IPv6) ICMP type field, the firewall drops pings again.

I have ACCEPT configured for output, so it's not an issue of the reply not being able to get back out.

While I'm honestly perfectly fine with allowing all ICMP types through the firewall, I'm more or less just generally curious as to why this isn't working at this point.
 
Thanks for the quick fix! While it definitely looks like there was a bug there with the mixup between dport and icmp-type, I'm not sure that patch is relevant to my case as I'm not using the Macro field in the edit rule dialog here. I could also just be misunderstanding your changes though.