The firewall appears to prevent ICMPv6 Packet to Big which breaks PMTU

I’ve been running some tests using ICSI Netalyzr and from the results it would appear, with the firewall enabled, I am unable to send or receive ICMPv6 Packet to Big (ICMPv6 Type 2) messages, which breaks PMTU.

With the firewall installed, even if it’s disabled, I get the response seen in the image. If I remove the firewall entirely, all IPv6 tests pass.

I have tried the firewall in different modes from a default installation through to custom policy mode with alerts on very high. I also played around with both Global and Application rules, for example allowing IP In/OUT for IP any and specifically ICMPv6, but the only alerts generated and logged are for link local multicasts.

I’d appreciate anyone with IPv6 installed and enabled (with a valid ipv6 internet connection) trying the test and reporting back.


Edit: Performed some additional tests against my router by setting the ipv6 MTU to a smaller size than the default, which should generate a Packet to big message. Unfortunately, the firewall is not generating any alerts or log entries for ICMPv6, the packets just fail.

I’ll see what’s happening in wireshark next.

[attachment deleted by admin]

Now; I’m just curious here; Did you enable “IPv6 Filtering”? then run Stealth Ports Wizard or Edit Global Rules Accordingly ?

Hi Jacob. ipv6 filtering is enabled and global rules were edited manually. In an attempt to capture any information, I created a single rule to Allow IP IN/OUT with logging. The multicasts I mentioned in the earlier post were the only icmpv6 entries.

I did some tests with wireshark and it seems to confirm that CIS is not recognising the packets.

Internet Protocol Version 6, Src: 2001:470:****:823::1 (2001:470:****:823::1), Dst: 2001:470:****:823:a432:f1a8:169f:7222 (2001:470:****:823:a432:f1a8:169f:7222) 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000) .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set .... .... ...0 .... .... .... .... .... = ECN-CE: Not set .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 1240 Next header: ICMPv6 (0x3a) Hop limit: 64 Source: 2001:470:****:823::1 (2001:470:****:823::1) Destination: 2001:470:****:823:a432:f1a8:169f:7222 (2001:470:****:823:a432:f1a8:169f:7222) Internet Control Message Protocol v6 Type: 2 (Too big) Code: 0 (Unknown) Checksum: 0xe645 [correct] MTU: 1440

There are only two log entries for icmpv6 using the tunnel address as opposed to the link local, one for ping -6 which was me testing connectivity and the other for a router advertisement.

As I mentioned earlier, because the firewall is failing to allow these message types through, attempting to reach an ipv6 site via the browser will fail, if the ipv6 mtu on the system is larger than the allowed size for the underlying network.

Edit: It also appears that Neighbour Solicitation and Neighbour Advertisements are not being recognised either.