• Filered ICMP6 issue...

    From Michiel van der Vlist@2:280/5555 to All on Sun Aug 12 16:01:19 2018
    Hello All,

    Two weeks ago my ISP dumped a firmware update on my router. There may or may not be a connection, but I now get ony 18/20 from http://ipv6-test.com/. The comment is that my router or firewall is filtering ICMPV6.

    Before I start complaining to my ISP, I would like to make sure that it is not due to some change on the part of ipv6-test.com.

    Wilfred says he has the same message, but I would like some more comfirmation. Does anyone NOT get the "filtered ICMPV6" message from ipv6-test.com?


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Markus Reschke@2:240/1661 to Michiel van der Vlist on Sun Aug 12 16:41:56 2018
    Hello Michiel!

    Aug 12 16:01 2018, Michiel van der Vlist wrote to All:

    MvdV> Before I start complaining to my ISP, I would like to make sure
    MvdV> that it is not due to some change on the part of ipv6-test.com.

    MvdV> Wilfred says he has the same message, but I would like some more
    MvdV> comfirmation. Does anyone NOT get the "filtered ICMPV6" message
    MvdV> from ipv6-test.com?

    I get 20/20 with a RFC4890 based ICMP filter set.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Björn Felten@2:203/2 to Michiel van der Vlist on Sun Aug 12 17:26:27 2018
    MvdV> Does anyone NOT get the "filtered ICMPV6" message from ipv6-test.com?

    I don't. I get the usual 20/20 vision.



    ..

    --- Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.1.16) Gecko/20101125
    * Origin: news://eljaco.se (2:203/2)
  • From Tommi Koivula@2:221/6 to Michiel van der Vlist on Sun Aug 12 18:26:22 2018

    12 Aug 18 16:01:18, you wrote to All:

    Two weeks ago my ISP dumped a firmware update on my router.

    My ISP has no access to any of my routers.

    There may or may not be a connection, but I now get ony 18/20 from http://ipv6-test.com/. The comment is that my router or firewall is filtering ICMPV6.

    Before I start complaining to my ISP, I would like to make sure that it is not due to some change on the part of ipv6-test.com.

    Wilfred says he has the same message, but I would like some more comfirmation. Does anyone NOT get the "filtered ICMPV6" message from ipv6-test.com?

    ICMP Reachable

    20 / 20

    'Tommi

    ---
    * Origin: 2001:470:1f15:cb0:f1d0:2:221:6 (2:221/6)
  • From Michiel van der Vlist@2:280/5555 to Markus Reschke on Sun Aug 12 22:12:45 2018
    Hello Markus,

    On Sunday August 12 2018 16:41, you wrote to me:

    MvdV>> Before I start complaining to my ISP, I would like to make sure
    MvdV>> that it is not due to some change on the part of ipv6-test.com.

    MvdV>> Wilfred says he has the same message, but I would like some
    MvdV>> more comfirmation. Does anyone NOT get the "filtered ICMPV6"
    MvdV>> message from ipv6-test.com?

    I get 20/20 with a RFC4890 based ICMP filter set.

    That confirms the problem is on my end. Thank you.

    I just found the button to completely disable the IPv6 firewall. I get 20/20 with the IPv6 firewall disabled. I should have thought about that before, but I was stuck with a setting somewehere else that said "block ICMP". That did not make any difference...

    I am a bit reluctant to complain with the ISP because their "standard" solution seems to be to send a new modem/router. That will almost certainly make me lose Dual Stack. This particular model is the only one configured for Dual Stack and it is being fased out. The newer models are configured IOv4 only for existing customers and DS-Lite for new customers...


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Michiel van der Vlist@2:280/5555 to Björn Felten on Sun Aug 12 22:19:13 2018
    Hello Bj”rn,

    On Sunday August 12 2018 17:26, you wrote to me:

    MvdV>> Does anyone NOT get the "filtered ICMPV6" message from
    MvdV>> ipv6-test.com?

    I don't. I get the usual 20/20 vision.

    Thanks.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Michiel van der Vlist@2:280/5555 to Tommi Koivula on Sun Aug 12 22:19:29 2018
    Hello Tommi,

    On Sunday August 12 2018 18:26, you wrote to me:

    Two weeks ago my ISP dumped a firmware update on my router.

    My ISP has no access to any of my routers.

    I was not exactly acurate. It is their router actually.

    I would like to have my own router, one that I and I alone control, but having their router is the only way to have dual stack at the moment. For customers with their own router it is IPv4 only. :(

    Before I start complaining to my ISP, I would like to make sure
    that it is not due to some change on the part of ipv6-test.com.

    The reason I do not want to make too much noise it that the situation regarding my modem is a tad irregular. It is my modem because I bought it on "Marktplaats", the local equivalent of E-Bay and I paid for it. EUR 25. But.. it is their modem because they issue "free" modems to customers on a loan basis. These modems are not supposed to be offered on the market to begin with.

    I managed to register it in November 2016 with a registration code I had from a previous modem. A procedure that is no longer possible.

    So I have a modem that I am not really supposed to have...

    Miracles often disappear when they attract too much attention...

    Wilfred says he has the same message, but I would like some more
    comfirmation. Does anyone NOT get the "filtered ICMPV6" message
    from ipv6-test.com?

    I think Wilfred has a problem too...

    ICMP Reachable

    20 / 20

    Thanks.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Wilfred van Velzen@2:280/464 to Michiel van der Vlist on Sun Aug 12 22:53:00 2018
    Hi Michiel,

    On 2018-08-12 22:19:29, you wrote to Tommi Koivula:

    Wilfred says he has the same message, but I would like some more
    comfirmation. Does anyone NOT get the "filtered ICMPV6" message
    from ipv6-test.com?

    MvdV> I think Wilfred has a problem too...

    My ipv6 connection seems to be working fine. Only ipv6-test.com says I have a problem. I'm not really bothered...

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Michiel van der Vlist@2:280/5555.1 to Wilfred van Velzen on Mon Aug 13 00:09:41 2018
    Hello Wilfred,

    On Sunday August 12 2018 22:53, you wrote to me:

    MvdV>> I think Wilfred has a problem too...

    My ipv6 connection seems to be working fine. Only ipv6-test.com says I have a problem. I'm not really bothered...

    I see no problems either. Everything /seems/ to be working. But the error message from ipv6-test.com does bother me. Until I know more, I am not prepaired to just ignore it. Yet...


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20130111
    * Origin: Michiel's laptop (2:280/5555.1)
  • From Tony Langdon@3:633/410 to Michiel van der Vlist on Mon Aug 13 08:55:00 2018
    On 08-12-18 16:01, Michiel van der Vlist wrote to All <=-

    Hello All,

    Two weeks ago my ISP dumped a firmware update on my router. There may
    or may not be a connection, but I now get ony 18/20 from http://ipv6-test.com/. The comment is that my router or firewall is filtering ICMPV6.

    I get the same result, even though I explicitly allow ICMP messages to my router.


    ... This tagline is bi-lingual. English and Australian.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Michiel van der Vlist@2:280/5555 to Tony Langdon on Mon Aug 13 22:41:42 2018
    Hello Tony,

    On Monday August 13 2018 08:55, you wrote to me:

    Two weeks ago my ISP dumped a firmware update on my router. There
    may or may not be a connection, but I now get ony 18/20 from
    http://ipv6-test.com/. The comment is that my router or firewall is
    filtering ICMPV6.

    I get the same result, even though I explicitly allow ICMP messages to
    my router.

    Have you tried to determine if it is indeed the router and not the local firewall on the system doing the test?


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Tony Langdon@3:633/410 to Michiel van der Vlist on Tue Aug 14 22:25:00 2018
    On 08-13-18 22:41, Michiel van der Vlist wrote to Tony Langdon <=-

    Have you tried to determine if it is indeed the router and not the
    local firewall on the system doing the test?

    Good point. I am using Windows Firewall.


    ... The word 'meaningful' when used today is nearly always meaningless.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Benny Pedersen@2:230/0 to Markus Reschke on Tue Aug 14 13:47:58 2018
    Hello Markus!

    12 Aug 2018 16:41, Markus Reschke wrote to Michiel van der Vlist:

    I get 20/20 with a RFC4890 based ICMP filter set.

    not all isps knows that rfcs in detail

    or modem and or router firmware does not care of it

    i am happy with shorewall


    Regards Benny

    ... there can only be one way of life, and it works :)

    --- Msged/LNX 6.1.2 (Linux/4.18.0-gentoo (x86_64))
    * Origin: I will always keep a PC running CPM 3.0 (2:230/0)
  • From Markus Reschke@2:240/1661 to Benny Pedersen on Tue Aug 14 18:52:52 2018
    Hi Benny!

    Aug 14 13:47 2018, Benny Pedersen wrote to Markus Reschke:

    I get 20/20 with a RFC4890 based ICMP filter set.

    not all isps knows that rfcs in detail

    Everyone dealing with firewalls/ACLs should know that RFC or its existence at least. Its the essential rule set for making IPv6 work.

    or modem and or router firmware does not care of it

    The vendors of the small plastic routers are trying to motivate you to buy a new box every two years. A lot of those plastic boxes supporting IPv6 still don't have a proper IPv6 firewall. The sad thing is that the box' firmware (typically linux) has full IPv6 support, just the web UI lacks the option for configuring all the IPv6 goodness.

    i am happy with shorewall

    Nearly all open source firewalls/routers are far ahead of commercial plastic boxes.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Michiel van der Vlist@2:280/5555 to Tony Langdon on Tue Aug 14 22:22:38 2018
    Hello Tony,

    On Tuesday August 14 2018 22:25, you wrote to me:

    Have you tried to determine if it is indeed the router and not
    the local firewall on the system doing the test?

    Good point. I am using Windows Firewall.

    In the advanced setting of the Windows firewall I have the following settings for IPv6:

    - Allow PING
    - Allow Packet too large

    The rest is blocked. It may be too strict for RFC4890, but is is good enough for http://ipv6-test.com.


    What settings do you have?


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Michiel van der Vlist@2:280/5555 to Markus Reschke on Tue Aug 14 22:32:50 2018
    Hello Markus,

    On Tuesday August 14 2018 18:52, you wrote to Benny Pedersen:

    Nearly all open source firewalls/routers are far ahead of commercial plastic boxes.

    Unfortunately here in The Netherlands some ISPs still saddle us with "Zwangsrouter". At least that is my present situation when I want native IPv6.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Tony Langdon@3:633/410 to Michiel van der Vlist on Wed Aug 15 08:06:00 2018
    On 08-14-18 22:22, Michiel van der Vlist wrote to Tony Langdon <=-

    In the advanced setting of the Windows firewall I have the following settings for IPv6:

    - Allow PING
    - Allow Packet too large

    The rest is blocked. It may be too strict for RFC4890, but is is good enough for http://ipv6-test.com.

    I temporarily turned Windows Firewall off, no change. :(


    What settings do you have?

    I allow all core networking features.


    ... Beware of geeks bearing GIFs.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Tony Langdon@3:633/410 to Benny Pedersen on Wed Aug 15 08:21:00 2018
    On 08-14-18 13:47, Benny Pedersen wrote to Markus Reschke <=-

    i am happy with shorewall

    Good choice, I used it many years ago, was very impressed. Easy to configure and worked well.


    ... Morality consists in suspecting other people of not being legally married. === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Michiel van der Vlist@2:280/5555.1 to Tony Langdon on Wed Aug 15 01:05:30 2018
    Hello Tony,

    On Wednesday August 15 2018 08:06, you wrote to me:

    The rest is blocked. It may be too strict for RFC4890, but is is
    good enough for http://ipv6-test.com.

    I temporarily turned Windows Firewall off, no change. :(

    So it is your router that is the problem?

    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20130111
    * Origin: Michiel's laptop (2:280/5555.1)
  • From Benny Pedersen@2:230/0 to Michiel van der Vlist on Tue Aug 14 23:47:58 2018
    Hello Michiel!

    14 Aug 2018 22:22, Michiel van der Vlist wrote to Tony Langdon:

    MvdV> - Allow PING

    this could drain your internet to the knees, you must make sure to reatelimit that allows

    MvdV> - Allow Packet too large

    insecure imho

    MvdV> The rest is blocked. It may be too strict for RFC4890, but is is
    MvdV> good enough for http://ipv6-test.com.

    if you make rfc4890 right, there is no need for test sites

    MvdV> What settings do you have?

    not using windows firewalls


    Regards Benny

    ... there can only be one way of life, and it works :)

    --- Msged/LNX 6.1.2 (Linux/4.18.0-gentoo (x86_64))
    * Origin: I will always keep a PC running CPM 3.0 (2:230/0)
  • From Markus Reschke@2:240/1661 to Benny Pedersen on Wed Aug 15 03:07:44 2018
    Hi Benny!

    Aug 14 23:47 2018, Benny Pedersen wrote to Michiel van der Vlist:

    MvdV>> - Allow PING

    this could drain your internet to the knees, you must make sure to reatelimit that allows

    +1 :)

    MvdV>> - Allow Packet too large

    insecure imho

    It's necessary for Path MTU Discovery. But there also an additional method not based on ICMP. Anyway, in IPv6 routers don't perform packet fragmentation as in IPv4. So the endpoints have to take care about the MTU via Path MTU Discovery.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Tony Langdon@3:633/410 to Michiel van der Vlist on Wed Aug 15 11:41:00 2018
    On 08-15-18 01:05, Michiel van der Vlist wrote to Tony Langdon <=-

    Hello Tony,

    On Wednesday August 15 2018 08:06, you wrote to me:

    The rest is blocked. It may be too strict for RFC4890, but is is
    good enough for http://ipv6-test.com.

    I temporarily turned Windows Firewall off, no change. :(

    So it is your router that is the problem?

    Looks like it. :( Unfortunately, that's not going to be easy to test, and ipv6test.com doesn't provide any more detail.




    ... If silly had wings, this place would be an airport!
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Janne Johansson@2:221/6 to Benny Pedersen on Wed Aug 15 10:18:38 2018
    On 2018-08-15 01:47, Benny Pedersen : Michiel van der Vlist wrote:
     MvdV> - Allow Packet too large

    insecure imho

    Seems a little bit unsubstantiated with such a blanket statement.
    Care to add facts?

    ---
    * Origin: - nntp://news.fidonet.fi - Lake Ylo - Finland - (2:221/6)
  • From Richard Menedetter@2:310/31 to Benny Pedersen on Wed Aug 15 16:21:34 2018
    Hi Benny!

    14 Aug 2018 23:47, from Benny Pedersen -> Michiel van der Vlist:

    MvdV>> - Allow Packet too large
    insecure imho

    This is needed for path MTU discovery.

    CU, Ricsi

    ... You can have my sword when you pry it from my dead hands!
    --- GoldED+/LNX
    * Origin: I'm not tense, just terribly alert! (2:310/31)