NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
malacath
Apr 29, 2017Aspirant
Netgear R7000 IPv6 ICMP Filtered
When going to http://ipv6-test.com/ The test only gives my 17/20 The reason is that ICMP is filtered which according to that site is a bad thing. I know it is definately the router doing ...
- Apr 29, 2017
malacath wrote:Is this website correct?
Yes.
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
It can be a problem. IPv6 relies on something calling PMTUD (Path MTU Discovery) to work. Blocking ICMPv6 prevents PMTUD from working. Unfortunately, unblocking ICMPv6 has a downside. It can expose your devices to a certain kind of DoS attack (atomic fragment attack). This puts you in a "Damned if you do. Damned if you don't." situation. There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.
In the meantime, you may find that things will work even without ICMPv6. Consider yourself lucky.
TheEther
Apr 29, 2017Guru
malacath wrote:
Is this website correct?
Yes.
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
It can be a problem. IPv6 relies on something calling PMTUD (Path MTU Discovery) to work. Blocking ICMPv6 prevents PMTUD from working. Unfortunately, unblocking ICMPv6 has a downside. It can expose your devices to a certain kind of DoS attack (atomic fragment attack). This puts you in a "Damned if you do. Damned if you don't." situation. There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.
In the meantime, you may find that things will work even without ICMPv6. Consider yourself lucky.
- malacathMay 01, 2017Aspirant
Thanks for the info.
Sounds like it's nothing to worry about for now?
- TheEtherMay 02, 2017Guru
You may be lucky and everything works. Or you may find that certain destinations are unreachable.
- janthony6May 25, 2017Guide
Who is your service provider? My ICMP wasn't working. Turns out it was due to ATT's RG. Even in passthrough/DMZ+ mode, their RG blocks protocol 41 and cripples IPV6. If you bypass their RG using a VLAN switch, you can have your router's WAN directly connected to the ONT. Using this method with proper 6RD settings makes it work. ICMP is reachable now. I get 19/20 now. The only reason I'm not getting 20/20 is due to the lack of RDNS for ATT.