NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
malacath
Apr 29, 2017Aspirant
Netgear R7000 IPv6 ICMP Filtered
When going to http://ipv6-test.com/ The test only gives my 17/20 The reason is that ICMP is filtered which according to that site is a bad thing. I know it is definately the router doing ...
- Apr 29, 2017
malacath wrote:Is this website correct?
Yes.
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
It can be a problem. IPv6 relies on something calling PMTUD (Path MTU Discovery) to work. Blocking ICMPv6 prevents PMTUD from working. Unfortunately, unblocking ICMPv6 has a downside. It can expose your devices to a certain kind of DoS attack (atomic fragment attack). This puts you in a "Damned if you do. Damned if you don't." situation. There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.
In the meantime, you may find that things will work even without ICMPv6. Consider yourself lucky.
TheEther
Apr 29, 2017Guru
malacath wrote:
Is this website correct?
Yes.
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
It can be a problem. IPv6 relies on something calling PMTUD (Path MTU Discovery) to work. Blocking ICMPv6 prevents PMTUD from working. Unfortunately, unblocking ICMPv6 has a downside. It can expose your devices to a certain kind of DoS attack (atomic fragment attack). This puts you in a "Damned if you do. Damned if you don't." situation. There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.
In the meantime, you may find that things will work even without ICMPv6. Consider yourself lucky.
malacath
May 01, 2017Aspirant
Thanks for the info.
Sounds like it's nothing to worry about for now?
- TheEtherMay 02, 2017Guru
You may be lucky and everything works. Or you may find that certain destinations are unreachable.
- janthony6May 25, 2017Guide
Who is your service provider? My ICMP wasn't working. Turns out it was due to ATT's RG. Even in passthrough/DMZ+ mode, their RG blocks protocol 41 and cripples IPV6. If you bypass their RG using a VLAN switch, you can have your router's WAN directly connected to the ONT. Using this method with proper 6RD settings makes it work. ICMP is reachable now. I get 19/20 now. The only reason I'm not getting 20/20 is due to the lack of RDNS for ATT.