[Firehol-support] IPv6 help! (and sorry for bounces)

Phil Whineray phil at firehol.org
Tue Dec 29 09:44:18 GMT 2015

Hi Rich

On Mon, Dec 28, 2015 at 10:37:39PM +0100, Arthur Fabre wrote:
> I've had similar issues in the past, and if I recall correctly IPv6 uses multicast (ff02::/16) for neighbour solicitation (ARP in ipv4 world, ie figuring out what MAC address "has" a given IP) - I had to add ff02‎::/16 as a dest address.
> In the end between link-local traffic, multicast, and other addresses, I gave up on using dest with ipv6.

These are certainly all confounding factors and trying without src/dst
would be a good starting point.

There are other things that can happen though - I had to do this on
my wireless router:

# disable multicast snooping to enable multicast forwarding for IPv6
echo "0" > /sys/devices/virtual/net/br-lan/bridge/multicast_snooping

I think this may be related to the ipv6neigh rule not allowing for
a type of packet pair that hosts+routers exchange to determine who
is cast to. It needs a proper investigation.

Right now, you might consider adding something like this to the top
of your config (before any normal interface definitions) to see if
it gets you going:


# Allow any old ICMPv6 message on the interface; should not be needed
# if ipv6error, ipv6neigh and ipv6router are correctly configured, but
# might help in the event of problems with autoconfiguration.

icmpv6_allow() {
       for iface in "$@"
               iptables -j ACCEPT -I INPUT 1 -i "$iface" -p icmpv6
               iptables -j ACCEPT -I OUTPUT 1 -o "$iface" -p icmpv6

icmpv6_allow $wan


More information about the Firehol-support mailing list