After struggling a bit to get IPv6 to work I realised that, contrary to IPv4, you need to explicitly allow certain ICMPv6 types on the wan side and lan side (I had router access blocked on most VLANs, which automatically includes ICMPs). I guess it would be a good idea to explicitly add a list of ICMPs to allow in [OpenWrt Wiki] IPv6 configuration?
No, I added a guest interface etc. and set input to reject. Then did not realize I needed to allow them.
Yes, I know, it is my own mistake, but my point is there is no mention of the importance on the wiki page. Not everybody is fully up to speed on it. People might even delete the existing wan rules thinking it will improve security or something...
Two sentences on the IPv6 page probably is enough already, something like "For IPv6 it is essential that certain ICMP messages can reach the router and clients, both from the wan and lan sides. This means that you may need forward rules and accept rules on the firewall, e.g. if you add a guest interface with input on reject".
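As an added example (not text from anyone in this thread and not the wiki's wording), this is what the guest-interface case from the post above looks like in /etc/config/firewall; the zone name "guest" and the rule name are assumed, and the ICMPv6 type list is the same one OpenWrt ships in its default Allow-ICMPv6-Input rule for wan:

```uci
# Added example for /etc/config/firewall (not from this thread or the wiki).
# Assumes a guest zone with input set to REJECT, as described in the thread.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Without this rule the REJECT input policy also drops Router Solicitations and
# Neighbour Discovery from guest clients, so SLAAC never completes and the
# clients get no IPv6 default route even though IPv4 keeps working.
# The type list mirrors the stock wan rule; only the src zone differs.
config rule
	option name 'Allow-ICMPv6-Guest-Input'
	option src 'guest'
	option proto 'icmp'
	option family 'ipv6'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option target 'ACCEPT'
```

The DHCP and DNS accept rules that a guest zone also needs are not repeated here; apply the change with `/etc/init.d/firewall reload`.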
If you suggest exactly where to place some verbiage, I'll be willing to edit the Wiki.
Since IPv4 and IPv6 both require this (despite your comment to the contrary) - it's difficult for me to understand what you mean or where best to place the verbiage. I never approached the understanding of IPv6 in comparison/contrast to IPv4 - so I never developed these ideas. Just let me know and I'll edit it. I do agree that it's more difficult to block ICMP with IPv6 - as in the past, we've developed software to gracefully fail with such errors in IPv4. As you noted with IPv6, these things usually provide little to no additional security.
I do not get why there is only an echo request ICMP rule on WAN IPv4 by default?
Also I never enabled any rules on e.g. my guest firewall zone with input on reject and everything works fine. So please tell me which ICMPv4 I need to add to my wan and guest zones.
I think Ramon is calling out a legitimate documentation gap. I too recently created a couple of extra networks with reject policy and had to search forums to figure out why IPv6 wasn't functioning. Happy to help with that documentation later when I have access to how I set things up.
If you don't limit it to just ICMP - DHCPv4 renewal on WAN is a major one you cannot just remove.
This is one example (the clamping) where IPv4 fails if it's not configured and needed. Another example is e.g. 6in4 tunnels, they expect ICMPv4 Echo Request IPv4 to work on WAN according to RFC - that would fail if these IPv4 rules were removed.
In any case, I'm also happy to help. Just let me know where the sentence would be well placed - and I don't mind either:
Wikis suggest imitating the LAN zone policy - if you set input rules to reject - I would surmise you know what you're doing and the consequences. I can also list things with IPv4 that would fail if you blocked input (e.g. IPv4 altogether if DHCP is blocked, also DNS resolution). Despite being willing to add verbiage, I still don't understand how a user's improper firewall setting is the specific blame of IPv6 as opposed to the user who set it up. My only concern is that a potential Wiki reader will misunderstand the wording and unsafely open WAN. This is why I always offer to edit Wikis but ask the verbiage and location be supplied - when I don't understand the concept or reason for it.
Well the guest wlan page link I gave above does not. It puts input on reject.
Anyway, I'm done arguing, this is my last reply. I think the documentation is inconsistent at best. You think all the information is there. Let's agree to disagree.
You as well. I thought you asked for an example. My apologies if you thought it was an argument. I actually don't agree or disagree with anything you mentioned - as I didn't know it was considered an argument.
As I noted and others, I'm still willing to make the change (if I know where), or feel free to create a Wiki account - the how to is linked above.