Business Community > Routers > [IPv6] Cannot open firewall from WAN to LAN
< Routers

[IPv6] Cannot open firewall from WAN to LAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

[IPv6] Cannot open firewall from WAN to LAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
[IPv6] Cannot open firewall from WAN to LAN
[IPv6] Cannot open firewall from WAN to LAN
2024-08-14 18:44:29
Tags: #IPv6 #ACL
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.2 Build 20240324 Rel.42799

Hello.

 

I am facing an issue very similar to what is described on this thead : https://community.tp-link.com/en/business/forum/topic/638114

 

I have IPv6 connectivity from my ISP, I can reach IPv6 Internet without issue (LAN->WAN) and IPv6 networks between my networks (LAN->LAN) also.

 

But impossible to open the firewall for incoming traffic.

 

I tried to setup a wildcard ACL to allow all incoming IPv6 traffic without success.

 

I do see the incoming packet on the WAN side on the device connected just before it, however I never see the packet coming to my server (I tried with ICMPv6 and HTTPs, same issue with both)

 

I can´t explain why this is not working, is there any known issue about this ?

 

The rule I created (I don´t have any other active rule):

 

 

Thank you.

  0      
 
  0      
 
#1
Options
4 Reply
Re:[IPv6] Cannot open firewall from WAN to LAN
2024-08-15 01:47:59

Hi @K3dare 

Thanks for posting in our business forum.

I have a simple question, will you be able to ping the v6 address of the gateway? The public IP. Not the link-local.

If you could, then the access is not blocked. The rule is effective.

You should also check your firewall on the PC that's being accessed or pinged.

 

If you can paste screenshots to illustrate the verification, that'd be great.

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  2  
  2  
#2
Options
Re:[IPv6] Cannot open firewall from WAN to LAN
2024-08-15 10:07:25

  @Clive_A Hello, thank you for your fast message.

 

I cannot ping the WAN IPv4 of the gateway, even from the network device right in front of it (ESBCN-HEX1, that provide the RA on the WAN side and that is on the same subnet) so it looks like it's indeed blocked at this level.

 

On the final server there are no firewall configured (and it worked fine using the router we had before the Omada gateway)

 

Attached some screenshots from the test :

 

 

 

 

However as said before LAN to WAN and LAN to LAN is working fine, only WAN to LAN is impacted.

 

Thank you.

  0  
  0  
#3
Options
Re:[IPv6] Cannot open firewall from WAN to LAN
2024-08-15 10:57:29

I suspect I may have found the issue.

 

It looks like the connection state (in devices > the gateway > WAN port) is not really consistent.

 

It was in a disconnected state but I had working IPv6 connectivity LAN to WAN, only WAN to LAN would not work it looks like ?

 

I have setup DNS servers for the IPv6 connectivity (as the EX would not provide them via SLAAC/RRDNS) and now it go into connected state (before it would stay in a disconnected state and fail to pass to a connected state even though I had working LAN to WAN IPv6 connectivity)

 

Now I can ping IPv6 hosts inside my network from outside (like a VM from a cloud provider) but I cannot ping anything in my network from the HEX itself (so the first hop in front of the gateway), also nothing can ping my IPv6 WAN address (maybe there are specific rules for this ?)

 

I am not sure if it's really this or just a coincidence.

  0  
  0  
#4
Options
Re:[IPv6] Cannot open firewall from WAN to LAN
2024-08-16 03:11:15

Hi @K3dare 

Thanks for posting in our business forum.

K3dare wrote

I suspect I may have found the issue.

 

It looks like the connection state (in devices > the gateway > WAN port) is not really consistent.

 

It was in a disconnected state but I had working IPv6 connectivity LAN to WAN, only WAN to LAN would not work it looks like ?

 

I have setup DNS servers for the IPv6 connectivity (as the EX would not provide them via SLAAC/RRDNS) and now it go into connected state (before it would stay in a disconnected state and fail to pass to a connected state even though I had working LAN to WAN IPv6 connectivity)

 

Now I can ping IPv6 hosts inside my network from outside (like a VM from a cloud provider) but I cannot ping anything in my network from the HEX itself (so the first hop in front of the gateway), also nothing can ping my IPv6 WAN address (maybe there are specific rules for this ?)

 

I am not sure if it's really this or just a coincidence.

Not sure about your HEX device. As for now, it at least proves the v6 WAN IN is working.

For any devices that are not working, check their firewall. There is no other solution or suggestion that can be proposed.

 

About the router v6 address that you cannot ping, do you mean this?

 

For this problem, it would be strange.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#5
Options

Information

Helpful: 0

Views: 576

Replies: 4

Tags

IPv6 ACL
Related Articles
ER707-M2 - IPsec ports open to internet, firewall not restricting
336 0
 ER707-M2 now with IPv6 Firewall?
982 0
 IPv6 ACLs not working
408 0
 ER7212PC ipv6 firewall
932 0
IPV4 Firewall Lan to Wan rule blocks internal communication with DVR
601 0
Current status of IPv6 integration ER707-M2
726 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.