I have been messing with enabling LAN-side IPv6 on my gateway. I was doing some performance testing that began with ipv6-test.com and their side-by-side ping test of IPv4 and IPv6.

I noticed both were timing out with 100% packet loss.

All it took was disabling this [screenshot] in the router's firewall to allow IPv4 to start properly pinging.

IPv6 timed out unless I disabled Windows Firewall. That was the only way I could get it working. I had assumed these were the associated rules, yet as you can see, both IPv4 and IPv6 are enabled.

[screenshot]

If I go inside the IPv6 rule, it shows echo as being enabled.

[screenshot]

So this is where my networking acumen comes to a halt, more or less.

Can someone point me to the hang-up? I haven't added any non-out-of-the-box Windows Firewall rules AFAIK, so whatever is superseding or preventing is beyond me.

The Scope tab shows as follows. It seems identical to its IPv4 counterpart, which is allowing ipv6-test to ping IPv4 (presuming these are in fact the relevant rules, but I believe they are).

[screenshot]

  • What do you see in the 'Scope' tab? Commented Apr 20, 2020 at 6:46
  • So it appears changing local subnet to "Any" under the Remote IP Address tab is enough to allow them. Why is that not required with the IPv4 rule?
    – klepp0906
    Commented Apr 20, 2020 at 12:03
  • Ping via ICMP is Echo-Request [Type 8] and Echo-Reply [Type 0] and/or Extended Echo-Request [Type 42] and Extended Echo-Reply [Type 43]
    – JW0914
    Commented Apr 20, 2020 at 12:17

1 Answer

> IPv6 timed out unless I disabled Windows Firewall. That was the only way I could get it working. I had assumed these were the associated rules, yet as you can see, both IPv4 and IPv6 are enabled.

By default, the rules allowing ICMP Echo are restricted to the "local subnet" – for all profiles. You must change this to "any" in the 'Scope' tab.

(Note: Built-in rules occasionally revert to the default scope settings after Windows upgrades. If that happens, you can use gpedit.msc to really make it stick.)

Nobody knows Microsoft's logic behind restricting ICMP Echo yet fully allowing RDP by default, but I guess it's related to the former only being necessary for file sharing (old SMB clients won't even try connecting to a host they cannot ping).

> So it appears changing local subnet to "Any" under the Remote IP Address tab is enough to allow them. Why is that not required with the IPv4 rule?

In IPv4, the remote system isn't pinging your computer's address – it's usually pinging your router's address and the requests don't even reach Windows. (Your computer usually doesn't have an Internet-visible IPv4 address at all, whereas in IPv6 it does have its own. Which is the whole point of having IPv6.)

So you did actually make a similar change for IPv4, only it was in the router's settings:

  • To build on this, to allow remote pings [ICMP Type 8 & 0 or archaic UDP] to a router's downstream devices a DNAT rule could be utilized on the router, however there are limited use cases for such a scenario & doing so should be cautiously evaluated due to the inherent security concerns. Even with IPv6, the router must still allow ICMP traffic to downstream devices through its firewall, something that should be cautiously evaluated on a device-by-device basis (there's little purpose to exposing most client devices directly to WAN due to the inherent security concerns arising as a result).
    – JW0914
    Commented Apr 20, 2020 at 12:33
  • Yes, truthfully this was purely to understand how-to just in case. I wanted to see if I could get 20/20 on their test. I cannot, as AT&T doesn't have rDNS evidently, so I was still stuck at 19/20. Turns out I also need to disable reflexive ACL in the router's firewall; should I restart the ping, it gets blocked again otherwise. Was hoping for a blanket allow/disallow but, as noted, IPv4 is actually pinging the router whereas IPv6 is pinging the PC, so I have no choice but to alter the 1 rule as well as alter the gateway's firewall.
    – klepp0906
    Commented Apr 20, 2020 at 12:58
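
The Scope setting discussed in the answer can also be read from PowerShell, which makes it easy to recheck after a Windows upgrade. The script below is an added example, not part of the original answer; it uses the standard NetSecurity cmdlets, and the function names and the `2001:db8::10` tester address (documentation range) are hypothetical placeholders.

```powershell
# Added example: list inbound ICMP Echo Request allow rules with their remote scope.
# Echo Request is ICMPv4 type 8 and ICMPv6 type 128.
$EchoTypes = @{ 'ICMPv4' = '8'; 'ICMPv6' = '128' }

function Get-EchoRuleScope {
    foreach ($proto in $EchoTypes.Keys) {
        $want = $EchoTypes[$proto]
        Get-NetFirewallPortFilter -Protocol $proto |
            # IcmpType entries are 'type' or 'type:code'; compare the type part only
            Where-Object { $_.IcmpType | Where-Object { ($_ -split ':')[0] -eq $want } } |
            ForEach-Object {
                $rule = $_ | Get-NetFirewallRule
                if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow') { return }
                $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
                [pscustomobject]@{
                    Name          = $rule.Name
                    DisplayName   = $rule.DisplayName
                    Enabled       = $rule.Enabled
                    Profile       = $rule.Profile
                    Protocol      = $proto
                    RemoteAddress = $remote -join ','
                    # True when every entry is a LocalSubnet keyword, i.e. off-link pings are dropped
                    LocalOnly     = -not ($remote | Where-Object { $_ -notlike 'LocalSubnet*' })
                }
            }
    }
}

# Hypothetical helper: instead of widening the scope to "Any", admit the local
# subnet plus one known tester address. Requires an elevated prompt.
function Set-EchoRuleTester {
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [string] $TesterAddress = '2001:db8::10'   # constructed placeholder
    )
    Set-NetFirewallRule -Name $RuleName -RemoteAddress @('LocalSubnet', $TesterAddress)
}

Get-EchoRuleScope | Sort-Object Protocol, DisplayName | Format-Table -AutoSize
```

A rule that is enabled but reports `LocalOnly = True` matches the symptom in the question: the rule looks active in the GUI, yet echo requests from outside the local subnet never match it.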
