Hi,

I have a dual stack IPV4/IPV6 router/firewall (C892FSP-K9).

I configured IPV6. The thing is that IPV6 is not working as expected.

The router is behind a French box (Free) giving Internet access.

The symptom:

No incoming traffic is going through the router from internet (behind the box)???

To be precised, when I am between the box and the router, I can access my private network???

As soon as I do the following command, It works from internet, everywhere???

no ipv6 access-list ipv6in

I had permit icmp any host XXXX:XXXX:XXXX:C880::2 to the ipv6in access-list to be able to ping my router wan interface. It does not work even with the fact that this is the first rule???

I have configured filter on a wan interface Gi9 to protect my network. Here is the configuration:

interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address XXXX:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in
!
interface Vlan1
 description home
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0/64
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C881::/64 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
!
interface Vlan2
 description management
 no ip address
 ipv6 address XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0/64
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C882::/64 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
 ipv6 traffic-filter vlan2_in in
!
interface Vlan4
 description front-web
 ip address 192.168.104.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address XXXX:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C884:8000::/65 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
!
ipv6 access-list ipv6in
 permit icmp any host XXXX:XXXX:XXXX:C880::2
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D252:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D253:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D254:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D254:7FFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D255:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D256:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D257:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFE:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFD:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D252:FFFF:FFFF:FFFC:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251::1 any
 permit ipv6 host YYYY:YYYY:YYYY:D252::1 any
 permit ipv6 host YYYY:YYYY:YYYY:D251::100 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:BA27:EBFF:FE89:8465 any
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0
 deny ipv6 any host XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0
 permit tcp any any established
 permit udp any eq domain any
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 eq www
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 eq 443
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 range 1024 65535
 permit udp any host XXXX:XXXX:XXXX:C884:8000::1 range 1024 65535
 permit tcp any host XXXX:XXXX:XXXX:C881::100 eq 22 log
 sequence 1000 remark Permit good ICMPv6 message types
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 remark Deny other compatible addresses
 deny ipv6 ::224.0.0.0/100 any log
 deny ipv6 ::127.0.0.0/104 any log
 deny ipv6 ::/104 any log
 deny ipv6 ::255.0.0.0/104 any log
 remark Deny false 6to4 packets
 deny ipv6 2002:E000::/20 any log
 deny ipv6 2002:7F00::/24 any log
 deny ipv6 2002::/24 any log
 deny ipv6 2002:FF00::/24 any log
 deny ipv6 2002:A00::/24 any log
 deny ipv6 2002:AC10::/28 any log
 deny ipv6 2002:C0A8::/32 any log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 FE80::/10 any
 remark Deny Site-Local (deprecated)
 deny ipv6 FEC0::/10 any
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Documentation Address
 deny ipv6 2001:DB8::/32 any
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 3FFE::/16 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny our own addresses coming inbound
!
ipv6 access-list ipv6out
 permit ipv6 any any

 DO you have any Idea on what is blocking the traffic?

Thanks

Vandman