If you come from an IPv4 background, you were probably taught to treat ICMP as “optional” or even something to block for security.
With IPv6, that mindset will break your network.
ICMPv6 is not just for ping — it is a core control plane protocol that IPv6 fundamentally depends on. Blocking it will cause broken connectivity, black-holed packets, failed PMTU discovery, and mysterious application timeouts.
Let’s look at why ICMPv6 matters, and how to allow it safely when forwarding traffic with nftables.
## ICMPv6 Is Not Optional
In IPv4, many functions are handled by ARP, DHCP, or optional ICMP messages.
In IPv6, those responsibilities are merged into ICMPv6.
Blocking ICMPv6 is equivalent to blocking ARP in IPv4.
## What ICMPv6 Does
ICMPv6 is required for:
### 1. Neighbor Discovery (NDP)
ICMPv6 replaces ARP entirely:
- Neighbor Solicitation (type 135)
- Neighbor Advertisement (type 136)
Without these, hosts cannot:
- Resolve MAC addresses
- Detect duplicate addresses
- Reach the default gateway
➡️ Result if blocked: No connectivity at all.
### 2. Router Discovery & SLAAC
IPv6 hosts learn:
- Default gateways
- On-link prefixes
- MTU
- DNS (via RDNSS)
Using:
- Router Solicitation (133)
- Router Advertisement (134)
➡️ Result if blocked: No automatic addressing, no routing.
### 3. Path MTU Discovery (PMTUD)
IPv6 routers never fragment packets.
Instead, they send:
- Packet Too Big (type 2)
If these messages are blocked:
- TCP stalls
- TLS handshakes fail
- Large transfers hang
➡️ Result if blocked: “Works sometimes” networking.
### 4. Error Reporting
Essential error signals:
- Destination Unreachable (type 1)
- Time Exceeded (type 3)
- Parameter Problem (type 4)
➡️ Result if blocked: Silent failures and debugging nightmares.
### 5. Multicast Control
ICMPv6 handles:
- Multicast Listener Discovery (MLD)
Used for:
- IPv6 multicast
- Many local network functions
## “But Is ICMPv6 Dangerous?”
No — blindly blocking it is more dangerous.
Security best practice is:
- Allow required ICMPv6 types
- Drop invalid or unexpected traffic
- Apply stateful filtering
IPv6 security depends on correct filtering, not blanket denial.
## Forwarding ICMPv6 with nftables
If your system routes or forwards IPv6 traffic (router, firewall, reverse proxy host), you must explicitly allow ICMPv6 in the forward path.
Below is a safe, minimal nftables example.
### Recommended ICMPv6 Types to Allow
| Type | Name |
|---|---|
| 1 | Destination Unreachable |
| 2 | Packet Too Big |
| 3 | Time Exceeded |
| 4 | Parameter Problem |
| 128 | Echo Request |
| 129 | Echo Reply |
| 133 | Router Solicitation |
| 134 | Router Advertisement |
| 135 | Neighbor Solicitation |
| 136 | Neighbor Advertisement |
| 143 | MLDv2 Listener Report |
### nftables Example: Forward ICMPv6 Correctly
```
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop what conntrack cannot classify before anything is accepted
        ct state invalid drop

        # Allow established and related traffic
        ct state { established, related } accept

        # Allow essential ICMPv6. Match the ICMPv6 header directly instead of
        # "ip6 nexthdr icmpv6": nexthdr only inspects the first header, so it
        # misses ICMPv6 carried behind IPv6 extension headers.
        # NDP (types 133-136) travels with hop limit 255 and is never forwarded,
        # so listing it here is harmless and keeps the allow-list complete.
        # mld2-listener-report is type 143, matching the table above
        # (mld-listener-report would be the MLDv1 report, type 131).
        icmpv6 type {
            destination-unreachable,
            packet-too-big,
            time-exceeded,
            parameter-problem,
            echo-request,
            echo-reply,
            nd-router-solicit,
            nd-router-advert,
            nd-neighbor-solicit,
            nd-neighbor-advert,
            mld2-listener-report
        } accept

        # (Optional) Log dropped packets for debugging
        # log prefix "nft forward drop: " flags all
    }
}
```
This rule set:
- Keeps a default-deny policy
- Allows only necessary ICMPv6
- Preserves PMTUD and neighbor discovery
- Works cleanly with stateful forwarding
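An audit helper, added here and not part of the original post: it reads the JSON that `nft -j list ruleset` emits and reports which of the recommended ICMPv6 types have no accept rule in the forward chain. The JSON layout it walks (`rule.expr` match/verdict nodes, a `{"set": [...]}` on the right-hand side of a set match) is assumed from libnftables' JSON output, and the sample ruleset is constructed to show the MLDv1/MLDv2 name mix-up and a forgotten Packet Too Big.

```python
import json

# ICMPv6 types the post recommends allowing in the forward chain, keyed by the
# symbolic names nftables prints (note the MLDv2 report is 143, not 131).
REQUIRED = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "nd-router-solicit": 133, "nd-router-advert": 134,
    "nd-neighbor-solicit": 135, "nd-neighbor-advert": 136,
    "mld2-listener-report": 143,
}
NAME_BY_NUMBER = {v: k for k, v in REQUIRED.items()}

def accepted_icmpv6_types(ruleset_json, chain="forward"):
    # Collect ICMPv6 type names matched by accept rules in `chain`. Assumed
    # layout of `nft -j list ruleset`: each rule has an 'expr' list of match
    # and verdict nodes; a set match carries {"set": [...]} on the right.
    found = set()
    for item in json.loads(ruleset_json)["nftables"]:
        rule = item.get("rule")
        if not rule or rule.get("chain") != chain:
            continue
        if not any("accept" in node for node in rule["expr"]):
            continue  # drop/reject/log-only rules do not open the path
        for node in rule["expr"]:
            match = node.get("match")
            payload = (match or {}).get("left", {}).get("payload", {})
            if payload.get("protocol") != "icmpv6" or payload.get("field") != "type":
                continue
            right = match["right"]
            for v in right["set"] if isinstance(right, dict) else [right]:
                if isinstance(v, (int, str)):  # skip range objects
                    found.add(NAME_BY_NUMBER.get(v, v) if isinstance(v, int) else v)
    return found

def missing_icmpv6_types(ruleset_json, chain="forward"):
    # Required types with no accept rule in `chain`, ordered by type number.
    missing = set(REQUIRED) - accepted_icmpv6_types(ruleset_json, chain)
    return sorted(missing, key=REQUIRED.get)

# Constructed sample in the nft -j layout: this forward chain accepts the MLDv1
# report (mld-listener-report, 131) instead of MLDv2 and omits packet-too-big.
SAMPLE = json.dumps({"nftables": [{"rule": {
    "family": "inet", "table": "filter", "chain": "forward", "expr": [
        {"match": {"op": "==",
                   "left": {"payload": {"protocol": "icmpv6", "field": "type"}},
                   "right": {"set": [
                       "destination-unreachable", "time-exceeded", "parameter-problem",
                       "echo-request", "echo-reply", "nd-router-solicit", "nd-router-advert",
                       "nd-neighbor-solicit", "nd-neighbor-advert", "mld-listener-report"]}}},
        {"accept": None}]}}]})
print("missing:", missing_icmpv6_types(SAMPLE))  # ['packet-too-big', 'mld2-listener-report']
```

On a live router, feed it `nft -j list ruleset` output; an empty result means every type in the table above has an accept rule in the forward chain.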
## Common IPv6 Breakage Symptoms (and the Real Cause)
| Symptom | Root Cause |
|---|---|
| HTTPS hangs | Blocked Packet Too Big |
| Random timeouts | Broken PMTUD |
| No default route | Blocked Router Advertisements |
| “No route to host” | Blocked NDP |
| Containers unreachable | ICMPv6 filtered in forward chain |
If IPv6 seems flaky, check ICMPv6 first.
## Final Thoughts
ICMPv6 is:
- Not optional
- Not legacy
- Not unsafe by default
It is as fundamental to IPv6 as Ethernet framing itself.
If you run IPv6 — especially in routed or containerized environments — allowing ICMPv6 correctly is not a nice-to-have.
It is a hard requirement for a working network.