IPv6 connection issues when the ICMPv6 Protocol is blocked

Article Number: 000022092

Environment

Any RKE2 environment using the IPv6 protocol

Situation

IPv6 connection issues when the ICMPv6 Protocol is blocked

Resolution

When using IPv6 in an RKE2 or K3s cluster where network traffic is restricted by security policies, be aware that, unlike IPv4, IPv6 relies heavily on the ICMPv6 protocol.

Firewall rules must allow critical ICMPv6 traffic. The following IPv6 CIDR ranges should be open:

  • fe80::/10 - for link-local prefixes
  • ff02::/16 - for multicast

This will ensure proper operation of IPv6 features such as neighbor discovery, path MTU discovery, and autoconfiguration.

For information on filterable ICMPv6 message types, see this link.

We recommend allowing all types for now, but once you've verified that your policy is working properly, you can consider further restricting traffic to specific ICMPv6 types. These types are specified here and here.
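
One way to check a node against the two ranges listed above, as an added example that is not part of the original article. It assumes the host firewall is ip6tables (the article names no tool); the function names and the sample dumps are constructed for illustration.

```shell
# audit_icmpv6 CHAIN: reads ip6tables-save output on stdin and prints
# "<prefix> OK|BLOCKED" for both prefixes. A prefix is OK only when an ACCEPT
# covering all ICMPv6 types is reached before a DROP/REJECT or a drop policy.
audit_icmpv6() {
  awk -v chain="$1" '
    function decide(p, v) { if (state[p] == "") state[p] = v }  # first match wins
    BEGIN { n = split("fe80::/10 ff02::/16", need, " ") }
    $1 == (":" chain) { policy = $2; next }
    $1 != "-A" || $2 != chain { next }
    {
      src = dst = proto = target = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") { target = $(i + 1); break }
        else if ($i == "-s") src = $(++i)
        else if ($i == "-d") dst = $(++i)
        else if ($i == "-p") proto = $(++i)
        else other = 1   # any other match (state, port, ICMPv6 type) narrows the rule
      }
      icmp6 = (proto == "" || proto ~ /^(ipv6-icmp|icmpv6|58)$/)
      if (other || !icmp6 || (src != "" && dst != "")) next
      if (target == "ACCEPT") v = "OK"
      else if (target == "DROP" || target == "REJECT") v = "BLOCKED"
      else next
      sel = src dst   # at most one of the two is set here
      for (k = 1; k <= n; k++)
        if (sel == "" || sel == need[k]) decide(need[k], v)
    }
    END {
      for (k = 1; k <= n; k++) {
        decide(need[k], (policy == "ACCEPT") ? "OK" : "BLOCKED")
        print need[k], state[need[k]]
        if (state[need[k]] == "BLOCKED") bad = 1
      }
      exit bad + 0
    }'
}
# Constructed sample dumps (INPUT chain only): default-drop policy, then the fix.
sample_blocked() {
  printf '%s\n' ':INPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT'
}
sample_fixed() {
  sample_blocked
  printf '%s\n' '-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT' \
    '-A INPUT -d ff02::/16 -p ipv6-icmp -j ACCEPT'
}
sample_blocked | audit_icmpv6 INPUT || echo "-> ICMPv6 still blocked for a listed range"
sample_fixed | audit_icmpv6 INPUT
```

On a real node, feed it live state with `ip6tables-save | audit_icmpv6 INPUT`. Rules limited to specific ICMPv6 types are deliberately not counted, since the check targets the "allow all types" starting point.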