Share via

Windows Firewall Inbound "Block all connections" breaks IPv6 on Windows 11

Shaunm001 311 Reputation points
2025-07-01T19:11:22.56+00:00

We are in the process of rolling out Windows 11 to meet the October end-of-support deadline, and have run into an issue with Windows Firewall and IPv6. If "Inbound connections" state is set to "Block all connections" as it is in our environment, certain IPv6 services will stop functioning. For example, ICMPv6 echo requests will work but then begin to time out shortly after joining a network that is utilizing IPv6 addressing.

Here is a video demonstrating the behavior: https://applereit-my.sharepoint.com/:v:/p/smichelson/ER0pJ70VL6ZNjqJlZvtcDJMBkPwxl1N8ALDU7w9Oj7eHzw?nav=eyJyZWZlcnJhbEluZm8iOnsicmVmZXJyYWxBcHAiOiJPbmVEcml2ZUZvckJ1c2luZXNzIiwicmVmZXJyYWxBcHBQbGF0Zm9ybSI6IldlYiIsInJlZmVycmFsTW9kZSI6InZpZXciLCJyZWZlcnJhbFZpZXciOiJNeUZpbGVzTGlua0NvcHkifX0&e=o16SvP

This behavior is not observed on our Windows 10 machines, what is the difference on Windows 11 and how can we fix it? Our VPN application (OpenVPN) is unusable on Windows 11 as a result of this for any network utilizing IPv6 (home internet ISPs, mobile hotspots, etc).

Windows for home | Windows 11 | Internet and connectivity
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Shaunm001 311 Reputation points
    2025-07-08T19:07:18.4833333+00:00

    Any other thoughts/suggestions on this? Users/enterprises who want to run the most secure Windows firewall configuration have been able to use the "Block all connections" setting for the last 10 years on Windows 10 without issue, we should be able to run the same secure configuration on Windows 11 without it crippling IPv6 capabilities.

    Was this answer helpful?

  2. Shaunm001 311 Reputation points
    2025-07-02T13:54:02.47+00:00

    Thanks for the quick and thorough reply, really appreciate that.

    Unfortunately, this does not resolve the issue. I did as you said, created a custom rule for ICMPv6 protocol and set to allow all ICMP types to/from all destinations on all profiles. Checking the Core Networking rules, they are all currently enabled by default. However we're still experiencing the same issue.

    My understanding of Windows Firewall settings is that if "Inbound connections" state is set to "Block all connections" then it does exactly that and ignores any existing firewall rules set to "Enabled." The only way to create exceptions is to choose the option to "Allow the connection if it is secure" and then only if "Override block rules" is also set (see screen shot below). So I would not expect the custom rule above or any of the default Core Networking rules to be applied since they are all in the "Alllow the connection" state (green checkmark) rather than "Allow the connection if it is secure" state (yellow padlock).

    Screenshot 2025-07-02 094045

    Was this answer helpful?

    0 comments
  3. Kai-H 18,195 Reputation points Microsoft External Staff Moderator
    2025-07-02T02:25:30.6266667+00:00

    Hello Shaunm001, 

    Welcome to the Microsoft Community. 

    This is a known issue that has affected some organizations migrating to Windows 11, especially in environments with strict firewall policies and IPv6-enabled networks. 

    What’s Happening? 

    • In Windows 11, the Windows Defender Firewall has updated behaviors and default rulesets, especially regarding IPv6 and ICMPv6. 
    • When you set the firewall profile to “Block all connections” for inbound connections, Windows 11 is stricter than Windows 10 in enforcing this, and some essential IPv6 traffic (including ICMPv6 and neighbor discovery) may be blocked unless explicitly allowed. 
    • ICMPv6 is crucial for IPv6 network functionality (neighbor discovery, router solicitation, etc). If blocked, IPv6 connectivity will break, and VPNs that rely on IPv6 will fail. 

    Why is Windows 11 Different? 

    • Windows 11 has reworked some firewall internals and, in some cases, does not include all the same default “allow” rules for IPv6 as Windows 10. 
    • Windows 10, by default, allowed some ICMPv6 traffic even when “block all” was set, but Windows 11 may not, depending on the exact ruleset and updates applied. 
    • Windows 11 may also be stricter about “Edge Traversal” and “Core Networking” rules, which can affect VPN and IPv6 traffic.   

    How to Fix 

    1. Create Explicit Allow Rules for ICMPv6 and VPN Traffic 

    You need to create custom inbound firewall rules to allow essential IPv6 traffic, even when “Block all” is set. 

    For ICMPv6: 

    • Open Windows Defender Firewall with Advanced Security. 
    • Go to Inbound Rules. 
    • Click New Rule. 
    • Rule Type: Custom 
    • Program: All programs 
    • Protocol type: ICMPv6 
    • Specific ICMP types: Echo Request, Echo Reply, Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, and possibly others, depending on your environment. 
    • Remote IP: Any (or restrict as needed) 
    • Action: Allow the connection 
    • Profile: Apply to the relevant profile (Domain, Private, Public) 
    • Name: e.g., “Allow ICMPv6 Core Networking”    You may need to create several rules, or, for testing, allow all ICMPv6, then restrict to specific types as needed. 

    For VPN (OpenVPN, etc): 

    • Allow inbound traffic on the UDP/TCP port(s) your VPN uses, for both IPv4 and IPv6, and ensure Edge Traversal is enabled if needed. 

    2. Review and Enable Core Networking Rules 

    • In Windows Defender Firewall with Advanced Security, look for Core Networking rules, especially those for ICMPv6 and Neighbor Discovery. 
    • Enable any that are disabled. 

    3. Group Policy Deployment 

    • If you manage devices via Group Policy, you can push these rules to all Windows 11 endpoints. 
    • Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Inbound Rules 

    4. Test and Refine 

    • After applying, test IPv6 and VPN connectivity. 
    • Monitor for any other services affected, and further refine rules as needed. 

     

    References
    References

     

    Best regards, 

    Kai Ho | Microsoft Community Support Specialist Hello, 

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.