pfSense on PROXMOX with HomeAssistant
-
I will play with this after work (when I do not need Internet -- WFH here).
Then I gotta figure out why I am getting the ICMPv6 errors. I put the same RULE I had before in pfSense. I know Comcast will not do IPv6 Reverse DNS (as a residential customer) and still do not know why the browser is not doing IPv6. This has always worked.
-
@Gblenn @stephenw10 @Patch @jimp
Thanks again for all of your help....very much appreciated.
OK. I have put pfSense back on a stand-alone box (well, the HP T620+ I had put Proxmox on) and it is running as before. I have made a new backup and will look to put a new Proxmox install on the new HP Z240 I got for Proxmox and using all the notes from here.
Now I cannot figure out why the IPv6 test is failing - I used to get 18/20 on this test (only because COMCAST will not do an IPv6 Reverse DNS record for residential).
I have rules in pfSense for this. Odd that it is not working. But this also shows it was not tested. Maybe it is not me. :-)
-
Do you see it blocked in the firewall log? What rule is blocking it?
-
I see nothing in the logs which would be blocking it. In fact the Firewall logs do not show anything that I can see ICMP.
I see these when I FILTER on ICMP - but they are all IPV4. Which still should be working too.
based on these rules:
-
This one seems to get a 10/10: https://test-ipv6.com/
Given that the other one shows that ICMP was not tested - I am not going to worry about it.
-
ICMP is required for IPv6 but the default firewall rules should pass it:
```
# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
```
You probably need to filter by ipv6-icmp if it was being blocked by pfSense. However it shouldn't be possible to block the 4 icmp types as the rule is 'quick' and high up in the rules table.
Steve
-
-
My mistake, it's actually logged as ICMPv6:
```
Sep 26 13:40:20 WAN Default deny rule IPv6 (1000000105) [xxxx:yyyy:7282:101:20d:b4ff:fe0c:aed6] [xxxx:yyyy:7282:101::2000] ICMPv6
Sep 26 13:40:21 WAN Default deny rule IPv6 (1000000105) [xxxx:yyyy:7282:101:20d:b4ff:fe0c:aed6] [xxxx:yyyy:7282:101::2000] ICMPv6
Sep 26 13:40:22 WAN Default deny rule IPv6 (1000000105) [xxxx:yyyy:7282:101:20d:b4ff:fe0c:aed6] [xxxx:yyyy:7282:101::2000] ICMPv6
```
Echorequest/replies are blocked by default like that but the 4 required types should never be.
Steve
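
Added example, not part of the original posts: a small Python parser for firewall log lines in the layout of the excerpt in the post above, counting blocked entries per interface and rule so the "what rule is blocking it?" question can be answered from an exported log. The sample lines are constructed (documentation addresses; the IPv4 line layout and the user rule are assumptions), and the protocol match is exact, so `ICMP` and `ICMPv6` are counted separately.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log excerpt in the thread.
# Addresses use documentation prefixes; the IPv4 layout is an assumption.
SAMPLE_LOG = """\
Sep 26 13:40:20 WAN Default deny rule IPv6 (1000000105) [2001:db8:7282:101:20d:b4ff:fe0c:aed6] [2001:db8:7282:101::2000] ICMPv6
Sep 26 13:40:21 WAN Default deny rule IPv6 (1000000105) [2001:db8:7282:101:20d:b4ff:fe0c:aed6] [2001:db8:7282:101::2000] ICMPv6
Sep 26 13:40:25 WAN Default deny rule IPv4 (1000000103) 198.51.100.7 192.0.2.10 ICMP
Sep 26 13:41:02 LAN Constructed user rule (1700000001) [2001:db8:1::5] [2001:db8:2::9] ICMPv6
this line is not a log entry
"""

# time, interface, rule description, (tracker id), source, destination, protocol
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<tracker>\d+)\)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # IPv6 addresses are shown in square brackets; drop them.
    entry["src"] = entry["src"].strip("[]")
    entry["dst"] = entry["dst"].strip("[]")
    return entry

def blocked_by_rule(log_text, proto="ICMPv6"):
    """Count entries of one protocol per (interface, rule, tracker id)."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        # Exact match: filtering on "ICMP" does not pick up "ICMPv6".
        if entry and entry["proto"].lower() == proto.lower():
            hits[(entry["iface"], entry["rule"], entry["tracker"])] += 1
    return hits

if __name__ == "__main__":
    for (iface, rule, tracker), n in blocked_by_rule(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {iface}  {rule} ({tracker})")
```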
-
Not getting any hits - unless I just put in ICMP (and the errors show v4, no v6)
-
Not blocked in pfSense then. So either it just wasn't tested, as it seems to imply. Or it's blocked upstream.
Steve
-
@stephenw10 @jimp @Patch @Gblenn
Thanks again everyone for your help.
I am going to run this like this for a while - and take weekly backups. When I am ready to move to Proxmox - I will install fresh and then restore the last backup.
Right now I have another issue... suddenly the 4-port card that I put into the HP Z240 prevents the machine from booting. I can take it out and put into another machine and that one boots just fine. Boots all the way to Windows server 2019, is seen and all 4-ports are there.
Put it in the HP and I get 3 slow-beeps and RED power light, then 2 fast-beeps and white power light. I have a ticket with the folks at HP. It is an HP 331T card.