Since upgrading to 2.7.0 cannot ping6 fe80::%vtnet0 - WAN fw rules seem to apply to link-local addresses?

Some VPS providers have you set the IPv6 gateway to fe80:: (Vultr) or fe80::1 (Hetzner).
On 2.6.0 this was simple. Create gateway and select "Use non-local gateway through interface specific route." in Advanced settings.
Since upgrading to 2.7.0 the IPv6 gateway on some but not all instances shows unreachable.
First hint:
If we pfctl -d it will work!

[2.7.0-RELEASE][root@pfSense.home.arpa]/root: ping6 fe80::%vtnet0
PING6(56=40+8+8 bytes) fe80::5400:3ff:fecd:bbc5%vtnet0 --> fe80::%vtnet0
^C
--- fe80::%vtnet0 ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
[2.7.0-RELEASE][root@pfSense.home.arpa]/root: pfctl -d
pf disabled
[2.7.0-RELEASE][root@pfSense.home.arpa]/root: ping6 fe80::%vtnet0
PING6(56=40+8+8 bytes) fe80::5400:3ff:fecd:bbc5%vtnet0 --> fe80::%vtnet0
16 bytes from fe80::fc00:3ff:fecd:bbc5%vtnet0, icmp_seq=0 hlim=64 time=0.120 ms
16 bytes from fe80::fc00:3ff:fecd:bbc5%vtnet0, icmp_seq=1 hlim=64 time=0.123 ms
16 bytes from fe80::fc00:3ff:fecd:bbc5%vtnet0, icmp_seq=2 hlim=64 time=0.097 ms
^C
--- fe80::%vtnet0 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.097/0.113/0.123/0.011 ms
[2.7.0-RELEASE][root@pfSense.home.arpa]/root: pfctl -e
pf enabled

Is it possible that in 2.6.0 we had whitelisted stuff like interface routes to fe80:: so that it matches before WAN fw rules are processed, and in 2.7.0 the order was changed or the special rule was removed?
I managed to resolve it by creating an icmp6 allow rule for source fe80::/10 on WAN.
I feel this was not needed in 2.6.0.