Netgate Discussion Forum
    Firewall blocking allowed traffic

      hsv

      Hi
      I cannot see what I am missing
      But I have these rules
      0/0 B
      IPv6 TCP fc00:18f:11ab:3012:0:0:0:11 * fc00:18f:11ab:3010:0:0:0:11 2500 * none Passed via EasyRule
      0/0 B
      IPv6 TCP fc00:18f:11ab:3012::11 * fc00:18f:11ab:3010::11 2500 * none Passed via EasyRule
      0/1.07 MiB

      But in the firewall log it says this

      Action Time Interface Source Destination Protocol
      X Jan 4 00:18:00 NNF_TESTLAN_VLAN3012 [fc00:18f:11ab:3012::11]:56450 [fc00:18f:11ab:3010::11]:2500 TCP:S

      As you can see I have tried with both short and long form of IPv6

      Other IPv6 traffic works but not this traffic.

      I have tried to capture some traffic to see if that would help, but no.
      23:15:37.125400 IP6 fc00:18f:11ab:3012::11.56449 > fc00:18f:11ab:3010::11.2500: tcp 0
      23:17:45.447200 IP6 fc00:18f:11ab:3012::11.56450 > fc00:18f:11ab:3010::11.2500: tcp 0
      23:17:46.461041 IP6 fc00:18f:11ab:3012::11.56450 > fc00:18f:11ab:3010::11.2500: tcp 0
      23:17:48.469205 IP6 fc00:18f:11ab:3012::11.56450 > fc00:18f:11ab:3010::11.2500: tcp 0

      Any ideas?

      Regards
      Henning

        johnpoz LAYER 8 Global Moderator @hsv

        @hsv The order of rules matters: top down, first to trigger wins. Can you put up a picture of the rules where you're seeing these blocks? Do you have any rules in the floating tab?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          hsv @johnpoz

          @johnpoz

          Hi John

          Thanks for your reply and questions.

          No, I do not use floating rules.

          After I changed the IPv6 number for the interface from fc00:18f:11ab:3010::1 to fc00:18f:11ab:3010:0:0:0:1 the rules started to work and all the other rules still worked.

          I have had problems with IPv6 before where the fix is to change the IPv6 number for the interface from short IPv6 form to long and back again when it stops working again. So I have had this problem before that suddenly pfSense stops working with some rules and then I have to change the format for IPv6 and then it works again.
          This is the first time where it was only some rules. All the previous problems were on 2.6, but always on one interface, not all.

          Regards
          Henning

            johnpoz LAYER 8 Global Moderator @hsv

            @hsv said in Firewall blocking allowed traffic:

            c00:18f:11ab:3010:0:0:0:1

            Your block up there is to :11, not :1. If you're only allowing to :1 then yeah, to :11 would be blocked.

              hsv @johnpoz

              @johnpoz
              Hi John
              That was fast:-)

              Sorry that my explanation was not clear enough.
              fc00:18f:11ab:3010::1 and fc00:18f:11ab:3010:0:0:0:1 is the default gateway for the subnet on the interface. That was what I tried to explain by saying I change the IPv6 number of the interfaces from short to long or the other way.
              So no, the server has the same IPv6 number all the time, ending in 11 (fc00:18f:11ab:3010::11).
              Configuration of the Interfaces:
              IPv4 Configuration Type: Static IPv4
              IPv6 Configuration Type: Static IPv6

              Static IPv6 Configuration
              IPv6 address
              fc00:18f:11ab:3010::1/64 (Short)
              or
              fc00:18f:11ab:3010:0:0:0:1/64 (Long)

              Regards
              Henning
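
The comparison discussed in the thread (short versus long IPv6 notation, and :1 versus :11), as an added example that is not part of any post and is not pfSense code. It parses the rule rows and the log line quoted in the first post and compares them as addresses rather than as text; the function names and the assumed column order of a pasted rule row are illustrative assumptions.

```python
import ipaddress
import re

# Constructed sample input: the rule rows and log line as quoted in the first post.
RULES = [
    "IPv6 TCP fc00:18f:11ab:3012:0:0:0:11 * fc00:18f:11ab:3010:0:0:0:11 2500 * none Passed via EasyRule",
    "IPv6 TCP fc00:18f:11ab:3012::11 * fc00:18f:11ab:3010::11 2500 * none Passed via EasyRule",
]
LOG = "X Jan 4 00:18:00 NNF_TESTLAN_VLAN3012 [fc00:18f:11ab:3012::11]:56450 [fc00:18f:11ab:3010::11]:2500 TCP:S"


def parse_rule(row):
    """Assumed column order: family, protocol, source, source port, destination, destination port."""
    _family, proto, src, sport, dst, dport = row.split()[:6]
    return (proto.upper(), ipaddress.IPv6Address(src), sport,
            ipaddress.IPv6Address(dst), dport)


def parse_log(line):
    """Extract the two bracketed [address]:port pairs and the protocol from a log row."""
    (src, sport), (dst, dport) = re.findall(r"\[([0-9a-fA-F:]+)\]:(\d+)", line)
    proto = line.split()[-1].split(":")[0]  # "TCP:S" -> "TCP"
    return (proto.upper(), ipaddress.IPv6Address(src), sport,
            ipaddress.IPv6Address(dst), dport)


def matches(rule, pkt):
    """True when protocol and both addresses are equal and each rule port is '*' or equal."""
    ports_ok = all(r in ("*", p) for r, p in ((rule[2], pkt[2]), (rule[4], pkt[4])))
    return rule[0] == pkt[0] and rule[1] == pkt[1] and rule[3] == pkt[3] and ports_ok


def audit(rules, log_line):
    """Report duplicate rules and which rule indexes cover the logged packet."""
    parsed = [parse_rule(r) for r in rules]
    pkt = parse_log(log_line)
    return {
        "duplicate_rules": len(set(parsed)) < len(parsed),
        "matching_rules": [i for i, r in enumerate(parsed) if matches(r, pkt)],
        "canonical_dst": pkt[3].compressed,
    }


if __name__ == "__main__":
    print(audit(RULES, LOG))
```

Compared as addresses, the two rows are one and the same rule and both cover the logged SYN, while a rule whose destination ends in ::1 does not cover a packet to ::11.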

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.