Internal IPV6 Traffic Blocked by Default Deny Rule
-
Hi,
I am a home user on pfSense CE 2.7.2 and have a problem with IPV6 traffic being blocked between my internal networks.
I have the following setup:
WAN(igc0), DHCP6 client, prefix delegation size 60

Internal Networks

| Network | Prefix ID | VLAN | Virtual IP | IPV4 Config |
|---|---|---|---|---|
| LAN(em1) | 5 | | fd05::1/64 | 192.168.5.1/24 |
| INT1(em1.6) | 6 | 6 | | 192.168.6.1/24 |
| INT2(em1.9) | 9 | 9 | fd09::1/64 | 192.168.9.1/24 |
| INT3(em0) | a | | fd0a::1/64 | 192.168.10.1/24 |
INT1 is my guest network and has rules to reject any traffic to the other internal networks.
I have a Linux machine on the LAN network which I use to provide various services, such as file hosting. In addition to the WAN tracked address, I have also assigned it the addresses 192.168.5.10 and fd05::10 (I know that 10 != 0x10).
The LAN, INT2, and INT3 networks have the standard default allow rules for both IPV4 and IPV6.
My issue is that clients on the INT2 and INT3 networks are unable to reach the server at fd05::10. After some digging I found the following in the firewall logs while trying to ping from the fd0a network to the fd05 network:
Feb 3 10:27:25 gateway filterlog[11324]: 6,,,1000000105,em0,match,block,in,6,0x00,0x0266b,64,ICMPv6,58,64,fd0a::922e:16ff:fe3f:7834,fd05::10,
The reverse works fine. I can ping fd0a::922e:16ff:fe3f:7834 from fd05::10.
I have no problems reaching 192.168.5.0/24 from 192.168.10.0/24.
I have no problems reaching the global address of the fd05::10 machine.
I ended up adding a floating rule to allow all IPv6 traffic from LAN (probably not necessary), INT2, and INT3, so now it works.
I feel like I shouldn't have to do this though. The existing rules on the INT2 and INT3 interfaces to allow all IPv6 traffic should have allowed it.
Is it because the rule on the interface allows traffic from the INT3 subnets but fd0a::/64 is not included in those subnets? The floating rule is on the interface itself, not subnets. Is it some sort of ordering issue?
Thanks,
Jared
-
@paradoiley Sounds like this. There is a patch but turns out it has side effects.
-
@Bob-Dig That would be it. Thanks!
Since I'm a network engineer in my spare time only, I didn't know to search for ULA and GUA :)
I'll stick with my floating rule for now and wait for the patch to be patched.
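As an added illustration (not code from the thread or from pfSense), here is a small parser for the IPv6 form of the filterlog line quoted above, together with a model of Jared's hypothesis that the "INT3 subnets" source macro expands only to the tracked GUA prefix and not to the ULA virtual IP. The GUA prefixes are placeholders from the 2001:db8::/32 documentation range; the ULA prefixes and interface names are taken from the table in the first post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the filterlog line quoted in the thread
# (the blocked ping from the INT3/em0 side towards fd05::10).
SAMPLE_LOG = """\
Feb 3 10:27:25 gateway filterlog[11324]: 6,,,1000000105,em0,match,block,in,6,0x00,0x0266b,64,ICMPv6,58,64,fd0a::922e:16ff:fe3f:7834,fd05::10,
"""

@dataclass
class FilterEvent:
    iface: str
    action: str
    direction: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address

def parse_filterlog(line):
    """Parse the IPv6 variant of a pfSense filterlog CSV record."""
    csv = line.split("filterlog[", 1)[1].split("]: ", 1)[1]
    f = csv.split(",")
    if f[8] != "6":
        raise ValueError("only IPv6 records are handled here")
    # IPv6 field layout: rule,subrule,anchor,tracker,iface,reason,action,dir,
    # ipver,class,flowlabel,hlim,protoname,proto,length,src,dst
    return FilterEvent(f[4], f[6], f[7],
                       ipaddress.IPv6Address(f[15]), ipaddress.IPv6Address(f[16]))

# Hypothetical expansion of the "<interface> subnets" rule source macro.
# TRACKED_GUA values are placeholders (documentation prefix); ULA values are
# the virtual IPs from the thread's table (em0 = INT3, em1 = LAN).
TRACKED_GUA = {"em0": ipaddress.IPv6Network("2001:db8:0:a::/64"),
               "em1": ipaddress.IPv6Network("2001:db8:0:5::/64")}
ULA = {"em0": ipaddress.IPv6Network("fd0a::/64"),
       "em1": ipaddress.IPv6Network("fd05::/64")}

def interface_subnets(iface, include_ula):
    """Prefixes the source macro covers, with or without the ULA virtual IP."""
    nets = [TRACKED_GUA[iface]]
    if include_ula:
        nets.append(ULA[iface])
    return nets

def source_matches(event, include_ula):
    """Would a 'source: <iface> subnets' rule have matched this packet?"""
    return any(event.src in n for n in interface_subnets(event.iface, include_ula))

def ula_gap_events(log_text):
    """Blocked inbound events whose source is the interface's ULA but not its GUA:
    exactly the traffic the hypothesised macro gap would send to the default deny."""
    events = (parse_filterlog(l) for l in log_text.splitlines() if "filterlog[" in l)
    return [e for e in events
            if e.action == "block" and e.direction == "in"
            and e.src in ULA.get(e.iface, ipaddress.IPv6Network("::/128"))
            and not source_matches(e, include_ula=False)]
```

Run against a real filter log export, the last function gives a quick way to see whether only ULA-sourced packets are being dropped before deciding a floating rule is really needed.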