Netgate Discussion Forum

    Outbound ping blocked

    Category: Firewalling (12 posts, 4 posters)
    johnpoz (LAYER 8 Global Moderator), replying to @revengineer:

      @revengineer I can tell you that is not blocked by default. There are specific rules to allow IPv6 to work. There are also rules to allow traffic from pfsense itself to go anywhere it wants.

      # IPv6 ICMP is not auxiliary, it is required for operation
      # See man icmp6(4)
      # 1    unreach         Destination unreachable
      # 2    toobig          Packet too big
      # 128  echoreq         Echo service request
      # 129  echorep         Echo service reply
      # 133  routersol       Router solicitation
      # 134  routeradv       Router advertisement
      # 135  neighbrsol      Neighbor solicitation
      # 136  neighbradv      Neighbor advertisement
      pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
      
      # let out anything from the firewall host itself and decrypted IPsec traffic
      pass out  inet all keep state allow-opts ridentifier 1000015165 label "let out anything IPv4 from firewall host itself"
      pass out  inet6 all keep state allow-opts ridentifier 1000015166 label "let out anything IPv6 from firewall host itself"
      

      So you have a rule on your floating tab for outbound blocking icmp that is not pfsense's own address? You hid the source IP; is that the pfsense IP? Out of the box there are no floating rules. So since that is an outbound rule (the little arrow) it must be a rule you created? Or maybe you unchecked allow IPv6 in advanced, which creates specific block rules?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

    SteveITS (Rebel Alliance), replying to @revengineer:

        @revengineer The reply would be allowed by the open state. What's the right column?
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

    revengineer:

          @johnpoz I checked the WAN and Floating rules and they are all for IPv4; there are no IPv6 rules.

          I have rebooted the firewall and the problem went away. The gateway shows green/online in the dashboard, and the block errors in the firewall log stopped showing. I have changed nothing else so perhaps it is not rule related?

          I can report that this has occurred to me multiple times since upgrading to v2.8.0. That is, the IPv6 gateway will sometimes show red upon booting, and a reboot fixes the problem and makes it green again. It will then stay green until the next reboot.

          Perhaps 2.8.1 will magically fix the issue, but I will want to wait until this version goes from beta to stable before I test this.

    revengineer, replying to @SteveITS:

             @SteveITS Not sure what you mean. The image above shows the right column as "ICMPv6", and per the web page you linked this column is labeled "Protocol".

             I should have stated before that the source IPv6, which I obscured, is that of my pfsense box.

    johnpoz (LAYER 8 Global Moderator), replying to @revengineer:

               @revengineer What specific rule blocked it? If you move your mouse over the X it would give you the rid, or if you click the X you will get more info.

               Or if, in the log settings, you tell it to show the rule as a column, it will tell you which rule blocked. For example, on that block it's my scan deny rule:

               [image: rulethatblock.jpg]

               It's quite possible you got blocked by this rule, because you had no valid IPv6 address?

              block out  inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
              

              But we need to see the details of which specific rule is blocking your traffic to help figure out what is going on.

    SteveITS (Rebel Alliance), replying to @revengineer:

                 @revengineer Yeah, my bad, sorry. Hadn't had much coffee yet yesterday.

                 @revengineer said in Outbound ping blocked:

                     rebooted the firewall and the problem went away

                 Did your WAN IPv6 address change at that point?

    revengineer:

                   @johnpoz Thank you for the tips on how to find the associated blocking rule. Unfortunately, there have been so many blocks that all my filter.log.* files only go back several hours but not to yesterday morning. So I will have to wait until the problem reoccurs. I may need the weekend to play with this.

                   @SteveITS The next time this occurs, I will check for a change of the IPv6 address. I believe that I checked the last four letters and there was no change. But this is preliminary and I certainly did not check the entire address.

                  I will post back here when I have an update. In the meantime, I appreciate the troubleshooting tips described above.

    revengineer:

                    Finally, the problem returned. The rule that triggered this action is:

                    @137 block drop out log quick inet6 proto ipv6-icmp from any to 2606:4700:4700::1111 icmp6-type echoreq label "gateway monitoring" ridentifier 1000016411
                    

                     I do not see such a rule in my set. Does this help for diagnostics?

                    EDIT: In Routing, I see that my gateway address for IPv6 is currently listed as "dynamic". I believe that this is usually not the case.

                    EDIT2: Rebooted, gateway back to green, firewall no longer triggered, gateway now has an IPv6 address again (no longer dynamic).

    johnpoz (LAYER 8 Global Moderator), replying to @revengineer:

                       @revengineer said in Outbound ping blocked:

                           I do not see such rule in my set

                       Not all rules are shown in the GUI. You can view the full rule list here:

                       https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

                       I don't have a lot of experience with IPv6 from an ISP. I use an HE tunnel, where everything is statically set up so nothing changes.

                       But isn't that address a Cloudflare IPv6 address? Are you using that for monitoring vs just whatever your normal IPv6 gateway would be from your ISP?

    revengineer, replying to @johnpoz:

                        @johnpoz Thank you for the hints. I used the command

                        pfctl -sa
                        

                         to grab the complete rule set. There are currently no block rules for icmp traffic and the label "gateway monitoring" cannot be found. So the reboot must have cleared this rule, which seems to imply that it gets dynamically generated. The next time this issue reoccurs, I will try the above command again to verify that the blocking rule is in the listing.

                         Indeed, I use the Cloudflare IPv6 DNS server address to verify that the IPv6 gateway is up. My internet provider (Xfinity in the US) changed their network early this year, and since then, their IPv6 gateways are not pingable anymore. So I had to choose another address based on a recommendation from someone in a previous thread on this message board.

                        I do not have much experience with IPv6 either. I just set up the gateway because the internet provider is assigning both IPv4 and IPv6 addresses. If I were not a little OCD, I would perhaps ignore it. But understanding the issue would be useful for my education.

    pkx232c:
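The two techniques above (johnpoz's tip to read the rid/tracker off the blocked entry, and the `pfctl` search for the "gateway monitoring" label) can be combined into one small correlator. The following is an added example, not code from this thread or from pfSense. It assumes the filterlog CSV field order Netgate documents (rule-number, sub-rule-number, anchor, tracker, real-interface, reason, action, direction, ip-version, then the per-version fields up to the destination address) and the `@N ... ridentifier N` line shape of `pfctl -vvsr`; the sample log lines and ruleset are constructed, with only the 2606:4700:4700::1111 monitor address, the @137 index and the 1000016411 ridentifier taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of /var/log/filter.log. Interface names,
# addresses and the trailing protocol-specific fields are made up or omitted.
SAMPLE_FILTER_LOG = """\
Oct  1 08:11:58 pfSense filterlog[53422]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,54321,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51234,22
Oct  1 08:12:01 pfSense filterlog[53422]: 137,,,1000016411,igb0,match,block,out,6,0x00,0x00000,64,ICMPv6,58,64,2001:db8:0:1::2,2606:4700:4700::1111
Oct  1 08:12:01 pfSense filterlog[53422]: 140,,,1000015166,igb0,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,64,2001:db8:0:1::2,2001:db8::53
"""

# Constructed in the shape of `pfctl -vvsr`: a "@N ..." rule line followed by
# counter lines. Tracker 1000000103 from the first log line is deliberately
# absent, the situation revengineer hit after the reboot removed the rule.
SAMPLE_PFCTL_VVSR = """\
@106 block drop out inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
  [ Evaluations: 8812      Packets: 41        Bytes: 4592        States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@137 block drop out log quick inet6 proto ipv6-icmp from any to 2606:4700:4700::1111 icmp6-type echoreq label "gateway monitoring" ridentifier 1000016411
  [ Evaluations: 120       Packets: 12        Bytes: 1344        States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@138 pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000015166
  [ Evaluations: 5000      Packets: 4001      Bytes: 300213      States: 3     ]
  [ Inserted: uid 0 pid 1234 State Creations: 3     ]
"""

_FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.+)$")
_RULE_RE = re.compile(r"^@(?P<idx>\d+)\s+(?P<text>.+)$")
_LABEL_RE = re.compile(r'label "(?P<label>[^"]*)"')
_RID_RE = re.compile(r"ridentifier (?P<rid>\d+)")


@dataclass
class LogEntry:
    rule_index: int   # pf rule number (@N in pfctl output); shifts on reload
    tracker: int      # pfSense tracker id, equal to the rule's ridentifier
    interface: str
    action: str       # pass / block
    direction: str    # in / out
    ip_version: int
    proto: str
    src: str
    dst: str


@dataclass
class PfRule:
    index: int
    text: str
    label: str
    tracker: Optional[int]


def parse_filterlog_line(line: str) -> Optional[LogEntry]:
    """Parse one syslog line from filter.log; returns None for non-filterlog lines."""
    m = _FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    version = int(f[8])
    if version == 4:       # tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst
        proto, src, dst = f[16], f[18], f[19]
    elif version == 6:     # class,flow-label,hop-limit,proto,proto-id,len,src,dst
        proto, src, dst = f[12], f[15], f[16]
    else:
        return None
    return LogEntry(int(f[0]), int(f[3]), f[4], f[6], f[7], version, proto, src, dst)


def parse_pfctl_rules(text: str) -> Dict[int, PfRule]:
    """Index `pfctl -vvsr` output by @N; counter lines are skipped."""
    rules: Dict[int, PfRule] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        idx, body = int(m.group("idx")), m.group("text")
        lm, rm = _LABEL_RE.search(body), _RID_RE.search(body)
        rules[idx] = PfRule(idx, body, lm.group("label") if lm else "",
                            int(rm.group("rid")) if rm else None)
    return rules


def find_blocking_rule(entry: LogEntry, rules: Dict[int, PfRule]) -> Optional[PfRule]:
    """Match on the tracker, not @N: the index changes whenever the ruleset reloads."""
    return next((r for r in rules.values() if r.tracker == entry.tracker), None)


def rules_with_label(rules: Dict[int, PfRule], needle: str) -> List[PfRule]:
    """What `pfctl -sa | grep 'gateway monitoring'` does, on the parsed ruleset."""
    return [r for r in rules.values() if needle.lower() in r.label.lower()]


def explain(log_text: str, ruleset_text: str) -> List[str]:
    """One line per logged block: which loaded rule (if any) produced it."""
    rules = parse_pfctl_rules(ruleset_text)
    out: List[str] = []
    for line in log_text.splitlines():
        e = parse_filterlog_line(line)
        if e is None or e.action != "block":
            continue
        r = find_blocking_rule(e, rules)
        where = (f'@{r.index} label "{r.label}"' if r
                 else "rule no longer loaded (ruleset reloaded since the log entry?)")
        out.append(f"{e.direction} {e.proto} {e.src} -> {e.dst} on {e.interface} "
                   f"blocked by tracker {e.tracker}: {where}")
    return out


if __name__ == "__main__":
    for summary in explain(SAMPLE_FILTER_LOG, SAMPLE_PFCTL_VVSR):
        print(summary)
```

On the firewall the inputs would be `tail /var/log/filter.log` and `pfctl -vvsr` captured while the problem is present; as the thread shows, once the ruleset has been reloaded (here by a reboot) the tracker in an old log line no longer maps to any loaded rule, which is what the fallback message reports.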

                          Hello,

                          Same issue here, a "gateway monitoring" rule blocks IPv6 gateway monitoring.
                          Removing the monitor address from the gateway configuration and re-adding it causes the rule to disappear and monitoring works again until next interface reset.

                          The issue began after upgrade to 2.8.0 and is still here in 2.8.1.

                          Best regards,

                          Ed

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.