pfSense 25.11RC does not like IPv6 turned off?

Bob.Dig

@gniting No problem here, I just tested this.

kprovost

@gniting Do you by any chance have nat64 rules?

gniting

@kprovost said in pfSense 25.11RC does not like IPv6 turned off?:

@gniting Do you by any chance have nat64 rules?

Nope, I do not.

gniting

@Bob.Dig said in pfSense 25.11RC does not like IPv6 turned off?:

@gniting No problem here, I just tested this.

So you were able to upgrade to 25.11RC while having "allow IPv6" off?

stephenw10

Hmm, can't replicate that so far.

Unsetting that doesn't disable IPv6 in the kernel. It just removes the default IPv6 rules that pass traffic.

Can you see exactly what rule is generating that?

gniting

@stephenw10 said in pfSense 25.11RC does not like IPv6 turned off?:

Hmm, can't replicate that so far.

Unsetting that doesn't disable IPv6 in the kernel. It just removes the default IPv6 rules that pass traffic.

Can you see exactly what rule is generating that?

How do I go about that? Also, I am assuming you are recommending I turn off "Allow IPv6" and then try to hunt down the rule?

stephenw10

Yes, if you can replicate it in 25.11RC by simply disabling allow IPv6. Look at the system logs for errors. Try running Status > Filter Reload and see where it errors.

I still can't generate that error here even on systems with NAT64. So it seems likely you have some other unusual rule.

Are you able to upload your ruleset to us for testing? If so please upload the /tmp/rules.debug file here: https://nc.netgate.com/nextcloud/s/cFFWNHnLdm3rXtQ

luckman212

@stephenw10 I'm getting this too on a 3100 running 25.07.1

I've skimmed over the rules.debug but don't see anything that jumps out. Also tried disabling Allow IPv6 on Advanced settings but it had no effect, the error still presented.

My settings...

I uploaded the rules.debug to the same drop:

(Happy Thanksgiving)

gniting

@stephenw10 said in pfSense 25.11RC does not like IPv6 turned off?:

Yes, if you can replicate it in 25.11RC by simply disabling allow IPv6. Look at the system logs for errors. Try running Status > Filter Reload and see where it errors.

I still can't generate that error here even on systems with NAT64. So it seems likely you have some other unusual rule.

Are you able to upload your ruleset to us for testing? If so please upload the /tmp/rules.debug file here: https://nc.netgate.com/nextcloud/s/cFFWNHnLdm3rXtQ

Disabled "Allow IPv6" and rebooted.

All is well! I am stumped now.

stephenw10

@luckman212 Does it throw the same error against that file if you try to load it at the CLI?
pfctl -f /tmp/rulesdebug

luckman212

@stephenw10 Yes, it does.

Interestingly, when run with the dry-run (-n) flag, it does not error at all.