Mixing IPv4 and IPv6 addresses in aliases not working as expected

bl0815

I'm using pfsense  2.1-DEVELOPMENT, Built On: Fri May 18 05:58:04 EDT 2012

I set up some aliases with IPv4 and IPv6 addresses, e.g. for some dual-stacked hosts.
Now I would like to use such an alias to allow e.g. HTTP for IPv4 and IPv6 in one rule.
But such a rule results in something like:
pass in log quick on em0 reply-to (em0 129.x.y.z) inet proto tcp from <alias_1>to <alias_2>port = http flags S/SA keep state label "USER_RULE: allow HTTP"
IPv4 traffic is ok, but IPv6 is not working, I think because of the "reply-to (em0 129.x.y.z).

Is there a chance that in a future version of pfsense it will be possible to have one rule for dual-stacked aliases?</alias_2></alias_1>

podilarius

First, I don't think you can combine IPV4 and IPV6 rules. You also cannot combine aliases. You will have to have one alias for IPv4 and another IPv6. You will also have to have 2 firewall rules as well.

jimp

Mixing in an alias is OK but you need two rules
One for IPv4 and one for IPv6, both identical except for IPv4/6 selected.

databeestje

Rules that apply to both address families are on the roadmap. There is just no ticket yet.

bl0815

It's good to know it is on the roadmap.

And there is now also a ticket: http://redmine.pfsense.org/issues/2466

databeestje

I just added that ticket and committed the code too. This is mainly for reference. Try and provide feedback.

rcfa

@databeestje:

I just added that ticket and committed the code too. This is mainly for reference. Try and provide feedback.

I've added code that allows for setting a firewall rule to IPv4+IPv6

Limitations:

• only allows tcp/udp and icmp
• no icmp types
• no gateways or groups

Considering locking it down further to just rules with aliases.

Can you elaborate a bit on why the restrictions are there you listed? Just trying to understand the reasoning.

e.g. if I want the system to just act as a router, in IPv4-only, I just create a floating rule with allow any protocol from any address to any address on any interface. It would seem I can't do that specifying "any version of IP protocol", because that would run afoul of the "any protocol" part of the rule.

Are these IPv6/IPv4-combo rules broken into two rules behind the scenes, or do they remain one rule at the pf-level?

databeestje

Yeah this is just 1 rule. These are not broken up into 2 rules, so I want to limit the choices

When we code support for splitting the rule behind the scenes some of the limitations may go.

I might actually add the any type. But I need to verify it doesn't cause rule errors before I do so.

bl0815

@databeestje:

I just added that ticket and committed the code too. This is mainly for reference. Try and provide feedback.

Updated today to 2.1-BETA0 (amd64) built on Wed Jun 13 15:10:24 EDT 2012

On OPT-Interfaces dual-stack rules with dual-stack aliases are now working.
But as you have written in your comment to feature #2466 it is still not working on WAN-Interface rules.

What is the purpose of the "reply-to (wan-interface default-gw)" part of WAN-interface rules?

jimp

reply-to ensures that traffic goes back out the way it came in.

So in a multi-wan setup, if you query something (such as a port forward) that goes through to lan, when the return traffic goes back out, it would still leave via the wan it came in through. Otherwise it would consult the routing table and use the default gateway.

bl0815

@jimp:

reply-to ensures that traffic goes back out the way it came in.

So in a multi-wan setup, if you query something (such as a port forward) that goes through to lan, when the return traffic goes back out, it would still leave via the wan it came in through. Otherwise it would consult the routing table and use the default gateway.

Thanks!