Netgate Discussion Forum

Mixing IPv4 and IPv6 addresses in aliases not working as expected

2.1 Snapshot Feedback and Problems - RETIRED
    bl0815
    last edited by May 31, 2012, 1:38 PM

    I'm using pfSense 2.1-DEVELOPMENT, Built On: Fri May 18 05:58:04 EDT 2012

    I set up some aliases with IPv4 and IPv6 addresses, e.g. for some dual-stacked hosts.
    Now I would like to use such an alias to allow e.g. HTTP for IPv4 and IPv6 in one rule.
    But such a rule results in something like:
    pass in log quick on em0 reply-to (em0 129.x.y.z) inet proto tcp from <alias_1> to <alias_2> port = http flags S/SA keep state label "USER_RULE: allow HTTP"
    IPv4 traffic is ok, but IPv6 is not working, I think because of the "reply-to (em0 129.x.y.z)".

    Is there a chance that in a future version of pfSense it will be possible to have one rule for dual-stacked aliases?

      podilarius
      last edited by May 31, 2012, 2:31 PM

      First, I don't think you can combine IPv4 and IPv6 rules. You also cannot combine aliases. You will have to have one alias for IPv4 and another for IPv6. You will also have to have two firewall rules as well.

        jimp Rebel Alliance Developer Netgate
        last edited by May 31, 2012, 4:53 PM

        Mixing in an alias is OK, but you need two rules:
        one for IPv4 and one for IPv6, both identical except for IPv4/6 selected.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          databeestje
          last edited by May 31, 2012, 6:50 PM

          Rules that apply to both address families are on the roadmap. There is just no ticket yet.

            bl0815
            last edited by Jun 1, 2012, 9:00 AM

            It's good to know it is on the roadmap.

            And there is now also a ticket: http://redmine.pfsense.org/issues/2466

              databeestje
              last edited by Jun 1, 2012, 7:27 PM

              I just added that ticket and committed the code too. This is mainly for reference. Try and provide feedback.

                rcfa
                last edited by Jun 1, 2012, 8:30 PM

                @databeestje:

                I just added that ticket and committed the code too. This is mainly for reference. Try and provide feedback.

                I've added code that allows for setting a firewall rule to IPv4+IPv6

                Limitations:

                • only allows tcp/udp and icmp
                • no icmp types
                • no gateways or groups

                Considering locking it down further to just rules with aliases.

                Can you elaborate a bit on why the restrictions you listed are there? Just trying to understand the reasoning.

                e.g. if I want the system to just act as a router, in IPv4-only, I just create a floating rule with allow any protocol from any address to any address on any interface. It would seem I can't do that specifying "any version of IP protocol", because that would run afoul of the "any protocol" part of the rule.

                Are these IPv6/IPv4-combo rules broken into two rules behind the scenes, or do they remain one rule at the pf-level?

                  databeestje
                  last edited by Jun 1, 2012, 8:42 PM

                  Yeah this is just 1 rule. These are not broken up into 2 rules, so I want to limit the choices

                  When we code support for splitting the rule behind the scenes some of the limitations may go.

                  I might actually add the any type. But I need to verify it doesn't cause rule errors before I do so.

                    bl0815
                    last edited by Jun 14, 2012, 1:12 PM

                    @databeestje:

                    I just added that ticket and committed the code too. This is mainly for reference. Try and provide feedback.

                    Updated today to 2.1-BETA0 (amd64) built on Wed Jun 13 15:10:24 EDT 2012

                    On OPT-Interfaces dual-stack rules with dual-stack aliases are now working.
                    But as you have written in your comment to feature #2466 it is still not working on WAN-Interface rules.

                    What is the purpose of the "reply-to (wan-interface default-gw)" part of WAN-interface rules?

                      jimp Rebel Alliance Developer Netgate
                      last edited by Jun 14, 2012, 5:57 PM

                      reply-to ensures that traffic goes back out the way it came in.

                      So in a multi-wan setup, if you query something (such as a port forward) that goes through to lan, when the return traffic goes back out, it would still leave via the wan it came in through. Otherwise it would consult the routing table and use the default gateway.


                        bl0815
                        last edited by Jun 15, 2012, 9:19 AM

                        @jimp:

                        reply-to ensures that traffic goes back out the way it came in.

                        So in a multi-wan setup, if you query something (such as a port forward) that goes through to lan, when the return traffic goes back out, it would still leave via the wan it came in through. Otherwise it would consult the routing table and use the default gateway.

                        Thanks!

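As a worked illustration of two points in this thread, jimp's answer that a dual-stacked alias is fine but needs one inet rule and one inet6 rule, and his later explanation of what the reply-to gateway on a WAN rule does, here is an added example. It is not pfSense code and not code posted by anyone in the thread. It is a small Python generator that takes mixed-family aliases, emits the pf table lines and the two per-family pass rules (each carrying the reply-to gateway of its own family), and includes two checks a practitioner would want: whether a rule's reply-to gateway is of the same address family as the rule, and whether a given source/destination pair can match a rule at all. The alias contents, the interface name em0 and the gateway addresses are constructed from documentation ranges; the rule template is copied from the rule quoted in the first post. One fact the example relies on, independent of pfSense: in pf the `inet` keyword restricts a rule to IPv4 and `inet6` to IPv6 regardless of what the referenced table contains, so a single `inet` rule never passes IPv6 even when the table holds IPv6 members.

```python
import ipaddress
import re

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges) standing in
# for two pfSense aliases that each hold dual-stacked entries.
ALIASES = {
    "alias_1": ["192.0.2.10", "2001:db8::10", "192.0.2.11", "2001:db8::11"],
    "alias_2": ["198.51.100.0/24", "2001:db8:1::/64"],
}

# Constructed per-family gateways for the interface the rule is bound to.
# On a WAN rule pfSense adds reply-to with the interface gateway so replies
# leave the way they came in; each address family needs its own gateway.
GATEWAYS = {4: "192.0.2.1", 6: "2001:db8::1"}

# Rule shape taken from the rule quoted at the top of the thread; only the
# address family and the reply-to gateway differ between the two rules.
RULE = ('pass in log quick on {iface} {reply_to}{af} proto tcp '
        'from <{src}> to <{dst}> port = {port} flags S/SA keep state '
        'label "USER_RULE: {label}"')


def fmt(net):
    """pf table syntax: bare address for a single host, CIDR for a network."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def split_by_family(entries):
    """Split alias entries into (ipv4, ipv6) lists. A mixed table is legal in
    pf, but a rule only matches the members whose family agrees with its
    inet/inet6 keyword, which is why one 'inet' rule never passes IPv6."""
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        (v4 if net.version == 4 else v6).append(fmt(net))
    return v4, v6


def table_lines(aliases):
    """One 'table <name> { ... }' line per alias, both families together."""
    lines = []
    for name, entries in aliases.items():
        v4, v6 = split_by_family(entries)
        lines.append("table <%s> { %s }" % (name, ", ".join(v4 + v6)))
    return lines


def render_rules(iface, src, dst, port, label, gateways, families=(4, 6)):
    """The two rules jimp describes: identical except for inet/inet6, each
    carrying the reply-to gateway of its own family (none if there is none)."""
    rules = []
    for fam in families:
        gw = gateways.get(fam)
        rules.append(RULE.format(
            iface=iface,
            reply_to="reply-to (%s %s) " % (iface, gw) if gw else "",
            af="inet" if fam == 4 else "inet6",
            src=src, dst=dst, port=port, label=label))
    return rules


REPLY_TO_RE = re.compile(r"reply-to \(\S+ (\S+)\)")
RULE_RE = re.compile(r"\b(inet6?)\b.*?from <(\w+)> to <(\w+)>")


def reply_to_mismatch(rule):
    """True when a rule's reply-to gateway is not of the rule's own address
    family, the shape the original poster suspected for the IPv6 traffic."""
    gw, hdr = REPLY_TO_RE.search(rule), RULE_RE.search(rule)
    if not gw or not hdr:
        return False
    af = 4 if hdr.group(1) == "inet" else 6
    return ipaddress.ip_address(gw.group(1)).version != af


def rule_covers(rule, src_ip, dst_ip, aliases):
    """Would a src_ip -> dst_ip packet match the rule? Both addresses must be
    in the named tables and both must belong to the rule's address family."""
    hdr = RULE_RE.search(rule)
    if not hdr:
        return False
    af = 4 if hdr.group(1) == "inet" else 6
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != af or dst.version != af:
        return False

    def in_table(ip, name):
        return any(ip in ipaddress.ip_network(e, strict=False) for e in aliases[name])

    return in_table(src, hdr.group(2)) and in_table(dst, hdr.group(3))


if __name__ == "__main__":
    for line in table_lines(ALIASES):
        print(line)
    for rule in render_rules("em0", "alias_1", "alias_2", "http", "allow HTTP", GATEWAYS):
        print(rule, "  # reply-to family mismatch" if reply_to_mismatch(rule) else "")
```

Running the script prints the two table lines and the IPv4 and IPv6 rule; `rule_covers` shows that an IPv6 host pair from the same alias is rejected by the `inet` rule and accepted only by the `inet6` one, and `reply_to_mismatch` flags a rule that pairs `inet6` with an IPv4 gateway, which is the check to run over generated rules on an interface that only has a gateway for one family.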
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.