    Servers behind 6to4 IPv6 interface

    jimp (Rebel Alliance Developer, Netgate):

      OK, how about the raw log output (clog /var/log/filter.log) for those connections and also /tmp/rules.debug?

      That would give us more detail about exactly which interfaces are involved in the background here.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      podilarius:

        Here are the logs from filter.log.

        May  1 10:28:23 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xd537 (correct), seq 1951051361, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
        May  1 10:28:26 officefw pf: 00:00:02.987371 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 64163, offset 0, flags [none], proto IPv6 (41), length 92)
        May  1 10:28:26 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55171 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xf3c2 (correct), seq 3416078468, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
        May  1 10:28:26 officefw pf: 00:00:00.001893 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 39261, offset 0, flags [none], proto IPv6 (41), length 92)
        May  1 10:28:26 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xd537 (correct), seq 1951051361, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
        May  1 10:28:32 officefw pf: 00:00:05.969728 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 29939, offset 0, flags [none], proto IPv6 (41), length 88)
        May  1 10:28:32 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 28) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55171 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0x07cc (correct), seq 3416078468, win 8192, options [mss 1220,nop,nop,sackOK], length 0
        May  1 10:28:32 officefw pf: 00:00:00.001497 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 49309, offset 0, flags [none], proto IPv6 (41), length 88)
        May  1 10:28:32 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 28) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xe940 (correct), seq 1951051361, win 8192, options [mss 1220,nop,nop,sackOK], length 0
        May  1 10:28:44 officefw pf: 00:00:11.938549 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 36504, offset 0, flags [none], proto IPv6 (41), length 92)
        May  1 10:28:44 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55173 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xcdaf (correct), seq 2091298188, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
        May  1 10:28:47 officefw pf: 00:00:02.991260 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 38019, offset 0, flags [none], proto IPv6 (41), length 92)
        May  1 10:28:47 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55173 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xcdaf (correct), seq 2091298188, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
        May  1 10:28:53 officefw pf: 00:00:05.968526 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 59650, offset 0, flags [none], proto IPv6 (41), length 88)
        May  1 10:28:53 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 28) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55173 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0x01b9 (correct), seq 2091298188, win 65535, options [mss 1220,nop,nop,sackOK], length 0
        
        I am going to sanitize the rules.debug and post separately. 
        
        jimp (Rebel Alliance Developer, Netgate):

          ok, no rush. databeestje is off on vacation this week so it may be next week before he can look at it, I just figured he'd need the extra detail given the way the last bit you posted looked.


          podilarius:

            Oh, it's no problem … I just have a lot of stuff to mask. Here it is for everyone to help with. It should pass, but does not.

            #System aliases
            
            loopback = "{ lo0 }"
            WAN = "{ fxp0 stf0  }"
            LAN = "{ fxp2 }"
            IPsec = "{ enc0 }"
            OpenVPN = "{ openvpn }"
            
            #SSH Lockout Table
            table <sshlockout> persist
            table <webconfiguratorlockout> persist
            #Snort tables
            table <snort2c>
            table <virusprot>
            # User Aliases
            adminports = "{   22   10000 }"
            asigra = "{   4400:4420 }"
            table <asigrasvrs> {    10.XX:XX.23  10.XX:XX.39 }
            asigrasvrs = "<asigrasvrs>"
            table <blockips> {   80.31.145.0 }
            blockips = "<blockips>"
            table <dnsservers> {    10.XX:XX.41 }
            dnsservers = "<dnsservers>"
            table <ftpsvrs> {    10.XX:XX.41 }
            ftpsvrs = "<ftpsvrs>"
            table <karn> {   10.XX:XX.41 }
            Karn = "<karn>"
            mailports = "{   25  110  995  143  993  2525  465  26 }"
            table <mailsvrs> {    10.XX:XX.41 }
            mailsvrs = "<mailsvrs>"
            ovpn = "{   1194 }"
            table <phones> {   10.XX:XX.176/28  10.XX:XX.6/32 }
            phones = "<phones>"
            table <sdstestlin> {   10.XX:XX.23 }
            sdstestlin = "<sdstestlin>"
            table <sdstestlinip6> {   2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884 }
            sdstestlinip6 = "<sdstestlinip6>"
            table <thasdsgroup> {   4.XX.XXX.65/26  65.XX.XXX.120/26  216.XX.XXX.126/27 }
            ThaSDSGroup = "<thasdsgroup>"
            table <volalocityin> {   205.XX.XXX.1/24 }
            VolalocityIn = "<volalocityin>"
            webmin = "{   10000 }"
            table <webminsvrs> {    10.XX:XX.41   10.XX:XX.23 }
            webminsvrs = "<webminsvrs>"
            table <webservers> {    10.XX:XX.41   10.XX:XX.23 }
            webservers = "<webservers>"
            
            # Gateways
            GWComcastGW = " route-to ( fxp0 70.XX:XXX.126 ) "
            GWLabGW = " route-to ( fxp2 10.XX:XX.15 ) "
            GWWAN_6TO4 = " route-to ( stf0 2002:XXXX:XXXX:: ) "
            
            set loginterface fxp2
            set optimization normal
            set limit states 197000
            set limit src-nodes 197000
            
            set skip on pfsync0
            
            scrub on $WAN all    fragment reassemble
            scrub on $LAN all    fragment reassemble
            
            no nat proto carp
            no rdr proto carp
            nat-anchor "natearly/*"
            nat-anchor "natrules/*"
            
            # Outbound NAT rules
            nat on $WAN  from 10.XX:XX.23/32 to 87.XXX.XXX.65/32 -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.23/32 to 65.XXX.XXX.16/28 -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.23/32 to 97.XXX.XXX.144/28 -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.23/32 to 209.XXX.XXX.212/32 -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.176/28 to any -> 70.XX:XXX.122/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.41/32 to any -> 70.XX:XXX.124/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.23/32 to any -> 70.XX:XXX.123/32 port 1024:65535  
            nat on $WAN  from 10.XX:XX.0/24 to any port 500 -> 70.XX:XXX.125/32  static-port
            nat on $WAN  from 10.XX:XX.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 127.0.0.0/8 to any -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.11.1.0/30 to any -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.13.26.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 10.4X.XX.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535  
            nat on $WAN  from 192.168.42.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535  
            
            # Load balancing anchor
            rdr-anchor "relayd/*"
            # TFTP proxy
            rdr-anchor "tftp-proxy/*"
            table <vpn_networks> { 10.X.XX.0/24 10.XX.X.12/30 10.X.XX.0/24 10.XX.XX.20/30 172.16.XX.0/24 10.XX.XX.0/30 }
            table <negate_networks> { 70.XX:XXX.120/29 10.XX:XX.0/24 10.XX.XX.0/24 10.XX.XX.0/24  10.X.XX.0/24 10.XX.XX.12/30 10.X.XX.0/24 10.XX.X.20/30 172.XX.XX.0/24 10.XX.X.0/30 }
            # NAT Inbound Redirects
            rdr on fxp0 proto { tcp udp } from any to 70.XX:XXX.124 port 53 -> $Karn
            rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port 80 -> $Karn
            rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port 443 -> $Karn
            rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port $webmin -> $Karn
            rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port 22 -> $Karn
            rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port $mailports -> $Karn
            rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port $asigra -> $sdstestlin
            rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port $adminports -> $sdstestlin
            rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port 80 -> $sdstestlin
            rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port 443 -> $sdstestlin
            rdr on fxp0 proto tcp from any to 70.XX:XXX.125 port 4417:4418 -> 10.XX:XX.39
            # UPnPd rdr anchor
            rdr-anchor "miniupnpd"
            
            anchor "relayd/*"
            #---------------------------------------------------------------------------
            # default deny rules
            #---------------------------------------------------------------------------
            block in log inet all label "Default deny rule IPv4"
            block out log inet all label "Default deny rule IPv4"
            block in log inet6 all label "Default deny rule IPv6"
            block out log inet6 all label "Default deny rule IPv6"
            
            # IPv6 ICMP is not auxilary, it is required for operation
            # See man icmp6(4)
            # 1    unreach         Destination unreachable
            # 2    toobig          Packet too big
            # 128  echoreq         Echo service request
            # 129  echorep         Echo service reply
            # 133  routersol       Router solicitation
            # 134  routeradv       Router advertisement
            # 135  neighbrsol      Neighbor solicitation
            # 136  neighbradv      Neighbor advertisement
            pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
            
            # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
            pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
            pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
            pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
            
            # We use the mighty pf, we cannot be fooled.
            block quick inet proto { tcp, udp } from any port = 0 to any
            block quick inet proto { tcp, udp } from any to any port = 0
            block quick inet6 proto { tcp, udp } from any port = 0 to any
            block quick inet6 proto { tcp, udp } from any to any port = 0
            
            # Snort package
            block quick from <snort2c> to any label "Block snort2c hosts"
            block quick from any to <snort2c> label "Block snort2c hosts"
            block in log quick proto carp from (self) to any
            pass quick proto carp
            pass quick proto pfsync
            
            # SSH lockout
            block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
            
            # webConfigurator lockout
            block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
            block in quick from <virusprot> to any label "virusprot overload table"
            table <bogons> persist file "/etc/bogons"
            table <bogonsv6> persist file "/etc/bogonsv6"
            # block bogon networks
            # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
            # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
            block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
            block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
            antispoof for fxp0
            # block anything from private networks on interfaces with the option set
            antispoof for $WAN
            block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
            block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
            block in log quick on $WAN from 172.XX.XX.0/12 to any label "Block private networks from WAN block 172.16/12"
            block in log quick on $WAN from 192.XX.XX.0/16 to any label "Block private networks from WAN block 192.168/16"
            block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
            
            # allow our proto 41 traffic from the 6to4 border relay in
            pass in on $WAN proto 41 from 192.88.99.1 to (self) label "Allow 6in4 traffic in for 6to4 on WAN"
            pass out on $WAN proto 41 from (self) to 192.88.99.1 label "Allow 6in4 traffic out for 6to4 on WAN"
            antispoof for fxp2
            
            # allow access to DHCPv6 server on LAN
            anchor "dhcpv6serverLAN"
            # We need inet6 icmp for stateless autoconfig and dhcpv6
            pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
            pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
            pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
            pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
            pass in quick on $LAN inet6 proto udp from fe80::/10 to 2002:XXXX:XXXX:d::1 port = 546 label "allow access to DHCPv6 server"
            pass out quick on $LAN inet6 proto udp from 2002:XXXX:XXXX:d::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
            
            # loopback
            pass in on $loopback inet all label "pass IPv4 loopback"
            pass out on $loopback inet all label "pass IPv4 loopback"
            pass in on $loopback inet6 all label "pass IPv6 loopback"
            pass out on $loopback inet6 all label "pass IPv6 loopback"
            # let out anything from the firewall host itself and decrypted IPsec traffic
            pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
            pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
            pass out route-to ( fxp0 70.XX:XXX.126 ) from 70.XX:XXX.125 to !70.XX:XXX.120/29 keep state allow-opts label "let out anything from firewall host itself"
            pass out route-to ( stf0 2002:XXXX:XXXX:: ) inet6 from 2002:XXXX:XXXX::/48 to !2002:XXXX:XXXX::/48 keep state allow-opts label "let out anything from firewall host itself"
            pass out on $IPsec all keep state label "IPsec internal host to host"
            # make sure the user cannot lock himself out of the webConfigurator or SSH
            pass in quick on fxp2 proto tcp from any to (fxp2) port { 80 443  22 } keep state label "anti-lockout rule"
            
            # User-defined rules follow
            
            anchor "userrules/*"
            block  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  from   $blockips to any  label "USER_RULE: Block Known Black Hatters"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto udp  from any to 70.XX:XXX.125 port $ovpn  keep state  label "USER_RULE: OpenVPN Access Rule"
            pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 from   2002:XXXX:XXXX:13:203:XXXX:XXXX:7df4 to   2002:XXXX:XXXX:d::1 keep state  label "USER_RULE: IPV6 Test"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto { tcp udp }  from any to   $dnsservers port 53  keep state  label "USER_RULE: Our DNS and Backup DNS servers"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $webservers port 80  flags S/SA keep state  label "USER_RULE: HTTP Access for Web Servers"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $webservers port 443  flags S/SA keep state  label "USER_RULE: Secure HTTP Access for Web Servers"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $asigrasvrs port $asigra  flags S/SA keep state  label "USER_RULE: Asigra Test Systems"
            pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 proto tcp  from any to   $sdstestlinip6 port $asigra  flags S/SA keep state  label "USER_RULE: Asigra Test Systems IPV6"
            pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 proto tcp  from any to   $sdstestlinip6 port 80  flags S/SA keep state  label "USER_RULE: Asigra Test Systems IPV6"
            pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 proto tcp  from any to   $sdstestlinip6 port 443  flags S/SA keep state  label "USER_RULE: Asigra Test Systems IPV6"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from   $ThaSDSGroup to   $webminsvrs port $adminports  flags S/SA keep state  label "USER_RULE: Webmin Servers"
            pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $mailsvrs port $mailports  flags S/SA keep state  label "USER_RULE: Mail Access"
            pass  in  quick  on $LAN  from 10.XX:XX.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
            pass  in  quick  on $LAN inet6 from any to any keep state  label "USER_RULE: Default allow LAN to any rule"
            pass  in  quick  on $LAN  from   10.XX.XX.0/24 to any keep state  label "USER_RULE: Default allow Lab LAN to any rule"
            pass  in  quick  on $LAN  from   10.4X.XX.0/24 to any keep state  label "USER_RULE: Default allow Lab LAN to any rule"
            pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE: Default Allow Rule"
            pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN Default Allow Rule"
            
            # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
            pass in quick on $LAN inet6 from 2002:XXXX:XXXX:0:0:0:0:0/48 to any keep state label "Allow IPv6 on LAN to any"
            # Add rules to bypass firewall rules for static routes
            pass quick on $LAN proto tcp from 10.XX:XX.0/24 to 10.XX.XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN from 10.XX:XX.0/24 to 10.XX.XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN proto tcp from 10.XX.XX.0/24 to 10.XX:XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN from 10.XX.XX.0/24 to 10.XX:XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN proto tcp from 10.XX:XX.0/24 to 10.4X.XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN from 10.XX:XX.0/24 to 10.4X.XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN proto tcp from 10.4X.XX.0/24 to 10.XX:XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
            pass quick on $LAN from 10.4X.XX.0/24 to 10.XX:XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
            
            # VPN Rules
            pass out on $WAN  route-to ( fxp0 70.XX:XXX.126 )  proto udp from any to  any  port = 500 keep state label "IPsec: Mobile P1 - outbound isakmp"
            pass in on $WAN  reply-to ( fxp0 70.XX:XXX.126 )  proto udp from  any  to any port = 500 keep state label "IPsec: Mobile P1 - inbound isakmp"
            pass out on $WAN  route-to ( fxp0 70.XX:XXX.126 )  proto udp from any to  any  port = 4500 keep state label "IPsec: Mobile P1 - outbound nat-t"
            pass in on $WAN  reply-to ( fxp0 70.XX:XXX.126 )  proto udp from  any  to any port = 4500 keep state label "IPsec: Mobile P1 - inbound nat-t"
            pass out on $WAN  route-to ( fxp0 70.XX:XXX.126 )  proto esp from any to  any  keep state label "IPsec: Mobile P1 - outbound esp proto"
            pass in on $WAN  reply-to ( fxp0 70.XX:XXX.126 )  proto esp from  any  to any keep state label "IPsec: Mobile P1 - inbound esp proto"
            anchor "tftp-proxy/*"
            
            jimp (Rebel Alliance Developer, Netgate):

              Interesting…

              # allow our proto 41 traffic from the 6to4 border relay in
              pass in on $WAN proto 41 from 192.88.99.1 to (self) label "Allow 6in4 traffic in for 6to4 on WAN"
              pass out on $WAN proto 41 from (self) to 192.88.99.1 label "Allow 6in4 traffic out for 6to4 on WAN"
              antispoof for fxp2
              
              

              But in your firewall logs:

              May  1 10:28:23 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [s], cksum 0xd537 (correct), seq 1951051361, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
              May  1 10:28:26 officefw pf: 00:00:02.987371 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 64163, offset 0, flags [none], proto IPv6 (41), length 92)
              
              So the rule should be passing proto 41 from 71.XX.XXX.57, but somehow it's getting 192.88.99.1 there.
              
              We don't have a way to make a proto 41 pass rule in the GUI yet, but you could do one of two things:
              
              1. Add a rule to pass any proto from 71.XX.XXX.57 to your WAN IP.
              
              or 2. edit /usr/local/www/firewall_rules_edit.php - find the line with this:
              $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP OSPF any carp pfsync");
              And change it to something like:
              $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP OSPF any carp pfsync ipv6");
              
              Then make a rule on WAN to pass that proto from 71.XX.XXX.57 to your WAN IP.
              
              There may be a bug in the auto rules there, but it would have to wait for databeestje to look at in more detail.
              


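To make the mismatch jimp points at easy to spot in a full log, here is an added Python checker (not from the thread and not pfSense code) that pairs each proto-41 rule line from filter.log with the inner-header line that follows it, extracts the IPv4 address embedded in the inner 2002::/16 source, and reports whether the outer IPv4 source is that embedded address (the remote 6to4 router sent it directly) or the 192.88.99.1 relay the auto rule expects. The sample log lines and all addresses are constructed from documentation ranges; the dataclass, regexes and function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# 6to4 anycast relay (RFC 3068); the pfSense auto rule in the thread only passes proto 41 from it.
RELAY_6TO4 = ipaddress.IPv4Address("192.88.99.1")

# Constructed sample in the two-line pf filter.log layout seen in the thread: a rule-match line
# followed by the decoded inner IPv6 header. Documentation addresses only, not the poster's.
SAMPLE_LOG = """\
May  1 10:28:26 officefw pf: 00:00:02.987371 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 64163, offset 0, flags [none], proto IPv6 (41), length 92)
May  1 10:28:26 officefw pf:     198.51.100.57 > 203.0.113.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:c633:6439:13::5cf4.55171 > 2002:cb00:717d:d::7884.80: Flags [S], cksum 0xf3c2 (correct), seq 3416078468, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
May  1 10:29:01 officefw pf: 00:00:35.012345 rule 87/0(match): pass in on fxp0: (tos 0x0, ttl 60, id 4242, offset 0, flags [none], proto IPv6 (41), length 88)
May  1 10:29:01 officefw pf:     192.88.99.1 > 203.0.113.125: (hlim 60, next-header TCP (6) payload length: 28) 2001:db8::1.44000 > 2002:cb00:717d:d::7884.80: Flags [S], cksum 0x1234 (correct), seq 1, win 8192, options [mss 1220,nop,nop,sackOK], length 0
"""

# First line of a pair: which rule fired, direction, interface; only proto 41 (IPv6-in-IPv4) entries.
RULE_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r".*proto IPv6 \(41\)"
)
# Second line: outer IPv4 src > dst, then the inner IPv6 src.port > dst.port.
INNER_RE = re.compile(
    r"pf:\s+(?P<osrc>[\d.]+) > (?P<odst>[\d.]+): .*?\) "
    r"(?P<isrc>[0-9a-f:]+)\.(?P<sport>\d+) > (?P<idst>[0-9a-f:]+)\.(?P<dport>\d+):"
)


@dataclass
class Proto41Entry:
    rule: str
    action: str
    iface: str
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str
    dport: int
    embedded_src: Optional[str]  # IPv4 carried inside a 2002::/16 inner source, if any
    direct_6to4: bool            # outer src == embedded IPv4: the remote 6to4 router sent it directly
    matches_relay_rule: bool     # would "pass in proto 41 from 192.88.99.1" match this packet?


def embedded_6to4_ipv4(addr: str) -> Optional[str]:
    """IPv4 address embedded in a 6to4 (2002:AABB:CCDD::/48) address, or None if not 6to4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address(v6.packed[2:6]))  # bytes 2..5 are A.B.C.D


def parse_filter_log(text: str) -> List[Proto41Entry]:
    """Pair each proto-41 rule line with the inner-header line that follows it."""
    lines = text.splitlines()
    entries: List[Proto41Entry] = []
    for i, line in enumerate(lines[:-1]):
        rule = RULE_RE.search(line)
        inner = INNER_RE.search(lines[i + 1]) if rule else None
        if not rule or not inner:
            continue
        outer_src = inner["osrc"]
        embedded = embedded_6to4_ipv4(inner["isrc"])
        entries.append(Proto41Entry(
            rule=rule["rule"], action=rule["action"], iface=rule["iface"],
            outer_src=outer_src, outer_dst=inner["odst"],
            inner_src=inner["isrc"], inner_dst=inner["idst"], dport=int(inner["dport"]),
            embedded_src=embedded,
            direct_6to4=(embedded == outer_src),
            matches_relay_rule=(ipaddress.IPv4Address(outer_src) == RELAY_6TO4),
        ))
    return entries


def classify(e: Proto41Entry) -> str:
    """Say which path the encapsulated packet took and whether the relay-only rule covers it."""
    if e.matches_relay_rule:
        return "via-relay: outer source is 192.88.99.1, the auto rule for proto 41 matches"
    if e.direct_6to4:
        return (f"direct-6to4-peer: outer source {e.outer_src} is the IPv4 embedded in "
                f"{e.inner_src}, so the relay-only auto rule does not match; a pass rule for "
                f"proto 41 from {e.outer_src} to {e.outer_dst} would be needed")
    return "other: proto 41 from a source that is neither the relay nor the inner 6to4 address"


if __name__ == "__main__":
    for entry in parse_filter_log(SAMPLE_LOG):
        print(f"{entry.action} on {entry.iface}: {entry.outer_src} -> {entry.outer_dst} "
              f"[{entry.inner_src} -> {entry.inner_dst}:{entry.dport}]")
        print("  " + classify(entry))
```

Feed it the real clog output instead of SAMPLE_LOG and the "direct-6to4-peer" entries are exactly the blocked connections the thread is about.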
              podilarius:

                192.88.99.1 is the ipv6 to ipv4 broker and a rule that comes from the 6to4 config. I am guessing that is to the world or outside of pfSense domain. I will do as you suggest and let you know the outcome. I hope to have real IPv6 soon and I will not have to worry about 6to4 configs.

                podilarius:

                  Unfortunately I have had no luck either way. Anyone else with a 6to4 configuration on 2 sides able to get this working?

                  databeestje:

                    We already replicated the issue, we are currently debugging it with a FreeBSD developer.

                    databeestje:

                      Redmine ticket opened: http://redmine.pfsense.org/issues/2412

                      maxovride:

                        I finally got all my stuff configured tonight, and had this issue at first, but I have been able to make rules that allow my systems to be accessible from the internet. I followed this http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker IPv6 guide to set up my connection with HE and then added a rule like you see below; before putting in the rule I was unable to ping my IPv6 address or connect to anything on my IPv6 address (going outbound was fine). Basically it is a rule for the OPT interface I created for the IPv6 that is an allow-everything IPv6 rule with a destination of my server's IPv6 address.

                        Here is a paste of the HE portscan and ping test for my IPv6 IP after I put this rule in.

                        Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-24 21:07 PDT
                        Interesting ports on 2001:470:x:xx::ff78:
                        Not shown: 999 closed ports
                        PORT  STATE SERVICE
                        22/tcp open  ssh

                        Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

                        (attached screenshot of the rule: ipv6ruleed.png)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.