Netgate Discussion Forum
    DHCPv6 traffic blocked on LAN with DHCPv6 relay enabled

    2.1 Snapshot Feedback and Problems - RETIRED
    12 Posts 3 Posters 7.8k Views
    • doktornotor

      LAN traffic from fe80::/10 port 546 to ff02::/16 port 547 gets blocked. More info: https://redmine.pfsense.org/issues/3074

      1 Reply Last reply Reply Quote 0
      • jimp (Rebel Alliance Developer, Netgate)

        From the other thread:

        @doktornotor:

        Well, I get DHCPv6 traffic blocked even on LAN, without any bogonsv6 of course.

        
        Jul  5 15:01:14 gw pf: 00:00:12.746276 rule 5/0(match): block in on vr0: (hlim 64, next-header UDP (17) payload length: 32) fe80::240:8cff:fe7a:7a5c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=dcdc9d (client ID hwaddr type 1 00408c7a7a5c) (elapsed time 52080))
        Jul  5 15:02:17 gw pf: 00:00:04.172277 rule 5/0(match): block in on vr0: (hlim 1, next-header UDP (17) payload length: 38) fe80::21b:78ff:fe0e:f84b.546 > ff02::1:2.547: [udp sum ok] dhcp6 inf-req (xid=23468c (elapsed time 0) (client ID hwaddr type 1 001b780ef84b) (option request status code))
        
        

        https://redmine.pfsense.org/issues/3074

        What is rule 5?

        pfctl -vvsr | grep '@5 '
        

        (Mind the space before the closing ')

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • doktornotor

          @5 block drop in log inet6 all label "Default deny rule IPv6"
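
          Putting the two posts above together (the blocked-flow log lines and the `pfctl -vvsr | grep '@5 '` lookup), here is an added example that is not code from the thread or from pfSense: it parses pf log lines of the format shown, picks out DHCPv6 client-to-server traffic (UDP 546 to 547, here sent to ff02::1:2) and maps the rule number in each entry to its label from a `pfctl -vvsr` listing. The two IPv6 log lines are the ones quoted above; the third log line and the ruleset listing are constructed for the example, with only the `@5` line taken from the thread. The regexes are written against this log format, not against any pfSense parser.

```python
import re

# Constructed sample input. The first two pf log lines are the ones quoted in
# the thread; the third (an IPv4 mDNS drop) is made up to show non-DHCPv6
# entries being ignored. The pfctl -vvsr listing is made up except for the @5
# line, which is the one doktornotor posted.
PF_LOG = """\
Jul  5 15:01:14 gw pf: 00:00:12.746276 rule 5/0(match): block in on vr0: (hlim 64, next-header UDP (17) payload length: 32) fe80::240:8cff:fe7a:7a5c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=dcdc9d (client ID hwaddr type 1 00408c7a7a5c) (elapsed time 52080))
Jul  5 15:02:17 gw pf: 00:00:04.172277 rule 5/0(match): block in on vr0: (hlim 1, next-header UDP (17) payload length: 38) fe80::21b:78ff:fe0e:f84b.546 > ff02::1:2.547: [udp sum ok] dhcp6 inf-req (xid=23468c (elapsed time 0) (client ID hwaddr type 1 001b780ef84b) (option request status code))
Jul  5 15:03:00 gw pf: 00:00:01.000000 rule 7/0(match): block in on vr1: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 60) 192.0.2.10.5353 > 224.0.0.251.5353: [udp sum ok] UDP, length 32
"""

PFCTL_VVSR = """\
@4 block drop in log inet all label "Default deny rule IPv4"
@5 block drop in log inet6 all label "Default deny rule IPv6"
@6 pass in quick on vr0 inet6 proto udp from fe80::/10 port = 546 to fe80::/10 port = 547 keep state label "allow access to DHCPv6 server on LAN"
"""

LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): .*?"
    r"(?P<src>[0-9A-Fa-f:.]+?)\.(?P<sport>\d+) > (?P<dst>[0-9A-Fa-f:.]+?)\.(?P<dport>\d+):"
    r"(?: \[udp sum \w+\] dhcp6 (?P<dhcp6>[\w-]+))?"
)
PROTO_RE = re.compile(r"(?:next-header|proto) (\w+) \(\d+\)")   # IPv6 / IPv4 spelling
RULE_RE = re.compile(r'@(\d+) .*?label "([^"]*)"')

DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"   # link-scoped group from RFC 8415


def parse_pf_log(text):
    """Parse pf block/pass log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("rule", "sport", "dport"):
            e[k] = int(e[k])
        p = PROTO_RE.search(line)
        e["proto"] = p.group(1).lower() if p else None
        entries.append(e)
    return entries


def is_dhcpv6_client_to_server(e):
    """True for the flow the thread is about: UDP from client port 546 to server/relay port 547."""
    return (e["proto"] == "udp"
            and e["sport"] == DHCPV6_CLIENT_PORT
            and e["dport"] == DHCPV6_SERVER_PORT)


def load_rule_labels(pfctl_vvsr):
    """Map '@N' rule numbers from pfctl -vvsr output to their label strings."""
    labels = {}
    for line in pfctl_vvsr.splitlines():
        m = RULE_RE.match(line)
        if m:
            labels[int(m.group(1))] = m.group(2)
    return labels


def blocked_dhcpv6(log_text, pfctl_vvsr):
    """Return blocked DHCPv6 flows together with the label of the rule that dropped them."""
    labels = load_rule_labels(pfctl_vvsr)
    hits = []
    for e in parse_pf_log(log_text):
        if e["action"] == "block" and is_dhcpv6_client_to_server(e):
            hits.append({
                "rule": e["rule"],
                "label": labels.get(e["rule"], "<rule not in listing: re-run pfctl -vvsr>"),
                "ifname": e["ifname"],
                "src": e["src"],
                "dst": e["dst"],
                "to_relay_group": e["dst"] == ALL_DHCP_RELAY_AGENTS_AND_SERVERS,
                "dhcp6": e["dhcp6"],
            })
    return hits


if __name__ == "__main__":
    for h in blocked_dhcpv6(PF_LOG, PFCTL_VVSR):
        print(f"rule @{h['rule']} ({h['label']}) dropped dhcp6 {h['dhcp6']} "
              f"on {h['ifname']}: {h['src']} -> {h['dst']}")
```

          Rule numbers change whenever the ruleset is reloaded, so the listing has to come from the same ruleset generation as the log lines; the fallback label makes a stale listing visible instead of silently mislabelling the drop.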

          • jimp (Rebel Alliance Developer, Netgate)

            OK, yeah it appears as though the code to put in the auto rules just doesn't check if relay is enabled.

            DHCPv6 relay is a bit of an afterthought, it was only worked on recently and I'm not sure anyone had a working environment to properly test it against.

            It probably just needs an extra bit on that if statement to check about the status of dhcp relay.

            • jimp (Rebel Alliance Developer, Netgate)

              Try this.

              diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
              index 1db82a3..848111a 100644
              --- a/etc/inc/filter.inc
              +++ b/etc/inc/filter.inc
              @@ -2743,7 +2743,8 @@ EOD;
               		}
               			break;
               		default:
              -			if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])) {
              +			if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface']) 
              +				|| (is_array($config['dhcrelay6']) && !empty($config['dhcrelay6']['interface']) && in_array($on, explode(',', $config['dhcrelay6']['interface'])))) {
               				$ipfrules .= << <eod<br># allow access to DHCPv6 server on {$oc['descr']}
               # We need inet6 icmp for stateless autoconfig and dhcpv6</eod<br> 
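
              Review bot: the new `dhcrelay6` clause in the `default:` branch only tests that `$on` appears in `$config['dhcrelay6']['interface']`; it never checks that the relay itself is enabled, although the post above says the condition needs "an extra bit ... to check about the status of dhcp relay". The neighbouring `dhcpdv6` test is gated on `isset($config['dhcpdv6'][$on]['enable'])`; the relay clause should be gated on the relay's enable flag in the same way, otherwise an interface list left behind in a disabled relay configuration still opens the DHCPv6 server rules on those interfaces. Two smaller points: the continued line ends with a trailing space after `isset($oc['track6-interface'])`, and `in_array($on, explode(',', ...))` fails on any spaces around the commas, so trimming the exploded pieces would be more robust.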
              

                • doktornotor

                Yes, that fixed the problem.  8)

                  • razzfazz

                  I saw a similar issue with prefix delegation (see issue 3028): Even though a dhcpd6 instance gets started on the tracking interface, no rules get added to actually allow DHCP6 traffic in on that interface. Would that be related?

                    • doktornotor

                    @razzfazz:

                    I saw a similar issue with prefix delegation (see issue 3028): Even though a dhcpd6 instance gets started on the tracking interface, no rules get added to actually allow DHCP6 traffic in on that interface. Would that be related?

                    Don't think so… looks allowed just fine looking at the code in filter.inc.

                    if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])

                      • razzfazz

                      Dunno, all I know is it's not actually generating any rules for DHCP6 traffic on my LAN interface. The only DHCP6-related rules that I see are the following (all on WAN):

                      
                      # allow our DHCPv6 client out to the WAN
                      pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in WAN"
                      pass in quick on $WAN proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in WAN"
                      pass out quick on $WAN proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out WAN"
                      
                      
                        • razzfazz

                        Actually, looking at filter.inc, the last assignment in the following fragment seems a bit odd:

                        
                                        if(!is_ipaddrv4($oc['ipaddr']) && !empty($oc['ipaddr']))
                                                $oic['type'] = $oc['ipaddr'];
                                        if(!is_ipaddrv6($oc['ipaddrv6']) && !empty($oc['ipaddrv6']))
                                                $oic['type6'] = $oc['ipaddrv6'];
                                        if (!empty($oc['track6-interface']))
                                                $oc['track6-interface'] = $oc['track6-interface'];
                        
                        

                        Note that the source and destination of the last assignment are identical ($oc); it seems like the destination should be $oic as in the preceding two assignments.

                          • razzfazz

                          Actually, I think this might explain why the rules are not generated: Because the destination is 'oc' and not 'oic', FilterIfList never gets a 'track6-interface' entry, and so the if statement you quoted earlier would never see 'track6-interface' either.
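
                          To make the two failure modes in this thread concrete, here is an added model of the `filter.inc` decision, written for this page and not taken from pfSense: the `$oc`/`$oic` copy razzfazz quotes (with the `track6-interface` assignment either written back to `$oc`, as posted, or into `$oic`, as he suggests), the `default:` condition both before and after jimp's relay patch, and the rule block that the condition guards. The config keys (`dhcpdv6`, `dhcrelay6`, `interface`, `track6-interface`, `ipaddrv6`) are the ones visible in the quoted code; the generated rule text is an assumed illustration in pf syntax shaped like the WAN client rules quoted earlier, not pfSense's exact output; the interface configs and the `enable` key on `dhcrelay6` are constructed for the example.

```python
import ipaddress


def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _is_ipv6(s):
    try:
        ipaddress.IPv6Address(s)
        return True
    except ValueError:
        return False


def copy_ifcfg(oc, fixed=False):
    """Model of the $oc -> $oic copy quoted by razzfazz.

    With fixed=False the last assignment writes track6-interface back into $oc,
    as in the fragment he posted, so the copy never carries the key; fixed=True
    writes it into $oic, which is the correction he suggests.
    """
    oic = {"descr": oc.get("descr", ""), "if": oc.get("if", "")}
    if oc.get("ipaddr") and not _is_ipv4(oc["ipaddr"]):
        oic["type"] = oc["ipaddr"]        # non-address value such as "dhcp"
    if oc.get("ipaddrv6") and not _is_ipv6(oc["ipaddrv6"]):
        oic["type6"] = oc["ipaddrv6"]     # non-address value such as "track6"
    if oc.get("track6-interface"):
        target = oic if fixed else oc     # the bug: $oc instead of $oic
        target["track6-interface"] = oc["track6-interface"]
    return oic


def wants_dhcpv6_server_rules(config, on, oic, relay_patch=True):
    """The 'default:' condition from filter.inc as quoted and as patched above.

    relay_patch=False is the pre-patch condition; relay_patch=True adds jimp's
    dhcrelay6 clause. Like that clause, this only checks that the interface is
    in the relay's interface list, not that the relay itself is enabled.
    """
    dhcpdv6 = config.get("dhcpdv6", {}).get(on)
    if isinstance(dhcpdv6, dict) and "enable" in dhcpdv6:
        return True
    if "track6-interface" in oic:
        return True
    if relay_patch:
        relay = config.get("dhcrelay6")
        if isinstance(relay, dict) and relay.get("interface"):
            return on in relay["interface"].split(",")
    return False


def dhcpv6_server_rules(on, oic):
    """Assumed rule text (not pfSense's output): pf rules in the shape of the WAN
    client rules quoted in the thread, covering link-local unicast and the
    ff02::1:2 relay/server group that the blocked solicit and inf-req went to."""
    ifvar = "$" + on.upper()
    label = f'label "allow access to DHCPv6 server on {oic["descr"]}"'
    return [
        f"# allow access to DHCPv6 server on {oic['descr']}",
        f"pass in quick on {ifvar} inet6 proto udp from fe80::/10 port = 546 to fe80::/10 port = 547 keep state {label}",
        f"pass in quick on {ifvar} inet6 proto udp from fe80::/10 port = 546 to ff02::1:2 port = 547 keep state {label}",
        f"pass out quick on {ifvar} inet6 proto udp from fe80::/10 port = 547 to fe80::/10 port = 546 keep state {label}",
    ]


def generate(config, on, oc, relay_patch=True, fixed_copy=True):
    """Run the copy and the condition for one interface; [] means no rules are emitted."""
    oic = copy_ifcfg(oc, fixed=fixed_copy)
    if not wants_dhcpv6_server_rules(config, on, oic, relay_patch):
        return []
    return dhcpv6_server_rules(on, oic)


# Constructed configs mirroring the two cases in the thread: relay on LAN with no
# local dhcpdv6, and an OPT interface tracking the WAN prefix.
RELAY_CFG = {"dhcpdv6": {}, "dhcrelay6": {"enable": "", "interface": "lan,opt1"}}
LAN = {"descr": "LAN", "if": "vr0", "ipaddrv6": "2001:db8::1"}
TRACK_CFG = {"dhcpdv6": {}, "dhcrelay6": {}}
OPT2 = {"descr": "OPT2", "if": "vr2", "ipaddrv6": "track6", "track6-interface": "wan"}

if __name__ == "__main__":
    print("relay, unpatched:", generate(RELAY_CFG, "lan", LAN, relay_patch=False))
    print("relay, patched:  ", generate(RELAY_CFG, "lan", LAN, relay_patch=True))
    print("track6, $oc bug: ", generate(TRACK_CFG, "opt2", dict(OPT2), fixed_copy=False))
    print("track6, $oic fix:", generate(TRACK_CFG, "opt2", dict(OPT2), fixed_copy=True))
```

                          The unpatched relay case and the `$oc` case both produce an empty rule list, which is exactly the state both posters observed: nothing opens UDP 546 to 547 on the interface, so the default deny rule for IPv6 logs the drop.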

                            • doktornotor

                            Frankly, I am wondering if this black magic behind the scenes brings any significant benefit for non-WAN interfaces.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.