Netgate Discussion Forum

Servers behind 6to4 IPv6 interface

IPv6
    podilarius
    last edited by Apr 26, 2012, 9:16 PM

    I have a server behind a 6to4 WAN and while I have no problem cruising to IPv6 sites, I cannot host a web server behind this firewall.
    I am pretty sure there is not a NAT I need to set up, but I have created several firewall rules in varying "openness", all the way to wide open. I can see the traffic being dropped by the default deny rule. It seems that no matter how I form the rules, I cannot get the FW to pass the traffic.
    What do I need to do to get that working?

      wallabybob
      last edited by Apr 27, 2012, 5:48 AM

      Did you remember to reset states after tweaking the firewall rules? If so, please post an example of a report of traffic dropped by the default deny rule and a screenshot of the firewall rules on the interface identified in the dropped traffic report.

        podilarius
        last edited by Apr 27, 2012, 6:39 PM

        I completed a full reboot in addition to that. I will post the requested information when I am back at the lab.

          databeestje
          last edited by Apr 28, 2012, 2:50 PM

          Theoretically it should just work. I have not managed to make this work myself yet either.

          There may be an issue with filter rule generation where it does not apply to stf0 properly. Needs investigation.

            podilarius
            last edited by Apr 30, 2012, 7:02 PM

            
            Apr 30 14:14:22	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48190	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:21	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48189	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:21	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48188	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:16	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48190	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:15	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48189	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:15	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48188	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:13	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48190	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:12	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48189	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6
            Apr 30 14:14:12	WAN	   [2002:xxxx:xxxx:13:xxx:xxxx:xxxx:xxxx]:48188	   [2002:xxxx:xxxx:d:xxx:xxxx:xxxx:xxxx]:80	IPv6

            Here are the rules.

              jimp Rebel Alliance Developer Netgate
              last edited by May 1, 2012, 1:58 PM

              OK, how about the raw log output (clog /var/log/filter.log) for those connections and also /tmp/rules.debug?

              That would give us more detail about exactly which interfaces are involved in the background here.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                podilarius
                last edited by May 1, 2012, 3:48 PM

                Here are the logs from filter.log.

                May  1 10:28:23 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xd537 (correct), seq 1951051361, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
                May  1 10:28:26 officefw pf: 00:00:02.987371 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 64163, offset 0, flags [none], proto IPv6 (41), length 92)
                May  1 10:28:26 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55171 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xf3c2 (correct), seq 3416078468, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
                May  1 10:28:26 officefw pf: 00:00:00.001893 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 39261, offset 0, flags [none], proto IPv6 (41), length 92)
                May  1 10:28:26 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xd537 (correct), seq 1951051361, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
                May  1 10:28:32 officefw pf: 00:00:05.969728 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 29939, offset 0, flags [none], proto IPv6 (41), length 88)
                May  1 10:28:32 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 28) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55171 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0x07cc (correct), seq 3416078468, win 8192, options [mss 1220,nop,nop,sackOK], length 0
                May  1 10:28:32 officefw pf: 00:00:00.001497 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 49309, offset 0, flags [none], proto IPv6 (41), length 88)
                May  1 10:28:32 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 28) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xe940 (correct), seq 1951051361, win 8192, options [mss 1220,nop,nop,sackOK], length 0
                May  1 10:28:44 officefw pf: 00:00:11.938549 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 36504, offset 0, flags [none], proto IPv6 (41), length 92)
                May  1 10:28:44 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55173 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xcdaf (correct), seq 2091298188, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
                May  1 10:28:47 officefw pf: 00:00:02.991260 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 38019, offset 0, flags [none], proto IPv6 (41), length 92)
                May  1 10:28:47 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55173 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xcdaf (correct), seq 2091298188, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
                May  1 10:28:53 officefw pf: 00:00:05.968526 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 59650, offset 0, flags [none], proto IPv6 (41), length 88)
                May  1 10:28:53 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 28) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55173 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0x01b9 (correct), seq 2091298188, win 65535, options [mss 1220,nop,nop,sackOK], length 0
                
                I am going to sanitize the rules.debug and post separately. 
                
                
                  jimp Rebel Alliance Developer Netgate
                  last edited by May 1, 2012, 4:03 PM

                  OK, no rush. databeestje is off on vacation this week, so it may be next week before he can look at it; I just figured he'd need the extra detail given the way the last bit you posted looked.


                    podilarius
                    last edited by May 1, 2012, 4:15 PM

                    Oh, it's no problem … I just have a lot of stuff to mask. Here it is for everyone to help with. It should pass, but does not.

                    #System aliases
                    
                    loopback = "{ lo0 }"
                    WAN = "{ fxp0 stf0  }"
                    LAN = "{ fxp2 }"
                    IPsec = "{ enc0 }"
                    OpenVPN = "{ openvpn }"
                    
                    #SSH Lockout Table
                    table <sshlockout> persist
                    table <webconfiguratorlockout> persist
                    #Snort tables
                    table <snort2c>
                    table <virusprot>
                    # User Aliases
                    adminports = "{   22   10000 }"
                    asigra = "{   4400:4420 }"
                    table <asigrasvrs> {    10.XX:XX.23  10.XX:XX.39 }
                    asigrasvrs = "<asigrasvrs>"
                    table <blockips> {   80.31.145.0 }
                    blockips = "<blockips>"
                    table <dnsservers> {    10.XX:XX.41 }
                    dnsservers = "<dnsservers>"
                    table <ftpsvrs> {    10.XX:XX.41 }
                    ftpsvrs = "<ftpsvrs>"
                    table <karn> {   10.XX:XX.41 }
                    Karn = "<karn>"
                    mailports = "{   25  110  995  143  993  2525  465  26 }"
                    table <mailsvrs> {    10.XX:XX.41 }
                    mailsvrs = "<mailsvrs>"
                    ovpn = "{   1194 }"
                    table <phones> {   10.XX:XX.176/28  10.XX:XX.6/32 }
                    phones = "<phones>"
                    table <sdstestlin> {   10.XX:XX.23 }
                    sdstestlin = "<sdstestlin>"
                    table <sdstestlinip6> {   2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884 }
                    sdstestlinip6 = "<sdstestlinip6>"
                    table <thasdsgroup> {   4.XX.XXX.65/26  65.XX.XXX.120/26  216.XX.XXX.126/27 }
                    ThaSDSGroup = "<thasdsgroup>"
                    table <volalocityin> {   205.XX.XXX.1/24 }
                    VolalocityIn = "<volalocityin>"
                    webmin = "{   10000 }"
                    table <webminsvrs> {    10.XX:XX.41   10.XX:XX.23 }
                    webminsvrs = "<webminsvrs>"
                    table <webservers> {    10.XX:XX.41   10.XX:XX.23 }
                    webservers = "<webservers>"
                    
                    # Gateways
                    GWComcastGW = " route-to ( fxp0 70.XX:XXX.126 ) "
                    GWLabGW = " route-to ( fxp2 10.XX:XX.15 ) "
                    GWWAN_6TO4 = " route-to ( stf0 2002:XXXX:XXXX:: ) "
                    
                    set loginterface fxp2
                    set optimization normal
                    set limit states 197000
                    set limit src-nodes 197000
                    
                    set skip on pfsync0
                    
                    scrub on $WAN all    fragment reassemble
                    scrub on $LAN all    fragment reassemble
                    
                    no nat proto carp
                    no rdr proto carp
                    nat-anchor "natearly/*"
                    nat-anchor "natrules/*"
                    
                    # Outbound NAT rules
                    nat on $WAN  from 10.XX:XX.23/32 to 87.XXX.XXX.65/32 -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.23/32 to 65.XXX.XXX.16/28 -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.23/32 to 97.XXX.XXX.144/28 -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.23/32 to 209.XXX.XXX.212/32 -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.176/28 to any -> 70.XX:XXX.122/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.41/32 to any -> 70.XX:XXX.124/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.23/32 to any -> 70.XX:XXX.123/32 port 1024:65535
                    nat on $WAN  from 10.XX:XX.0/24 to any port 500 -> 70.XX:XXX.125/32  static-port
                    nat on $WAN  from 10.XX:XX.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 127.0.0.0/8 to any -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.11.1.0/30 to any -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.13.26.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 10.4X.XX.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535
                    nat on $WAN  from 192.168.42.0/24 to any -> 70.XX:XXX.125/32 port 1024:65535
                    
                    # Load balancing anchor
                    rdr-anchor "relayd/*"
                    # TFTP proxy
                    rdr-anchor "tftp-proxy/*"
                    table <vpn_networks> { 10.X.XX.0/24 10.XX.X.12/30 10.X.XX.0/24 10.XX.XX.20/30 172.16.XX.0/24 10.XX.XX.0/30 }
                    table <negate_networks> { 70.XX:XXX.120/29 10.XX:XX.0/24 10.XX.XX.0/24 10.XX.XX.0/24  10.X.XX.0/24 10.XX.XX.12/30 10.X.XX.0/24 10.XX.X.20/30 172.XX.XX.0/24 10.XX.X.0/30 }
                    # NAT Inbound Redirects
                    rdr on fxp0 proto { tcp udp } from any to 70.XX:XXX.124 port 53 -> $Karn
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port 80 -> $Karn
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port 443 -> $Karn
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port $webmin -> $Karn
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port 22 -> $Karn
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.124 port $mailports -> $Karn
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port $asigra -> $sdstestlin
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port $adminports -> $sdstestlin
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port 80 -> $sdstestlin
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.123 port 443 -> $sdstestlin
                    rdr on fxp0 proto tcp from any to 70.XX:XXX.125 port 4417:4418 -> 10.XX:XX.39
                    # UPnPd rdr anchor
                    rdr-anchor "miniupnpd"
                    
                    anchor "relayd/*"
                    #---------------------------------------------------------------------------
                    # default deny rules
                    #---------------------------------------------------------------------------
                    block in log inet all label "Default deny rule IPv4"
                    block out log inet all label "Default deny rule IPv4"
                    block in log inet6 all label "Default deny rule IPv6"
                    block out log inet6 all label "Default deny rule IPv6"
                    
                    # IPv6 ICMP is not auxilary, it is required for operation
                    # See man icmp6(4)
                    # 1    unreach         Destination unreachable
                    # 2    toobig          Packet too big
                    # 128  echoreq         Echo service request
                    # 129  echorep         Echo service reply
                    # 133  routersol       Router solicitation
                    # 134  routeradv       Router advertisement
                    # 135  neighbrsol      Neighbor solicitation
                    # 136  neighbradv      Neighbor advertisement
                    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
                    
                    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
                    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
                    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
                    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
                    
                    # We use the mighty pf, we cannot be fooled.
                    block quick inet proto { tcp, udp } from any port = 0 to any
                    block quick inet proto { tcp, udp } from any to any port = 0
                    block quick inet6 proto { tcp, udp } from any port = 0 to any
                    block quick inet6 proto { tcp, udp } from any to any port = 0
                    
                    # Snort package
                    block quick from <snort2c> to any label "Block snort2c hosts"
                    block quick from any to <snort2c> label "Block snort2c hosts"
                    block in log quick proto carp from (self) to any
                    pass quick proto carp
                    pass quick proto pfsync
                    
                    # SSH lockout
                    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                    
                    # webConfigurator lockout
                    block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
                    block in quick from <virusprot> to any label "virusprot overload table"
                    table <bogons> persist file "/etc/bogons"
                    table <bogonsv6> persist file "/etc/bogonsv6"
                    # block bogon networks
                    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
                    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
                    block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
                    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
                    antispoof for fxp0
                    # block anything from private networks on interfaces with the option set
                    antispoof for $WAN
                    block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                    block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                    block in log quick on $WAN from 172.XX.XX.0/12 to any label "Block private networks from WAN block 172.16/12"
                    block in log quick on $WAN from 192.XX.XX.0/16 to any label "Block private networks from WAN block 192.168/16"
                    block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                    
                    # allow our proto 41 traffic from the 6to4 border relay in
                    pass in on $WAN proto 41 from 192.88.99.1 to (self) label "Allow 6in4 traffic in for 6to4 on WAN"
                    pass out on $WAN proto 41 from (self) to 192.88.99.1 label "Allow 6in4 traffic out for 6to4 on WAN"
                    antispoof for fxp2
                    
                    # allow access to DHCPv6 server on LAN
                    anchor "dhcpv6serverLAN"
                    # We need inet6 icmp for stateless autoconfig and dhcpv6
                    pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
                    pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
                    pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
                    pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
                    pass in quick on $LAN inet6 proto udp from fe80::/10 to 2002:XXXX:XXXX:d::1 port = 546 label "allow access to DHCPv6 server"
                    pass out quick on $LAN inet6 proto udp from 2002:XXXX:XXXX:d::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
                    
                    # loopback
                    pass in on $loopback inet all label "pass IPv4 loopback"
                    pass out on $loopback inet all label "pass IPv4 loopback"
                    pass in on $loopback inet6 all label "pass IPv6 loopback"
                    pass out on $loopback inet6 all label "pass IPv6 loopback"
                    # let out anything from the firewall host itself and decrypted IPsec traffic
                    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
                    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
                    pass out route-to ( fxp0 70.XX:XXX.126 ) from 70.XX:XXX.125 to !70.XX:XXX.120/29 keep state allow-opts label "let out anything from firewall host itself"
                    pass out route-to ( stf0 2002:XXXX:XXXX:: ) inet6 from 2002:XXXX:XXXX::/48 to !2002:XXXX:XXXX::/48 keep state allow-opts label "let out anything from firewall host itself"
                    pass out on $IPsec all keep state label "IPsec internal host to host"
                    # make sure the user cannot lock himself out of the webConfigurator or SSH
                    pass in quick on fxp2 proto tcp from any to (fxp2) port { 80 443  22 } keep state label "anti-lockout rule"
                    
                    # User-defined rules follow
                    
                    anchor "userrules/*"
                    block  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  from   $blockips to any  label "USER_RULE: Block Known Black Hatters"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto udp  from any to 70.XX:XXX.125 port $ovpn  keep state  label "USER_RULE: OpenVPN Access Rule"
                    pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 from   2002:XXXX:XXXX:13:203:XXXX:XXXX:7df4 to   2002:XXXX:XXXX:d::1 keep state  label "USER_RULE: IPV6 Test"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto { tcp udp }  from any to   $dnsservers port 53  keep state  label "USER_RULE: Our DNS and Backup DNS servers"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $webservers port 80  flags S/SA keep state  label "USER_RULE: HTTP Access for Web Servers"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $webservers port 443  flags S/SA keep state  label "USER_RULE: Secure HTTP Access for Web Servers"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $asigrasvrs port $asigra  flags S/SA keep state  label "USER_RULE: Asigra Test Systems"
                    pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 proto tcp  from any to   $sdstestlinip6 port $asigra  flags S/SA keep state  label "USER_RULE: Asigra Test Systems IPV6"
                    pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 proto tcp  from any to   $sdstestlinip6 port 80  flags S/SA keep state  label "USER_RULE: Asigra Test Systems IPV6"
                    pass  in  quick  on $WAN reply-to ( fxp0 2002:XXXX:XXXX:: ) inet6 proto tcp  from any to   $sdstestlinip6 port 443  flags S/SA keep state  label "USER_RULE: Asigra Test Systems IPV6"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from   $ThaSDSGroup to   $webminsvrs port $adminports  flags S/SA keep state  label "USER_RULE: Webmin Servers"
                    pass  in  quick  on $WAN reply-to ( fxp0 70.XX:XXX.126 )  proto tcp  from any to   $mailsvrs port $mailports  flags S/SA keep state  label "USER_RULE: Mail Access"
                    pass  in  quick  on $LAN  from 10.XX:XX.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                    pass  in  quick  on $LAN inet6 from any to any keep state  label "USER_RULE: Default allow LAN to any rule"
                    pass  in  quick  on $LAN  from   10.XX.XX.0/24 to any keep state  label "USER_RULE: Default allow Lab LAN to any rule"
                    pass  in  quick  on $LAN  from   10.4X.XX.0/24 to any keep state  label "USER_RULE: Default allow Lab LAN to any rule"
                    pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE: Default Allow Rule"
                    pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN Default Allow Rule"
                    
                    # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
                    pass in quick on $LAN inet6 from 2002:XXXX:XXXX:0:0:0:0:0/48 to any keep state label "Allow IPv6 on LAN to any"
                    # Add rules to bypass firewall rules for static routes
                    pass quick on $LAN proto tcp from 10.XX:XX.0/24 to 10.XX.XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN from 10.XX:XX.0/24 to 10.XX.XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN proto tcp from 10.XX.XX.0/24 to 10.XX:XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN from 10.XX.XX.0/24 to 10.XX:XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN proto tcp from 10.XX:XX.0/24 to 10.4X.XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN from 10.XX:XX.0/24 to 10.4X.XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN proto tcp from 10.4X.XX.0/24 to 10.XX:XX.0/24 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
                    pass quick on $LAN from 10.4X.XX.0/24 to 10.XX:XX.0/24 keep state(sloppy) label "pass traffic between statically routed subnets"
                    
                    # VPN Rules
                    pass out on $WAN  route-to ( fxp0 70.XX:XXX.126 )  proto udp from any to  any  port = 500 keep state label "IPsec: Mobile P1 - outbound isakmp"
                    pass in on $WAN  reply-to ( fxp0 70.XX:XXX.126 )  proto udp from  any  to any port = 500 keep state label "IPsec: Mobile P1 - inbound isakmp"
                    pass out on $WAN  route-to ( fxp0 70.XX:XXX.126 )  proto udp from any to  any  port = 4500 keep state label "IPsec: Mobile P1 - outbound nat-t"
                    pass in on $WAN  reply-to ( fxp0 70.XX:XXX.126 )  proto udp from  any  to any port = 4500 keep state label "IPsec: Mobile P1 - inbound nat-t"
                    pass out on $WAN  route-to ( fxp0 70.XX:XXX.126 )  proto esp from any to  any  keep state label "IPsec: Mobile P1 - outbound esp proto"
                    pass in on $WAN  reply-to ( fxp0 70.XX:XXX.126 )  proto esp from  any  to any keep state label "IPsec: Mobile P1 - inbound esp proto"
                    anchor "tftp-proxy/*"
                    
                      jimp Rebel Alliance Developer Netgate
                      last edited by May 1, 2012, 4:51 PM

                      Interesting…

                      # allow our proto 41 traffic from the 6to4 border relay in
                      pass in on $WAN proto 41 from 192.88.99.1 to (self) label "Allow 6in4 traffic in for 6to4 on WAN"
                      pass out on $WAN proto 41 from (self) to 192.88.99.1 label "Allow 6in4 traffic out for 6to4 on WAN"
                      antispoof for fxp2
                      
                      

                      But in your firewall logs:

                      May  1 10:28:23 officefw pf:     71.XX.XXX.57 > 70.XX.XXX.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:XXXX:XXXX:13:XXX:XXXX:XXXX:5cf4.55172 > 2002:XXXX:XXXX:d:XXX:XXXX:XXXX:7884.80: Flags [S], cksum 0xd537 (correct), seq 1951051361, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
                      May  1 10:28:26 officefw pf: 00:00:02.987371 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 64163, offset 0, flags [none], proto IPv6 (41), length 92)
                      
                      So the rule should be passing proto 41 from 71.XX.XXX.57, but somehow it's getting 192.88.99.1 there.
                      
                      We don't have a way to make a proto 41 pass rule in the GUI yet, but you could do one of two things:
                      
                      1. Add a rule to pass any proto from 71.XX.XXX.57 to your WAN IP.
                      
                      or 2. Edit /usr/local/www/firewall_rules_edit.php - find the line with this:
                      
                          $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP OSPF any carp pfsync");
                      
                      And change it to something like:
                      
                          $protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP OSPF any carp pfsync ipv6");
                      
                      Then make a rule on WAN to pass that proto from 71.XX.XXX.57 to your WAN IP.
                      
                      There may be a bug in the auto rules there, but it would have to wait for databeestje to look at in more detail.
                      


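The mismatch jimp points out above (the auto rule admits proto 41 only from the relay anycast 192.88.99.1, while the blocked packets carry an outer source of 71.XX.XXX.57) is exactly what a 6to4 router sees when the remote site is itself 6to4: per RFC 3056, 6to4 routers tunnel directly to the IPv4 address embedded in the peer's 2002::/16 prefix instead of going through a relay. The script below is an added example, not code from the thread, pfSense or Netgate. It parses the two-line pf filter.log layout shown in the posts, recovers the embedded IPv4 address from the inner 6to4 source, and checks it against the outer IPv4 source (the consistency check RFC 3964 recommends), so an operator can tell a legitimate direct peer from an inconsistent packet before writing any pass rule. The sample log lines, the documentation-range addresses in them, and the function names (`parse_proto41_blocks`, `classify`, `suggest_pass_rule`) are all constructed for this example.

```python
import ipaddress
import re

# 6to4 relay anycast (RFC 3068): the only outer source the pfSense auto rule
# quoted in the thread ("pass in on $WAN proto 41 from 192.88.99.1") accepts.
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")

# Constructed sample, same two-line layout as the thread's filter.log excerpt.
# Addresses are documentation ranges (198.51.100.57 -> 2002:c633:6439::/48,
# 203.0.113.125 -> 2002:cb00:717d::/48); the second packet carries an inner
# 6to4 source whose embedded IPv4 does not match its outer IPv4 source.
SAMPLE_LOG = """\
May  1 10:28:26 officefw pf: 00:00:02.987371 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 64163, offset 0, flags [none], proto IPv6 (41), length 92)
May  1 10:28:26 officefw pf:     198.51.100.57 > 203.0.113.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:c633:6439:13::5cf4.55171 > 2002:cb00:717d:d::7884.80: Flags [S], cksum 0xf3c2 (correct), seq 3416078468, win 8192, options [mss 1220,nop,wscale 2,nop,nop,sackOK], length 0
May  1 10:29:01 officefw pf: 00:00:00.001893 rule 1/0(match): block in on fxp0: (tos 0x20, ttl 30, id 39261, offset 0, flags [none], proto IPv6 (41), length 92)
May  1 10:29:01 officefw pf:     192.0.2.9 > 203.0.113.125: (hlim 63, next-header TCP (6) payload length: 32) 2002:c633:6439:13::1.40000 > 2002:cb00:717d:d::7884.80: Flags [S], cksum 0x0000 (correct), seq 1, win 8192, options [mss 1220], length 0
"""

# First line of a pair: the pf verdict, interface and outer protocol (41).
HEADER_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+):"
    r".*proto IPv6 \(41\)"
)
# Second line: outer IPv4 pair, then the decapsulated IPv6 addresses and ports.
INNER_RE = re.compile(
    r"pf:\s+(?P<osrc>[\d.]+) > (?P<odst>[\d.]+): \(.*?payload length: \d+\)\s+"
    r"(?P<isrc>[0-9A-Fa-f:]+)\.(?P<sport>\d+) > (?P<idst>[0-9A-Fa-f:]+)\.(?P<dport>\d+):"
)


def embedded_ipv4(addr6):
    """IPv4 address embedded in a 6to4 (2002:V4ADDR::/48) address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIXTO4_NET:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])  # bytes 2..5 hold the 32-bit IPv4 address


def classify(outer_src, inner_src):
    """Explain how a proto-41 packet with this outer/inner source pair reached us."""
    osrc = ipaddress.IPv4Address(outer_src)
    emb = embedded_ipv4(inner_src)
    if osrc == RELAY_ANYCAST:
        return "relay"                   # the path the pfSense auto rule covers
    if emb is None:
        return "native-from-non-relay"   # native v6 source should only arrive via a relay
    if emb == osrc:
        return "direct-6to4-peer"        # RFC 3056 router-to-router tunnel, consistent
    return "mismatch"                    # embedded v4 != outer v4: inconsistent, keep blocking


def parse_proto41_blocks(log_text):
    """Pair each 'proto IPv6 (41)' header line with its detail line and classify it."""
    events = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        hdr = HEADER_RE.search(line)
        if not hdr:
            continue
        inner = INNER_RE.search(lines[i + 1])
        if not inner:
            continue
        events.append({
            "ifname": hdr["ifname"],
            "outer_src": inner["osrc"],
            "outer_dst": inner["odst"],
            "inner_src": inner["isrc"],
            "inner_dst": inner["idst"],
            "dport": int(inner["dport"]),
            "verdict": classify(inner["osrc"], inner["isrc"]),
        })
    return events


def suggest_pass_rule(event):
    """pf rule text (hypothetical, for human review) that would admit one consistent
    direct 6to4 peer, limited to proto 41 and the firewall's own addresses.
    Returns None for anything that is not a verified direct peer."""
    if event["verdict"] != "direct-6to4-peer":
        return None
    return ('pass in quick on {ifname} proto 41 from {outer_src} to (self) '
            'label "6to4 direct peer {outer_src}"').format(**event)


if __name__ == "__main__":
    for ev in parse_proto41_blocks(SAMPLE_LOG):
        print(ev["verdict"], ev["outer_src"], "->", ev["inner_src"], "|", suggest_pass_rule(ev))
```

Run it against a real `clog /var/log/filter.log` capture and only the events classified as `direct-6to4-peer` are candidates for the per-peer rule jimp describes; a `mismatch` verdict means the inner 6to4 source does not belong to the outer IPv4 sender and the default deny is doing its job.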
                        podilarius
                        last edited by May 1, 2012, 7:13 PM

                        192.88.99.1 is the IPv6 to IPv4 broker and a rule that comes from the 6to4 config. I am guessing that is to the world or outside of the pfSense domain. I will do as you suggest and let you know the outcome. I hope to have real IPv6 soon and I will not have to worry about 6to4 configs.

                          podilarius
                          last edited by May 1, 2012, 9:45 PM

                          Unfortunately I have had no luck either way. Anyone else with a 6to4 configuration on both sides able to get this working?

                            databeestje
                            last edited by May 5, 2012, 7:23 PM

                            We already replicated the issue, we are currently debugging it with a FreeBSD developer.

                              databeestje
                              last edited by May 6, 2012, 8:20 PM

                              Redmine ticket opened: http://redmine.pfsense.org/issues/2412

                                maxovride
                                last edited by Jul 25, 2012, 4:33 AM

                                I finally got all my stuff configured tonight, and had this issue at first, but I have been able to make rules that allow my systems to be accessible from the internet. I followed this http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker IPv6 guide to set up my connection with HE and then added a rule like you see below. Before putting in the rule I was unable to ping my IPv6 address or connect to anything on my IPv6 address (going outbound was fine). Basically it is a rule for the OPT interface I created for IPv6 that is an allow-everything IPv6 rule with a destination of my server's IPv6 address.

                                Here is a paste of the HE port scan and ping test for my IPv6 IP after I put this rule in.

                                Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-24 21:07 PDT
                                Interesting ports on 2001:470:x:xx::ff78:
                                Not shown: 999 closed ports
                                PORT  STATE SERVICE
                                22/tcp open  ssh

                                Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

                                (attached screenshot of the rule: ipv6ruleed.png)

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.