Avahi with IPv6 bug
-
@jimp said in Avahi with IPv6 bug:
The choices really are:
- Someone could manually make a rule on their own as-is with minimal risk aside from maybe shooting their own foot with setting a gateway (what we have now).
- Avahi can make its own safe and proper rules easily in the package using built-in features (ideal)
- Break thousands of installations and allow far too much traffic through by changing the meaning of "LAN net".
My opinion would be that each package, in this case Avahi, should have its own very explicit rule as the package developer should know exactly which port etc is needed for the package to function.
I would also say pfSense should NOT include link local in the "LAN net" even though at first glance it seems like the easy answer and would maybe be ok, since the router should silently drop the packets anyway, but there are always unintended consequences.
There will probably be more issues found as people start to use ipv6 exclusively since I am finding that ipv6 uses link local addresses for a lot of things, especially multicast. Dual stack hides a lot of implementation errors in ipv6, since it can fall back to ipv4 now.
-
@jimp Just brainstorming, but one idea I was thinking of was including the appropriate multicast into "This firewall (self)".
So you could have a rule such that:
Pass -- Source:LinkLocal -> Dest:This firewall -- port:5353
You wouldn't have to include every well known multicast, but just the ones that are actively serviced by the router. For Avahi, I think it is ff02::fb.
-
But "multicast" is not "this firewall", it's multicast.
Also "This Firewall (self)" is a pf macro, not a list we craft in pfSense code. We can't alter what it covers.
-
@jimp said in Avahi with IPv6 bug:
But "multicast" is not "this firewall", it's multicast.
Also "This Firewall (self)" is a pf macro, not a list we craft in pfSense code. We can't alter what it covers.
I think I agree with what you are saying but technically, if the firewall has "subscribed" to a multicast address, then it kind of is a "firewall" address.
So the question is how is the best way to allow the packet into the firewall, so that it still makes sense that it isn't going anywhere else.
Right now, I have a rule that passes ipv6 Link_Local_Address to Multicast. If someone else were to come in and see this, they would think "That's not legal. You can't pass Link Local addresses, out of the subnet" so I put a comment, required by Avahi on the rule. Maybe that is only way.
-
It's more broken to reappropriate existing macros and terms to include things they should not.
Anyone who saw a rule with a destination of "multicast" and actually thought it would leave the segment needs to be reeducated. That's not confusing at all. (And in the future with something like PIM might actually be allowed)
-
@isaacfl said in Avahi with IPv6 bug:
Right now, I have a rule that passes ipv6 Link_Local_Address to Multicast. If someone else were to come in and see this, they would think "That's not legal. You can't pass Link Local addresses, out of the subnet" so I put a comment, required by Avahi on the rule. Maybe that is only way.
Let's pop up a level. Can you explain what it is you are trying to accomplish with using Avahi? Is it providing information about the firewall itself? Or is it allowing dns-sd to function across subnets?
-
@dennypage said in Avahi with IPv6 bug:
@isaacfl said in Avahi with IPv6 bug:
Right now, I have a rule that passes ipv6 Link_Local_Address to Multicast. If someone else were to come in and see this, they would think "That's not legal. You can't pass Link Local addresses, out of the subnet" so I put a comment, required by Avahi on the rule. Maybe that is only way.
Let's pop up a level. Can you explain what it is you are trying to accomplish with using Avahi? Is it providing information about the firewall itself? Or is it allowing dns-sd to function across subnets?
I think it is just dns across subnets, but not sure. I am trying to get all of the Apple based home automation type things to work across the subnets. I have my iPhones, iPads, Apple TVs wirelessly connected to one subnet. I have my thermostats, garage door openers, smart switches etc. in a different subnet. My Windows PCs and printers in a 3rd subnet.
So with Avahi working properly I can print something from the iPhone in one subnet to printer in a different subnet. Also Apple TV can play a movie from a PC which is running iTunes.
It does seem to be working with Avahi, but I notice it is falling back to ipv4 a lot. Whereas before I subnetted the devices it was ipv6 exclusively. So trying to isolate the issues.
-
@jimp said in Avahi with IPv6 bug:
It's more broken to reappropriate existing macros and terms to include things they should not.
Anyone who saw a rule with a destination of "multicast" and actually thought it would leave the segment needs to be reeducated. That's not confusing at all. (And in the future with something like PIM might actually be allowed)
I guess it is possible using a global address to multicast across the internet using ipv6. Beyond my skills on how to do that though.
-
I stand corrected. I do have some devices that are using link local addresses only even though global addresses have been assigned.
-
@jimp said in Avahi with IPv6 bug:
The choices really are:
Someone could manually make a rule on their own as-is with minimal risk aside from maybe shooting their own foot with setting a gateway (what we have now).
So, is this how one would manually make a rule to address this? I created this on each subnet that Avahi has set under interfaces.
-
@costanzo That's about what I made mine but also added source fe80:: as /10 with port 5353
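As an added illustration (not code from any poster or from the Avahi package), the following Python models the two rules debated in this thread against constructed mDNS packets: a pfSense-style "LAN net" pass rule, and the explicit per-package rule that allows udp from fe80::/10 to ff02::fb port 5353. It shows why link-local senders slip past "LAN net", how narrow the explicit rule is, and that ff02::fb is link-scoped multicast (scope nibble 2), so passing it cannot leak traffic off the segment. The LAN prefix 2001:db8:1::/64 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

MDNS_PORT = 5353
MDNS_V6_GROUP = ipaddress.IPv6Address("ff02::fb")      # mDNS link-local multicast group
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")        # IPv6 link-local unicast range
# Constructed placeholder for the interface's global prefix ("LAN net" in pfSense terms).
LAN_NET = ipaddress.IPv6Network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def lan_net_rule_matches(pkt: Packet) -> bool:
    """Default 'LAN net -> any' style rule: only the interface's global prefix
    counts as 'LAN net', so a link-local sender is not matched at all."""
    return ipaddress.ip_address(pkt.src) in LAN_NET


def mdns_rule_matches(pkt: Packet) -> bool:
    """Explicit package rule from the thread: udp from fe80::/10 to ff02::fb port 5353."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return (pkt.proto == "udp" and src.version == 6 and src in LINK_LOCAL
            and dst == MDNS_V6_GROUP and pkt.dport == MDNS_PORT)


def multicast_scope(addr: str):
    """IPv6 multicast scope nibble (low 4 bits of the second byte, RFC 4291).
    2 = link-local: a router must not forward it off the segment. None if not multicast."""
    a = ipaddress.IPv6Address(addr)
    return (a.packed[1] & 0x0F) if a.is_multicast else None


def classify(pkt: Packet) -> str:
    """Evaluate a packet against the explicit mDNS rule first, then the LAN net rule."""
    if mdns_rule_matches(pkt):
        return "pass (explicit mDNS rule)"
    if lan_net_rule_matches(pkt):
        return "pass (LAN net rule)"
    return "block"


if __name__ == "__main__":
    # Constructed samples: an Apple device announcing via link-local, and a global sender.
    for p in (Packet("fe80::1", "ff02::fb", 5353), Packet("2001:db8:1::10", "ff02::fb", 5353)):
        print(p, "->", classify(p), "scope", multicast_scope(p.dst))
```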