Avahi with IPv6 bug
-
@jimp Just brainstorming, but one idea I was thinking of was including the appropriate multicast into "This firewall (self)".
So you could have a rule such that:
Pass -- Source: LinkLocal -> Dest: This firewall -- port: 5353
You wouldn't have to include every well known multicast, but just the ones that are actively serviced by the router. For Avahi, I think it is ff02::fb.
-
But "multicast" is not "this firewall", it's multicast.
Also "This Firewall (self)" is a pf macro, not a list we craft in pfSense code. We can't alter what it covers.
-
@jimp said in Avahi with IPv6 bug:
But "multicast" is not "this firewall", it's multicast.
Also "This Firewall (self)" is a pf macro, not a list we craft in pfSense code. We can't alter what it covers.
I think I agree with what you are saying but technically, if the firewall has "subscribed" to a multicast address, then it kind of is a "firewall" address.
So the question is what is the best way to allow the packet into the firewall, so that it still makes sense that it isn't going anywhere else.
Right now, I have a rule that passes IPv6 Link_Local_Address to Multicast. If someone else were to come in and see this, they would think "That's not legal. You can't pass link-local addresses out of the subnet," so I put a comment, "required by Avahi", on the rule. Maybe that is the only way.
-
It's more broken to reappropriate existing macros and terms to include things they should not.
Anyone who saw a rule with a destination of "multicast" and actually thought it would leave the segment needs to be re-educated. That's not confusing at all. (And in the future with something like PIM it might actually be allowed.)
-
@isaacfl said in Avahi with IPv6 bug:
Right now, I have a rule that passes IPv6 Link_Local_Address to Multicast. If someone else were to come in and see this, they would think "That's not legal. You can't pass link-local addresses out of the subnet," so I put a comment, "required by Avahi", on the rule. Maybe that is the only way.
Let's pop up a level. Can you explain what it is you are trying to accomplish with using Avahi? Is it providing information about the firewall itself? Or is it allowing dns-sd to function across subnets?
-
@dennypage said in Avahi with IPv6 bug:
@isaacfl said in Avahi with IPv6 bug:
Right now, I have a rule that passes IPv6 Link_Local_Address to Multicast. If someone else were to come in and see this, they would think "That's not legal. You can't pass link-local addresses out of the subnet," so I put a comment, "required by Avahi", on the rule. Maybe that is the only way.
Let's pop up a level. Can you explain what it is you are trying to accomplish with using Avahi? Is it providing information about the firewall itself? Or is it allowing dns-sd to function across subnets?
I think it is just DNS across subnets, but not sure. I am trying to get all of the Apple-based home automation type things to work across the subnets. I have my iPhones, iPads, and Apple TVs wirelessly connected to one subnet. I have my thermostats, garage door openers, smart switches, etc. in a different subnet. My Windows PCs and printers are in a third subnet.
So with Avahi working properly I can print something from the iPhone in one subnet to a printer in a different subnet. Also, the Apple TV can play a movie from a PC which is running iTunes.
It does seem to be working with Avahi, but I notice it is falling back to IPv4 a lot, whereas before I subnetted the devices it was IPv6 exclusively. So I am trying to isolate the issues.
-
@jimp said in Avahi with IPv6 bug:
It's more broken to reappropriate existing macros and terms to include things they should not.
Anyone who saw a rule with a destination of "multicast" and actually thought it would leave the segment needs to be re-educated. That's not confusing at all. (And in the future with something like PIM it might actually be allowed.)
I guess it is possible, using a global address, to multicast across the internet using IPv6. Beyond my skills on how to do that, though.
-
I stand corrected. I do have some devices that are using link local addresses only even though global addresses have been assigned.
-
@jimp said in Avahi with IPv6 bug:
The choices really are:
Someone could manually make a rule on their own as-is with minimal risk aside from maybe shooting their own foot with setting a gateway (what we have now).
So, is this how one would manually make a rule to address this? I created this on each subnet that Avahi has set under interfaces.
-
@costanzo That's about what I made mine, but I also added source fe80::/10 with port 5353.
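The rule the last two posts describe, written out in pf.conf syntax as an added example. It is not from the thread and not pfSense-generated output; the interface name em1 is an assumption, and on pfSense the same thing would normally be entered as a GUI rule on each interface Avahi is bound to.

```pf
# Added example, not from the thread and not pfSense-generated output.
# Assumes the LAN interface is em1 and that Avahi on the firewall is
# bound to it. Scope is deliberately narrow: link-local sources only,
# the mDNS group ff02::fb only, UDP 5353 only. Link-scope multicast is
# not forwarded by the firewall, so a destination of ff02::fb never
# leaves the segment; the rule only lets the packet reach Avahi itself.
pass in quick on em1 inet6 proto udp from fe80::/10 to ff02::fb port 5353 keep state

# IPv4 counterpart, since the thread notes devices falling back to IPv4.
# 224.0.0.251 is the mDNS IPv4 group; em1:network is the interface's
# own subnet, so nothing from another segment matches.
pass in quick on em1 inet proto udp from em1:network to 224.0.0.251 port 5353 keep state
```

Do not set a gateway on either rule: policy routing a link-local or multicast destination is the foot-shooting case @jimp mentions, and these packets have nowhere to go but the local segment and the firewall's own Avahi listener.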