pfSense won't issue
-
Hello,
I had a strange thing happen to me yesterday with pfSense. I have been having trouble with my Linux servers acquiring a DHCPv6-assigned address: there was no sign in pfSense's logs that the Linux systems even tried to acquire an address. However, DHCP for IPv4 runs properly.

Then a strange thing happened: I shut down the Linux system and cranked up tcpdump on pfSense's command line, searching for "ether host " with the MAC address of the Linux system. I was trying to see what packets arrived from the Linux host. Lo and behold: the Linux system acquired the IPv6 address. I tested this with four different Linux systems, rebooting each system several times, but only when I was running tcpdump on pfSense did the Linux systems get an IPv6 address.

Once the Linux system had the IPv6 address, access to the IPv6 internet worked properly. Two hours later, the IPv6 address lease expired, but since tcpdump wasn't running, apparently the request didn't get through to pfSense.

Tonight I ran a slightly different test: I ran the same tcpdump command looking for only the one MAC address of the first Linux system. I left it running, and when I restarted the networking of all of the other Linux systems, each of them was able to acquire its IPv6 address.

Why would it appear that putting the interface into promiscuous mode caused packets to get through to the DHCPv6 daemon?

Also, wouldn't configuration of the DHCPv6 server create a "hidden" set of firewall rules to allow access to pfSense via its link-local IP address?

The details:
- pfSense 2.4.2-RELEASE
- IPv6 available via tunnel broker.
- the network is set to static IPv6 routing, working properly
Linux systems:
Ubuntu 16.04 LTS server
Each /etc/network/interfaces has the following lines:
auto ens33
iface ens33 inet dhcp
iface ens33 inet6 dhcp
-
Hi,
Default hidden IP firewall rules do allow DHCP traffic:
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: pfctl -vvsr | grep 'fxp0'
@1(0) scrub on fxp0 all fragment reassemble
@61(1000002620) block drop in on ! fxp0 inet6 from 2001:470:1f13:5c0::/64 to any
@62(1000002620) block drop in on fxp0 inet6 from fe80::212:3fff:feb3:5875 to any
@64(1000002620) block drop in on ! fxp0 inet from 192.168.1.0/24 to any
@66(1000002641) pass in quick on fxp0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
@67(1000002642) pass in quick on fxp0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
@68(1000002643) pass out quick on fxp0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
@69(1000002651) pass quick on fxp0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@70(1000002652) pass quick on fxp0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@71(1000002653) pass quick on fxp0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@72(1000002654) pass quick on fxp0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@73(1000002655) pass in quick on fxp0 inet6 proto udp from fe80::/10 to 2001:470:1f13:5c0:2::1 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@74(1000002656) pass out quick on fxp0 inet6 proto udp from 2001:470:1f13:5c0:2::1 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
@105(1475046354) pass in quick on fxp0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
@106(1475046354) pass in quick on fxp0 inet6 from 2001:470:1f13:5c0::/64 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
Btw: "fxp0" is my LAN NIC. Use yours instead.
Lines 105 & 106 are actually my GUI single firewall rule "USER_RULE: Default LAN -> any" for IPv6 and IPv4.
-
Running "pfctl -vvsr | grep cpsw1.100" shows the "hidden" rules that allow DHCPv6 to operate.
I did some more research: it does not matter what pcap filter I use; the key to my Linux clients getting IPv6 addresses is that the listening Ethernet interface be in promiscuous mode.
Do I need to completely rebuild my firewall?
–jason
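The pasted pfctl output and the follow-up about promiscuous mode point at two things a troubleshooter can check mechanically: whether the ruleset actually passes a client's DHCPv6 Solicit on the LAN interface, and what frame the NIC has to accept for that Solicit to reach pf at all. The Python below is an added example, not code from this thread or from pfSense. It parses `pfctl -vvsr` lines of the shape pasted above (the sample embedded in the script is that output, copied so it runs offline), reports the rule that admits a Solicit (link-local source, destination ff02::1:2, UDP to the server port), and computes the RFC 2464 Ethernet multicast address for ff02::1:2. The parser only understands the fields present in the sample; that, and the interface name `cpsw1.100` taken from the reply above, are assumptions.

```python
import ipaddress
import re

# Sample input: the `pfctl -vvsr | grep 'fxp0'` output pasted in the thread,
# embedded here so the script runs without a pfSense box.
SAMPLE_RULES = """\
@1(0) scrub on fxp0 all fragment reassemble
@61(1000002620) block drop in on ! fxp0 inet6 from 2001:470:1f13:5c0::/64 to any
@62(1000002620) block drop in on fxp0 inet6 from fe80::212:3fff:feb3:5875 to any
@64(1000002620) block drop in on ! fxp0 inet from 192.168.1.0/24 to any
@66(1000002641) pass in quick on fxp0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
@67(1000002642) pass in quick on fxp0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
@68(1000002643) pass out quick on fxp0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
@69(1000002651) pass quick on fxp0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@70(1000002652) pass quick on fxp0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@71(1000002653) pass quick on fxp0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@72(1000002654) pass quick on fxp0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@73(1000002655) pass in quick on fxp0 inet6 proto udp from fe80::/10 to 2001:470:1f13:5c0:2::1 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@74(1000002656) pass out quick on fxp0 inet6 proto udp from 2001:470:1f13:5c0:2::1 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
@105(1475046354) pass in quick on fxp0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
@106(1475046354) pass in quick on fxp0 inet6 from 2001:470:1f13:5c0::/64 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
"""

# One filter rule as printed by `pfctl -vvsr`. Assumption: only the keywords
# seen in the sample are handled; scrub lines and unknown options are skipped.
RULE_RE = re.compile(
    r'^@(?P<num>\d+)\(\d+\)\s+'
    r'(?P<action>pass|block(?: drop)?)\s+'
    r'(?:(?P<dir>in|out)\s+)?'
    r'(?:quick\s+)?'
    r'on\s+(?P<neg>!\s+)?(?P<iface>\S+)\s+'
    r'(?P<af>inet6?)\s+'
    r'(?:proto\s+(?P<proto>\S+)\s+)?'
    r'from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\S+))?\s+'
    r'to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\S+))?'
    r'(?:.*?\blabel\s+"(?P<label>[^"]*)")?'
)

CLIENT_PORTS = {"dhcpv6-client", "546"}
SERVER_PORTS = {"dhcpv6-server", "547"}
# RFC 8415: clients send Solicit to All_DHCP_Relay_Agents_and_Servers.
SOLICIT_DST = ipaddress.IPv6Address("ff02::1:2")


def parse_rules(text):
    """Turn pfctl -vvsr output into a list of field dicts (non-matching lines dropped)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def dhcpv6_pass_rules(text, iface):
    """Pass rules on `iface` (not negated) with a DHCPv6 port on either side."""
    ports = CLIENT_PORTS | SERVER_PORTS
    return [
        r for r in parse_rules(text)
        if r["action"] == "pass" and r["iface"] == iface and not r["neg"]
        and r["af"] == "inet6" and r["proto"] == "udp"
        and (r["sport"] in ports or r["dport"] in ports)
    ]


def _covers(spec, addr):
    """True if a pf address spec ("any", a host, or a prefix) contains addr."""
    if spec == "any":
        return True
    return addr in ipaddress.ip_network(spec, strict=False)


def solicit_allowed(text, iface):
    """Number of the first inbound rule admitting a client Solicit on iface, else None."""
    probe_src = ipaddress.IPv6Address("fe80::1")  # stands for any link-local client
    for r in dhcpv6_pass_rules(text, iface):
        if r["dir"] == "out":
            continue  # outbound-only rules cannot admit the client's packet
        if (_covers(r["src"], probe_src) and _covers(r["dst"], SOLICIT_DST)
                and r["dport"] in SERVER_PORTS):
            return r["num"]
    return None


def ipv6_multicast_mac(addr):
    """RFC 2464: 33:33 followed by the low 32 bits of the IPv6 multicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in packed[-4:])


if __name__ == "__main__":
    for iface in ("fxp0", "cpsw1.100"):
        hit = solicit_allowed(SAMPLE_RULES, iface)
        print(f"{iface}: Solicit {'allowed by rule @' + hit if hit else 'NOT allowed'}")
    print("Solicit frames carry destination MAC", ipv6_multicast_mac("ff02::1:2"))
```

Run against the pasted ruleset, the Solicit is admitted by rule @71 on fxp0 (and by nothing on cpsw1.100, because that grep output is not in the sample). When the rules are present but clients still only get leases while tcpdump is running, the firewall policy is not the place to keep looking: every Solicit arrives in a frame addressed to 33:33:00:01:00:02, and a non-promiscuous interface only sees it if that group is programmed into the NIC's multicast filter. Promiscuous mode bypasses that filter, which is why the symptom described above is consistent with a multicast-filter problem on the interface or switch driver rather than a pf rule; that reading is a hypothesis to verify, not something the thread has confirmed.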
-
Looks like an SG-1000.
-
You are correct: the firewall is an SG-1000 I purchased less than a month ago. My servers are on VLAN 100; my home network is on VLAN 1 (aka no VLAN at all).
Oh, I restored the configuration from pfSense 2.3 running on a nanobsd ALIX: I didn't find any warnings about transitioning from 32-bit to 64-bit nor between 2.3 and 2.4.
–jason
-
Would there be any issues due to the built-in Ethernet switch?
–jason