Crash when removing IPv6 over IPv4 Tunneling

Hakujou

Hello,

I tried to uncheck "IPv6 over IPv4 Tunneling" in settings, but PHP throws an error. I attached the logs : 0_1550172918405_PHP_errors.zip.

By the way, it doesn't seem to work. With the option checked and the IP properly set in "IPv4 address of Tunnel Peer", the secondary gateway (which has the IP defined in the primary one) doesn't see any incoming traffic on the GIF. I also tried with a manual NAT rule IPv4 protocol 41 to secondary gateway IP, no more luck.

Thanks

stephenw10

[14-Feb-2019 20:27:07 Europe/Paris] PHP Fatal error:  Uncaught Error: Cannot unset string offsets in /usr/local/www/system_advanced_network.php:112
Stack trace:
#0 {main}
  thrown in /usr/local/www/system_advanced_network.php on line 112

Are you running 2.4.4p2?

This looks like a known bug that's fixed in 2.4.5 snapshots:
https://redmine.pfsense.org/issues/9264

You may want to test one before snaps switch to 2.5.0 (FreeBSD 12) if you can.

Steve

Hakujou

Oh right, that's exactly my issue, and I'm running 2.4.4p2.
I'd rather not switch to an unstable version at the moment, so I'll leave it this way until 2.4.5 releases.

Do you know if, when the option is enabled, it works properly ? I couldn't figure how to pass protocol 41 to an host behind pfSense. Ideally, I'd rather do NAT with source IP (to pass multiple tunnel brokers to different hosts) but I've never been able to do a working GIF tunnel behind the pfSense gateway (either from this option or with a NAT protocol 41).

stephenw10

As far as know that should work but it's not something I've ever tried personally.

As an alternative to moving to the dev branch you could just apply those patches on that ticket using the patches package.
You may be waiting sometime for that otherwise as there will undoubtedly be numerous things to fix when we move to FreeBSD 12 as base. There may not be a 2.4.5 release.

Steve

Hakujou

I might have to try again, then.
But what's the difference between this option and NAT protocol 41 in the firewall ?

stephenw10

It does this:

	/* DIAG: add ipv6 NAT, if requested */
	if ((isset($config['diag']['ipv6nat']['enable'])) &&
	    (is_ipaddr($config['diag']['ipv6nat']['ipaddr'])) &&
	    (is_array($FilterIflist['wan']))) {
		/* XXX: FIX ME!	 IPV6 */
		$natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto ipv6 from any to any -> {$config['diag']['ipv6nat']['ipaddr']}\n";
	}

At least it does once you have applied those patches or are running 2.4.5. Confirmed it's broken in 2.4.4p2.

So you end up with a redirect rule like:
rdr on $WAN proto ipv6 from any to any -> 192.168.82.98
That's something you otherwise can't do in the GUI

Steve

Hakujou

I don't see any difference between that rule, and NAT with protocol IPv6 on WAN, to be honest.

stephenw10

Hmm, I agree.... let me see if I can find out what that's really supposed to be doing.

Steve

Hakujou

Thanks for the help, Steve.

I can't get this working properly. Tried with this NAT rule:

The secondary gateway (IP 10.10.10.1) doesn't seem to be able to communicate through the GIF tunnel.

Also tried with the option discussed above (with patches), no more luck. No byte is going through the tunnel.

Any idea of what's going on ?