[SOLVED] IPv6 Address not working in Alias



  • I am running a NFS Server for hosting ISO images and a few VMs.
    When I set up a new ESXi server I create a new datastore and mount the NFS share.
    This is a very convenient way to have all my ISO images available on all hypervisors I manage.

    These are my firewall rules:
    (screenshot of the firewall rules)

    And here is my alias:
    (screenshot of the alias)

    The firewall rules are working fine for the hosts that are listed with their FQDN.
    The last entry (IPv6 Address) is not working.

    Firewall log:
    (screenshot of the firewall log)

    Any ideas what could cause this issue?


  • In "TCP:S", the S is the TCP flag. It's a "syn" flag, which means it is trying to establish a connection.
    The rule you have does not apply for some reason, hard to tell. I think you need to check what's inside HOST_NFSClient and if [2003:a:*:22] is present in that list and also if it's allowed to send traffic on PUBLIC_IP_BRIDGE.
    Also, check this post https://forum.netgate.com/post/841371



  • Are there any rules above the NFS Server separator?

    Also any reason why you have tcp and udp rules, rather than tcp/udp?

    Have you killed the states?



  • Thanks for your quick reply.
    2003:a:*::22 is not listed under Diagnostics / Tables.
    The addresses of the hosts I added with FQDN are inside the HOST_NFSClient table.
    Both addresses (IPv4 and IPv6) are listed if they are dual stack.

    When I copy the firewall entry and replace HOST_NFSClient with the IPv6 address I added to the alias the connection is working.
    In my opinion there must be something wrong with the alias.

    @NogBadTheBad said in IPv6 Address not working in Alias:

    Are there any rules above the NFS Server separator?

    Yes, but the behaviour doesn't change when I move the rules to the top.

    @NogBadTheBad said in IPv6 Address not working in Alias:

    Also any reason why you have tcp and udp rules, rather than tcp/udp?

    I could not find a definitive answer which protocol is used and I wanted to see if it is true you need both and if so which one gets more traffic.

    @NogBadTheBad said in IPv6 Address not working in Alias:

    Have you killed the states?

    Yes



  • This post is deleted!


  • I do not have issues with the hosts.
    The IPv6 address I added does not work.
    Host resolution is fine.



  • @Crunk_Bass

    Yup just reread your post then deleted my comment



  • I just hit the Empty Table button on the Diagnostics / Tables page.
    Now there are no entries in HOST_NFSClient and it seems they do not get added back again.

    I tried restarting the DNS resolver, saved the alias again and hit apply changes.

    Status / System Logs / System / DNS Resolver lists

    Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname1.example.com
    Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname2.example.com
    Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname3.example.com
    Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname4.example.com
    Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: 2003:a:*::22
    

    but the list stays empty.


  • URL Aliases are only refreshed after the time period defined in advanced settings. Default: 300s, so you have to wait at least 5 min for them to repopulate, or make a change, save the alias again and apply changes to force-reload the rules.



  • @Crunk_Bass
    Hello,
    try executing this command from the console:
    pfctl -t HOST_NFSClient -T add your_ipv6_address

    Are there any errors?
    If there are no errors, what does this show:
    pfctl -t HOST_NFSClient -Ts
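
    One way to cross-check what the alias table really holds against what filterdns announced (the log lines in the post above and the pfctl commands in this one), as an added example that is not from this thread or from pfSense: the script below parses constructed stand-ins for `pfctl -t HOST_NFSClient -Ts` output and the filterdns log, resolves hostnames through a made-up lookup table so it runs offline, and reports alias entries whose addresses are absent from the table. All addresses, hostnames and DNS answers are constructed (documentation ranges); on a real firewall you would feed it the live command output and log instead. Normalising the IPv6 literal is the point worth noticing: the same address can be typed in several forms, so a plain string comparison against pfctl's canonical output can miss a match.

```python
"""Cross-check a pfSense hostname-alias table against what filterdns says it
should contain. Added example for this thread, not pfSense's own code; all
input below is constructed so the script runs offline."""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Set, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

TABLE = "HOST_NFSClient"

# Constructed stand-in for `pfctl -t HOST_NFSClient -Ts` output: one entry per
# line, indented, prefixes written as addr/len. Documentation ranges only.
SAMPLE_TABLE_OUTPUT = """\
   192.0.2.10
   192.0.2.11
   2001:db8:10::11
   198.51.100.0/24
"""

# Constructed stand-in for the filterdns lines shown in the thread. The last
# entry is an IPv6 literal typed into the alias in a non-canonical form.
SAMPLE_FILTERDNS_LOG = """\
Nov 18 17:02:30\tfilterdns\t\tAdding Action: pf table: HOST_NFSClient host: hostname1.example.com
Nov 18 17:02:30\tfilterdns\t\tAdding Action: pf table: HOST_NFSClient host: hostname2.example.com
Nov 18 17:02:30\tfilterdns\t\tAdding Action: pf table: OTHER_TABLE host: 203.0.113.5
Nov 18 17:02:30\tfilterdns\t\tAdding Action: pf table: HOST_NFSClient host: 2001:DB8:0000::0022
"""

# Constructed (hypothetical) DNS answers, so no resolver is needed to run this.
SAMPLE_RESOLUTIONS: Dict[str, List[str]] = {
    "hostname1.example.com": ["192.0.2.10", "2001:db8:10::11"],
    "hostname2.example.com": ["192.0.2.11"],
}

FILTERDNS_RE = re.compile(r"Adding Action: pf table: (?P<table>\S+) host: (?P<host>\S+)")


def parse_pf_table(show_output: str) -> List[Net]:
    """Turn `pfctl -T show` output into network objects (a bare host becomes /32 or /128)."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in show_output.splitlines() if line.strip()]


def expected_from_log(log_text: str, table: str,
                      resolve: Callable[[str], Iterable[str]]) -> Dict[str, Set[Addr]]:
    """Map each alias entry filterdns announced for `table` to the addresses it should add.

    An IP literal contributes itself, normalised so "2001:DB8:0000::0022" and
    "2001:db8::22" compare equal; a hostname contributes what it resolves to.
    """
    expected: Dict[str, Set[Addr]] = {}
    for line in log_text.splitlines():
        m = FILTERDNS_RE.search(line)
        if not m or m.group("table") != table:
            continue
        host = m.group("host")
        try:
            expected[host] = {ipaddress.ip_address(host)}
        except ValueError:  # not a literal, so treat it as a hostname
            expected[host] = {ipaddress.ip_address(a) for a in resolve(host)}
    return expected


def missing_entries(expected: Dict[str, Set[Addr]], table: List[Net]) -> Dict[str, Set[Addr]]:
    """Alias entries with at least one address that no table entry covers."""
    missing: Dict[str, Set[Addr]] = {}
    for entry, addrs in expected.items():
        # `addr in net` is False across address families, so mixed tables are safe.
        absent = {a for a in addrs if not any(a in n for n in table)}
        if absent:
            missing[entry] = absent
    return missing


def check_sample() -> Dict[str, Set[Addr]]:
    """Run the comparison on the constructed data; returns entries the live table lacks."""
    table = parse_pf_table(SAMPLE_TABLE_OUTPUT)
    expected = expected_from_log(SAMPLE_FILTERDNS_LOG, TABLE,
                                 lambda h: SAMPLE_RESOLUTIONS.get(h, []))
    return missing_entries(expected, table)


if __name__ == "__main__":
    for entry, addrs in check_sample().items():
        print(f"{entry}: not in {TABLE}: {', '.join(sorted(map(str, addrs)))}")
```

    On the constructed data the only entry reported is the IPv6 literal, which mirrors the symptom in the thread: hostnames populate the table, the literal does not.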



  • @Konstanti adding the IP address from the command line works as expected.
    After executing the command the IP address is shown under Diagnostics / Tables.
    The other addresses that were present before I emptied the table are still missing.

    Your second command lists the IP I added (same output as Diagnostics / Tables)

    @JeGr Thanks for pointing that out. I knew I saw a setting somewhere regarding the time period the addresses are updated but didn't find it. The value is on default (300s) but until now nothing got added to the list.

    Should I try restarting the firewall or do you want to find out where exactly the issue is?
    No problem if it takes a few days. As a workaround I added the rules manually for the IP addresses I need.



  • Thank you all very much for your help.

    I rebooted the firewall and until now (uptime 20h) the aliases are working as expected.

