Netgate Discussion Forum

[SOLVED] IPv6 Address not working in Alias

Firewalling
12 Posts 5 Posters 929 Views
  • C
    Crunk_Bass
    last edited by Crunk_Bass Nov 24, 2019, 9:46 PM Nov 18, 2019, 2:28 PM

    I am running a NFS Server for hosting ISO images and a few VMs.
    When I set up a new ESXi server I create a new datastore and mount the NFS share.
    This is a very convenient way to have all my ISO images available on all hypervisors I manage.

    These are my firewall rules:
    alt text

    And here is my alias:
    alt text

    The firewall rules are working fine for the hosts that are listed with their FQDN.
    The last entry (IPv6 Address) is not working.

    Firewall log:
    alt text

    Any ideas what could cause this issue?

    • K
      kiokoman LAYER 8
      last edited by kiokoman Nov 18, 2019, 3:04 PM Nov 18, 2019, 2:59 PM

      In "TCP:S", the S is the TCP flag. It's a "SYN" flag, which means it is trying to establish a connection.
      The rule you have does not apply for some reason, hard to tell... I think you need to check what's inside HOST_NFSClient, whether [2003:a:*:22] is present in that list, and also whether it's allowed to send traffic on PUBLIC_IP_BRIDGE.
      Also, check this post: https://forum.netgate.com/post/841371

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • N
        NogBadTheBad
        last edited by NogBadTheBad Nov 18, 2019, 3:20 PM Nov 18, 2019, 3:19 PM

        Are there any rules above the NFS Server separator?

        Also any reason why you have tcp and udp rules, rather than tcp/udp?

        Have you killed the states?

        • C
          Crunk_Bass
          last edited by Nov 18, 2019, 3:31 PM

          Thanks for your quick reply.
          2003:a:*::22 is not listed under Diagnostics / Tables.
          The addresses of the hosts I added with FQDN are inside the HOST_NFSClient table.
          Both addresses (IPv4 and IPv6) are listed if they are dual stack.

          When I copy the firewall entry and replace HOST_NFSClient with the IPv6 address I added to the alias the connection is working.
          In my opinion there must be something wrong with the alias.

          @NogBadTheBad said in IPv6 Address not working in Alias:

          Are there any rules above the NFS Server separator?

          Yes, but the behaviour doesn't change when I move the rules to the top.

          @NogBadTheBad said in IPv6 Address not working in Alias:

          Also any reason why you have tcp and udp rules, rather than tcp/udp?

          I could not find a definitive answer which protocol is used and I wanted to see if it is true you need both and if so which one gets more traffic.

          @NogBadTheBad said in IPv6 Address not working in Alias:

          Have you killed the states?

          Yes

          • N
            NogBadTheBad
            last edited by NogBadTheBad Nov 18, 2019, 3:48 PM Nov 18, 2019, 3:47 PM

            This post is deleted!
            • C
              Crunk_Bass
              last edited by Nov 18, 2019, 3:52 PM

              I do not have issues with the hosts.
              The IPv6 address I added does not work.
              Host resolution is fine.

              • N
                NogBadTheBad @Crunk_Bass
                last edited by Nov 18, 2019, 3:53 PM

                @Crunk_Bass

                Yup just reread your post then deleted my comment

                • C
                  Crunk_Bass
                  last edited by Nov 18, 2019, 4:10 PM

                  I just hit the Empty Table button on the Diagnostics / Tables page.
                  Now there are no entries in HOST_NFSClient and it seems they do not get added back again.

                  I tried restarting the DNS resolver, saved the alias again and hit apply changes.

                  Status / System Logs / System / DNS Resolver lists

                  Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname1.example.com
                  Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname2.example.com
                  Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname3.example.com
                  Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: hostname4.example.com
                  Nov 18 17:02:30	filterdns		Adding Action: pf table: HOST_NFSClient host: 2003:a:*::22
                  

                  but the list stays empty.

                  • J
                    JeGr LAYER 8 Moderator
                    last edited by Nov 18, 2019, 4:27 PM

                    URL Aliases are only refreshed after the time period defined in advanced settings. Default: 300s so you have to wait for at least 5min for them to repopulate or make a change, save the alias again and apply changes to force-reload the rules.

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    • K
                      Konstanti @Crunk_Bass
                      last edited by Konstanti Nov 18, 2019, 5:05 PM Nov 18, 2019, 5:01 PM

                      @Crunk_Bass
                      Hello,
                      try executing this command from the console:
                      pfctl -t HOST_NFSClient -T add your_ipv6_address

                      Are there any errors?
                      If there are no errors, what does this show:
                      pfctl -t HOST_NFSClient -Ts

                      C 1 Reply Last reply Nov 18, 2019, 7:27 PM Reply Quote 0
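Added example (not part of the thread and not pfSense code): a shell check that combines the filterdns log lines quoted earlier with the output of `pfctl -t HOST_NFSClient -Ts` and lists the IP literals filterdns logged for the table that are absent from it. The sample log, the table dump and all addresses are constructed, and the comparison assumes each literal is written in the same form pf prints.

```shell
#!/bin/sh
# Constructed sample: filterdns lines in the format shown in the thread.
# 2001:db8::22 and 192.0.2.10 are documentation addresses, not the poster's.
SAMPLE_LOG='Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: hostname1.example.com
Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: 2001:db8::22
Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: 192.0.2.10'

# Constructed sample standing in for the output of: pfctl -t HOST_NFSClient -Ts
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'

# alias_entries LOG TABLE_NAME: print every host filterdns logged for TABLE_NAME.
alias_entries() {
    printf '%s\n' "$1" |
        sed -n "s/.*Adding Action: pf table: $2 host: \(.*\)\$/\1/p"
}

# is_ip_literal ENTRY: succeed for IPv4/IPv6 literals, fail for hostnames.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;             # a colon only appears in IPv6 literals
        *[!0-9.]*|'') return 1 ;;    # anything besides digits and dots: hostname
        *) return 0 ;;               # digits and dots only: IPv4 literal
    esac
}

# missing_literals LOG TABLE_NAME TABLE_DUMP: print the IP literals that were
# logged for TABLE_NAME but do not appear in the table dump. Hostnames are
# skipped because their resolved addresses are not in the log.
missing_literals() {
    alias_entries "$1" "$2" | while IFS= read -r entry; do
        is_ip_literal "$entry" || continue
        printf '%s\n' "$3" |
            sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
            grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

missing_literals "$SAMPLE_LOG" HOST_NFSClient "$SAMPLE_TABLE"
```

On a live firewall the third argument would be `"$(pfctl -t HOST_NFSClient -Ts)"` and the first the DNS Resolver log text; an empty table dump reports every logged literal as missing.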
                      • C
                        Crunk_Bass @Konstanti
                        last edited by Crunk_Bass Nov 18, 2019, 7:35 PM Nov 18, 2019, 7:27 PM

                        @Konstanti adding the IP address from the command line works as expected.
                        After executing the command the IP address is shown under Diagnostics / Tables.
                        The other addresses that were present before I emptied the table are still missing.

                        Your second command lists the IP I added (same output as Diagnostics / Tables)

                        @JeGr Thanks for pointing that out. I knew I saw a setting somewhere regarding the time period the addresses are updated but didn't find it. The value is on default (300s) but until now nothing got added to the list.

                        Should I try restarting the firewall, or do you want to find out where exactly the issue is?
                        No problem if it takes a few days. As a workaround I added the rules manually for the IP addresses I need.

                        • C
                          Crunk_Bass
                          last edited by Nov 20, 2019, 9:57 PM

                          Thank you all very much for your help.

                          I rebooted the firewall and until now (uptime 20h) the aliases are working as expected.
