[SOLVED] IPv6 Address not working in Alias
-
I am running a NFS Server for hosting ISO images and a few VMs.
When I set up a new ESXi server I create a new datastore and mount the NFS share.
This is a very convenient way to have all my ISO images available on all hypervisors I manage.These are my firewall rules:
And here is my alias:
The firewall rules are working fine for the hosts that are listed with their FQDN.
The last entry (IPv6 Address) is not working.Firewall log:
Any ideas what could cause this issue?
-
In "TCP:S", the S is the TCP flag. It's a "syn" flag, which means it is trying to establish a connection
the rule you have does not apply for some reason, hard to tell .. i think you need to check what's inside HOST_NFSClient and if [2003
*:22] is present in that list and also if it's allowed to send traffic on PUBLIC_IP_BRIDGE
also, check this post https://forum.netgate.com/post/841371
-
Are there any rules above the NFS Server separator?
Also any reason why you have tcp and udp rules, rather than tcp/udp?
Have you killed the states?
-
Thanks for your quick reply.
2003*::22 is not listed under Diagnostics / Tables
The addresses of the hosts I added with FQDN are inside the HOST_NFSClient table.
Both addresses (IPv4 and IPv6) are listed if they are dual stack.When I copy the firewall entry and replace HOST_NFSClient with the IPv6 address I added to the alias the connection is working.
In my opinion there must be something wrong with the alias.@NogBadTheBad said in IPv6 Address not working in Alias:
Are there any rules above the NFS Server separator?
Yes, but the behaiviour doesn't change when I move the rules to the top.
@NogBadTheBad said in IPv6 Address not working in Alias:
Also any reason why you have tcp and udp rules, rather than tcp/udp?
I could not find a definitive answer which protocol is used and I wanted to see if it is true you need both and if so which one gets more traffic.
@NogBadTheBad said in IPv6 Address not working in Alias:
Have you killed the states?
Yes
-
This post is deleted!
-
I do not have issues with the hosts.
The IPv6 address I added does not work.
Host resolution is fine.
-
Yup just reread your post then deleted my comment
-
I just hit the Empty Table button on the Diagnostics / Tables page.
Now there are no entrys in HOST_NFSClient and it seems they do not get added back again.I tried restarting the DNS resolver, saved the alias again and hit apply changes.
Status / System Logs / System / DNS Resolver lists
Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: hostname1.example.com Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: hostname2.example.com Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: hostname3.example.com Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: hostname4.example.com Nov 18 17:02:30 filterdns Adding Action: pf table: HOST_NFSClient host: 2003:a:*::22but the list stays empty.
-
URL Aliases are only refreshed after the time period defined in advanced settings. Default: 300s so you have to wait for at least 5min for them to repopulate or make a change, save the alias again and apply changes to force-reload the rules.
-
@Crunk_Bass
Hello
try from the console to execute such command
pfctl -t HOST_NFSClient -T add your_ipv6_addressAre there any errors ?
if there are no errors, what shows
pfctl -t HOST_NFSClient -Ts
-
@Konstanti adding the IP address from the command line works as expected.
After executing the command the IP address is shown under Diagnostics / Tables.
The other addresses that were present before I emptied the table are still missing.Your second command lists the IP I added (same output as Diagnostics / Tables)
@JeGr Thanks for pointing that out. I knew I saw a setting somewhere regarding the time period the addresses are updated but didn't find it. The value is on default (300s) but until now nothing got added to the list.
Shoud I try restarting the firewall or do want to find out where the issue exactly is?
No problem if it takes a few days. As a workaround I added the rules manually for the IP addresses I need.
-
Thank you all very much for your help.
I rebooted the firewall and until now (uptime 20h) the aliases are working as expected.
