Netgate Discussion Forum

    OpenVPN over IPv6 - WAN Default deny rule (1000000105) always catching

      charry2014

      Having once got OpenVPN working over IPv6 I now cannot get it to work again since rebuilding my pfSense installation. What is happening is the firewall logs show the WAN default deny rule is rejecting all the packets received from the client. The client I am using is the OpenVPN Android app on a Samsung S20.

      Screenshot 2021-06-07 at 15.51.38.png

      Firewall rules on WAN:
      Screenshot 2021-06-07 at 16.35.43.png

      Can anyone help me figure out what is going wrong?

        charry2014

        Can anyone offer any words of wisdom... please? I am at a complete loss. My pfSense installation is fairly vanilla, 2.4.5-RELEASE-p1 with few extras (pfBlockerNG being the only one that I could possibly imagine being an issue) and there are no elaborate firewall rules.

        f42c129f-913e-4c12-9e42-6ec32b47ee75-image.png

        4b2d00de-abb0-4c33-bd02-51e6108ea095-image.png

        What, oh what, is going on here? It is either something so obvious I can't see it, or something so obscure I will never find it.

          johnpoz LAYER 8 Global Moderator @charry2014

          Does that actual destination ipv6 address match what pfsense currently shows as its wan IPv6 address?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            charry2014 @johnpoz

            @johnpoz Yes - the IPv6 addresses in the firewall deny rule correspond to the IP address of my phone and what whatismyipaddress.com shows is the IPv6 address of my home. I have updated my dyndns.org account with this IPv6 address and that seems to be working well - the packets are arriving at the firewall on port 1194, where they are rejected.

            Edit - now I read your message closely I realise I am not sure. From the pfSense Dashboard panel:

            e3dee10c-63ff-4d47-9c0f-aecde40d2071-image.png

            In the Interfaces panel the WAN interface is shown as up but with another IPv6 address from the one that is returned by whatismyipaddress.com.

              charry2014 @johnpoz

              @johnpoz So thank you, thank you, thank you 👑 That was the hint that got me the step forward - I changed the OpenVPN server address from being the address reported by whatismyipaddress to what is reported in the pfSense WAN interface. The packets are now flowing and I am seeing that my OpenVPN configuration is broken but that is something else which I can likely figure out.

              But now I am properly confused about what is my IPv6 address. whatismyipaddress.com returns both IPv4 and IPv6 addresses

              IPv6: 2a00:6020:19d3:----:----:----:----:1cc4
              IPv4: 94:31:...:...
              

              To my uninitiated eyes these look like real IP addresses.

              The pfSense WAN interface shows its IP addresses as:

              IPv6: 2a00:6020:1000:-::----:bbd5
              IPv4: 100:79:0:...
              

              In the previous questions I asked about CGNAT and eventually got IPv6 working fine over DHCP6 - and learned a little about IP addresses in the process - but not enough to understand what is going on. Anyway, I have overcome that problem and am moving on to the next. Thank you again.

                johnpoz LAYER 8 Global Moderator @charry2014

                The gateway widget will show your gateway IPs - not your actual interface IPs

                Look on the interface widget for your actual interface IPs

                As to whatsmyIP showing a public 94.x.x.x IP - yeah that is going to show you the IP you talked to it from. So since you're behind a cgnat, that will show you the isp IP that is actually the public one you use to talk to internet stuff from via IPv4.. Not the actual IP of your interface. Which will be some cgnat (100.64.0.0/10) or rfc1918 address.

                As to why you're seeing a different ipv6 on whatsmyIP.. That is because there is no natting in ipv6 - so it will show you the IP of the device you went to the website from - ie your PC.. So yeah that would be different than what pfsense actual wan is.

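The address comparison described in the post above, as an added example that is not part of the original thread: it classifies why an externally observed IPv4 address differs from the WAN address, and checks whether the address an OpenVPN client targets is the firewall's own WAN IPv6 address. All addresses are constructed (documentation and shared ranges) and the function names are hypothetical.

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_ipv4_wan(wan_ip, observed_ip):
    """Explain why a 'what is my IP' result differs from the WAN IPv4 address."""
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)
    if wan == observed:
        return "direct"        # the WAN interface holds the public address
    if wan in CGNAT:
        return "cgnat"         # the ISP translates to a shared public address
    if any(wan in net for net in RFC1918):
        return "rfc1918-nat"   # an upstream router translates a private address
    return "mismatch"          # neither NAT range; investigate further

def check_vpn_endpoint(endpoint_ip, wan_ip, observed_ip):
    """Check that the address clients connect to (for example the dynamic DNS
    AAAA record) is the firewall's WAN IPv6 address. IPv6 has no NAT, so a
    'what is my IP' site reports the browsing host, not the firewall."""
    endpoint = ipaddress.ip_address(endpoint_ip)
    if endpoint == ipaddress.ip_address(wan_ip):
        return "ok"
    if endpoint == ipaddress.ip_address(observed_ip):
        return "endpoint-is-browsing-host"   # the situation in this thread
    return "endpoint-unknown"

if __name__ == "__main__":
    # Constructed sample values, not the poster's real addresses.
    wan4, seen4 = "100.64.12.34", "203.0.113.7"
    wan6 = "2001:db8:1000:1::bbd5"    # firewall WAN (interface widget)
    seen6 = "2001:db8:19d3:1::1cc4"   # address shown by a 'what is my IP' site
    print("IPv4:", classify_ipv4_wan(wan4, seen4))
    print("endpoint from website:", check_vpn_endpoint(seen6, wan6, seen6))
    print("endpoint from WAN:", check_vpn_endpoint(wan6, wan6, seen6))
```
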
                  charry2014 @johnpoz

                  @johnpoz Thank you for the explanation - that is very helpful. In essence then, if IPv6 has no NATing it is simpler than IPv4 to understand, but here I tripped over the difference between the two.

                  I now have OpenVPN connecting but no contact to my LAN which uses IPv4. The firewall logs are clean - but something is wrong. Time to Google again.

                  Thank you again - if ever you find yourself in the Munich area I'll buy you a beer.

                    johnpoz LAYER 8 Global Moderator @charry2014

                    @charry2014 said in OpenVPN over IPv6 - WAN Default deny rule (1000000105) always catching:

                    find yourself in the Munich area

                    Well that is a given at some point ;) Oktoberfest (d’Wiesn) and all.. On my bucket list!

                    Thirst only becomes beautiful through beer

                      charry2014 @johnpoz

                      @johnpoz Sadly the Wiesn is cancelled again this year - we are all hoping for next year. Bavarians generally don't like to be sober the whole year.

                        johnpoz LAYER 8 Global Moderator @charry2014

                        Yeah - freaking covid! And while I will be in the EU in 2022.. Unless things go south again, not correct time of year for oktoberfest - and not in Germany.. The amount of trips planned and then cancelled to DE is just heart breaking. Always seem to miss it when in EU.. Belgium, France, Luxembourg, Spain, Italy.. Just can never seem to get to DE.. :(
