Default deny rule IPv6 (1000000105) despite firewall rule
-
I am getting rejections from clients trying to connect to my Windows server, and it seems to be only IPv6 connections. This happens with the Emby media server example below, but also FTPS on port 21. Both of these protocols have worked in the past. I did update to 2.6.0-RELEASE a couple weeks ago, so maybe something changed?
These are the firewall rules for Emby media server and FTPS:
I have confirmed the alias, referenced to a FQDN, resolves correctly to the IPv6 of my windows PC. How do I confirm the alias has the correct IPv6? Where should I start to figure this out, I can't see anything wrong with the firewall rules.
-
@lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:
How do I confirm the alias has the correct IPv6? Where should I start to figure this out, I can't see anything wrong with the firewall rules.
Take a look at that table for this alias in >Diagnostics >Tables.
How do you update the FQDN of this Windows machine in the first place, or do you have static IPv6?
-
@bob-dig well this is interesting. The pfSense alias is resolving to the local IPv4 address. Yet the domain name resolves to both IPv6 and IPv4 using ping -6 from the command line or a web-based DNS tool like MXToolbox.com. The domain registrar is reporting the correct address as well.
I have another device that has a domain name that maps to globally-routable IPv6 addresses; a VoIP phone. I think I need to take another look at my alias setup. Will check and report back.
-
@lifespeed You can use the same alias for IPv4 and IPv6 by the way, no need to separate them in general.
-
@bob-dig how does that work with NAT when the alias using my FQDN returns the external WAN IPv4, while the IPv6 returned by the FQDN is globally-routable without NAT? Doesn't the alias need to point to my internal IP address?
-
@lifespeed Sure. I meant just in a broader sense.
I update my aliases by hostnames from the DHCPv4+6-Servers in pfSense and then use that one alias per host containing both IPvs for my separate rules, it does work.
Still you have to find a way to update your external DNS for IPv6, pfSense is not really doing it, see here what I would wish for.
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
Still you have to find a way to update your external DNS for IPv6, pfSense is not really doing it, see here.
This isn't the problem, I have a powershell script running as a scheduled task on the PC that updates my IP address using Godaddy API. It works, I've checked it, as mentioned above. My IP addresses are all correct at the domain registrar, resolve as expected, and automatically update if my IP address changes.
-
@lifespeed Good for you. Maybe you have a link for me how to do that for cloudflare?
I wish though, I could do all of my DDNS in pfSense.
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
@lifespeed Sure. I meant just in a broader sense.
I update my aliases by hostnames from the DHCPv4+6-Servers in pfSense and then use that one alias containing both IPvs for my separate rules, it does work.
I think this is the issue. If I just point the alias to the FQDN, it returns the globally-routable IPv6 address (good) but the IPv4 address is for the WAN. I think what I want is an alias that has the local IPv4 and the global IPv6. I don't know how to make this happen. And I don't know what you mean by "I update my aliases by hostnames from the DHCPv4+6-Servers in pfSense".
I agree that it makes a lot of sense to have one alias covering both IPv4 and IPv6. Although it would seem one has to understand when the IPv4 should be internal or external. As well as how to implement that, which apparently I don't.
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
@lifespeed Good for you. Maybe you have a link for me how to do that for cloudflare?
I wish though, I could do all of my DDNS in pfSense.
I'm glad to share the script, but it would seem impossible the API would be the same between domain registrars. But the non-Godaddy bits might be useful if Cloudflare has a DDNS API.
Good idea regarding requesting pfSense support DDNS for hosts. I wonder if it will be implemented?
-
@lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:
I think what I want is an alias that has the local IPv4 and the global IPv6.
@lifespeed That is what I do. For that to work you have to use the DHCPv6 Server in pfSense with RA managed. With that, the DHCPv6 Server can serve a static mapping to a host and also register that hostname. From that hostname you can update your alias automatically.
For this to work your pfSense must be the only router, it will not work in a router cascade for now.
@lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:
I wonder if it will be implemented?
Would be so nice but I see nothing in this regard.
@lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:
I'm glad to share the script, but it would seem impossible the API would be the same between domain registrars. But the non-Godaddy bits might be useful if Cloudflare has a DDNS API.
I have to pass, I am not into writing scripts or using APIs in the first place.
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
@lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:
I think what I want is an alias that has the local IPv4 and the global IPv6.
@lifespeed That is what I do. For that to work you have to use the DHCPv6 Server in pfSense with RA managed. With that, the DHCPv6 Server can serve a static mapping to a host and also register that hostname. From that hostname you can update your alias automatically.
For this to work your pfSense must be the only router, it will not work in a router cascade now.
I am using DHCPv6 server, and I only have one router on my network. But I still don't understand how to proceed.
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
I have to pass, I am not into writing scripts or using APIs in the first place.
I'm not surprised. I only have such a script because I found it on the internet and modified it to my specific setup. But it was a script written for Godaddy API, so I got lucky by virtue of using a popular registrar.
-
@lifespeed You can make a static mapping, almost the same as with IPv4.
Find your host in >Status >DHCPv6 Leases and then create the mapping there. Maybe you have to reboot that host afterwards and pfSense too, but it will work eventually. It is not as smooth to get working as it is with IPv4, though.
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
@lifespeed You can make a static mapping, almost the same as with IPv4.
Find your host in >Status >DHCPv6 Leases and then create the mapping there. Maybe you have to reboot that host afterwards and pfSense too, but it will work eventually. It is not as smooth to get working as it is with IPv4, though.
Why would I want a static DHCPv6 lease? That is the part that works correctly using the FQDN in the alias. And, because the FQDN is DDNS'd, it works when the IPv6 changes.
What I need is an alias with the IPv6 from the FQDN, with the IPv4 static pointing to the local IPv4. Which, oddly enough, one of my aliases has now. But I don't know how it got there, and suspect it may be a holdover that hasn't been cleared and refreshed yet.
Edit: OK, if I put in myhost.mydomain.com, the alias pulls the local IPv4. If I put in mydomain.com the alias pulls the IPv6 and the WAN IPv4. I do have a static map in DHCPv4 for myhost to the static LAN IP, which is what myhost.mydomain.com in the alias retrieves. But no IPv6 is retrieved this way.
-
@lifespeed You're right, I am just copying everything I did with IPv4 to IPv6 so that pfSense could do all I want it to do in the future, but that might be different for you.
So maybe just use two aliases then. The above would work but maybe it is too complicated in the first place.
-
So going back to the beginning, why is the IPv6-address missing in an alias created from an FQDN containing the IPv6-address...
pfSense updates FQDN every 5 minutes, maybe it is just that?
-
@bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:
So going back to the beginning, why is the IPv6-address missing in an alias created from an FQDN containing the IPv6-address...
pfSense updates FQDN every 5 minutes, maybe it is just that?
That is the question. I have not been waiting 5 minutes before checking, so maybe you're right. The static IPv4 might not need 5 minutes? I had thought the "myhost" subdomain was just directing it to the static IPv4 mapping and not looking further.
Edit: No, it isn't the 5 minute wait. myhost.mydomain.com only pulls the IPv4 that is static-mapped in DHCP. No IPv6, even after 10 minutes.
By the way, really appreciate the effort you're putting into trying to help me sort this out. It isn't clear to me many pfSense users try to implement both IPv4 and IPv6 with automatically-updating DDNS for hosts behind pfSense.
-
@lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:
Edit: No, it isn't the 5 minute wait. myhost.mydomain.com only pulls the IPv4 that is static-mapped in DHCP. No IPv6, even after 10 minutes.
That is how it should look:
Btw: Found a ps script for CF, will try it.
PPS: Too bad, it will only do IPv4 :(
-
I didn't know you could put more than one host in an alias, so this is what I did.
Here is what the alias retrieves after processing mydomain.com, including the IPv4 WAN which is wrong for IPv4 firewalling a host on the LAN. Then it gets myhost, which has a static IPv4 mapping and pulls that local address (even when myhost prepends mydomain.com).
Then I use the delete button to the right of the WAN IPv4 address, retrieved with mydomain.com in the alias, and I have what I need. Don't know if the delete button is remembered, or it will pull the IPv4 WAN address again.
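The thread's underlying problem is that an FQDN-based alias contains whatever DNS returns, and a LAN rule needs the host's LAN IPv4 plus its global IPv6, not the WAN IPv4. The following Python script is an added example (not part of this thread or of pfSense) that classifies the addresses an alias would pull, reports which entries are wrong for a LAN-side rule, and produces the entry set lifespeed arrived at by hand (local IPv4 kept, WAN IPv4 dropped, global IPv6 kept). The domain names, the LAN address and the resolved answers are constructed from documentation ranges; `resolve_fqdn` is provided for a live lookup but the checks run offline on the constructed sample.

```python
"""Check what an FQDN alias resolves to against what a LAN firewall rule needs.

Added example; all names and addresses below are constructed (RFC 5737 and
RFC 3849 documentation ranges), not real hosts.
"""
import ipaddress
import socket

# Address classes used by the checks (explicit rather than ipaddress.is_global,
# whose answer for documentation ranges is not what we want here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
V6_GLOBAL = ipaddress.ip_network("2000::/3")       # global unicast
V6_ULA = ipaddress.ip_network("fc00::/7")          # unique local addresses
V6_LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(addr: str) -> str:
    """Return a coarse class for one address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4-private" if any(ip in n for n in RFC1918) else "ipv4-public"
    if ip in V6_LINK_LOCAL:
        return "ipv6-link-local"
    if ip in V6_ULA:
        return "ipv6-ula"
    if ip in V6_GLOBAL:
        return "ipv6-global"
    return "other"


def check_alias(resolved: list[str], lan_v4: str) -> list[str]:
    """Findings for an alias that resolved to `resolved`, where `lan_v4` is the
    host's real LAN IPv4 (the address a LAN-side rule has to match)."""
    classes = {a: classify(a) for a in resolved}
    findings = []
    if lan_v4 not in classes:
        findings.append(f"missing LAN IPv4 {lan_v4}: IPv4 rule will never match the host")
    for addr, cls in classes.items():
        if cls == "ipv4-public":
            # A pass rule built on this entry matches the firewall's WAN address,
            # not the host: it is both useless for the host and broader than intended.
            findings.append(f"{addr} is a public IPv4 (WAN address): rule matches the WAN, not the host")
        elif cls == "ipv6-link-local":
            findings.append(f"{addr} is link-local: unusable in a rule for routed traffic")
    if not any(cls == "ipv6-global" for cls in classes.values()):
        findings.append("no global IPv6 address: IPv6 clients will hit the default deny")
    return findings


def desired_alias(resolved: list[str], lan_v4: str) -> list[str]:
    """Entries worth keeping: the LAN IPv4 plus every global IPv6 answer; the
    public IPv4 is dropped (the manual 'delete the WAN address' step)."""
    return [lan_v4] + [a for a in resolved if classify(a) == "ipv6-global"]


def resolve_fqdn(name: str) -> list[str]:
    """Live lookup of all A/AAAA answers (needs network; not used by the sample)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed answers mirroring the thread: the bare domain returns the WAN IPv4
# plus the host's global IPv6; the host label returns only the static-mapped LAN IPv4.
SAMPLE = {
    "mydomain.com": ["203.0.113.10", "2001:db8:abcd::10"],
    "myhost.mydomain.com": ["192.168.1.50"],
}
LAN_V4 = "192.168.1.50"

if __name__ == "__main__":
    for fqdn, answers in SAMPLE.items():
        print(fqdn, "->", answers)
        for finding in check_alias(answers, LAN_V4):
            print("   !", finding)
    combined = SAMPLE["mydomain.com"] + SAMPLE["myhost.mydomain.com"]
    print("entries to keep in the alias:", desired_alias(combined, LAN_V4))
```

Run against a real alias, replace the constructed `SAMPLE` with `resolve_fqdn()` output and compare it with what >Diagnostics >Tables shows for the alias; any public IPv4 in that table is the WAN address and should not be in a rule meant to restrict traffic to one LAN host.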