Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How do I forward GIF interface traffic?

    Scheduled Pinned Locked Moved
    NAT
    2
    4
    566
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • senseivitaS
      senseivita
      last edited by

      I double-natted (full cone) a connection that used to be delivered over PPPoE and I'm struggling getting the GIF tunnel interface from Hurricane Electric back up.

      I attempted 1:1 NAT with an allow anything rule, with one of this:
      Screen Shot 2022-07-04 at 01.22.52 AM.png
      …to cover all my bases. No luck. Don't know how scattered brain and all I remembered about this (largely unreferenced) bit:
      Screen Shot 2022-07-04 at 01.27.43 AM.png

      So I read carefully…
      Screen Shot 2022-07-04 at 01.37.26 AM.png
      "…to a host behind this firewall instead of handling it locally." My cue.

      I did not need firewall rules; because of the free-for-all rule and the 1:1 NAT, it should be fine, I assumed deducted* 🕵️‍♀️ and it worked. I just came to brag.

      End of thread, thanks for reading—JK. 😂

      I switched off 1:1 NAT and natted by proto instead:
      Screen Shot 2022-07-04 at 01.20.58 AM.png
      At first, there wasn't the IPV6 NAT rule because I thought specifying that in the Advanced System settings would take care of that, when that didn't happen I added the NAT rule and made it create its own associated firewall rule to make sure I was avoiding as many mistakes as possible, then deleted the manually created "IPV6" protocol firewall rule afterwards:
      Screen Shot 2022-07-04 at 01.21.33 AM.png
      It left essentially the same results but with the twisting arrows icon next to the rule.

      Last thing I noticed after all of this, is that the outtermost firewall doesn't even acknowledge the traffic:
      Screen Shot 2022-07-04 at 02.11.56 AM.png
      …but there's the rule:
      Screen Shot 2022-07-04 at 02.21.50 AM.png
      The gateway in the rule was just added while I double-checked before posting this. Speaking of gateways, the sole client the outermost firewall has, is also listed as a gateway for it, so this firewall can reach without NAT certain inner hosts, BTW. It's even using an internal host as the monitor IP, not the gateway(client/inner firewall) itself:
      Screen Shot 2022-07-04 at 02.28.40 AM.png
      I know I'm screwing up… where though? (I mean, leaving out the fact of the double NAT :P)

      Oh well, I'm taking a little break, hopefully the routing fairy has a GIF or something for me when I come back… :)

      *: any excuse to use that emoji.

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @senseivita
        last edited by

        @skilledinept IPv6 doesn’t use NAT. Firewall rules are necessary on the HE interface to allow traffic (there’s a default block rule).

        My son woke me up early today so I’m not caffeinated but did you create an interface?
        https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html#create-and-assign-the-gif-interface

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        senseivitaS 1 Reply Last reply Reply Quote 0
        • senseivitaS
          senseivita @SteveITS
          last edited by

          @steveits yep-yep. All that. It was working then it stopped. The inner firewall through aliases and gateway groups, didn't change much its configuration during all of this.

          It's way too easy to switch an interface interface from something like VLAN on a vNIC(e.g. vmx0.3) to a tunnel client(e.g. ovpnc1), it's a very powerful feature IMO, the problem is that it doesn't always take. :(

          It's working again and I still don't know the answer.

          I changed an interface on the inner firewall, completely unrelated--it's internal, I just assigned another from the list like I mentioned before and no more config changes done. Back on the dashboard the HE gateway was now working.

          So I thought, maybe it was the config not taking. At least I now knew all this time was on the inner firewall whereas all my focus was on the external one. It was misrouting, that's why there was no traffic on the external one.

          The GIF tunnel uses both and IP address and a physical interface; setting a OpenVPN tunnel I learned that even if you set it on an interface that doesn't directly connect to an outgoing gateway it'll still find its way, I verified this again earlier today when I was decommissioning the old tunnel I had replaced: since it's assigned it cannot be disabled, nor I wanted to delete it so I'd have an emergency backup already set up. I set as the interface to the loopback address but it still reached the server.

          I've also observed this in the DDNS client in a multiWAN firewall. Regardless of the interface chosen it might go through another. It's likely the same was happening on the GIF tunnel, I think.

          But then I restarted the firewall for good measure and the HE interface went down again! Keep in mind that my IP address hasn't changed because it's natted from the outter firewall. HE should just come back. I couldn't make it come back again. So now I'm thinking maybe it even wasn't the firewall at all but something at Hurricane Electric's end. IDK.

          Anyway, I made so many changes trying to make it work and to present a reproducible problem that I strayed too far from what it was. Then I eliminated double NAT because—why not.

          Screen Shot 2022-07-04 at 10.24.14 AM.png

          I made a backup of the config before starting and my history is set up for something like 300 or 500 (it takes forever to start too), I could get back even without the backup. But now that it's normal again, I think I'll stop messing with it…at least for the week. It was frustratingly fun though.

          Thanks anyway for answering— have a great week!

          Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @senseivita
            last edited by

            @skilledinept “back away slowly“ as they say.

            I recall now when I first set up HE I had to reboot for it to work. Reproduced, entered bug report, and couldn’t get it to happen after that.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.