Cannot enable the "Allow IPv6" setting
-
After checking the "Allow IPv6" setting and selecting "Save", the page refreshes and the setting is immediately unchecked. Neither a success nor an error message is shown.
I have reviewed a range of logs on my system but have not been able to find anything to help me troubleshoot this issue. I have also tried returning to Factory Defaults and I can confirm that this allowed me to enable "Allow IPv6", until I restored my configuration from a backup file. This suggests my configuration is the issue, but I would be very grateful if anyone can point me towards a log file that might enable me to figure out which part of my configuration is the issue.
I think my only alternative would be to manually reconfigure the entire firewall while checking this setting after each change - which would take a long time!
Thank you in advance for your assistance.
-
You did not see the green message :
?
The "Allow IPv6" checkbox has only one impact on the system :
Load a lot of ipv6 firewall rules into 'pf' (the firewall).
Or not.
I couldn't find a reason why this checkbox shouldn't 'stick'.
Did you check the config.xml : did it contain :
<ipv6allow></ipv6allow>
in the <system> "folder" ?
-
I confirm that I do not get the usual green message when attempting this change (which I can see if I edit other settings, such as those under the "Admin Access" tab).
The "ipv6allow" string was also not present in my config.xml file. However, after adding it manually (thank you for telling me where to do so), the setting has stuck! I also received this message after a reboot, so I suspect this setting may have been the reason that the checkbox wasn't sticking initially:
To block bogon IPv6 networks the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased at least to 400000 @ 2023-10-23 09:35:39
Having corrected this setting, it looks like I can now toggle "Allow IPv6" as normal and receive the green success message.
Problem solved, thank you again
-
@Gremlin said in Cannot enable the "Allow IPv6" setting:
Problem solved,
Hummmm.
Maybe you found something.
This : https://github.com/pfsense/pfsense/blob/dc96586bddbc3d209b04d602412378c656acef16/src/usr/local/pfSense/include/www/system_advanced_network.inc#L99 is the place where the "ipv6allow" has a condition.
That is the place where the "In order enable IPv6 and block bogon networks ....." message comes from.
The second part of the test : ... is_bogonsv6_used(true) && is awkward.
is_bogonsv6_used(true) will not return true if you are not using (typically on a WAN interface) :
So : if that check (WAN interface) then the function is_bogonsv6_used(true) always returns false .....
I have to check test simulate this.... as I did not have the "Block bogon networks" checked on my WAN, and I could disable + save + enable + save the ipv6allow just fine.
-
Interesting - I think there is more to this. I believe the if statement you linked requires the following conditions to show an error:
1. 'ipv6allow' must be true.
2. is_bogonsv6_used(true) must return true.
3. The "Firewall Maximum Table Entries" setting is either:
   a. Not set
   b. Set to a value lower than 400,000
Looking at the is_bogonsv6_used() function, it looks like this does the opposite of what is expected. I think this function returns true if the "Block bogon networks" setting is true on any enabled interface?
This would explain why the setting would not "stick", as my "Firewall Maximum Table Entries" setting did not pass validation.
However, I think the error message should be displayed based on the logic above. Perhaps the issue isn't the if statement logic, but the error message itself?
Apologies if I am wasting your time here - unfortunately Akismet has prevented me including GitHub links.
-
@Gremlin said in Cannot enable the "Allow IPv6" setting:
Looking at the is_bogonsv6_used() function, it looks like this does the opposite of what is expected. I think this function returns true if the "Block bogon networks" setting is true on any enabled interface?
The function iterates over "all interfaces" (it does so, because $force is set to true)
=> For every interface, if 'blockbogons' is set, then set $usebogonsv6 = true;
$usebogonsv6 is returned.
So : what happens when you don't use/check blockbogons on any interface ?
The function, is_bogonsv6_used(true) returns always false, no matter what..
So, I think (still brainstorming here) : If you managed to deselect IPv6 usage, good luck turning it on
The solution is : activate bogons on a WAN interface, and you'll be fine.
Btw : bogons is/uses an IPv4 file, and an IPv6 file.
And yes :
has to be set to "400000" (400K) at least.
It can be set lower, if you've been upgrading from an older pfSense version where this parameter was lower.
Or you try to run pfSense on a "512 Mbytes RAM" system - something like that.
What I did notice : the "Save" operation silently fails without the error message. That's not good.
-
I can confirm that this issue is still present.
I am running pfsense CE 2.7.2, and have been running it without problems (and also without IPv6) until recently, when I attempted to configure an IPv6 tunnel using tunnelbroker.net (as my ISP does not provide IPv6). I was not able to complete the first step of the guide (https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html#allow-ipv6-traffic). As the original post describes, trying to check this box failed silently.
I had enabled "Block bogon networks" on my WAN interface, and had not changed the default Firewall Maximum Table Entries from the default value (of 200000).
After finding this thread, I changed Firewall Maximum Table Entries to 400000, and was then able to successfully enable Allow IPv6.
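
Added example (not part of any post in this thread, and not pfSense's own code): a Python check that can be run over a config.xml backup to test the conditions discussed above before restoring it. The `maximumtableentries` and `enable` tag names are assumptions about the config.xml layout; `ipv6allow` and `blockbogons` are the names quoted in the thread.

```python
import xml.etree.ElementTree as ET

MIN_TABLE_ENTRIES = 400000  # threshold quoted in the thread

# Constructed sample: a trimmed config.xml backup, not a real export.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <maximumtableentries>200000</maximumtableentries>
  </system>
  <interfaces>
    <wan><enable></enable><blockbogons></blockbogons></wan>
    <lan><enable></enable></lan>
  </interfaces>
</pfsense>"""


def bogonsv6_interfaces(root):
    """Enabled interfaces with 'Block bogon networks' set (tag presence counts)."""
    found = []
    for iface in root.findall("./interfaces/*"):
        # Assumption: an enabled interface carries an <enable> tag.
        if iface.find("enable") is not None and iface.find("blockbogons") is not None:
            found.append(iface.tag)
    return found


def table_entries(root):
    """Firewall Maximum Table Entries, or None when unset or not numeric."""
    # Assumption: the value is stored as <system><maximumtableentries>.
    text = (root.findtext("./system/maximumtableentries") or "").strip()
    return int(text) if text.isdigit() else None


def check_ipv6allow(config_xml):
    """Report whether saving 'Allow IPv6' would fail the validation discussed above."""
    root = ET.fromstring(config_xml)
    ifaces = bogonsv6_interfaces(root)
    entries = table_entries(root)
    too_small = entries is None or entries < MIN_TABLE_ENTRIES
    return {
        "ipv6allow_present": root.find("./system/ipv6allow") is not None,
        "bogon_interfaces": ifaces,
        "max_table_entries": entries,
        "save_rejected": bool(ifaces) and too_small,
    }


if __name__ == "__main__":
    print(check_ipv6allow(SAMPLE_CONFIG))
```
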
-
@onceler said in Cannot enable the "Allow IPv6" setting:
(https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html#allow-ipv6-traffic).
You can't - edit couldn't :
check that one ?
-
@Gertjan Correct.