Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Issue with "Default deny rule IPv6 (1000000105)" Blocking All IPv6 Traffic

    Scheduled Pinned Locked Moved
    IPv6
    1
    1
    220
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mathys
      last edited by

      Issue with "Default deny rule IPv6 (1000000105)" Blocking All IPv6 Traffic

      Hello everyone,

      I am experiencing an issue with my PfSense configuration where all IPv6 traffic is being blocked by the default rule "Default deny rule IPv6 (1000000105)". Here are the details of my setup and the steps I have already taken:

      Infrastructure Context

      • OVH Server: Baremetal RISE
      • Hypervisor: Proxmox with two interfaces (WAN - vmbr0 and LAN - vmbr1)
      • Firewall: VM PfSense with a WAN interface configured with an IPv4 Failover having a virtual MAC generated in the OVH Manager

      IPv6 Information Provided by OVH

      • IPv6 block: 2001:db8:534:d5a4::/64
      • Gateway: 2001:db8:534:d5ff:00ff:00ff:00ff:00ff

      Current Configuration

      Proxmox:

      • Interface vmbr0 (WAN):

        iface vmbr0 inet6 static
  address 2001:db8:534:d5a4:1000::1/80
  gateway 2001:db8:534:d5ff:00ff:00ff:00ff:00ff
  post-up ip -6 route add 2001:db8:534:d5a4:2000::/80 via 2001:db8:534:d5a4:1000::2
  post-down ip -6 route del 2001:db8:534:d5a4:2000::/80 via 2001:db8:534:d5a4:1000::2

      • IPv6 Forwarding enabled in /etc/sysctl.conf:

        net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1

      PfSense:

      • WAN Interface: 2001:db8:534:d5a4:1000::2/80

      • LAN Interface: 2001:db8:534:d5a4:2000::1/80

      • WAN Firewall Rules:

        • Allow all incoming IPv6 traffic
        • Example rule:
          • Action: Pass
          • Interface: WAN
          • Protocol: IPv6
          • Source: Any
          • Destination: Any
          • Description: Allow all IPv6 traffic on WAN

      • LAN Firewall Rules:

        • Allow all outgoing IPv6 traffic
        • Example rule:
          • Action: Pass
          • Interface: LAN
          • Protocol: IPv6
          • Source: LAN net
          • Destination: Any
          • Description: Allow all LAN IPv6 traffic

      Issue

      Despite these configurations, all IPv6 traffic is being blocked by the rule "Default deny rule IPv6 (1000000105)", as shown in the firewall logs (see attached screenshots).

      What I Have Tried So Far

      1. Checked and adjusted firewall rules on the WAN and LAN interfaces to ensure IPv6 traffic is allowed.
      2. Enabled IPv6 forwarding on Proxmox.
      3. Used an NDP proxy (ndppd) to handle NDP announcements on Proxmox.

      Screenshots

      • Firewall logs showing IPv6 packet blocks
      • Firewall rule configurations on WAN and LAN interfaces

      c0f0c19b-e79d-4948-9066-08319eac0206-image.png
      595a1731-bf03-4054-86da-00b2fde4d8cc-image.png
      cefe5001-6b9e-4e74-b3bd-7916f0758d75-image.png

      1 Reply Last reply Reply Quote 0
      • First post
        Last post