Netgate Discussion Forum

    IPv6 testing

      DSI

      @databeestje:

      @|DSI|:

      When creating firewall rule, would it be possible to add option "Both" to TCP/IP Version - so that firewall rule would apply to both IPv4 and IPv6?

      That makes no sense, the pf firewall rule can only apply to v4 or v6 traffic, not both. Are you referring here to aliases perhaps?

      I know that it can only apply to v4 or v6. Both would "invisibly" create separate rule for IPv4 and IPv6 but user would see only one - having this option would reduce needed firewall rules.
      Example:
      I would like to allow outbound traffic on port 80 for both IPv4 and IPv6. Now I have to create Allow rule for IPv4 traffic on port 80, and separate rule for IPv6 traffic on port 80.
      Or another example - Allow inbound traffic to webserver on LAN side:
      Firstly you create alias where you list both IPv4 and IPv6 IP address of some host. Then on WAN interface you create firewall rule that allows inbound traffic on port 80, as destination IP you specify previously created alias.

        MrKoen

        Is the problem with the outlining in the firewall log widget in combination with IPv6 on the buglist already? Check the attached screenshot.

        FirewallLogs.png

          MrKoen

          Another one.. is adding IPv6 networks to Aliases on the todo list already?

            databeestje

            IPv6 addresses in aliases should just work? Am I missing something here? My install already uses aliases with IPv6 addresses.

            There is one issue I know of on the networks type. It saves with /32, then save and edit, and you can change it to /64 or higher.

              MrKoen

              @databeestje:

              IPv6 addresses in aliases should just work? Am I missing something here? My install already uses aliases with IPv6 addresses.

              There is one issue I know of on the networks type. It saves with /32, then save and edit, and you can change it to /64 or higher.

              You're right. I didn't know yet about that "trick". I meant the dropdown list only to show up to CIDR 32. I just tried it again based on your posting and I can indeed enter an IPv6 address with CIDR 32, save it, edit it and change it to the appropriate CIDR 64. Guess that changes the todo item to making the dropdown list contain all 128 entries when adding a new alias :)

                databeestje

                @|DSI|:

                I know that it can only apply to v4 or v6. Both would "invisibly" create separate rule for IPv4 and IPv6 but user would see only one - having this option would reduce needed firewall rules.
                Example:

                We will not create functionality that would create rules that would not be properly visible to the user. There needs to be a rather direct connection between the UI rules and those in rules.debug.

                I know fully well it is possible. But I choose not to make that functionality.

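The point made in this exchange, that a pf rule matches one address family so a policy needs both an inet and an inet6 rule, can be checked mechanically. The following is an added example, not pfSense code and not from any poster: it reads rules in a simplified pf shape and reports those with no counterpart in the other family. The rule text, the interface name `em0` and the `<webserver>` table are constructed, and the function names are assumptions.

```python
import re

# Simplified rule shape (assumption): action dir [quick] on iface af rest
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)"
    r"\s+(?P<af>inet6?)\s+(?P<rest>.+)$"
)

# Constructed sample, not taken from a real rules.debug.
SAMPLE_RULES = """\
# web out, both families
pass out on em0 inet proto tcp from any to any port 80
pass out on em0 inet6 proto tcp from any to any port 80
pass in on em0 inet proto tcp from any to <webserver> port 80
block in on em0 inet6 proto tcp from any to any port 23
"""

def parse_rules(text):
    """Yield (line_no, family, key) where key is the rule minus its family."""
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if m:
            rest = " ".join(m["rest"].split())
            yield n, m["af"], (m["action"], m["dir"], m["iface"], rest)

def family_gaps(text):
    """Return [(line_no, missing_family, key)] for rules with no twin in the other family."""
    seen = {}
    for n, af, key in parse_rules(text):
        seen.setdefault(key, {})[af] = n
    gaps = []
    for key, fams in seen.items():
        if len(fams) == 1:
            (af, n), = fams.items()
            gaps.append((n, "inet6" if af == "inet" else "inet", key))
    return sorted(gaps)

if __name__ == "__main__":
    for n, missing, key in family_gaps(SAMPLE_RULES):
        print(f"line {n}: no {missing} counterpart for {' '.join(key)}")
```

Rules that name literal addresses differ between families by construction, so the comparison is only meaningful for rules written against `any` or a mixed-family table such as the alias described earlier in the thread.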
                  pfsense_fan009

                  @databeestje: please make those images also for the nanobsd builds!

                  Pfsense 2.x on Alix 2d13 (dual wan with failover).

                    MrKoen

                    @databeestje, I saw you created an update for the Alias /128 problem yesterday. I just updated with the latest 2.0RC1 release and gitsynced with smos but it still only shows 32 on a new alias entry here.

                      MrKoen

                      @databeestje, any chance to have a look at the DHCPv6 IP reservations feature? DHCPv6 works fine, but when trying to create a reservation based on a MAC address, I'm getting an error stating the address does not lie within the subnet. I'm sure it is within the defined subnet though. Check the attached screenshot.

                      DHCPv6Reservation.png

                        databeestje

                        @Koen:

                        @databeestje, any chance to have a look at the DHCPv6 IP reservations feature? DHCPv6 works fine, but when trying to create a reservation based on a MAC address, I'm getting an error stating the address does not lie within the subnet. I'm sure it is within the defined subnet though. Check the attached screenshot.

                        I have not touched the edit page yet, I'll do so later.

                        Regarding the alias edit issue, it's JavaScript which I'm very uncomfortable with. I'll see if I can poke someone to have a look see.

                          MrKoen

                          If I can lend you a helping hand in the JavaScript piece, let me know. I'm a software developer for my profession. Aimed on Microsoft Technology though, but I've done a couple of implementations with custom written JavaScript. If I can help, I'll be happy to.

                            databeestje

                            @|DSI|:

                            I have now received native IPv6 connectivity from my ISP.

                            I am using Link Aggregation on WAN interface. IPv4 works fine on LAGG interface but I have trouble configuring IPv6 on LAGG interface.
                            It seems that there is problem with setting IPv6 default route on LAGG interface, because Diagnostic->Routes shows this output under IPv6:

                            default 2a01:260:XXXX::d UGS 0 2937 1500 em0

                            For IPv4 it shows this

                            default 89.212.0.1 UGS 0 663297 1500 lagg0

                            So I assume that under IPv6 default route, interface should also be lagg0, not em0?

                            I've looked at your config but am unable to replicate with 2.0 RC1 with IPv6 bits. Perhaps something else was fixed in mainline.

                            I see both the v4 and v6 route attached to lagg1.

                              DSI

                              Seems to work now.
                              Maybe it also worked before, because I noticed that after moving (em0 and em1) interfaces to lagg and assigning lagg interface to WAN, IPv4 default route is correctly changed from em0 to lagg1.
                              But in order to change default IPv6 route from em0 to lagg1, reboot is required.
                              Thank you for your investigation!

                                databeestje

                                I've made a number of fixes over the weekend regarding the routing bits. Seems that I've made a horrendous hodgepodge of that code, I was overwriting existing variables, forgetting to clear existing variables etc.

                                I think I've fixed a bunch of those which should help.

                                  MrKoen

                                  @databeestje, not sure if you're aware of this, but since you checked in your blind coded IPv6 DHCP reservations page, the reservations icon on the DHCPv6 Server page points to 'services_dhcpv6_edit.php' which returns a 404 not found.

                                    databeestje

                                    Forgot to add it to the repo. Sorry. It's there now.

                                      MrKoen

                                      Thanks for adding it. It's indeed present now. Can't get the DHCPv6 to work though. I've used a Windows 7 x64 client with routerdiscovery disabled and managedaddress enabled on the requesting interface. It does get an IPv4 address from the DHCPv4 server in pfSense, but it does not get a reply on the DHCPv6 request it sends out. It makes no difference whether the requesting host has an IPv6 reservation set or not. With routerdiscovery enabled it creates its own IPv6 address, finds the pfSense box as a gateway and can connect to IPv6 hosts on the internet.

                                        wallabybob

                                        @Koen:

                                        Can't get the DHCPv6 to work though.

                                        Are you running DHCPv6 on a bridge? What's in the DHCP log? Does DHCP even see the DHCP v6 request?

                                        See my note with "no route to host" in the title for a workaround for an issue with DHCPv6 on a bridge interface.

                                          MrKoen

                                          @wallabybob:

                                          Are you running DHCPv6 on a bridge?

                                          Nope, this pfSense instance has three nics: 1 connected to my WAN, 1 connected to my WIFI access point and 1 connected to my LAN. Both internal NICs use NAT to the outside world for IPv4 traffic. For IPv6 traffic, it tunnels with TunnelBroker.net. Both internal NICs have their own /64 IPv6 subnet.

                                          @wallabybob:

                                          What's in the DHCP log? Does DHCP even see the DHCP v6 request?

                                          Stupid me, why didn't I think about checking that. The log shows the following error:

                                          php: /services_dhcp.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf xl0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.1.1-P1 Copyright 2004-2010 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 18: Invalid IPv6 address. option dhcp6.name-servers 8.8.4.4, ^ /etc/dhcpdv6.conf line 21: You can not use a hardware parameter for DHCPv6 hosts. Use the host-identifier parameter instead. hardware ^ Configuration file errors encountered – exiting If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please

                                          Any clue what this means?

                                            databeestje

                                            Don't fill in an IPv4 DNS server on the DHCPv6 server page.
                                            It appears the host identifier has changed from what it used to be. I need to see what changed.

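The two errors in the dhcpd log above (an IPv4 address in `option dhcp6.name-servers`, and `hardware` inside a DHCPv6 host declaration) and the reservation-outside-subnet complaint from earlier in the thread can be caught before the daemon is started. The following is an added example, not pfSense code and not from any poster: the config text is constructed, the DUID is made up, the function names are assumptions, and `host-identifier option dhcp6.client-id` is ISC dhcpd's documented form rather than something the thread spells out.

```python
import ipaddress

# Constructed config reproducing the two dhcpd errors in the log, plus a
# reservation outside the served prefix. Addresses use documentation ranges.
BROKEN = """\
subnet6 2001:db8:1::/64 {
  range6 2001:db8:1::1000 2001:db8:1::2000;
  option dhcp6.name-servers 8.8.4.4, 2001:db8:1::53;
}
host laptop {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address6 2001:db8:2::10;
}
"""

# Same config corrected; the DUID is a made-up value.
FIXED = """\
subnet6 2001:db8:1::/64 {
  range6 2001:db8:1::1000 2001:db8:1::2000;
  option dhcp6.name-servers 2001:db8:1::53;
}
host laptop {
  host-identifier option dhcp6.client-id 00:01:00:01:12:34:56:78:00:11:22:33:44:55;
  fixed-address6 2001:db8:1::10;
}
"""

def is_v6(text):
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False

def check_dhcpdv6(conf):
    """Return [(line_no, message)] for statements dhcpd -6 rejects or cannot serve."""
    stmts = [(n, l.split("#", 1)[0].strip().rstrip(";{ ")) for n, l in enumerate(conf.splitlines(), 1)]
    nets = [ipaddress.IPv6Network(s.split()[1], strict=False) for _, s in stmts if s.startswith("subnet6 ")]
    found = []
    for n, s in stmts:
        if s.startswith("option dhcp6.name-servers"):
            bad = [a.strip() for a in s.partition("name-servers")[2].split(",") if not is_v6(a.strip())]
            found += [(n, f"name server {a!r} is not an IPv6 address") for a in bad]
        elif s.startswith("hardware "):
            found.append((n, "hardware is invalid for DHCPv6 hosts; use host-identifier"))
        elif s.startswith("fixed-address6 "):
            addr = s.split()[1]
            if not is_v6(addr) or not any(ipaddress.IPv6Address(addr) in net for net in nets):
                found.append((n, f"{addr} is not inside any subnet6"))
    return found
```

`check_dhcpdv6(BROKEN)` reports lines 3, 6 and 7, while `check_dhcpdv6(FIXED)` returns an empty list.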
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.