IPv6 incoming is broken. No answer to ICMPv6 even if enabled in Firewall.
-
In the last few days the incoming IPv6 has gone broken.
(It was working OK in builds from a few days ago and no change whatsoever in the firewall settings.)
Outgoing IPv6 works OK but incoming is not working.
Even if I enabled an "Enable ALL" firewall rule I do not get any ICMPv6 reply on an incoming ICMP.
And no answer on ISAKMP port 500 either for that matter (rendering my IPSec v6 down as well).
And nothing in the firewall log regarding blocked connection.
OUTGOING:
16:28:05.929745 IP6 2001:470:27:xxx::2 > 2001:470:27:xxx::1: ICMP6, echo request, seq 48130, length 24
16:28:05.930764 IP6 2001:470:27:xxx::1 > 2001:470:27:xxx::2: ICMP6, echo reply, seq 48130, length 24
INCOMING:
16:28:09.681778 IP6 2001:470:27:54c::2.500 > 2001:470:27:xxx::2.500: UDP, length 124
16:28:10.652419 IP6 2001:470:1f0e:513::2 > 2001:470:27:xxx::2: ICMP6, echo request, seq 38626, length 40
16:28:11.434949 IP6 2001:470:1f0e:513::2 > 2001:470:27:xxx::2: ICMP6, echo request, seq 38627, length 40
16:28:12.435450 IP6 2001:470:1f0e:513::2 > 2001:470:27:xxx::2: ICMP6, echo request, seq 38628, length 40
16:28:13.434928 IP6 2001:470:1f0e:513::2 > 2001:470:27:xxx::2: ICMP6, echo request, seq 38629, length 40
16:28:14.439623 IP6 2001:470:1f0e:513::2 > 2001:470:27:xxx::2: ICMP6, echo request, seq 38630, length 40
16:28:19.683427 IP6 2001:470:27:yyy::2.500 > 2001:470:27:xxx::2.500: UDP, length 124
As said, I have checked the Firewall log on the Tunnelbroker (IPv6 ifc) and nothing is blocked but nothing gets through.
I have changed part of my IP to "xxx" to protect me and "yyy" to protect my colleague's firewall trying to set up IPSec (ISAKMP).
//Dan Lundqvist
UPDATE: A small hint could be that there is something strange with routing.
I tried to do a ping (from internet) to a machine inside my LAN that is accepted and tried to ping it and get the following: (replace part of my IP with "xxx")
Wireshark from the inside machine.

| Time | Source | Destination | Dest Port | Dest port | Protocol | Length | Info | New Column |
|---|---|---|---|---|---|---|---|---|
| 0.000000000 | 2a02:348:82:cb69::1 | 2001:470:28:xxx:f66d:4ff:fe06:3ba8 | | | ICMPv6 | 94 | Echo (ping) request id=0x350b, seq=0 | 1 |
| 0.000177000 | 2001:470:28:xxx:f66d:4ff:fe06:3ba8 | 2a02:348:82:cb69::1 | | | ICMPv6 | 94 | Echo (ping) reply id=0x350b, seq=0 | 2 |
| 0.000286000 | 2001:470:28:xxx::1 | 2001:470:28:xxx:f66d:4ff:fe06:3ba8 | | | ICMPv6 | 142 | Destination Unreachable (no route to destination) | 3 |

2001:470:28:xxx::1 = the LAN interface IP-address.
As you can see there is something strange going on.
Connections initiated from the pfSense directly are working OK but all secondary replies are not.
**I have checked the Routing table and it is now missing the "default 2001:470:27:xxx::1" entry.**
I went into the routing and unchecked the "Default Gateway" entry for the IPv6 entry and pressed apply.
And then in again and checked it again. + apply. But still no "default" entry for the IPv6 table…
-
Maybe it's related to this and you have to wait for a newer snapshot?
http://forum.pfsense.org/index.php/topic,58731.msg315026.html#msg315026
Or try a gitsync?
-
Yep, that did it. I added the rows in the system.inc and rebooted and now the incoming seems to work.
At least for the incoming ICMPv6 Echos and replies.