sendmsg: Operation not permitted



  • Dear all,

    I am trying to get my IPv6 connection working with pfSense. With my Debian machine (same vSwitch, both VM guest systems) everything works fine. I activated IPv6 in System -> Advanced -> Networking -> Allow IPv6 and added Allow-* IPv6 rules to my firewall, just for testing purposes…
    After that I configured my WAN interface and restarted pfSense:
    inet6 2001:4ba0:fffc:2c::6 prefixlen 64

    In fact the GW is 2001:4ba0:fffc:1:beef::1, so I can't add the gateway via the web interface. So I tried to add the route via SSH:
    [2.1-RELEASE][root@pfsense.localdomain]/root(2): route add -inet6 2001:4ba0:fffc:1:beef::1 -iface em0
    add host 2001:4ba0:fffc:1:beef::1: gateway em0
    [2.1-RELEASE][root@pfsense.localdomain]/root(3): route add -inet6 default 2001:4ba0:fffc:1:beef::1
    add net default: gateway 2001:4ba0:fffc:1:beef::1

    If I try to ping the GW I receive the following:
    [2.1-RELEASE][root@pfsense.localdomain]/root(4): ping6 2001:4ba0:fffc:1:beef::1
    PING6(56=40+8+8 bytes) 2001:4ba0:fffc:2c::6 -> 2001:4ba0:fffc:1:beef::1
    ping6: sendmsg: Operation not permitted

    In fact, as I said before, the same construction works fine with my Debian system. So I must have made some mistakes. Could you please assist me? I am using:
    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:50 EDT 2013

    Thanks!
    Kind regards
    vitafit


  • Rebel Alliance Developer Netgate

    The "operation not permitted" message usually means your firewall rules are blocking the traffic. Did you check the "Allow IPv6" box under System > Advanced on the Firewall/NAT tab?



  • Hi jimp,

    yes, I did, because I already googled the problem and figured out that I need to enable this option. I also created additional allow rules for IPv6… so the firewall can't be the problem...



    I tried to disable my firewall with pfctl -d; same result, operation not permitted…
    So the problem still remains: I can't use my IPv6 address this way in pfSense... Is the way I add the IPv6 routes (because my IPv6 GW is in a different subnet) right? Why does pfSense not support such things...



  • @vitafit:

    Is the way I add the IPv6 routes (because my IPv6 GW is in a different subnet) right? Why does pfSense not support such things…

    Wait, your gateway is on a remote subnet? How would you even expect that to work?



  • To expand on this a little, the problem with your setup is that you've given your pfsense box no way of actually reaching the gateway: It's not on any of the pfsense box's local subnets, so as far as your pfsense box knows, it can't talk to the gateway directly; at the same time, it also can't go through the gateway to reach the gateway in the first place. You'll have to assign an address from the same subnet as your gateway to one of the interfaces on your pfsense box.

    Edit: Presumably that is also precisely why you can't set up your gateway that way through the web interface, isn't it?



  • @razzfazz:

    To expand on this a little, the problem with your setup is that you've given your pfsense box no way of actually reaching the gateway: It's not on any of the pfsense box's local subnets, so as far as your pfsense box knows, it can't talk to the gateway directly; at the same time, it also can't go through the gateway to reach the gateway in the first place. You'll have to assign an address from the same subnet as your gateway to one of the interfaces on your pfsense box.

    Edit: Presumably that is also precisely why you can't set up your gateway that way through the web interface, isn't it?

    Right, that's the problem with my root server provider. I had exactly the same problem with IPv4: they gave me an external IPv4 address and I needed to route through a special gateway. The solution was pretty easy:
    route add -net 193.111.140.0 -iface em0
    route add default 193.111.140.1

    Now I have the same situation with IPv6… but it is not working, so I can't get around this; the GW to route IPv6 is a different one. Like I said before: with my plain Debian system it works that way...



  • The difference is that in your initial post, you added an interface route for the specific host address, not for a network as you did in the v4 case. Perhaps try this instead:

    route add -inet6 -net 2001:4ba0:fffc:1:beef::/PREFIX -iface em0

    … where PREFIX would be replaced by the appropriate number. (You should probably specify the subnet mask explicitly for the v4 case as well, by the way.)



  • @razzfazz:

    The difference is that in your initial post, you added an interface route for the specific host address, not for a network as you did in the v4 case. Perhaps try this instead:

    route add -inet6 -net 2001:4ba0:fffc:1:beef::/PREFIX -iface em0

    … where PREFIX would be replaced by the appropriate number. (You should probably specify the subnet mask explicitly for the v4 case as well, by the way.)

    Doesn't work, even with your way… still not permitted... mh, unlovely situation :(


  • Rebel Alliance Developer Netgate

    Are you really entering all of this in manually at the CLI? Why not set the IPv6 addresses on the interface and the gateway and such in the GUI?

    If you have an IPv6 address set on the interface, and define a gateway inside that subnet for it to use, it should be able to send out so long as the rules permit the connection.

    IPv6 is no different than IPv4 in this regard.

    You have an IP address and a subnet mask (prefix). When that is configured on the interface with the right mask, the OS automatically gets a "link" route so it can reach others in the same subnet. For communication outside of your interface subnet, you need a gateway that is an IP address in that subnet or, with IPv6 you can also use a link-local address scoped on the right interface for a gateway.

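    As an added illustration (not code from this thread and not part of pfSense), the helper below performs the on-link check jimp describes and then emits the route commands the thread has been juggling: a bare default route when the gateway lies inside a connected prefix, or the interface route plus default route (optionally with a static neighbour entry) when it does not. Function names are mine; the address/prefix values come from the thread and the 193.111.140.0/24 host address is constructed for the sample.

```python
# Added illustration for the pfSense thread above; not pfSense or FreeBSD code.
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def on_link_prefix(gateway: str, interface_addrs: List[str]) -> Optional[Network]:
    """Return the connected prefix that contains `gateway`, or None if the
    gateway is not on any subnet configured on the interface.

    This is the check described in the thread: a gateway is only directly
    reachable when it lies inside a prefix configured on the interface (the OS
    installs a "link" route for that prefix), or when it is an IPv6 link-local
    address, which is on-link by definition once scoped to the interface.
    """
    gw = ipaddress.ip_address(gateway)
    if gw.version == 6 and gw.is_link_local:
        return ipaddress.ip_network("fe80::/10")
    for addr in interface_addrs:
        iface = ipaddress.ip_interface(addr)
        if iface.version == gw.version and gw in iface.network:
            return iface.network
    return None


def route_commands(gateway: str, interface_addrs: List[str], ifname: str,
                   os_name: str = "freebsd",
                   gateway_mac: Optional[str] = None) -> List[str]:
    """Build the commands needed to use `gateway` as the default route.

    On-link gateway: only the default route is needed.
    Off-link gateway (the provider setup in the thread): first pin the gateway
    to the interface with a host/interface route, optionally add a static
    neighbour entry, then add the default route.  `os_name` selects FreeBSD
    route(8)/ndp(8)/arp(8) syntax or Linux iproute2 syntax.  The commands are
    returned as strings; nothing here touches the running system.
    """
    gw = ipaddress.ip_address(gateway)
    v6 = gw.version == 6
    off_link = on_link_prefix(gateway, interface_addrs) is None
    cmds: List[str] = []
    if os_name == "freebsd":
        fam = "-inet6" if v6 else "-inet"
        if off_link:
            cmds.append(f"route add {fam} {gateway} -iface {ifname}")
            if gateway_mac:
                cmds.append(f"{'ndp' if v6 else 'arp'} -s {gateway} {gateway_mac}")
        cmds.append(f"route add {fam} default {gateway}")
    elif os_name == "linux":
        fam = "-6" if v6 else "-4"
        if off_link:
            cmds.append(f"ip {fam} route add {gateway} dev {ifname}")
            if gateway_mac:
                cmds.append(f"ip {fam} neigh add {gateway} lladdr {gateway_mac} "
                            f"dev {ifname} nud permanent")
        cmds.append(f"ip {fam} route add default via {gateway} dev {ifname}")
    else:
        raise ValueError(f"unsupported os_name: {os_name}")
    return cmds


if __name__ == "__main__":
    # Values from the thread: the WAN address and the provider's off-link gateway.
    wan = ["2001:4ba0:fffc:2c::6/64"]
    gw6 = "2001:4ba0:fffc:1:beef::1"
    print("on-link prefix:", on_link_prefix(gw6, wan))  # None: gateway is off-link
    for cmd in route_commands(gw6, wan, "em0"):
        print(cmd)
    for cmd in route_commands(gw6, wan, "eth0", os_name="linux"):
        print(cmd)
```

    Running it with the thread's values reports the gateway as off-link and prints the two-command FreeBSD recipe and the two-command Debian recipe from the thread; with a gateway inside the WAN prefix only the default-route command is produced, which is the configuration the GUI accepts.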


  • It sounds like the GUI (rightfully) doesn't let him enter it precisely because he's trying to enter a gateway address that's not in any of the locally connected subnets.



  • @razzfazz:

    It sounds like the GUI (rightfully) doesn't let him enter it precisely because he's trying to enter a gateway address that's not in any of the locally connected subnets.

    Yes, you are right. That's the problem: the GUI won't let me enter an IP address / gateway outside my own subnet! But I can't change that situation because my provider is telling me to use it this way; there is no IPv6 gateway inside my subnet. So I need a way to use this subnet. In IPv4 I have the same situation, so I put all this into my config via <shellcmd> so the needed routes will be added after every restart.

    So this is what my provider is telling me to use:
    route add -inet6 [ipv6-gateway] -iface [interface]
    ndp -s [ipv6-gateway] [mac-gateway]
    route add -inet6 default [ipv6-gateway]

    This does not even work in a plain FreeBSD installation. If I use the Debian version like this, it works:
    ip -6 route add YOUR_IPv6_Gateway dev eth0
    ip -6 route add default via YOUR_IPv6_Gateway dev eth0

    I hope I could make it clear?



  • Like I was saying, the first line should be this instead:

    route add -inet6 -net [ipv6-gateway]/64 -iface [interface]

    (Or possibly whatever other prefix length is appropriate instead of 64.)



  • @razzfazz:

    Like I was saying, the first line should be this instead:

    route add -inet6 -net [ipv6-gateway]/64 -iface [interface]

    (Or possibly whatever other prefix length is appropriate instead of 64.)

    Like I told you before, unfortunately this doesn't help…



  • OK, so what does your routing table look like afterwards?

    Edit: Never mind, looks like it's not treated as a local segment:

    Destination                       Gateway                       Flags      Netif Expire
    2601:x:y:a::/64              link#2                        U          igb0 <--- local segment for this interface
    2601:x:y:b::/64              bc:5f:f4:xx:yy:zz             US         igb0 <--- manually added route

    Are you sure the :2c: prefix your provider gives you is intended for the WAN side, not the LAN side? I.e., you can't just use an address from the :1: prefix on the WAN interface? Using a non-local gateway seems like a very non-standard (and arguably broken) configuration. Is this what your provider tells everyone to use, or is this something specific to your particular setup?



  • @razzfazz:

    OK, so what does your routing table look like afterwards?

    Edit: Never mind, looks like it's not treated as a local segment:

    Destination                       Gateway                       Flags      Netif Expire
    2601:x:y:a::/64              link#2                        U          igb0 <--- local segment for this interface
    2601:x:y:b::/64              bc:5f:f4:xx:yy:zz             US         igb0 <--- manually added route

    Are you sure the :2c: prefix your provider gives you is intended for the WAN side, not the LAN side? I.e., you can't just use an address from the :1: prefix on the WAN interface? Using a non-local gateway seems like a very non-standard (and arguably broken) configuration. Is this what your provider tells everyone to use, or is this something specific to your particular setup?

    This is an OVH & Hetzner type setup, i.e. "standard" for all.

    I'm also hitting this same problem, and it's an issue for using IPv6 with pfSense… else I'll have to consider the HE tunnel mechanism ;(

