Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 TCP resets not returning to client PC

    IPv6
    2
    2
    952
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mibsy
      last edited by

      I have  pfsense 2.1.4 box running with Hurricane Electric as a tunnel broker on the box.  I have set up IPv6 DHCP and everythign works as it should, except when I create an IPv6 firewall rule on the LAN interface.  I can set up rules that block specific ports.  Enabling and disabling the rules works as expected except if I chose reject instead of block.  Reject should create TCP resets back to the source client.  Instead they are being blocked and logged by a firewall rule that isn't one seen on the GUI.

      The log states:

      block  Aug 22 15:55:04 Direction=OUT LAN  [2607:f8b0:4007:804::1014]:80  [2001:470:1f11:5c::ffb3]:57626 TCP:RA

      @6 block drop out log inet6 all label "Default deny rule IPv6"

      The rule that triggered this action is:

      It is hitting one of the following rules from pfctl -sr

      block drop out log inet6 all label "Default deny rule IPv6"

      I have created IPv6 permits and they work fine for all traffic except these reset packets getting stopped exiting the LAN interface.

      Ideas?

      1 Reply Last reply Reply Quote 0
      • S
        simonswine
        last edited by

        Hi!

        I experienced the same problems. I was able to fix this with the attached patch. I'm not sure but probably we should file a bug report.

        The problem is that tcp resets get filtered as the 'pass out' rule for  the firewall itself is limited to TCP SYN pakets. However I still receive no ICMPv6 unreachables if i'm trying to reject IPv6 udp traffic.

        Here the patch:

        diff --git a/filter.inc b/filter.inc
index c49403a..a4e3c45 100644
--- a/filter.inc
+++ b/filter.inc
@@ -2854,8 +2854,8 @@ EOD;

        $ipfrules .= << <eod<br># let out anything from the firewall host itself and decrypted IPsec traffic
-pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
-pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
+pass out inet all flags any keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags any keep state allow-opts label "let out anything IPv6 from firewall host itself"

 EOD;</eod<br>

        Cheers

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.