Netgate Discussion Forum

IPv6 TCP resets not returning to client PC

2 Posts 2 Posters 980 Views
  mibsy, last edited by Aug 22, 2014, 8:37 PM

    I have a pfSense 2.1.4 box running with Hurricane Electric as a tunnel broker on the box. I have set up IPv6 DHCP and everything works as it should, except when I create an IPv6 firewall rule on the LAN interface. I can set up rules that block specific ports. Enabling and disabling the rules works as expected except if I choose reject instead of block. Reject should create TCP resets back to the source client. Instead they are being blocked and logged by a firewall rule that isn't one seen on the GUI.

    The log states:

    block  Aug 22 15:55:04 Direction=OUT LAN  [2607:f8b0:4007:804::1014]:80  [2001:470:1f11:5c::ffb3]:57626 TCP:RA

    @6 block drop out log inet6 all label "Default deny rule IPv6"

    The rule that triggered this action is:

    It is hitting one of the following rules from pfctl -sr

    block drop out log inet6 all label "Default deny rule IPv6"

    I have created IPv6 permits and they work fine for all traffic except these reset packets getting stopped exiting the LAN interface.

    Ideas?

    simonswine, last edited by Dec 6, 2014, 1:36 PM

      Hi!

      I experienced the same problems. I was able to fix this with the attached patch. I'm not sure but probably we should file a bug report.

      The problem is that TCP resets get filtered as the 'pass out' rule for the firewall itself is limited to TCP SYN packets. However, I still receive no ICMPv6 unreachables if I'm trying to reject IPv6 UDP traffic.

      Here is the patch:

      diff --git a/filter.inc b/filter.inc
      index c49403a..a4e3c45 100644
      --- a/filter.inc
      +++ b/filter.inc
      @@ -2854,8 +2854,8 @@ EOD;
      
              $ipfrules .= << <eod<br># let out anything from the firewall host itself and decrypted IPsec traffic
      -pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
      -pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
      +pass out inet all flags any keep state allow-opts label "let out anything IPv4 from firewall host itself"
      +pass out inet6 all flags any keep state allow-opts label "let out anything IPv6 from firewall host itself"
      
       EOD;</eod<br> 
      
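      Review bot: the heredoc delimiters in this hunk have been mangled by the forum (`<< <eod<br>` on the `$ipfrules .=` line and `EOD;</eod<br>` on the closing context line), so the hunk will not apply cleanly as pasted; in filter.inc the opener is `<<<EOD` with the `# let out anything from the firewall host itself and decrypted IPsec traffic` comment on the following line, and the two `flags any` additions should be made by hand against that text. The change itself is sound for the reported symptom: a stateful TCP `pass out ... keep state` rule without an explicit `flags` clause defaults to `flags S/SA`, so the RST/ACK that a reject rule generates never matches it and falls through to the `block drop out log inet6 all label "Default deny rule IPv6"` entry seen in the log, whereas `flags any` disables the flag check and lets the reset leave the box. Two things to weigh before filing it as a fix: the IPv4 `pass out inet all` line receives the same relaxation although the report only concerns IPv6, and `flags any` only affects TCP flag matching, so the missing ICMPv6 unreachables for rejected UDP mentioned in the post are not addressed by this hunk.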

      Cheers

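      To make the mechanism in the two posts concrete, here is a minimal pf.conf fragment written for this thread; it is an added illustration, not code from the thread, from pfSense's filter.inc or from the poster's patch, and the interface name, port and rule order are assumptions. It places a LAN reject rule, the IPv6 default deny that mibsy's log shows, and the firewall-host pass-out rule in both its original and its patched form.

```pf
# Illustration only (not pfSense's generated ruleset). Interface name,
# port and ordering are assumed for the example.
lan_if = "em1"

# A LAN rule with the GUI action "Reject": pf answers a matching TCP
# packet with a RST, and that RST is then sent out on $lan_if, where it
# is evaluated by the outbound rules below.
block return-rst in log quick on $lan_if inet6 proto tcp from any to any port 80

# The rule mibsy's log shows the RST hitting (logged as "TCP:RA").
# pf is last-match-wins, so this only applies when no later rule matches.
block drop out log inet6 all label "Default deny rule IPv6"

# BEFORE the patch: a stateful TCP rule with no "flags" clause defaults
# to "flags S/SA", so only a SYN-only packet can create state. A RST/ACK
# never matches this rule, the default deny above remains the last match,
# and the reset is dropped.
# pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"

# AFTER the patch: "flags any" turns off TCP flag checking, so the RST
# matches here, becomes the last match, and leaves the firewall.
# "flags any" is TCP-only; it does not produce the ICMPv6 unreachables
# that rejecting UDP would need, which matches what simonswine observed.
pass out inet6 all flags any keep state allow-opts label "let out anything IPv6 from firewall host itself"
```

      With the commented-out line active and the `flags any` line removed, a client connecting to TCP port 80 through the LAN sees its connection time out rather than being refused, and the firewall log records the outbound RST against the default deny rule; with the `flags any` line in place the client receives the reset immediately.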
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.