[Resolved] Unable to browse internet firewall with IPv6

codeblue2k · May 9, 2015, 9:27 PM

I have a fresh install of pfSense and I am having some weird firewall rule issues with an IPv6 network. I added a pfSense admin rule and removed the default any any rules. I also added ICMP, DNS and HTTP/HTTPS rules. But even with those rules I am not able to browse to the internet.

can ping Googles IPv6 DNS IP from the pfSense WAN and LAN
can ping Googles IPv6 DNS IP from a host behind the firewall
can ping google.com from a host behind the firewall
can NOT browse to google.com in IE from a host behind the firewall

I have attached screenshots of my floating, WAN and LAN rules. Any help you can provide would be much appreciated.

hda · May 9, 2015, 8:54 PM

Allow ICMP for IPv6 is recommended.

How is DNS config setup ?

How is RA management setup ?

IPv6 takes priority for browsing. If IPv6 not available, switch to IPv4 may take a while. Use SixOrNot 1.0.1 in browser for your information ?

Harvy66 · May 9, 2015, 9:01 PM

I thought floating rules get processed first, and if you're blocking TCP for 4 and 6, then your TCP connections are going to get blocked. yes?

codeblue2k · May 9, 2015, 9:09 PM

@hda:

Allow ICMP for IPv6 is recommended.

How is DNS config setup ?

How is RA management setup ?

IPv6 takes priority for browsing. If IPv6 not available, switch to IPv4 may take a while. Use SixOrNot 1.0.1 in browser for your information ?

DNS on the pfSense server and on the hosts behind the firewall all point to Google DNS

Sorry, can you clarify what RA management is? Im still learning my way around pfSense.

So my pfsense host and all of the hosts behind my firewall are only using IPv6 addresses.

hda · May 9, 2015, 9:10 PM

@Harvy66:

I thought floating rules get processed first, and if you're blocking TCP for 4 and 6, then your TCP connections are going to get blocked. yes?

You're right there. I read it for ICMP i.s.o. TCP…

codeblue2k · May 9, 2015, 9:13 PM

@Harvy66:

I thought floating rules get processed first, and if you're blocking TCP for 4 and 6, then your TCP connections are going to get blocked. yes?

If that was the case wouldn't the ICMP rule that I have setup on the LAN rules be blocked? But as I mentioned I am able to ping IPs and hostnames. Just for covering my bases i disabled the floating rules and the issues still exists. Thanks for the suggestion

codeblue2k · May 9, 2015, 9:25 PM

Scratch that… it indeed seemed to have resolved the issue. Not sure why it took so long for the rule to stop blocking traffic.