IPv6 gateway / firewall rules issue
-
I have native IPv6 provided by my ISP. I have a /48 not provided by the ISP, but they do route it to me.
I use the following as my IPv6 gateway:
WANGWv6 (default) WAN fe80::%pppoe3 fe80::%pppoe3This works great, so long as I do not wish to open the firewall to an IPv6 server.
I have opened the firewall to a server on port 443.
I verified that the SYN gets to the server, and it responds with SYN|ACK.
The state table has the matching entries.
I find, however, that the SYN|ACK from the server does not flow over the pppoe3 interface, rather the underlying re1.
It needs to be squirted out pppoe3.The /tmp/rules.debug file contains:
GWWANGWv6 = " route-to ( re1 fe80::%pppoe3 ) "This requires me to explicitly select the gateway in the rule opening the server, in order to have it work.
This one works:
pass in quick on $WAN $GWWANGWv6 inet6 proto tcp from any to ...This one does not:
pass in quick on $WAN reply-to ( re1 fe80::%pppoe3 ) inet6 proto tcp from any to ...
-
fe80:: are link-local address
link-local address is a network address that is valid only for communications within the network segment
-
Please, do NOT multipost. :(
-
fe80:: are link-local address
link-local address is a network address that is valid only for communications within the network segmentAnd your point is?
-
Please, do NOT multipost. :(
This is not a multipost. You appear to understand neither this one, not the other issue. Kindly butt out.
-
Yeah, I'm definitely butted out of your "I have invented a /48 to use that noone routed to me and it doesn't work" "issue"…