Netgate Discussion Forum
    IPv6 gateway / firewall rules issue

    amgems

      I have native IPv6 provided by my ISP.  I have a /48 not provided by the ISP, but they do route it to me.

      I use the following as my IPv6 gateway:

      WANGWv6 (default)	WAN	fe80::%pppoe3	fe80::%pppoe3	
      

      This works great, so long as I do not wish to open the firewall to an IPv6 server.

      I have opened the firewall to a server on port 443.
      I verified that the SYN gets to the server, and it responds with SYN|ACK.
      The state table has the matching entries.
      I find, however, that the SYN|ACK from the server does not flow over the pppoe3 interface, rather the underlying re1.
      It needs to be squirted out pppoe3.

      The /tmp/rules.debug file contains:

      GWWANGWv6 = " route-to ( re1 fe80::%pppoe3 ) "
      
      

      This requires me to explicitly select the gateway in the rule opening the server, in order to have it work.

      This one works:

      pass  in  quick  on $WAN  $GWWANGWv6 inet6 proto tcp  from any to ...
      

      This one does not:

      pass  in  quick  on $WAN reply-to ( re1 fe80::%pppoe3 ) inet6 proto tcp  from any to ...
      
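A small lint over rules of the shape quoted above, added here as an example and not code from the post or from pfSense: it expands pf macros such as $GWWANGWv6 and flags every route-to / reply-to whose gateway is a %-scoped link-local address but whose interface name differs from that scope (re1 versus pppoe3), so such mismatches can be reviewed when a rule ending up on the wrong interface is suspected. The rule text and the 2001:db8:: server address are constructed sample input.

```python
import re

# Constructed sample in the shape of the /tmp/rules.debug lines quoted in the post.
SAMPLE_RULES = """\
GWWANGWv6 = " route-to ( re1 fe80::%pppoe3 ) "
pass  in  quick  on $WAN  $GWWANGWv6 inet6 proto tcp  from any to 2001:db8::443 port 443
pass  in  quick  on $WAN reply-to ( re1 fe80::%pppoe3 ) inet6 proto tcp  from any to 2001:db8::443 port 443
pass  in  quick  on $WAN reply-to ( pppoe3 fe80::%pppoe3 ) inet6 proto tcp  from any to 2001:db8::443 port 443
"""

# pf macro definition:  NAME = "body"
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
# route-to / reply-to with a single ( interface gateway ) pair
POLICY_RE = re.compile(r'\b(route-to|reply-to)\s*\(\s*(\S+)\s+(\S+)\s*\)')


def expand_macros(rules_text):
    """Substitute $NAME with the body of any macro defined earlier in the text.
    Undefined macros such as $WAN are left untouched."""
    macros, out = {}, []
    for line in rules_text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        for name, body in macros.items():
            line = line.replace('$' + name, body)
        out.append(line)
    return '\n'.join(out)


def scope_mismatches(rules_text):
    """Return (line_no, keyword, interface, gateway) for each route-to/reply-to
    whose gateway is a %-scoped fe80:: address and whose interface is not the
    interface named in that scope: pf is told to emit on one interface with a
    next hop that only exists on another."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        for m in POLICY_RE.finditer(line):
            keyword, iface, gw = m.groups()
            if '%' not in gw:
                continue  # only scoped link-local gateways carry an interface
            addr, zone = gw.rsplit('%', 1)
            if addr.lower().startswith('fe80:') and zone != iface:
                findings.append((n, keyword, iface, gw))
    return findings


if __name__ == '__main__':
    for hit in scope_mismatches(expand_macros(SAMPLE_RULES)):
        print('line %d: %s uses %s but gateway %s is scoped elsewhere' % hit)
```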
      andi-ch

        fe80:: addresses are link-local addresses.
        A link-local address is a network address that is valid only for communications within the network segment.

        doktornotor

          Please, do NOT multipost. :(

          https://forum.pfsense.org/index.php?topic=96329.0

          amgems

            @andi-ch:

            fe80:: addresses are link-local addresses.
            A link-local address is a network address that is valid only for communications within the network segment.

            And your point is?

            amgems

              @doktornotor:

              Please, do NOT multipost. :(

              https://forum.pfsense.org/index.php?topic=96329.0

              This is not a multipost.  You appear to understand neither this one, nor the other issue.  Kindly butt out.

              doktornotor

                Yeah, I'm definitely butted out of your "I have invented a /48 to use that no one routed to me and it doesn't work" "issue"…

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.