IPv6 gateway / firewall rules issue



  • I have native IPv6 provided by my ISP.  I have a /48 not provided by the ISP, but they do route it to me.

    I use the following as my IPv6 gateway:

    WANGWv6 (default)	WAN	fe80::%pppoe3	fe80::%pppoe3	
    

    This works great, so long as I do not wish to open the firewall to an IPv6 server.

    I have opened the firewall to a server on port 443.
    I verified that the SYN gets to the server, and it responds with SYN|ACK.
    The state table has the matching entries.
    I find, however, that the SYN|ACK from the server does not flow over the pppoe3 interface, rather the underlying re1.
    It needs to be squirted out pppoe3.

    The /tmp/rules.debug file contains:

    GWWANGWv6 = " route-to ( re1 fe80::%pppoe3 ) "

    This requires me to explicitly select the gateway in the rule opening the server, in order to have it work.

    This one works:

    pass  in  quick  on $WAN  $GWWANGWv6 inet6 proto tcp  from any to ...
    

    This one does not:

    pass  in  quick  on $WAN reply-to ( re1 fe80::%pppoe3 ) inet6 proto tcp  from any to ...
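As an added illustration that is not part of the original post, here is a minimal pf.conf fragment, written by the editor, that lays out the pattern the post describes side by side: the route-to gateway macro pfSense emits in /tmp/rules.debug, the inbound rule for the port-443 server that names that gateway explicitly (the form the post reports as working), and the reply-to form kept as a comment for contrast. The interface names re1 and pppoe3 follow the post; the server address and the wan_if/srv6 macro names are constructed placeholders.

```pf
# Constructed example. re1 is the physical interface under the pppoe3 session,
# as in the post; the server address is a documentation-prefix placeholder
# standing in for a host inside the poster's /48.
wan_if = "pppoe3"
srv6   = "2001:db8:1234:1::443"

# Gateway macro as pfSense writes it to /tmp/rules.debug (quoted in the post):
# traffic matched by a rule carrying this macro is handed to the link-local
# gateway reachable over re1/pppoe3.
GWWANGWv6 = " route-to ( re1 fe80::%pppoe3 ) "

# Inbound rule the post reports as working: the gateway is selected explicitly
# on the rule, so the state it creates carries the route-to and the server's
# SYN|ACK goes back out pppoe3 instead of the underlying re1.
pass in quick on $wan_if $GWWANGWv6 inet6 proto tcp from any to $srv6 port 443 \
    flags S/SA keep state

# reply-to form the post reports as NOT working in this setup, kept for contrast:
# pass in quick on $wan_if reply-to ( re1 fe80::%pppoe3 ) inet6 proto tcp \
#     from any to $srv6 port 443 flags S/SA keep state
```

The two rules differ only in how the return path is attached to the state (route-to on the rule versus reply-to); the post's observation is that only the explicit gateway selection sends the server's replies over the PPPoE session.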
    


  • fe80:: addresses are link-local addresses.
    A link-local address is a network address that is valid only for communications within the network segment.


  • Banned



  • @andi-ch:

    fe80:: addresses are link-local addresses.
    A link-local address is a network address that is valid only for communications within the network segment.

    And your point is?



  • @doktornotor:

    Please, do NOT multipost. :(

    https://forum.pfsense.org/index.php?topic=96329.0

    This is not a multipost.  You appear to understand neither this one, nor the other issue.  Kindly butt out.


  • Yeah, I'm definitely butted out of your "I have invented a /48 to use that no one routed to me and it doesn't work" "issue"…