I am hoping that folks here can help me figure out my woes and get things working.
I upgraded from v24.1.1 to v24.1.2 and went through the (now routine) process of resetting to "Factory Default" and building my configuration from scratch.
The current hardware has been in place for 5+ years and has been upgraded in-place several times.
I'm now having issues getting the firewall to "pass" IPv6 traffic to my ISP.
My ISP delegates a /64 to my connection, which I then populate into the LAN using "Tracked Interface" and "Allow Manual...".
With OpnSense v24.1.1 and prior, I was able to configure the ISC DHCPv6 server without having to set Router Advertisements or set a Range for DHCPv6 (it used defaults I presume), just adding my internal DNS and NTP server.
With v24.1.2, I find that the only way IPv6 IPs are assigned to internal hosts is to turn on SLAAC in Router Advertisements, which has the effect of bypassing the configured DHCPv6 range and "pulling" directly from the ISP.
If I set Router Advertisements to anything except "Assisted" or "Stateless", no internal host is assigned a DHCPv6 address (other than local /private).
Even with "Assisted" or "Stateless", internal hosts are not able to connect to the Public Internet using IPv6. Browsing to IPv6-only websites or testing using the two main services (test-ipv6 and ipv6-test) fails.
I have reset to "Factory Default" several times trying to get this working - to no avail.
If I've missed something, or if there's a "lingering" file somewhere that might be holding on to "bad" IPv6 data that I need to whack from the CLI, or if you need / want more diagnostic data - please let me know.
Relevant sections of /conf/config.xml are below:
<lan>
<if>igb1</if>
<descr>LAN</descr>
<enable>1</enable>
<lock>1</lock>
<spoofmac/>
<ipaddr>192.168.144.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
<dhcpd6track6allowoverride>1</dhcpd6track6allowoverride>
</lan>
<dhcpdv6>
<lan>
<ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
<enable>1</enable>
<range>
<from>re:da:ct:ed:5555:0000:0000:0001</from>
<to>re:da:ct:ed:5555:ffff:ffff:ffff</to>
</range>
<prefixrange>
<from/>
<to/>
<prefixlength>64</prefixlength>
</prefixrange>
<dnsserver>fde4:b3e2:db9e:1a29::11</dnsserver>
<ntpserver>fde4:b3e2:db9e:1a29::11</ntpserver>
<numberoptions>
<item/>
</numberoptions>
<ramode>assist</ramode>
<rapriority>medium</rapriority>
<ramininterval>200</ramininterval>
<ramaxinterval>600</ramaxinterval>
<radomainsearchlist/>
<radnsserver/>
<rasamednsasdhcp6>1</rasamednsasdhcp6>
<ranodefault>1</ranodefault>
</lan>
</dhcpdv6>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
<rule>
<protocol>tcp/udp</protocol>
<interface>lan</interface>
<category/>
<ipprotocol>inet</ipprotocol>
<descr>Intercept outbound DNS queries and redirect to PiHole</descr>
<tag/>
<tagged/>
<poolopts/>
<associated-rule-id>nat_65d91bc09703b2.76952125</associated-rule-id>
<target>PiHole_Host</target>
<local-port>DNS_TLS</local-port>
<source>
<address>PiHole_Host</address>
<not>1</not>
</source>
<destination>
<any>1</any>
<port>DNS_TLS</port>
</destination>
<updated>
<username>root@192.168.144.21</username>
<time>1708729571.0813</time>
<description>/firewall_nat_edit.php made changes</description>
</updated>
<created>
<username>root@192.168.144.21</username>
<time>1708727232.6187</time>
<description>/firewall_nat_edit.php made changes</description>
</created>
</rule>
<rule>
<protocol>tcp/udp</protocol>
<interface>lan</interface>
<category/>
<ipprotocol>inet6</ipprotocol>
<descr>Intercept outbound DNS queries and redirect to PiHole</descr>
<tag/>
<tagged/>
<poolopts/>
<associated-rule-id>nat_65d924dbac0c71.59779010</associated-rule-id>
<target>PiHole_Host</target>
<local-port>DNS_TLS</local-port>
<source>
<address>PiHole_Host</address>
<not>1</not>
</source>
<destination>
<any>1</any>
<port>DNS_TLS</port>
</destination>
<updated>
<username>root@192.168.144.21</username>
<time>1708729563.7049</time>
<description>/firewall_nat_edit.php made changes</description>
</updated>
<created>
<username>root@192.168.144.21</username>
<time>1708729563.7049</time>
<description>/firewall_nat_edit.php made changes</description>
</created>
</rule>
</nat>
<Alias version="1.0.1">
<geoip>
<url/>
</geoip>
<aliases>
<alias uuid="d47480b8-89de-4d95-8d12-daba56730cd1">
<enabled>1</enabled>
<name>DNS_TLS</name>
<type>port</type>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>53
853</content>
<categories/>
<description>DNS ports with and without TLS</description>
</alias>
<alias uuid="59778dc9-8707-4d63-8a59-a49b04da72ea">
<enabled>1</enabled>
<name>DNS_Lookups</name>
<type>host</type>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.144.11
fde4:b3e2:db9e:1a29::11</content>
<categories/>
<description>Systems permitted to query external DNS</description>
</alias>
<alias uuid="d774f802-ff64-482e-a4ca-7e76802355ed">
<enabled>1</enabled>
<name>PiHole_MAC</name>
<type>mac</type>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>dc:a6:32:06:df:1a</content>
<categories/>
<description>PiHole Server eth0</description>
</alias>
<alias uuid="3f41e408-4ccc-4645-9e93-3aee9bbda99f">
<enabled>1</enabled>
<name>PiHole_Host</name>
<type>host</type>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.144.11
fde4:b3e2:db9e:1a29::11</content>
<categories/>
<description>PiHole Server eth0</description>
</alias>
</aliases>
</Alias>
Is there a reason for forcing DHCPv6?
Router advertisements and SLAAC can configure your network just fine. E.g. DHCPv6 (assisted) is not taken into account by Android.
Stateless btw means to not use DHCPv6 for anything else than static configuration, e.g. assignment of DNS Servers.
SLAAC also does not mean "to pull" addresses from ISP. SLAAC is just auto-config of your hosts with the RA announced prefix (coming from your ISP and being tracked for LAN).
So: Am I missing something or do you just want to use DHCPv6?
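The reply above makes the point that under SLAAC nobody hands out an address: each host derives its own interface identifier and appends it to the prefix carried in the Router Advertisement. The following script is an added example, not code from the thread or from OPNsense, that shows that arithmetic (the modified EUI-64 construction from RFC 4291). The prefix and MAC constants are taken from the `ifconfig igb1` output posted later in the thread, so the function reproduces the firewall's own `2001:579:4c:120:2e0:67ff:fe1f:2529` and its link-local `fe80::2e0:67ff:fe1f:2529`; the helper names are my own. It also flags whether an address embeds a MAC (the `ff:fe` marker), which matters for privacy since such an address lets anyone on the Internet recover the hardware address; the LAN host's `5da5:38c7:...` address in the thread does not, i.e. it uses a randomised identifier.

```python
import ipaddress

# Values copied from the ifconfig output posted in this thread: the tracked /64
# on the LAN interface (igb1) and that interface's MAC address.
LAN_PREFIX = ipaddress.IPv6Network("2001:579:4c:120::/64")
LAN_MAC = "00:e0:67:1f:25:29"


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): flip the universal/local bit of
    the first octet and splice ff:fe into the middle of the 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    flipped = bytes([octets[0] ^ 0x02]) + octets[1:3]
    return flipped + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """The address a host forms for itself from an RA prefix and its MAC;
    nothing is requested from or assigned by the ISP or the router."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def link_local_address(mac):
    """Same construction with the fe80::/64 link-local prefix."""
    return slaac_address(ipaddress.IPv6Network("fe80::/64"), mac)


def is_eui64_derived(addr):
    """True when the interface identifier carries the ff:fe marker, i.e. the
    MAC is recoverable from the address (privacy extensions avoid this)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 address; None for other addresses."""
    if not is_eui64_derived(addr):
        return None
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print("global:    ", slaac_address(LAN_PREFIX, LAN_MAC))
    print("link-local:", link_local_address(LAN_MAC))
    for a in ("2001:579:4c:120:2e0:67ff:fe1f:2529",
              "2001:579:4c:120:5da5:38c7:9eda:8988"):
        print(a, "embeds MAC", mac_from_eui64(a))
```

Run it as-is to see the two addresses from the thread fall out of the prefix and MAC; feed `is_eui64_derived` any address from your own `ifconfig` or `ip -6 addr` output to see whether your hosts are exposing their MACs.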
I'm open to switching up, changing out, etc.
With v24.1.1 and prior, if I didn't use the ISC DHCPv6, I couldn't specify my internal DNS/NTP servers along with associated Firewall/NAT rules, which resulted in "sneaky" apps and services bypassing my PiHole adblocker, which is why I defaulted to using it with v24.1.2.
My issue right now is that no matter how I configure "Router Advertising" and/or "ISC DHCPv6", I can't reach the Public Internet on any device (Android, Microsoft, Linux, Apple, BSD, Cisco IOS, etc.) with IPv6.
Even when I set <ramode>assist</ramode> or <ramode>stateless</ramode>, the only thing that changes is that my internal systems can "pull" an IPv6 address from the ISP allocation.
They still can't get anywhere...
Please stop talking about "pulling" IPs from your ISP. That is just wrong.
What does your WAN configuration look like?
Retrieving? Obtaining? Requesting? :D
WAN:
<wan>
<if>igb0</if>
<descr>WAN</descr>
<enable>1</enable>
<lock>1</lock>
<spoofmac/>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<ipaddr>re.da.ct.ed</ipaddr>
<subnet>27</subnet>
<gateway>WAN_GW</gateway>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
<dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
<dhcp6prefixonly>1</dhcp6prefixonly>
<adv_dhcp6_interface_statement_send_options/>
<adv_dhcp6_interface_statement_request_options/>
<adv_dhcp6_interface_statement_information_only_enable/>
<adv_dhcp6_interface_statement_script/>
<adv_dhcp6_id_assoc_statement_address_enable/>
<adv_dhcp6_id_assoc_statement_address/>
<adv_dhcp6_id_assoc_statement_address_id/>
<adv_dhcp6_id_assoc_statement_address_pltime/>
<adv_dhcp6_id_assoc_statement_address_vltime/>
<adv_dhcp6_id_assoc_statement_prefix_enable/>
<adv_dhcp6_id_assoc_statement_prefix/>
<adv_dhcp6_id_assoc_statement_prefix_id/>
<adv_dhcp6_id_assoc_statement_prefix_pltime/>
<adv_dhcp6_id_assoc_statement_prefix_vltime/>
<adv_dhcp6_prefix_interface_statement_sla_len/>
<adv_dhcp6_authentication_statement_authname/>
<adv_dhcp6_authentication_statement_protocol/>
<adv_dhcp6_authentication_statement_algorithm/>
<adv_dhcp6_authentication_statement_rdm/>
<adv_dhcp6_key_info_statement_keyname/>
<adv_dhcp6_key_info_statement_realm/>
<adv_dhcp6_key_info_statement_keyid/>
<adv_dhcp6_key_info_statement_secret/>
<adv_dhcp6_key_info_statement_expire/>
<adv_dhcp6_config_advanced/>
<adv_dhcp6_config_file_override/>
<adv_dhcp6_config_file_override_path/>
</wan>
Been having weird IPv6 issues recently, too. Noticed today that for whatever reason my OPNsense doesn't have a default IPv6 route anymore. Clients and the firewall itself (on the WAN interface) have their addresses properly assigned, but the route is missing, resulting in no connectivity. Could that be your problem as well?
If memory serves me correctly, my problem came with the update to 24.1.2, but I don't remember exactly. I have daily config backups - is the OPNsense release version in there somewhere so that I can verify?
/e: I think I might have solved my issue, and it might be related to gateways. My IPv6 gateway existed prior to upgrading to v24, with the gateway stuff being migrated during the upgrade. I had configured upstream monitoring and set one of OpenDNS's addresses as the monitoring target. I now went and removed the gateway. It got automatically recreated and the default route appeared. Added the monitoring target again and enabled gateway monitoring. So far so good, the route is still there. Will see tomorrow whether this all survives a nightly reboot.
Quote from: Ed V. on February 29, 2024, 01:34:29 PM
Retrieving? Obtaining? Requesting? :D
With SLAAC every host creates their own IPv6 and your router provides the necessary info (coming from ISP). But nobody pulls something from somewhere else.
Let's continue:
* Do your LAN hosts have global IPv6 addresses?
* If yes, are DNS servers properly configured? Can you resolve AAAA records?
* What firewall rules are defined for IPv6 (in on LAN, in/out on WAN)? Is traffic allowed?
* If yes, what happens during traceroute / tracert on Windows for IPv6 to some external host, e.g. google.com?
** If it works smoothly, you're online
** If not: What's your default gateway's status? Set, and gateway monitoring active signaling "green"?
* If no, did you check the firewall live view for evidence of which rules blocked traffic?
Let's see what you got.
With "Router Advertisements" for "[LAN]" set to Assisted with "Advertise Default Gateway" selected, here is the data: (There is no change if RA is set to "Unmanaged" or "Stateless".)
OPN
Interfaces
# ifconfig igb1
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN (lan)
options=4e0072b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
ether 00:e0:67:1f:25:29
inet6 fe80::2e0:67ff:fe1f:2529%igb1 prefixlen 64 scopeid 0x2
inet6 fde4:b3e2:db9e:1a29::1 prefixlen 64
inet6 2001:579:4c:120:2e0:67ff:fe1f:2529 prefixlen 64
inet 192.168.144.1 netmask 0xffffff00 broadcast 192.168.144.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
# ifconfig igb0
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WAN (wan)
options=4e0072b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
ether 00:e0:67:1f:25:28
inet6 fe80::2e0:67ff:fe1f:2528%igb0 prefixlen 64 scopeid 0x1
inet 98.187.162.137 netmask 0xffffffe0 broadcast 98.187.162.159
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Routes
# route -n6v show default
RTA_DST: inet6 ::; RTA_NETMASK: inet6 ::; RTA_IFP: link ; RTM_GET: Report Metrics: len 272, pid: 0, seq 1, errno 0, flags:<UP,GATEWAY,STATIC>
locks: inits:
sockaddrs: <DST,NETMASK,IFP>
:: :: link#0
route to: ::
destination: ::
mask: ::
gateway: fe80::2ef8:9bff:fe9d:b419%igb0
fib: 0
interface: igb0
flags: <UP,GATEWAY,DONE>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
:: fe80::2ef8:9bff:fe9d:b419%igb0 :: igb0:0.e0.67.1f.25.28 fe80::2e0:67ff:fe1f:2528%igb0
ICMP Ping test
# ping6 -c 6 2001:4860:4860::8888
PING6(56=40+8+8 bytes) 2001:579:4c:120:2e0:67ff:fe1f:2529 --> 2001:4860:4860::8888
16 bytes from 2001:4860:4860::8888, icmp_seq=0 hlim=59 time=21.475 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=1 hlim=59 time=21.968 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=2 hlim=59 time=22.530 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=3 hlim=59 time=22.799 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=4 hlim=59 time=21.856 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=5 hlim=59 time=21.361 ms
--- 2001:4860:4860::8888 ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.361/21.998/22.799/0.520 ms
DNS test
# dig -6 aaaa www.google.com @2001:4860:4860::8888
; <<>> DiG 9.18.24 <<>> -6 aaaa www.google.com @2001:4860:4860::8888
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13950
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com. IN AAAA
;; ANSWER SECTION:
www.google.com. 300 IN AAAA 2607:f8b0:4023:1006::63
www.google.com. 300 IN AAAA 2607:f8b0:4023:1006::67
www.google.com. 300 IN AAAA 2607:f8b0:4023:1006::68
www.google.com. 300 IN AAAA 2607:f8b0:4023:1006::6a
;; Query time: 30 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888) (UDP)
;; WHEN: Fri Mar 01 08:12:56 CST 2024
;; MSG SIZE rcvd: 155
LAN Host
Interface
$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.144.11 netmask 255.255.255.0 broadcast 192.168.144.255
inet6 2001:579:4c:120:5555:9a73:b10d:e091 prefixlen 128 scopeid 0x0<global>
inet6 fe80::53bb:1ff4:f59c:40b3 prefixlen 64 scopeid 0x20<link>
inet6 2001:579:4c:120:5da5:38c7:9eda:8988 prefixlen 64 scopeid 0x0<global>
inet6 fde4:b3e2:db9e:1a29::11 prefixlen 64 scopeid 0x0<global>
inet6 fde4:b3e2:db9e:1a29:bd3f:cf4f:9cfb:1838 prefixlen 64 scopeid 0x0<global>
ether dc:a6:32:06:df:1a txqueuelen 1000 (Ethernet)
RX packets 710197 bytes 377753836 (360.2 MiB)
RX errors 0 dropped 6 overruns 0 frame 0
TX packets 472106 bytes 53403899 (50.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Routes
$ ip -6 route show
::1 dev lo proto kernel metric 30 pref medium
2001:579:4c:120:5555:9a73:b10d:e091 dev eth0 proto kernel metric 100 pref medium
2001:579:4c:120::/64 dev eth0 proto ra metric 100 pref medium
fde4:b3e2:db9e:1a29::/64 dev eth0 proto ra metric 100 pref medium
fde4:b3e2:db9e:5b10::1 dev lo proto static metric 30 pref medium
fde4:b3e2:db9e:5b10::1 dev lo proto kernel metric 256 pref medium
fde4:b3e2:db9e:5b10::2 dev lo proto kernel metric 30 pref medium
fde4:b3e2:db9e:5b10::2 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::2e0:67ff:fe1f:2529 dev eth0 proto ra metric 100 pref medium
ICMP Ping test to OPN [LAN] Interface
$ ping6 -c 6 fde4:b3e2:db9e:1a29::1
PING fde4:b3e2:db9e:1a29::1(fde4:b3e2:db9e:1a29::1) 56 data bytes
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=2 ttl=64 time=0.237 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=3 ttl=64 time=0.271 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=4 ttl=64 time=0.248 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=5 ttl=64 time=0.298 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=6 ttl=64 time=0.180 ms
--- fde4:b3e2:db9e:1a29::1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5112ms
rtt min/avg/max/mdev = 0.180/0.299/0.560/0.122 ms
$ ping6 -c 6 2001:579:4c:120:2e0:67ff:fe1f:2529
PING 2001:579:4c:120:2e0:67ff:fe1f:2529(2001:579:4c:120:2e0:67ff:fe1f:2529) 56 data bytes
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=1 ttl=64 time=0.610 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=3 ttl=64 time=0.255 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=4 ttl=64 time=0.271 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=5 ttl=64 time=0.253 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=6 ttl=64 time=0.178 ms
--- 2001:579:4c:120:2e0:67ff:fe1f:2529 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5098ms
rtt min/avg/max/mdev = 0.178/0.305/0.610/0.139 ms
ICMP Ping test to ISP Gateway
$ ping6 -c 6 fe80::2ef8:9bff:fe9d:b419
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
PING fe80::2ef8:9bff:fe9d:b419(fe80::2ef8:9bff:fe9d:b419) 56 data bytes
--- fe80::2ef8:9bff:fe9d:b419 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5116ms
ICMP Ping test to Advertised Gateway
$ ping6 -c 6 fe80::2e0:67ff:fe1f:2529
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
PING fe80::2e0:67ff:fe1f:2529(fe80::2e0:67ff:fe1f:2529) 56 data bytes
--- fe80::2e0:67ff:fe1f:2529 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5106ms
ICMP Ping test to Public IPv6
$ ping6 -c 6 2001:4860:4860::8888
ping6: connect: Network is unreachable
DNS test
$ dig -6 aaaa www.google.com @2001:4860:4860::8888
;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached
NAT Rules from OPN
# pfctl -s nat
no nat proto carp all
nat on igb0 inet from (igb1:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (lo0:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from 127.0.0.0/8 to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (igb1:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from (lo0:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from 127.0.0.0/8 to any -> (igb0:0) port 1024:65535
no rdr proto carp all
no rdr on igb1 proto tcp from any to (igb1) port = ssh
no rdr on igb1 proto tcp from any to (igb1) port = http
no rdr on igb1 proto tcp from any to (igb1) port = https
rdr on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS4> round-robin
rdr on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS6> round-robin
Firewall Rules from OPN
# pfctl -s rules
scrub in all fragment reassemble
block drop in log on ! igb1 inet6 from fde4:b3e2:db9e:1a29::/64 to any
block drop in log on ! igb1 inet6 from 2001:579:4c:120::/64 to any
block drop in log on igb1 inet6 from fe80::2e0:67ff:fe1f:2529 to any
block drop in log inet6 from fde4:b3e2:db9e:1a29::1 to any
block drop in log inet6 from 2001:579:4c:120:2e0:67ff:fe1f:2529 to any
block drop in log on igb0 inet6 from fe80::2e0:67ff:fe1f:2528 to any
block drop in log on ! igb1 inet from 192.168.144.0/24 to any
block drop in log inet from 192.168.144.1 to any
block drop in log on ! igb0 inet from 98.187.162.128/27 to any
block drop in log inet from 98.187.162.137 to any
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
pass log quick inet6 proto carp from any to ff02::12 keep state label "cf439d72ef4d245e8ad4a1405df1f665"
pass log quick inet proto carp from any to 224.0.0.18 keep state label "2ffa978d51f7b3fbc9000c2895106ee7"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = https label "6baefc2a9cf2536834c092a51134a45c"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "d2bd536587a9f5680c1f850b2d346839"
pass in log quick on igb1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "3420206ced96c01ef73fbc4ac9deb745"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "0fd202708c326aebbe44ab710b6d3652"
pass out log quick on igb1 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "83f6c28de8efae9b444094e4a5bf898c"
pass in log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "a6cd2cce1bc1d912f6258ef1f3fb07e1"
pass in log quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "f7e4334c3e7dc4ba900c5780b828d4a3"
pass out log quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "5ba1258fcaf073eff4060b40ff63044d"
block drop in log quick on igb0 inet from <bogons> to any label "b7cd97a164650b538506fb551a0369e7"
block drop in log quick on igb0 inet6 from <bogonsv6> to any label "f140a48ddade668b9d6f5259669a1d5c"
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 100.64.0.0/10 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet6 from fc00::/7 to any label "45afd72424c84d011c07957569151480"
pass in quick on lo0 all no state label "7535c94082e72e2207679aadb26afd92"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb1 proto tcp from any to (self) port = ssh flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = http flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = https flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass out log route-to (igb0 98.187.162.129) inet from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "25317b606bbeb8522d3dc66b350595a1"
pass out log route-to (igb0 fe80::2ef8:9bff:fe9d:b419) inet6 from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "91af02f708c71d296f2293a00f2ec1cc"
pass in quick on igb1 inet6 proto tcp from <PiHole_MAC> to any port = domain flags S/SA keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto tcp from <PiHole_MAC> to any port = domain-s flags S/SA keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto udp from <PiHole_MAC> to any port = domain keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto udp from <PiHole_MAC> to any port = domain-s keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet proto tcp from <PiHole_MAC> to any port = domain flags S/SA keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto tcp from <PiHole_MAC> to any port = domain-s flags S/SA keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto udp from <PiHole_MAC> to any port = domain keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto udp from <PiHole_MAC> to any port = domain-s keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain flags S/SA keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain-s flags S/SA keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain-s keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet proto tcp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain flags S/SA keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto tcp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain-s flags S/SA keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto udp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto udp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain-s keep state label "6dad948e502d0194a27c640890dff3d6"
block drop in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain-s label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain-s label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain-s label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain-s label "4a346edff76c061eec2c613d413af50b"
pass in quick on igb1 inet6 from (igb1:network) to any flags S/SA keep state label "8ebd079ac5051cde9aa14391041e0025"
pass in quick on igb1 inet6 from fe80::/10 to any flags S/SA keep state label "8ebd079ac5051cde9aa14391041e0025"
pass in quick on igb1 inet from (igb1:network) to any flags S/SA keep state label "2e0fe9f0e69a777054d36feee301301c"
Alias Table for "PiHole_MAC"
# pfctl -t PiHole_MAC -T show
192.168.144.11
2001:579:4c:120:5555:9a73:b10d:e091
fde4:b3e2:db9e:1a29::11
fe80::53bb:1ff4:f59c:40b3
Just for grins - here's what a Microsoft Windows system sees.
Interface
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . : lan.local.us
Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection #2
Physical Address. . . . . . . . . : F0-2F-74-D3-B8-52
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:579:4c:120:8bf1:529:2289:3504(Preferred)
IPv6 Address. . . . . . . . . . . : fde4:b3e2:db9e:1a29::eb1e(Preferred)
Lease Obtained. . . . . . . . . . : Friday, March 1, 2024 09:38:41
Lease Expires . . . . . . . . . . : Saturday, March 2, 2024 09:38:40
IPv6 Address. . . . . . . . . . . : fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b(Preferred)
Temporary IPv6 Address. . . . . . : 2001:579:4c:120:7c17:d9fb:7c25:26cf(Preferred)
Temporary IPv6 Address. . . . . . : fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf(Preferred)
Link-local IPv6 Address . . . . . : fe80::e0be:a038:5030:f7f2%16(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.144.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, March 1, 2024 09:37:55
Lease Expires . . . . . . . . . . : Saturday, March 2, 2024 09:37:55
Default Gateway . . . . . . . . . : fe80::2e0:67ff:fe1f:2529%16
192.168.144.1
DHCP Server . . . . . . . . . . . : 192.168.144.11
DHCPv6 IAID . . . . . . . . . . . : 703606644
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-D5-E4-3E-B4-0E-DE-F7-4D-3D
DNS Servers . . . . . . . . . . . : fde4:b3e2:db9e:1a29::11
192.168.144.11
NetBIOS over Tcpip. . . . . . . . : Enabled
Routes
C:\>route print -6
===========================================================================
Interface List
22...f0 2f 74 d3 b8 d0 ......Realtek PCIe 2.5GbE Family Controller #2
30...00 15 5d 58 33 d0 ......Hyper-V Virtual Ethernet Adapter #5
16...f0 2f 74 d3 b8 52 ......Intel(R) I211 Gigabit Network Connection #2
19...0a 00 27 00 00 13 ......VirtualBox Host-Only Ethernet Adapter
7...00 ff 15 55 9b 77 ......TAP-Windows Adapter V9 for OpenVPN Connect
26...........................OpenVPN Data Channel Offload
32...b4 0e de f7 4d 41 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
24...00 15 5d 8f c9 29 ......Hyper-V Virtual Ethernet Adapter
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
16 281 2001:579:4c:120::/64 On-link
16 281 2001:579:4c:120:7c17:d9fb:7c25:26cf/128
On-link
16 281 2001:579:4c:120:8bf1:529:2289:3504/128
On-link
16 281 fde4:b3e2:db9e:1a29::/64 On-link
16 281 fde4:b3e2:db9e:1a29::eb1e/128
On-link
16 281 fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf/128
On-link
16 281 fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b/128
On-link
19 281 fe80::/64 On-link
16 281 fe80::/64 On-link
24 5256 fe80::/64 On-link
19 281 fe80::6b4e:bc42:6225:64b2/128
On-link
24 5256 fe80::7061:9fd4:cd1f:fa4f/128
On-link
16 281 fe80::e0be:a038:5030:f7f2/128
On-link
1 331 ff00::/8 On-link
19 281 ff00::/8 On-link
16 281 ff00::/8 On-link
24 5256 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\>netsh interface ipv6 show route
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- ------------------------
No System 256 ::1/128 1 Loopback Pseudo-Interface 1
No Manual 256 2001:579:4c:120::/64 16 Ethernet 4
No System 256 2001:579:4c:120:7c17:d9fb:7c25:26cf/128 16 Ethernet 4
No System 256 2001:579:4c:120:8bf1:529:2289:3504/128 16 Ethernet 4
No Manual 256 fde4:b3e2:db9e:1a29::/64 16 Ethernet 4
No System 256 fde4:b3e2:db9e:1a29::eb1e/128 16 Ethernet 4
No System 256 fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf/128 16 Ethernet 4
No System 256 fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b/128 16 Ethernet 4
No System 256 fe80::/64 30 vEthernet (Default Switch (Wi-Fi))
No System 256 fe80::/64 19 Ethernet 3
No System 256 fe80::/64 26 OpenVPN Connect DCO Adapter
No System 256 fe80::/64 7 Local Area Connection
No System 256 fe80::/64 22 Ethernet 5
No System 256 fe80::/64 16 Ethernet 4
No System 256 fe80::/64 32 Bluetooth Network Connection
No System 256 fe80::/64 24 vEthernet (Default Switch)
No System 256 fe80::42cc:5baf:e39e:6a0f/128 32 Bluetooth Network Connection
No System 256 fe80::493c:96ef:b3b1:1fae/128 30 vEthernet (Default Switch (Wi-Fi))
No System 256 fe80::6b4e:bc42:6225:64b2/128 19 Ethernet 3
No System 256 fe80::7061:9fd4:cd1f:fa4f/128 24 vEthernet (Default Switch)
No System 256 fe80::b847:d5ca:dbb3:ee08/128 22 Ethernet 5
No System 256 fe80::d18b:9f01:61a2:2f2e/128 7 Local Area Connection
No System 256 fe80::e0be:a038:5030:f7f2/128 16 Ethernet 4
No System 256 fe80::ff59:d680:5693:b9e4/128 26 OpenVPN Connect DCO Adapter
No System 256 ff00::/8 1 Loopback Pseudo-Interface 1
No System 256 ff00::/8 30 vEthernet (Default Switch (Wi-Fi))
No System 256 ff00::/8 19 Ethernet 3
No System 256 ff00::/8 26 OpenVPN Connect DCO Adapter
No System 256 ff00::/8 7 Local Area Connection
No System 256 ff00::/8 22 Ethernet 5
No System 256 ff00::/8 16 Ethernet 4
No System 256 ff00::/8 32 Bluetooth Network Connection
No System 256 ff00::/8 24 vEthernet (Default Switch)
ICMP Ping test to OPN RA Gateway
C:\>ping -6 fe80::2e0:67ff:fe1f:2529
Pinging fe80::2e0:67ff:fe1f:2529 with 32 bytes of data:
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Ping statistics for fe80::2e0:67ff:fe1f:2529:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
ICMP Ping to Public IPv6
C:\>ping -6 2001:4860:4860::8888
Pinging 2001:4860:4860::8888 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 2001:4860:4860::8888:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
I don't mean to hijack this thread, but I think my symptoms might be related to your difficulties here. It sounds like I picked the wrong time to convert off of Ubiquiti to opnsense!
I configured the WAN interface for DHCPv6 client, requesting only a prefix enabled, sending a prefix-hint enabled, and requesting a /56 prefix. I then configured each of my internal interfaces (LAN, OPT1-4) to each to use interface tracking and assigned a unique ipv6 prefix-id to each internal interface.
I'm getting my external /56 prefix assignment properly, the FW IPv6 routing table has the correct link-local next-hop for a default gateway (FiOS ONT), and the firewall is able to ping6 www.google.com without issue.
My internal clients are seeing the correct IPv6 prefix configured by DHCPv6 stateless configuration. Internal clients can ping FW solely on FE80: prefix, and cannot ping past the FW. On my windows client, I have the following neighbor information (sanitized of course. I have confirmed that on the other subnets, they are assigned the correct prefix ID of ":60x:" where X is the prefix ID that I set in the opnsense):
PS C:\> netsh interface ipv6 show neighbors interface=Ethernet
Interface 11: Ethernet
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
2600:xxxx:xxxx:600::1240 00-00-00-00-00-00 Unreachable
2600:xxxx:xxxx:600:12ca:71fe:5029:2e2c 00-00-00-00-00-00 Unreachable
2600:xxxx:xxxx:600:227c:14ff:fea1:e7de Unreachable Unreachable (Router)
2600:xxxx:xxxx:600:ed94:3f26:dcc6:c3aa 00-00-00-00-00-00 Unreachable
2600:xxxx:xxxx:3700:227c:14ff:fea1:e7de 20-7c-14-a1-e7-de Stale (Router)
fe80::227c:14ff:fea1:e7de 20-7c-14-a1-e7-de Stale (Router)
ff02::1 33-33-00-00-00-01 Permanent
ff02::2 33-33-00-00-00-02 Permanent
ff02::c 33-33-00-00-00-0c Permanent
ff02::16 33-33-00-00-00-16 Permanent
ff02::fb 33-33-00-00-00-fb Permanent
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
ff02::1:ff00:1240 33-33-ff-00-12-40 Permanent
ff02::1:ff29:2e2c 33-33-ff-29-2e-2c Permanent
ff02::1:ffa1:e7de 33-33-ff-a1-e7-de Permanent
ff02::1:ffa2:9713 33-33-ff-a2-97-13 Permanent
ff02::1:ffb2:7848 33-33-ff-b2-78-48 Permanent
ff02::1:ffdf:3bd8 33-33-ff-df-3b-d8 Permanent
Can you check your neighbor list on your windows host? I think this is a router-advertisement issue and the configuration that used to work doesn't work anymore?
Thoughts? (Again I apologize if my interruption is unwelcome. First time post on this forum.)
Thanks,
-Pete
Very relevant to the thread (in my opinion anyhow).
Something changed about how OPNsense is handling IPv6 between the 24.1.1 and the 24.1.2 releases and it's causing me issues.
I did check my IPv6 neighbors on Windows 11 and have the same "Unreachable" results that you have (different ranges of course).
I read through the most recent doc page on "Router Advertising" - nothing stands out as being "different", though just having to enable it is new in the 24.1.2 release (either it was "automagickal" in 24.1.1 or DHCPv6 was handling the RA part as well).
Hopefully wiser and more experienced folks here can help us provide enough data to troubleshoot and resolve...
Following...
I'm also seeing similar issues with 24.1.2_1 when DHCPv6 is enabled on the LAN, and have to use "Assisted" mode. It's working, so not a huge deal, but I'm wondering why DHCPv6 doesn't work as intended.
Your windows tells you what's wrong:
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
16 281 2001:579:4c:120::/64 On-link
...
There is no default gateway for your IPv6 router. There should be one having ::/0 as target prefix. This is consistent with the error messages. Your host(s) just don't know where to go to when trying to talk to the internet.
It's interesting to see that it still claims the announced default gateway but you route table doesn't reflect this. I am
This is a host misconfiguration originating in a weird RA / DHCPv6 configuration. This might be a bug in OPNsense or an absent bug (as you mentioned it worked earlier) or a misconfiguration.
I guess we need DHCPv6 and RA config to see what might be wrong.
Quote: <ranodefault>1</ranodefault>
Can you double check if "Advertise Default Gateway" is on? Your radvd config shows it is off.
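The check made in the reply above (a global address is present but no ::/0 route is installed) can be scripted. The following is an added example, not code from the thread or from OPNsense: it parses the column layout of `netsh interface ipv6 show route` and reports whether a default route exists. The two tables it runs on are constructed for the example from the prefixes and the LAN link-local gateway posted earlier in the thread; the second table adds a ::/0 line that does not appear on the page.

```python
"""Added example: check a Windows IPv6 route table for a default route.

Parses the columns of `netsh interface ipv6 show route` (Publish, Type,
Met, Prefix, Idx, Gateway/Interface Name) and reports whether a ::/0
route exists, which a client needs in order to reach anything off-link.
The sample tables below are constructed for this example.
"""
import ipaddress
import re

# Constructed sample: on-link prefixes but no ::/0 route, as in the thread.
NO_DEFAULT_ROUTE = """\
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:579:4c:120::/64       16  Ethernet 4
No       Manual    256  fde4:b3e2:db9e:1a29::/64   16  Ethernet 4
No       System    256  fe80::/64                  16  Ethernet 4
No       System    256  ff00::/8                   16  Ethernet 4
"""

# Constructed sample: the same host after accepting an RA that carries a
# non-zero router lifetime; the gateway is the router's link-local address.
WITH_DEFAULT_ROUTE = NO_DEFAULT_ROUTE + (
    "No       Manual    256  ::/0                       16  fe80::2e0:67ff:fe1f:2529\n"
)

ROUTE_LINE = re.compile(r"^(Yes|No)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def parse_netsh_routes(text):
    """Return one dict per route line; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        _publish, rtype, metric, prefix, idx, last = m.groups()
        # The last column is either a next-hop address or an interface name.
        try:
            gateway = str(ipaddress.IPv6Address(last.split("%")[0]))
            iface = None
        except ValueError:
            gateway, iface = None, last
        routes.append({
            "type": rtype,
            "metric": int(metric),
            "prefix": ipaddress.IPv6Network(prefix, strict=False),
            "idx": int(idx),
            "gateway": gateway,
            "iface": iface,
        })
    return routes


def diagnose(text):
    """Summarise what the table says about off-link IPv6 reachability."""
    routes = parse_netsh_routes(text)
    defaults = [r for r in routes if r["prefix"].prefixlen == 0]
    global_prefixes = sorted(
        str(r["prefix"]) for r in routes
        if r["prefix"].network_address in GLOBAL_UNICAST and r["prefix"].prefixlen < 128
    )
    if defaults:
        verdict = "ok"
    elif global_prefixes:
        verdict = ("global address present but no ::/0 route: check that the "
                   "router advertises a default gateway (router lifetime > 0)")
    else:
        verdict = "no global IPv6 prefix on this host"
    return {
        "has_default_route": bool(defaults),
        "default_gateways": [r["gateway"] for r in defaults],
        "global_prefixes": global_prefixes,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, table in (("without ::/0", NO_DEFAULT_ROUTE), ("with ::/0", WITH_DEFAULT_ROUTE)):
        print(name, diagnose(table))
```

Feed it the real `netsh` output by reading the text from a file instead of the constructed constants; the verdict string distinguishes "no global prefix at all" (no RA or prefix tracking problem) from "prefix but no default route" (RA received but not advertising a router, which is what the ping "General failure" lines point at).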
Here is the DHCPDv6 stanza.
I did "turn on" Default Gateway during the troubleshooting (checkbox selected (https://i.postimg.cc/x8jrssH6/2024-03-04-092104.png) and the "ranodefault" no longer appears in conf/config.xml), but it did not make a difference.
Troubleshooting over the weekend:
1 - Set up an additional Microsoft Windows 11 system from scratch (same IPv6 problem)
2 - Completely reset the Network Interfaces and the Network Stack on the original Microsoft system (no change)
3 - Tested a MacOS system (same IPv6 problem) borrowed from a friend
All LAN systems can see /ping the "IPv6 Default Gateway" provided by my ISP (fe80::2ef8:9bff:fe9d:b419) and other LAN systems using both the Private and Public IPv6 addresses, but cannot reach any system on the Public Internet.
DHCPDv6
<dhcpdv6>
<lan>
<ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
<enable>1</enable>
<range>
<from>2001:579:4c:3700::</from>
<to>2001:579:4c:3700:ffff:ffff:ffff:ffff</to>
</range>
<prefixrange>
<from/>
<to/>
<prefixlength>64</prefixlength>
</prefixrange>
<dnsserver>fde4:b3e2:db9e:1000::11</dnsserver>
<ntpserver>fde4:b3e2:db9e:1000::11</ntpserver>
<numberoptions>
<item/>
</numberoptions>
<ramode>assist</ramode>
<rapriority>medium</rapriority>
<ramininterval>200</ramininterval>
<ramaxinterval>600</ramaxinterval>
<radomainsearchlist/>
<radnsserver/>
<rasamednsasdhcp6>1</rasamednsasdhcp6>
</lan>
</dhcpdv6>
Microsoft Windows IPv6 Route
C:\>route print -6
===========================================================================
Interface List
22...f0 2f 74 d3 b8 d0 ......Realtek PCIe 2.5GbE Family Controller #2
29...00 15 5d 58 33 d0 ......Hyper-V Virtual Ethernet Adapter #5
15...f0 2f 74 d3 b8 52 ......Intel(R) I211 Gigabit Network Connection #2
19...0a 00 27 00 00 13 ......VirtualBox Host-Only Ethernet Adapter
5...00 ff 15 55 9b 77 ......TAP-Windows Adapter V9 for OpenVPN Connect
25...........................OpenVPN Data Channel Offload
30...b4 0e de f7 4d 41 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
36...00 15 5d 8f c9 29 ......Hyper-V Virtual Ethernet Adapter
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
15 281 2001:579:4c:3700::/64 On-link
15 281 2001:579:4c:3700:5be9:bf0:9b9f:3923/128
On-link
15 281 2001:579:4c:3700:cc03:b286:53d8:a7fb/128
On-link
15 281 fde4:b3e2:db9e:1000::/64 On-link
15 281 fde4:b3e2:db9e:1000:5555::6b1e/128
On-link
15 281 fde4:b3e2:db9e:1000:c08d:7634:5276:2feb/128
On-link
15 281 fde4:b3e2:db9e:1000:cc03:b286:53d8:a7fb/128
On-link
19 281 fe80::/64 On-link
15 281 fe80::/64 On-link
36 5256 fe80::/64 On-link
19 281 fe80::6b4e:bc42:6225:64b2/128
On-link
36 5256 fe80::7ce3:8317:eb17:da67/128
On-link
15 281 fe80::e0be:a038:5030:f7f2/128
On-link
1 331 ff00::/8 On-link
19 281 ff00::/8 On-link
15 281 ff00::/8 On-link
36 5256 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\>netsh interface ipv6 show route
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- ------------------------
No System 256 ::1/128 1 Loopback Pseudo-Interface 1
No Manual 256 2001:579:4c:3700::/64 15 Ethernet 4
No System 256 2001:579:4c:3700:5be9:bf0:9b9f:3923/128 15 Ethernet 4
No System 256 2001:579:4c:3700:cc03:b286:53d8:a7fb/128 15 Ethernet 4
No Manual 256 fde4:b3e2:db9e:1000::/64 15 Ethernet 4
No System 256 fde4:b3e2:db9e:1000:5555::6b1e/128 15 Ethernet 4
No System 256 fde4:b3e2:db9e:1000:c08d:7634:5276:2feb/128 15 Ethernet 4
No System 256 fde4:b3e2:db9e:1000:cc03:b286:53d8:a7fb/128 15 Ethernet 4
No System 256 fe80::/64 29 vEthernet (Default Switch (Wi-Fi))
No System 256 fe80::/64 19 Ethernet 3
No System 256 fe80::/64 25 OpenVPN Connect DCO Adapter
No System 256 fe80::/64 5 Local Area Connection
No System 256 fe80::/64 22 Ethernet 5
No System 256 fe80::/64 15 Ethernet 4
No System 256 fe80::/64 30 Bluetooth Network Connection
No System 256 fe80::/64 36 vEthernet (Default Switch)
No System 256 fe80::42cc:5baf:e39e:6a0f/128 30 Bluetooth Network Connection
No System 256 fe80::493c:96ef:b3b1:1fae/128 29 vEthernet (Default Switch (Wi-Fi))
No System 256 fe80::6b4e:bc42:6225:64b2/128 19 Ethernet 3
No System 256 fe80::7ce3:8317:eb17:da67/128 36 vEthernet (Default Switch)
No System 256 fe80::b847:d5ca:dbb3:ee08/128 22 Ethernet 5
No System 256 fe80::d18b:9f01:61a2:2f2e/128 5 Local Area Connection
No System 256 fe80::e0be:a038:5030:f7f2/128 15 Ethernet 4
No System 256 fe80::ff59:d680:5693:b9e4/128 25 OpenVPN Connect DCO Adapter
No System 256 ff00::/8 1 Loopback Pseudo-Interface 1
No System 256 ff00::/8 29 vEthernet (Default Switch (Wi-Fi))
No System 256 ff00::/8 19 Ethernet 3
No System 256 ff00::/8 25 OpenVPN Connect DCO Adapter
No System 256 ff00::/8 5 Local Area Connection
No System 256 ff00::/8 22 Ethernet 5
No System 256 ff00::/8 15 Ethernet 4
No System 256 ff00::/8 30 Bluetooth Network Connection
No System 256 ff00::/8 36 vEthernet (Default Switch)
C:\>C:\>ping 2001:4860:4860::8888
Pinging 2001:4860:4860::8888 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 2001:4860:4860::8888:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
Ok, I think we're looking at the wrong place here.
If you can ping your ISP's gateway from LAN and the ISP's gateway is a link local address, that sounds to me as if your LAN is physically connected to your WAN. Is there some misconfigured switch between hosts and OPNsense? Or maybe some non-functional Proxmox setup?
Pinging a host with a link-local address that is not part of your network segment usually is just impossible.
It's a pretty simplistic network:
(https://i.postimg.cc/zfh6mBLc/Cox-Overview.png)
I say the "Provided" gateway as in the LAN 2009:... which is from the Cox allocation.
The two fe80: IP's on the WAN side are "Unreachable".
C:\Windows\System32>ping 2001:579:4c:3700:2e0:67ff:fe1f:2529
Pinging 2001:579:4c:3700:2e0:67ff:fe1f:2529 with 32 bytes of data:
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Ping statistics for 2001:579:4c:3700:2e0:67ff:fe1f:2529:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Windows\System32>ping fe80::2e0:67ff:fe1f:2528
Pinging fe80::2e0:67ff:fe1f:2528 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Ping statistics for fe80::2e0:67ff:fe1f:2528:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Windows\System32>ping fe80::2ef8:9bff:fe9d:b419
Pinging fe80::2ef8:9bff:fe9d:b419 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Ping statistics for fe80::2ef8:9bff:fe9d:b419:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Windows\System32>
You're not supposed to be able to ping your WAN's LLA from your LAN clients because of different segments.
RA daemon should advertise your LAN's LLA as default gateway to your LAN clients.
What is the LLA of your LAN interface? Can you post the output of ifconfig igb1?
So your LAN's LLA is fe80::2e0:67ff:fe1f:2529 and reachable by your LAN clients. This should be advertised by radvd but for some reasons your clients don't use it as default gateway. Is it only affecting your Windows machine?
Did you restart radvd and dhcpv6 service after the configuration change to advertise the default gateway?
In order:
1 - At least for my deployment, I think I've solved the problem.
2 - Yes, it was happening across all platforms (Windows, Linux, MacOS, Android, Network /Switch gear, etc.)
3 - Yes, I restarted radvd and dhcpdv6 after each "Save /Apply".
I got frustrated last night and rolled back to v24.1.1.
As expected, IPv6 worked "normally".
I did find that (from the web console):
1 - The ISC DHCPv6 configuration did not need to have the range configured to function
2 - Router Advertisements was not enabled
3 - There was a set of "Automatically generated rules" that allowed ICMPv6 for LAN and WAN
So I went back to v24.1.2 (still no IPv6 connectivity) and made one change.
I created a rule for both LAN and WAN that allowed all ICMPv6.
Even though there are "Automatically generated rule"(s) that look identical to the ICMPv6 rules in place in v24.1.1 on both interfaces, once I created the Custom rule, IPv6 started working.
Disable the Custom ICMPv6 rule - IPv6 "breaks" again...
Maybe it's my hardware - maybe I'm just unlucky, but with all the great help and ideas /guidance /troubleshooting here at least it's now working...
Thanks for sharing. It sounds quite strange but may explain what happened.
Could you share your custom rule with us. I am really curious about it.
It's the most basic and simple of rules:
pass in quick on igb1 inet6 proto ipv6-icmp all keep state
(LAN)
pass in quick on igb0 inet6 proto ipv6-icmp all keep state
(WAN)
or
(https://i.postimg.cc/jSJ7JxWY/opn-icmpv6-rule.png)
I thought about trying to build out a duplicate of the RFC4890 "Automatic" rules, but once I read a bit more and realized that since, by design, ICMPv6 doesn't pose the same sort of Command and Control /data leakage risk that ICMPv4 does, I used a "blanket" rule.
If you know of any reason why that might be "bad", let me know and I'll build the duplicates...
Thanks Ed! So I am not hallucinating ;D
I have the same problem since switching from pfSense to opnsense.
https://forum.opnsense.org/index.php?topic=39033.msg191804#msg191804
Been having the same issue since 24.1.2.
IPv6 acting up. Here on a Dual-WAN set-up as well.
Can be seen when doing a ping6 etc,...
Clients get a "ICMPv6 Destination Unreachable (Address unreachable)" from the local gateway; but both IPv6 gateways are working and up.
Would be interesting to find out why this was missing in the first place. On my 24.1.2_1 everything works fine and I have automatic generated IPV6-ICMP rules for * * * * and ICMP6 types 1,2,135,136
The Automatically Generated Rules for ICMPv6 are present in my 24.1.2 system:
(https://i.postimg.cc/pLTHcH61/2024-03-06-064734.png)
But for whatever reason, IPv6 does not work without the custom /manual ICMPv6 rule.
I've reverted to 24.1.1 and re-upgraded to 24.1.2 twice, with a "Factory Default" reset each time and on 24.1.2 IPv6 does not work until I put the ICMPv6 rule in place.
If there's further debug /troubleshooting data that would help isolate the issue, I'm game to track /search and post...
Hover your mouse over "IPV6-ICMP" and it tells you which message types it actually refers to. The UI is quite restrictive here. Furthermore, those rules do not exist in any config. They are generated automatically. At least this is what the most recent source tells me.
Ping (echo request, reply) is not enabled by default. Type is not allowed.
Wow - yup.
Hadn't tried the "hover" reveal, but the list of ICMPv6 types is not at all complete per RFC 4890.
I've been searching and can't find where OPNSense defines ICMP /ICMPv6 Types
or how to build PF rules where a type is not named (the "Undefined" numerics).
The only ICMPv6 types that I can see in-use are:
- Type 1 Destination Unreachable (unreach)
- Type 2 Packet Too Big (toobig)
- Type 128 Echo Request (echoreq)
- Type 129 Echo Reply (echorep)
- Type 133 Router Solicitation (routersol)
- Type 134 Router Advertisement (routeradv)
- Type 135 Neighbor Solicitation (neighborsol)
- Type 136 Neighbor Advertisement (neighboradv)
With a few more pre-defined in the "drop-down" but those look more like they are commingled with ICMPv4 from a strict "Human readable name" perspective.
I see an array in /usr/local/www/firewall_rules.php, but I'm not willing to edit that and I don't see any of the icmp6types showing up in the WebUI.
Anyone have a good link /doc where I can use the WebUI or command line (pfctl) to define types /codes, add them by number to a table, or otherwise build correct rules?
It feels like the WebUI is not robust /flexible enough (unless I've missed something) so I am likely stuck adding rules via command line...
If my read is correct, then the "Automatic" rules for ICMPv6 should encompass:
Transit through the Firewall:
Must Not Drop (§4.3.1): Type 1, Type 2, Type 3 Code 0, Type 4 Code 1, Type 4 Code 2, Type 128-129
Should Not Drop (§4.3.2): Type 3 Code 1, Type 4 Code 0, Type 144-147
Needs a rule (§4.3.4): Must Allow: Seamoby Type 150
Undefined Error Messages: Type 5-99, 102-126
Unallocated Informational Messages: Type 154-199, Type 202-254
Not sure about these - maybe a "checkbox" somewhere to turn them on?
Should Drop barring defined need (§4.3.5): Type 100-101, Type 127, Type 138-140, Type 200-201, Type 255
Local Traffic (LAN, WAN, Link Local, etc.):
Must Not Drop (§4.4.1): Type 1, Type 2, Type 3 Code 0, Type 4 Code 1, Type 4 Code 2, Type 128-136, Type 141-143, Type 148, Type 149, Type 151-153
Should Not Drop (§4.4.2): Type 3 Code 1, Type 4 Code 0
Needs a Rule (§4.4.4): Must Allow: Type 137
If Experimental: Type 139-140
Undefined Error Messages: Type 5-99, Type 102-126
Not sure about these - maybe a "checkbox" somewhere to turn them on?
Should Drop barring defined need (§4.4.5): Type 100-101, 127, Type 154-199, Type 200-255
Oddly, I just ran across a forum topic from 2019 that looked like it was going to help /maybe resolve the issue - but then the author got distracted and never tested /implemented the update code..
https://forum.opnsense.org/index.php?topic=14891.0
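Two points from the posts above can be worked through in code: the "hover" reveal that the automatic IPV6-ICMP rule only admits types 1, 2, 135 and 136 (so echo request/reply are not among them), and the question of how to write pf rules for types that have no name in the UI. The block below is an added example and is not OPNsense code or the automatic rule generator; it transcribes the RFC 4890 §4.3.1, §4.3.2 and §4.4.1 type lists from the post above, reports which of those types the observed automatic rule does not cover, and renders pf rules that name ICMPv6 types and codes by number, which pf.conf(5) accepts in an `icmp6-type { ... }` list. Interface names `igb1`/`igb0` are taken from the rules posted earlier; the rule labels are made up for the example.

```python
"""Added example: RFC 4890 gap check and numeric icmp6-type pf rules.

Type/code lists are transcribed from the post above (RFC 4890 §4.3.1,
§4.3.2, §4.4.1). OBSERVED_AUTO_TYPES is the set reported earlier in the
thread for the automatically generated IPV6-ICMP rule.
"""

# (type, code); code None means "any code"
TRANSIT_MUST_NOT_DROP = [(1, None), (2, None), (3, 0), (4, 1), (4, 2),
                         (128, None), (129, None)]
TRANSIT_SHOULD_NOT_DROP = [(3, 1), (4, 0)] + [(t, None) for t in range(144, 148)]
LOCAL_MUST_NOT_DROP = (
    [(1, None), (2, None), (3, 0), (4, 1), (4, 2)]
    + [(t, None) for t in range(128, 137)]
    + [(t, None) for t in range(141, 144)]
    + [(148, None), (149, None)]
    + [(t, None) for t in range(151, 154)]
)

# ICMPv6 types the automatic IPV6-ICMP rule was reported to cover
OBSERVED_AUTO_TYPES = {1, 2, 135, 136}


def missing_types(required, allowed):
    """Type numbers in `required` that `allowed` does not admit, sorted."""
    return sorted({t for t, _ in required} - set(allowed))


def pf_icmp6_type_list(entries):
    """Render (type, code) pairs as a pf `icmp6-type { ... }` list, numerically.

    Writing the numbers directly sidesteps the need for a pf name (e.g. the
    'undefined' types in the RFC lists) while staying valid pf.conf syntax.
    """
    parts = []
    for icmp_type, code in entries:
        if not 0 <= icmp_type <= 255:
            raise ValueError(f"ICMPv6 type out of range: {icmp_type}")
        if code is not None and not 0 <= code <= 255:
            raise ValueError(f"ICMPv6 code out of range: {code}")
        parts.append(str(icmp_type) if code is None else f"{icmp_type} code {code}")
    return "{ " + ", ".join(parts) + " }"


def pf_rule(iface, entries, direction="in", label=None):
    """One pass rule limited to the given ICMPv6 types, in pf.conf syntax.

    Same shape as the blanket rule posted earlier (`proto ipv6-icmp all keep
    state`), narrowed with an icmp6-type list.
    """
    rule = (f"pass {direction} quick on {iface} inet6 proto ipv6-icmp all "
            f"icmp6-type {pf_icmp6_type_list(entries)} keep state")
    if label:
        rule += f' label "{label}"'
    return rule


def rfc4890_ruleset(lan_if, wan_if):
    """Transit must/should-not-drop on both interfaces, local must-not-drop on both."""
    rules = []
    for iface in (wan_if, lan_if):
        rules.append(pf_rule(iface, TRANSIT_MUST_NOT_DROP,
                             label="rfc4890 transit must-not-drop"))  # label is an example value
        rules.append(pf_rule(iface, TRANSIT_SHOULD_NOT_DROP,
                             label="rfc4890 transit should-not-drop"))
        rules.append(pf_rule(iface, LOCAL_MUST_NOT_DROP,
                             label="rfc4890 local must-not-drop"))
    return rules


if __name__ == "__main__":
    gap = missing_types(TRANSIT_MUST_NOT_DROP, OBSERVED_AUTO_TYPES)
    print("transit must-not-drop types the automatic rule does not admit:", gap)
    for r in rfc4890_ruleset("igb1", "igb0"):
        print(r)
```

The gap for the transit must-not-drop class comes out as types 3, 4, 128 and 129, which matches the observation above that ping is not admitted by the automatic rule. The generated text can be checked with `pfctl -nf` against a file before anything is loaded; it covers only the must/should-not-drop classes, so the "needs a rule" and "should drop" lists from the post stay a local policy decision.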