Print Page - IPv6 breaks under Traffic Shaping congestion

Title: IPv6 breaks under Traffic Shaping congestion
Post by: nchlsh07 on March 24, 2024, 08:15:44 PM

Versions OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

I have recently experienced DNS failures when the WAN is congested outbound. There does not seem to be any issue with Unbound DNS, however, my DNS forwarders are IPv6.

Problem Summary:

Traffic shaping is configured - rule traffic match summary - Source/destination: ANY (mostly), Interface: WAN, Direction: In|Out, Destination/source port: (as required)
WAN is congested outbound (inbound congestion unconfirmed)
IPv6 traffic gets dropped: ICMP6 echo (ping), Unbound DNS IPv6 query forwarder (possibly other IPv6 traffic)
disabling traffic shaping - resolves
setting the Pipe bandwidth higher than the WAN link - resolves
It only seems to be a problem when the traffic shaper pipe is engaged/congested

Solution/workaround:

Review the following Topic and associated reference sites: Topic: [SOLVED] Firewall Shaper causes IPv6 address loss on WAN: https://forum.opnsense.org/index.php?topic=27247.msg132747#msg132747 (https://forum.opnsense.org/index.php?topic=27247.msg132747#msg132747)
replacing the source ANY with IP and subnets for the LAN and firewall interfaces on outbound rules - FIXED the issue
Included IP and subnets: Internal IPv4 private RFC 1918 subnets, Internal IPv6 subnet allocation, Firewall WAN public IPv4 and IPv6 addresses
Solution challenge: with the exception of the RFC 1918 addresses, the others are dynamically allocated by the ISP. I have paid for reserved IP addressing, so mine will not change. Others with a truly dynamic service where their IP addresses change regularly will have problems with this workaround, until the OPNsense UI allows the use of aliases in Traffic Shaping rules.

Many thanks to fbantgat7 for the helpful post

Title: Re: IPv6 breaks under Traffic Shaping congestion
Post by: meyergru on March 24, 2024, 10:15:59 PM

Thank you for bringing this to attention again, I had missed the original post which already contains the potential workaround. I have an ISP who uses CG-NAT with DS-Lite (and dynamic prefixes) and had the same behaviour.

I always thought this was just this provider who misinterpreted congestion flags or something to this extent. Now it seems that OpnSense is the culprit. Therefore, I opened an issue with references to this, fbantgat7's and my own threads:

https://github.com/opnsense/core/issues/7342

OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: nchlsh07 on March 24, 2024, 08:15:44 PM