OPNsense Forum

English Forums => General Discussion => Topic started by: wget on July 10, 2020, 04:15:37 pm

Title: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
Post by: wget on July 10, 2020, 04:15:37 pm
In order to comply with RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls, in 20.1, I allowed the following ICMP traffic:
https://tools.ietf.org/html/rfc4890#section-4.3.1

I set them in Rules > WAN. cf. attachment

Authorizing this traffic allowed me to get 20/20 at the IPv6 test: ipv6-test.com/ (http://ipv6-test.com/)

A few weeks ago, I migrated to 20.7.b_181 with the FreeBSD 12 kernel (fresh install). Now I noticed that, despite having these ICMP whitelisting rules enabled, I have been downgraded to 18/20, because this specific ICMP traffic isn't allowed to pass through anymore :/

Can anyone confirm this issue? I have Sensei installed, maybe that's the reason?
Title: Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei?
Post by: mb on July 10, 2020, 06:13:22 pm
Hi @wget,

Try these:

1. Put Sensei into bypass mode and see if it works (Sensei -> Status -> Enter Bypass Mode)
2. Stop Sensei and see if something changes (Sensei -> Status -> Stop)

If the first option works, then it's related to Sensei.
If only the second option works, i.e. only when you stop Sensei altogether, then it's related to netmap.

If it's option 1 or 2, shoot a PR and we'll have a closer look (Report Bug on the right-hand side of the screen).

If not, then it's not related to Sensei/netmap.

Title: Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
Post by: wget on July 20, 2020, 06:24:56 pm

I found the culprit :) Not related to Sensei at all. And I completely removed Sensei to make sure =)

Firefox and a bunch of other browsers have removed support for TLS 1.0 and 1.1. It appears the subdomain[1] that ipv6-test.com is using to test for ICMPv6 reachability only supports TLS up to 1.1, which means the resource is not being loaded.

I sent an email to ipv6-test's maintainers to let them know about the issue.

[1] https://v6.ipv6-test.com:8443/
Title: Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
Post by: mb on July 20, 2020, 09:01:52 pm
Hi @wget, glad that you've figured this out. Thanks for the update.
Title: Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
Post by: skywalker007 on September 11, 2020, 02:39:25 pm
Just trying to get some IPv6 ICMP stuff fixed and found this thread.
Do I need to apply these rules manually? So OPNsense doesn't accept IPv6 ICMP traffic by default then?
How can I specify codes?
For example ICMPv6 - Time Exceeded (Type 3) - Code 0 only
-> I can select "time exceeded", but how do I limit it to a code?

thanks!
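The RFC 4890 section 4.3.1 allow list from the first post, including the type/code restrictions skywalker007 asks about, as an added example that is not part of this thread: it encodes which ICMPv6 messages must not be dropped and renders the equivalent pf rules. It assumes plain pf.conf(5) syntax with a placeholder interface name `wan`; the OPNsense GUI generates its own rule text.

```python
"""RFC 4890 section 4.3.1 ("Traffic That Must Not Be Dropped") as a checkable
policy plus pf rule rendering.  Assumption: plain pf.conf(5) syntax, not the
rule text OPNsense generates from the GUI; 'wan' is a placeholder interface."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# ICMPv6 type -> (pf icmp6-type keyword, allowed codes; None = every code)
RFC4890_MUST_NOT_DROP: Dict[int, Tuple[str, Optional[FrozenSet[int]]]] = {
    1:   ("unreach",   None),               # Destination Unreachable, all codes
    2:   ("toobig",    frozenset({0})),     # Packet Too Big (needed for PMTUD)
    3:   ("timex",     frozenset({0})),     # Time Exceeded, code 0 only
    4:   ("paramprob", frozenset({1, 2})),  # Parameter Problem, codes 1 and 2
    128: ("echoreq",   frozenset({0})),     # Echo Request
    129: ("echorep",   frozenset({0})),     # Echo Response
}


def should_pass(icmp_type: int, code: int) -> bool:
    """True if RFC 4890 section 4.3.1 says this (type, code) must not be dropped."""
    entry = RFC4890_MUST_NOT_DROP.get(icmp_type)
    if entry is None:
        return False
    _, codes = entry
    return codes is None or code in codes


def pf_rules(direction: str = "in", iface: str = "wan") -> List[str]:
    """Render one pf pass rule per allowed (type, code); code-restricted types
    get one rule per code, which is how a single code is selected in pf."""
    rules = []
    for _, (name, codes) in sorted(RFC4890_MUST_NOT_DROP.items()):
        base = (f"pass {direction} quick on {iface} inet6 proto ipv6-icmp "
                f"icmp6-type {name}")
        if codes is None:
            rules.append(base)
        else:
            rules.extend(f"{base} code {c}" for c in sorted(codes))
    return rules


def audit(observed: List[Tuple[int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Split constructed (type, code) observations into pass/drop buckets."""
    result: Dict[str, List[Tuple[int, int]]] = {"pass": [], "drop": []}
    for t, c in observed:
        result["pass" if should_pass(t, c) else "drop"].append((t, c))
    return result


if __name__ == "__main__":
    print("\n".join(pf_rules()))
    # Constructed sample: hop-limit exceeded, reassembly timeout, MLD report
    print(audit([(3, 0), (3, 1), (143, 0)]))
```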