OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: dscott_casd on December 17, 2015, 07:05:44 pm

Title: Default Deny Rule IPv6
Post by: dscott_casd on December 17, 2015, 07:05:44 pm
I'm trying to get IPv6 to work, everything is configured and the router can ping and traceroute to IPv6 addresses, but clients trying to actually use the router are getting timed out at the firewall.  I've tried flipping the "Allow IPv6" checkbox in the system settings, gone over my configs probably 20 times by now, and still cannot get this to work.  Please could someone give me a hand here?

I've tried to include screenshots, but the attachment limit is being difficult.

Screenshot 1: https://dl.dropboxusercontent.com/u/65721274/error1.jpg
Screenshot 2: https://dl.dropboxusercontent.com/u/65721274/error2.jpg
Title: Re: Default Deny Rule IPv6
Post by: 8191 on December 17, 2015, 07:11:23 pm
Did you apply the pending firewall rule changes?
Could you post the output of the command "pfctl -sr" if you have console/SSH access, please. If not easily possible, please post a screenshot of the floating rules.
I can see that you have two WAN interfaces. Does the firewall have the right interface as default gateway?
Title: Re: Default Deny Rule IPv6
Post by: dscott_casd on December 17, 2015, 07:25:55 pm
Yes, the firewall has the correct interface as the default gateway, and yes I've applied the pending changes.  Here is the output of pfctl -sr:

No ALTQ support in kernel
ALTQ related functions disabled
scrub on nfe0 all fragment reassemble
scrub on vr0 all fragment reassemble
scrub on bge0 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any
block drop log quick inet proto tcp from any to any port = 0
block drop log quick inet proto udp from any port = 0 to any
block drop log quick inet proto udp from any to any port = 0
block drop log quick inet6 proto tcp from any port = 0 to any
block drop log quick inet6 proto tcp from any to any port = 0
block drop log quick inet6 proto udp from any port = 0 to any
block drop log quick inet6 proto udp from any to any port = 0
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
pass in quick on nfe0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN0"
pass in quick on nfe0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN0"
pass out quick on nfe0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN0"
block drop in log on ! nfe0 inet6 from 2601:542:2:5e00::/64 to any
block drop in log on nfe0 inet6 from fe80::2e0:81ff:fe5f:d1df to any
block drop in log inet6 from 2601:542:2:5e00:2e0:81ff:fe5f:d1df to any
block drop in log inet6 from 2601:542:2:5e00:ddad:eab0:c0f2:c354 to any
block drop in log on ! nfe0 inet from 173.13.49.80/29 to any
block drop in log inet from 173.13.49.85 to any
pass quick on nfe0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on nfe0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on nfe0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on nfe0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on nfe0 inet6 proto udp from fe80::/10 to 2601:542:2:5e00:2e0:81ff:fe5f:d1df port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass out quick on nfe0 inet6 proto udp from 2601:542:2:5e00:2e0:81ff:fe5f:d1df port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
block drop in log on ! vr0 inet6 from 2601:542:2:5eff::/64 to any
block drop in log inet6 from 2601:542:2:5eff:200:24ff:fecd:71dc to any
block drop in log on vr0 inet6 from fe80::1:1 to any
block drop in log on ! vr0 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.1 to any
pass quick on vr0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on vr0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on vr0 inet6 proto udp from fe80::/10 to 2601:542:2:5eff:200:24ff:fecd:71dc port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass out quick on vr0 inet6 proto udp from 2601:542:2:5eff:200:24ff:fecd:71dc port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
block drop in log quick on bge0 from <bogons> to any label "block bogon IPv4 networks from WAN1"
block drop in log quick on bge0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN1"
block drop in log on ! bge0 inet from 63.133.228.253 to any
block drop in log inet from 63.133.228.253 to any
block drop in log on bge0 inet6 from fe80::2e0:81ff:fe5f:d1de to any
block drop in log quick on bge0 inet from 10.0.0.0/8 to any label "Block private networks from WAN1 block 10/8"
block drop in log quick on bge0 inet from 127.0.0.0/8 to any label "Block private networks from WAN1 block 127/8"
block drop in log quick on bge0 inet from 100.64.0.0/10 to any label "Block private networks from WAN1 block 100.64/10"
block drop in log quick on bge0 inet from 172.16.0.0/12 to any label "Block private networks from WAN1 block 172.16/12"
block drop in log quick on bge0 inet from 192.168.0.0/16 to any label "Block private networks from WAN1 block 192.168/16"
block drop in log quick on bge0 inet6 from fc00::/7 to any label "Block ULA networks from WAN1 block fc00::/7"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (nfe0 173.13.49.86) inet from 173.13.49.85 to ! 173.13.49.80/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (bge0 63.133.228.254) inet from 63.133.228.253 to ! 63.133.228.253 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on vr0 proto tcp from any to (vr0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on vr0 proto tcp from any to (vr0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on vr0 proto tcp from any to (vr0) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in on nfe0 inet proto icmp all keep state label "USER_RULE: Quick ICMP"
pass in on vr0 inet proto icmp all keep state label "USER_RULE: Quick ICMP"
pass in on bge0 inet proto icmp all keep state label "USER_RULE: Quick ICMP"
pass in on nfe0 inet6 proto ipv6-icmp all keep state label "USER_RULE: Quick ICMP"
pass in on vr0 inet6 proto ipv6-icmp all keep state label "USER_RULE: Quick ICMP"
pass in on bge0 inet6 proto ipv6-icmp all keep state label "USER_RULE: Quick ICMP"
pass in quick on nfe0 inet6 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "USER_RULE: IPv6 Client DHCP"
pass in quick on vr0 inet all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on vr0 inet6 all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
root@OPNsense:~ #
Title: Re: Default Deny Rule IPv6
Post by: 8191 on December 18, 2015, 08:41:36 am
That's really weird... I assume vr0 is your LAN interface? Then the rule
Code:
pass in quick on vr0 inet6 all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
should match and allow the traffic...

Are you positive that the shown log in the screenshot is actually the reason for the connection timing out? Maybe it was a previous error (date/time?) and the current problem lies somewhere else?
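As an added illustration that is not part of the thread, the Python below models how pf selects a rule from a constructed subset of the pfctl -sr output posted above: the last matching rule wins, unless a matching rule carries "quick", which ends evaluation at once. Addresses, ports, TCP flags, icmp6-type and state options are deliberately not modelled (every packet is treated as a new connection), so it only shows why the default deny lines at the top do not by themselves decide a LAN client's fate.

```python
# Constructed subset of the pfctl -sr output posted above, kept in pf order.
RULES = [
    'block drop in log inet6 all label "Default deny rule IPv6"',
    'block drop out log inet6 all label "Default deny rule IPv6"',
    'pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"',
    'pass in on vr0 inet6 proto ipv6-icmp all keep state label "USER_RULE: Quick ICMP"',
    'pass in quick on vr0 inet6 all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"',
]

def parse_rule(text):
    """Pull out the criteria this model checks; addresses, ports, flags and state options are ignored."""
    toks = iter(text.split())
    r = {"action": next(toks), "dir": None, "quick": False, "iface": None,
         "neg": False, "af": None, "proto": None, "label": text}
    for t in toks:
        if t in ("in", "out"):
            r["dir"] = t
        elif t == "quick":
            r["quick"] = True
        elif t in ("inet", "inet6"):
            r["af"] = t
        elif t in ("on", "proto"):
            v = next(toks)
            if v == "!":                 # "on ! vr0" means every interface except vr0
                r["neg"], v = True, next(toks)
            r["iface" if t == "on" else "proto"] = v
        elif t == "label":               # the label is always last in pfctl output
            r["label"] = " ".join(toks).strip('"')
    return r

def matches(r, pkt):
    """A criterion the rule leaves unset matches any packet."""
    return ((r["dir"] is None or r["dir"] == pkt["dir"])
            and (r["iface"] is None or (r["iface"] == pkt["iface"]) != r["neg"])
            and (r["af"] is None or r["af"] == pkt["af"])
            and (r["proto"] is None or r["proto"] == pkt["proto"]))

def decide(pkt, rules=RULES):
    """pf semantics: the LAST matching rule decides, unless a match carries 'quick'."""
    winner = None
    for text in rules:
        r = parse_rule(text)
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return winner["action"], winner["label"]

if __name__ == "__main__":
    lan = {"dir": "in", "iface": "vr0", "af": "inet6", "proto": "tcp"}
    print(decide(lan))  # ('pass', 'USER_RULE: Default allow LAN to any rule')
```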
Title: Re: Default Deny Rule IPv6
Post by: dscott_casd on December 18, 2015, 02:07:41 pm
I did a little more testing and found that my clients can ping both the LAN and the WAN interfaces, so traffic is obviously making it through the firewall.  Seeing that the firewall can ping and traceroute to IPv6 servers, but clients cannot, I'm not sure where else to look at this point.  The gateways are set up correctly (to my knowledge), so I'm at a loss.  This is a test server, so I am willing to let someone have access in to have a look around for anything that I could have missed.
Title: Re: Default Deny Rule IPv6
Post by: franco on January 10, 2016, 07:45:34 pm
Everything looks normal and should work out of the box. If the offer still stands, I'll gladly take a look via SSH. Please PM me for details. :)