OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: marcel on May 20, 2016, 10:24:49 pm

Title: Hurricane Electric and policy routing
Post by: marcel on May 20, 2016, 10:24:49 pm
Hi

I wanted to use a Hurricane Electric IPv6 tunnel for a separate interface. I followed the steps from here https://forum.opnsense.org/index.php?topic=1992.0, but didn't choose the gif interface as default gateway because I already have an IPv6 default gateway.
In the ruleset for the separate interface I chose the GIF interface as gateway for the allow rules.

With tcpdump I can now see the traffic going through the GIF interface and replying traffic comes back. But the replying traffic gets blocked on the gif Interface. In pfstate I can see NO_TRAFFIC:SINGLE as state. It seems that the firewall can't find the already opened stateful connection for the traffic.

Is there a fix for this?

Regards
Marcel

Btw. NPT doesn't work. It just shows this error.
Code:
/usr/local/etc/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:60: syntax error - The line in question reads [60]: binat on $HENETV6 from any to prenatprefix::/64 -> postnatprefix::/64
Title: Re: Hurricane Electric and policy routing
Post by: franco on May 21, 2016, 09:11:11 pm
Hi Marcel,

I found this regarding NO_STATE:SINGLE...

https://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002260.html

It suggests using the allow-opts primitive of pf, which can be enabled in the firewall rules edit for the respective pass rule under advanced settings (allow IP options), maybe that's it.

Options for IPv6 are kind of the default now, maybe it should set that for IPv6 automatically if that was it.

Funny thing about NPT, we inherited a patch we removed, which overrode the way pf interprets the exact line you talk about, it is originally not allowed to use "from any" in a binat rule.

It's kind of fascinating that binat rules are created in both directions:

https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc#L1709-L1710

I hope this is a bug in pf that someone was trying to get fixed this way many years ago.

Can you try the following?

Force the error on the GUI, then edit /tmp/rules.debug by deleting the line it says that's bad, and then reload the rules manually:

# pfctl -f /tmp/rules.debug

The rules will load ok then, but the point is... will NPT work as expected then? I don't see a reason that it shouldn't.


Thanks,
Franco
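As an added example of the workaround above (my own sh, not code from the thread or from the OPNsense project): it parses the alert text for the rules file and line number, writes a cleaned copy with that one line dropped, and syntax-checks the copy with pfctl -nf before anything is loaded with pfctl -f. The alert shape and the binat line are taken from the post; the three-line sample rules file and the gif0 interface name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: applies the
# workaround above in a checked way. The alert shape "<file>:<line>: syntax
# error" is taken from the post; the sample rules file is constructed here.

# Print "<file> <line>" parsed from an rc.filter_configure_sync alert.
parse_pf_alert() {
    printf '%s\n' "$1" |
        sed -n 's/.* \([^ :]*\):\([0-9][0-9]*\): syntax error.*/\1 \2/p'
}

# Copy rules file $1 to $3 with line $2 removed (the original is untouched).
strip_rule_line() {
    sed "${2}d" "$1" > "$3"
}

# Build the cleaned copy, dry-run it with pfctl -nf when pfctl is present,
# and print the path of the copy to load with pfctl -f.
clean_rules_from_alert() {
    alert=$1
    set -- $(parse_pf_alert "$alert")
    [ $# -eq 2 ] || return 1
    file=$1; line=$2; out="${file}.clean"
    strip_rule_line "$file" "$line" "$out" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out" || return 1   # syntax check only, nothing loaded
    fi
    printf '%s\n' "$out"
}

# Constructed three-line stand-in for /tmp/rules.debug (never loaded here).
write_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
pass in quick on gif0 inet6 from any to any keep state allow-opts
binat on gif0 from any to prenatprefix::/64 -> postnatprefix::/64
pass out quick on gif0 inet6 from any to any keep state
EOF
    printf '%s\n' "$f"
}

main() {
    f=$(write_sample_rules) || exit 1
    alert="rc.filter_configure_sync: There were error(s) loading the rules: $f:2: syntax error - The line in question reads [2]: binat on gif0 from any"
    out=$(clean_rules_from_alert "$alert") || exit 1
    echo "cleaned copy: $out"; cat "$out"
}
main
```

Working on a copy rather than on /tmp/rules.debug itself keeps the file the next filter reload will regenerate untouched, and the -n dry run catches any further parse error before the live ruleset is replaced.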
Title: Re: Hurricane Electric and policy routing
Post by: franco on May 21, 2016, 09:25:43 pm
Historic commits... Unfortunately they explain the issue very little and were never pushed to FreeBSD...

https://github.com/pfsense/pfsense/commit/462f90060753
https://github.com/fichtner/pfsense-tools/commit/a315433389ca
Title: Re: Hurricane Electric and policy routing
Post by: marcel on May 22, 2016, 10:51:10 pm
Quote from: franco on May 21, 2016, 09:11:11 pm
Hi Marcel,

I found this regarding NO_STATE:SINGLE...

https://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002260.html

It doesn't seem to be related to IP options. The firewall lets the outgoing traffic through the gif0 interface, but doesn't allow the replies back in. I also tried it now with this setting, but it doesn't change the behavior.

Is there some kind of antispoofing or uRPF check?

Regarding NPT, I think I first need to be able to send and receive traffic with an assigned interface and policy routing before I add NPT as an additional complexity.