OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: Space on September 12, 2016, 08:56:59 pm
-
Hi Everyone,
I have set up my first real firewall with OPNsense 16.7 and almost everything is working fine except the connection to *some* IPv6 hosts. I have done the following steps:
- FritzBox: enabled "DNS-Server und IPv6-Präfix (IA_PD) zuweisen" (assign DNS server + IPv6 prefix) + OPNsense configured as "exposed host" inside the FritzBox
- OPNsense: DHCPv6 enabled on WAN + Request only an IPv6 prefix, Directly send SOLICIT, DHCPv6 Prefix Delegation size: 62, Send IPv6 prefix hint; on LAN I am running with Track Interface + IPv6 Interface: WAN and IPv6 Prefix ID 3
Situation is like this:
- from a tablet connected to FritzBox WLAN I can access the external IPv6 address (provided by Cable provider) without problem --> ssh + https connection (on high port) possible
- from OPNsense itself both ping and test port (same high port) are successful
- from linux system (on LAN) ping and telnet to that port are possible, but browser times out. I only see "Connected" and that's it ...
Does anyone have an idea what might cause this? When I connect the Linux box to FritzBox https connection is working immediately.
Thank you for any hints ... if you need further info just let me know!
Best regards,
Jogi
-
Maybe your pass rule is IPv4 only.
-
Hi fabian,
No, the default pass rules for LAN are available both for IPv4 and IPv6. What is also strange is that e.g. https://ipv6.google.com works just fine. There are no entries in the FW log and no entries in the IDS alerts.
How can I trace this down?
Thanks for your help!
Best regards,
Space
-
I think the packet capture is the most helpful page here...
-
Hi,
it looks like this:
No. Time Source Destination Protocol Length Info
1 0 opnsense fritzbox TCP 94 47942 > 49214 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=265396100 TSecr=0 WS=128
2 60522 fritzbox opnsense TCP 94 49214 > 47942 [SYN, ACK] Seq=0 Ack=1 Win=14280 Len=0 MSS=1440 SACK_PERM=1 TSval=26226420 TSecr=265396100 WS=16
3 60662 opnsense fritzbox TCP 86 47942 > 49214 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=265396118 TSecr=26226420
4 60989 opnsense fritzbox TCP 298 47942 > 49214 [PSH, ACK] Seq=1 Ack=1 Win=28800 Len=212 TSval=265396118 TSecr=26226420
5 100945 fritzbox opnsense TCP 86 49214 > 47942 [ACK] Seq=1 Ack=213 Win=15360 Len=0 TSval=26226426 TSecr=265396118
6 364398 fritzbox opnsense TCP 97 [TCP Previous segment not captured] 49214 > 47942 [PSH, ACK] Seq=1409 Ack=213 Win=15360 Len=11 TSval=26226451 TSecr=265396118
7 364582 opnsense fritzbox TCP 98 [TCP Window Update] 47942 > 49214 [ACK] Seq=213 Ack=1 Win=29952 Len=0 TSval=265396209 TSecr=26226426 SLE=1409 SRE=1420
8 10362150 opnsense fritzbox TCP 98 [TCP Keep-Alive] 47942 > 49214 [ACK] Seq=212 Ack=1 Win=29952 Len=0 TSval=265399209 TSecr=26226426 SLE=1409 SRE=1420
9 10406805 fritzbox opnsense TCP 86 [TCP Keep-Alive ACK] 49214 > 47942 [ACK] Seq=1420 Ack=213 Win=15360 Len=0 TSval=26227456 TSecr=265396209
The connection is setup but then nothing happens...
Best regards,
Space
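The capture above is the kind of summary tshark prints, and the interesting part is the "[TCP Previous segment not captured]" annotation on frame 6: the FritzBox side jumps from relative Seq=1 to Seq=1409, so 1408 bytes that the server sent never arrived at the OPNsense side, while the small segments in both directions get through fine. A gap of roughly one full-size segment while small segments pass is the standard thing to look for when diagnosing path MTU / blackhole problems, which matter for IPv6 in particular because routers never fragment. The following script is an added example (it is not code from the thread or from OPNsense): it parses tshark-style summary lines, tracks the next expected relative sequence number per direction, and reports every gap together with the MSS each side announced in its SYN, so the operator can see whether the missing bytes would fit in one full-size segment. The sample input is the thread's capture re-typed as a constant; the host names and the line layout are assumed to match the thread's table.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the tshark summary lines from the thread,
# re-typed here so the script runs offline.
CAPTURE = """\
1 0 opnsense fritzbox TCP 94 47942 > 49214 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=265396100 TSecr=0 WS=128
2 60522 fritzbox opnsense TCP 94 49214 > 47942 [SYN, ACK] Seq=0 Ack=1 Win=14280 Len=0 MSS=1440 SACK_PERM=1 TSval=26226420 TSecr=265396100 WS=16
3 60662 opnsense fritzbox TCP 86 47942 > 49214 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=265396118 TSecr=26226420
4 60989 opnsense fritzbox TCP 298 47942 > 49214 [PSH, ACK] Seq=1 Ack=1 Win=28800 Len=212 TSval=265396118 TSecr=26226420
5 100945 fritzbox opnsense TCP 86 49214 > 47942 [ACK] Seq=1 Ack=213 Win=15360 Len=0 TSval=26226426 TSecr=265396118
6 364398 fritzbox opnsense TCP 97 [TCP Previous segment not captured] 49214 > 47942 [PSH, ACK] Seq=1409 Ack=213 Win=15360 Len=11 TSval=26226451 TSecr=265396118
7 364582 opnsense fritzbox TCP 98 [TCP Window Update] 47942 > 49214 [ACK] Seq=213 Ack=1 Win=29952 Len=0 TSval=265396209 TSecr=26226426 SLE=1409 SRE=1420
8 10362150 opnsense fritzbox TCP 98 [TCP Keep-Alive] 47942 > 49214 [ACK] Seq=212 Ack=1 Win=29952 Len=0 TSval=265399209 TSecr=26226426 SLE=1409 SRE=1420
9 10406805 fritzbox opnsense TCP 86 [TCP Keep-Alive ACK] 49214 > 47942 [ACK] Seq=1420 Ack=213 Win=15360 Len=0 TSval=26227456 TSecr=265396209
"""

# Column layout of a tshark summary line: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
# The TCP part of the Info column; tshark's own annotations such as
# "[TCP Previous segment not captured]" may precede it, so we search rather than match.
INFO_RE = re.compile(
    r"(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]*)\] Seq=(?P<seq>\d+)(?: Ack=\d+)? Win=\d+ Len=(?P<len>\d+)"
)
MSS_RE = re.compile(r"MSS=(\d+)")

Direction = Tuple[str, str]  # (source host, destination host)


@dataclass
class Segment:
    no: int
    src: str
    dst: str
    flags: Set[str]
    seq: int          # relative sequence number as tshark prints it
    length: int       # payload bytes
    mss: Optional[int] = None  # only present on SYN segments


@dataclass
class Gap:
    no: int               # frame in which the gap became visible
    direction: Direction
    start: int            # first missing relative sequence number
    end: int              # first sequence number seen after the gap
    missing: int = field(init=False)

    def __post_init__(self) -> None:
        self.missing = self.end - self.start


def parse_capture(text: str) -> List[Segment]:
    """Turn tshark summary lines into Segment records; unparseable lines are skipped."""
    segments: List[Segment] = []
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        info = INFO_RE.search(line["info"])
        if not info:
            continue
        mss = MSS_RE.search(line["info"])
        segments.append(Segment(
            no=int(line["no"]), src=line["src"], dst=line["dst"],
            flags={f.strip() for f in info["flags"].split(",")},
            seq=int(info["seq"]), length=int(info["len"]),
            mss=int(mss.group(1)) if mss else None,
        ))
    return segments


def announced_mss(segments: List[Segment]) -> Dict[Direction, int]:
    """MSS option each side sent in its SYN, keyed by the direction it was sent in."""
    return {(s.src, s.dst): s.mss for s in segments if "SYN" in s.flags and s.mss is not None}


def find_sequence_gaps(segments: List[Segment]) -> List[Gap]:
    """Report every point where a direction's sequence number jumps past what was seen.

    SYN and FIN each consume one sequence number. Segments whose Seq is below the
    expected value (retransmissions, keep-alive probes) are not gaps and are ignored.
    """
    expected: Dict[Direction, int] = {}
    gaps: List[Gap] = []
    for s in segments:
        d = (s.src, s.dst)
        consumed = s.length + ("SYN" in s.flags) + ("FIN" in s.flags)
        if d not in expected:
            expected[d] = s.seq + consumed
            continue
        if s.seq > expected[d]:
            gaps.append(Gap(no=s.no, direction=d, start=expected[d], end=s.seq))
        expected[d] = max(expected[d], s.seq + consumed)
    return gaps


def describe(segments: List[Segment]) -> List[str]:
    """Human-readable findings: each gap, and whether it fits in one MSS-sized segment."""
    mss = announced_mss(segments)
    lines = []
    for g in find_sequence_gaps(segments):
        peer_mss = mss.get(g.direction)
        fits = peer_mss is not None and g.missing <= peer_mss
        lines.append(
            f"frame {g.no}: {g.direction[0]} -> {g.direction[1]} missing bytes "
            f"{g.start}..{g.end - 1} ({g.missing} bytes); "
            + (f"fits in one segment of MSS {peer_mss}: large segments may be dropped on the path"
               if fits else "larger than one MSS: more than one segment was lost")
        )
    return lines or ["no sequence gaps found"]


if __name__ == "__main__":
    for finding in describe(parse_capture(CAPTURE)):
        print(finding)
```

Run against the thread's capture the script reports a single gap of 1408 bytes in the fritzbox -> opnsense direction, which is no larger than the 1440-byte MSS both sides advertised; that is consistent with a single large segment being lost while every smaller one gets through, which is what a path MTU check (for example lowering the MSS clamp on the WAN interface or pinging the host with large, do-not-fragment packets) would confirm or rule out.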
-
Hi,
OK, I am confused now ... I have run a trace on the FritzBox (my internet GW) and I do not see *any* traffic of this connection in the packet trace ... could this issue be caused by some 6to4 tunnel that is used by my provider? Do I have to configure OPNsense differently then?
Thanks,
Space
-
If your ISP doesn't provide native IPv6, it may be worthwhile trying a tunnel directly from OPNsense: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html
Bart...
-
Hi,
I took the simple road ... since this was the only host (so far) that is not reachable from the backend systems directly via https (maybe because of the high port + https combination) I just use the proxy of OPNsense to access it ... works fine ... Case closed :)
Best regards,
Space