24.1 Legacy Series / Multi-WAN - IPv6 - IPv6 LoadBalanced Gateway Groups
« on: March 09, 2024, 08:20:27 pm »
Hi OPNsense team.
I'm running into strange behaviour with IPv6 Gateway Groups in Firewall rules.
I have a Multi-WAN setup with IPv6.
Both WANs work great in terms of IPv6 individually (e.g. set the specific IPv6 gateway in a rule that negates our own prefix) -> thus, when something does not belong to our own "ipv6 networks", we route it out a specific IPv6 WAN interface.
This works amazingly well, ... provided I don't use a Gateway group.
The moment I start using gateway groups (and monitoring for both links is working fine!) - at random, OPNsense starts replying "Destination Unreachable" for any IPv6 traffic. (see opnsense00.png / opnsense01.png).
wide image below - open it in a new tab to see details:
If I then replace the GWgroupIPv6 with *any* of the two gateways directly, apply the rule, and clear the firewall states, things work again immediately. (see opnsense02.png)
So something very strange seems to be up with the way this GatewayGroup on IPv6 is being handled. I realize this might not even be OPNsense, but BSD itself, but maybe someone has run into the same issue?