Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - bluknight

Pages1
#1
20.1 Legacy Series / Re: Gateway Policy being ignored for IPv6 route
March 23, 2020, 01:49:13 PM
Quote from: mimugmail on March 23, 2020, 07:39:40 AM
Firewall : Settings : Advanced .. can you try disabling shared forwaring?

That nailed it -- traffic outbound is working.  Re-enabling broke it, so that validated the fix.  Thank you for the help!

Now...  can you help me understand why that fixed it?
#2
20.1 Legacy Series / Gateway Policy being ignored for IPv6 route
March 22, 2020, 10:57:25 PM
So I have 2 IPv6 uplinks - aaaa:bbbb:cccc:dddd::/60 from my ISP, and eeee:ffff:gggg::/48 from TunnelBroker.  The /48 feeds my lab, and other services I run from my house that I don't want my ISP to twiddle with.  I'm trying to do a software update on a server within the /48 (no, not the firewall), pulling from repositories at wwww:xxxx::yyyy:zzzz.

I've run into a problem where if I'm connecting outbound from a server in the /48, the traffic goes out my ISP uplink (let's say qqqq:rrrr:ssss:tttt::1) instead of across the tunnel (a gateway of hhhh:iiii:jjjj:kkkk::1).

I've put (sanitized) outputs from my filter.log below, plus the corresponding rules from pfctl -vvsr.  I'm new to pf and OpnSense (I'm more of a Linux iptables/netfilter guy) but I've gotta learn sometime, and I can only assume I'm doing something monumentally stupid.

Help a fellow hacker who's down on his luck?

Code Select

Mar 22 21:16:26 OPNsense filterlog: 159,,,0,re0_vlan3000,match,pass,in,6,0x00,0xc1f1e,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34912,80,0,S,3326026852,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:16:26 OPNsense filterlog: 130,,,0,gif0,match,pass,out,6,0x00,0xc1f1e,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34912,80,0,S,3326026852,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:20:26 OPNsense filterlog: 159,,,0,re0_vlan3000,match,pass,in,6,0x00,0xcf121,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34948,80,0,S,1374304364,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:20:26 OPNsense filterlog: 130,,,0,gif0,match,pass,out,6,0x00,0xcf121,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34948,80,0,S,1374304364,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:22:58 OPNsense filterlog: 159,,,0,re0_vlan3000,match,pass,in,6,0x00,0xfaa0c,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34976,80,0,S,2639873281,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:22:58 OPNsense filterlog: 130,,,0,gif0,match,pass,out,6,0x00,0xfaa0c,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34976,80,0,S,2639873281,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:22:58 OPNsense filterlog: 159,,,0,re0_vlan3000,match,pass,in,6,0x00,0x3f3c9,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34978,80,0,S,1042769232,,28800,,mss;sackOK;TS;nop;wscale
Mar 22 21:22:58 OPNsense filterlog: 130,,,0,gif0,match,pass,out,6,0x00,0x3f3c9,64,tcp,6,40,eeee:ffff:gggg:0:20c:29ff:fee2:f444,wwww:xxxx::yyyy:zzzz,34978,80,0,S,1042769232,,28800,,mss;sackOK;TS;nop;wscale


Code Select

@130 pass out log all flags S/SA keep state allow-opts label "a5a4a52cb247a9d532d9e49588136184"

@159 pass in log quick on re0_vlan3000 route-to (gif0 hhhh:iiii:jjjj:kkkk::1) inet6 from eeee:ffff:gggg::/64 to ! aaaa:bbbb:cccc:dddd::/60 flags S/SA keep state label "e4344ac62537cc4ca99bf17147e9ce69"
Pages1