1
21.7 Legacy Series / Re: Problems with IPv6 and Firewall rules (deny all)?
« on: September 05, 2021, 11:40:55 am »
Attached, you'll find the floating rules (standard).
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
21.7 Legacy Series / Re: Problems with IPv6 and Firewall rules (deny all)?
« on: September 05, 2021, 11:39:55 am »
I can only connect via IPv6 from my client, if I add two rules to OPNsense, see firewall-rules-lan.JPG:
LAN: Allow all IPv6 IPV6-ICMP incoming, Allow IPv6 TCP/UDP incoming
Why?
LAN: Allow all IPv6 IPV6-ICMP incoming, Allow IPv6 TCP/UDP incoming
Why?
3
21.7 Legacy Series / Problems with IPv6 and Firewall rules (deny all)?
« on: September 04, 2021, 11:53:37 pm »
Dear reader,
I don't get my head around this problem
:
My network setup (simplified):
WWW -> FritzBox 7490 -> OPNsense Firewall -> FritzBox 4040 (one of two routers, the other router is for a different network) -> my client
My OPNsense version:
21.7.1
I want to use IPv6 on the client. The following IP adresses are anonymized.
WWW (Deutsche Telekom AG, prefix: /56) -> FritzBox 7490
- delegated prefix: 2003:AABB:CCDD:4300::/56
- IP V6 adress: 2003:AABB:CCEE:FFFF:GGGG:HHHH:IIII:JJJJ
(connectivity fine -> check)
-> OPNsense Firewall
Configuration:
Interface WAN:
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration:
- Request only an IPv6 prefix checked
- Prefix deletation size: 57 (maximum possible)
- Send IPv6 prefix
Overview:
- delgated prefix: 2003:AABB:CCDD:4380::/57
- IPv6 address: 2003:AABB:CCDD:4300::GGGG:HHHH:IIII:JJJJ
(connectivity (trace route) fine -> check)
-> FritzBox 4040
- delgated prefix: 2003:AABB:CCDD:4364::/62
- IPv6 address: 2003:AABB:CCDD:4380::GGGG:HHHH:IIII:9023
(connectivity fine -> check)
-> my client
- IPv6 address: 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD
So from that point of view, every device has an IPv6 address assigned.
But a tracert from my client does not work:
tracert -6 heise.de Routenverfolgung zu heise.de [2a02:2e0:3fe:1001:302::] über maximal 30 Hops: 1 2 ms 3 ms 2 ms fritz.box [2003:AABB:CCDD:4380::GGGG:HHHH:IIII:901f] (this seems to be the 4040, despite beeing not the same address as shown in the admin panel of the FritzBox 4040)
2 * * * Zeitüberschreitung der Anforderung.
...
So interestingly, the FritzBox 4040 has a slightly different address in the tracert, but the device seems plausible.
In the firewall logs (Live View) from the OPNsense, I find:
lan Sep 4 23:47:00 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD (my client) 2a02:2e0:3fe:1001:302:: ipv6-icmp Default deny rule
So, a big part of my IPv6 traffic seams to be blocked by the default rule.
By the way, I did not change the firewall rules (all default or autogenerated).
At the same time my internet connectivity works with IPv4.
I don't understand why this legitimate traffic from my client is blocked.
Can you help me?
I don't get my head around this problem
:My network setup (simplified):
WWW -> FritzBox 7490 -> OPNsense Firewall -> FritzBox 4040 (one of two routers, the other router is for a different network) -> my client
My OPNsense version:
21.7.1
I want to use IPv6 on the client. The following IP adresses are anonymized.
WWW (Deutsche Telekom AG, prefix: /56) -> FritzBox 7490
- delegated prefix: 2003:AABB:CCDD:4300::/56
- IP V6 adress: 2003:AABB:CCEE:FFFF:GGGG:HHHH:IIII:JJJJ
(connectivity fine -> check)
-> OPNsense Firewall
Configuration:
Interface WAN:
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration:
- Request only an IPv6 prefix checked
- Prefix deletation size: 57 (maximum possible)
- Send IPv6 prefix
Overview:
- delgated prefix: 2003:AABB:CCDD:4380::/57
- IPv6 address: 2003:AABB:CCDD:4300::GGGG:HHHH:IIII:JJJJ
(connectivity (trace route) fine -> check)
-> FritzBox 4040
- delgated prefix: 2003:AABB:CCDD:4364::/62
- IPv6 address: 2003:AABB:CCDD:4380::GGGG:HHHH:IIII:9023
(connectivity fine -> check)
-> my client
- IPv6 address: 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD
So from that point of view, every device has an IPv6 address assigned.
But a tracert from my client does not work:
tracert -6 heise.de Routenverfolgung zu heise.de [2a02:2e0:3fe:1001:302::] über maximal 30 Hops: 1 2 ms 3 ms 2 ms fritz.box [2003:AABB:CCDD:4380::GGGG:HHHH:IIII:901f] (this seems to be the 4040, despite beeing not the same address as shown in the admin panel of the FritzBox 4040)
2 * * * Zeitüberschreitung der Anforderung.
...
So interestingly, the FritzBox 4040 has a slightly different address in the tracert, but the device seems plausible.
In the firewall logs (Live View) from the OPNsense, I find:
lan Sep 4 23:47:00 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD (my client) 2a02:2e0:3fe:1001:302:: ipv6-icmp Default deny rule
So, a big part of my IPv6 traffic seams to be blocked by the default rule.
By the way, I did not change the firewall rules (all default or autogenerated).
At the same time my internet connectivity works with IPv4.
I don't understand why this legitimate traffic from my client is blocked.
Can you help me?
4
Intrusion Detection and Prevention / Re: IPS not working: Enable Drop Filter not visible
« on: April 11, 2021, 04:51:34 pm »
I am a newbie to OPNsense, too.
I can tell you that you get the eicar test done with a proxy and the antivirus plugin:
https://docs.opnsense.org/manual/how-tos/proxytransparent.html
https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html
https://docs.opnsense.org/manual/how-tos/clamav.html?highlight=clamav
I can tell you that you get the eicar test done with a proxy and the antivirus plugin:
https://docs.opnsense.org/manual/how-tos/proxytransparent.html
https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html
https://docs.opnsense.org/manual/how-tos/clamav.html?highlight=clamav
Pages: [1]