Messages

1

23.7 Legacy Series / IPv6 breaks under Traffic Shaping congestion

« on: March 24, 2024, 08:15:44 pm »

Versions    OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

I have recently experienced DNS failures when the WAN is congested outbound. There does not seem to be any issue with Unbound DNS, however, my DNS forwarders are IPv6.

Problem Summary:

• Traffic shaping is configured - rule traffic match summary - Source/destination: ANY (mostly), Interface: WAN, Direction: In|Out, Destination/source port: (as required)
• WAN is congested outbound (inbound congestion unconfirmed)
• IPv6 traffic gets dropped: ICMP6 echo (ping), Unbound DNS IPv6 query forwarder (possibly other IPv6 traffic)
• disabling traffic shaping - resolves
• setting the Pipe bandwidth higher than the WAN link - resolves
• It only seems to be a problem when the traffic shaper pipe is engaged/congested

Solution/workaround:

• Review the following Topic and associated reference sites: Topic: [SOLVED] Firewall Shaper causes IPv6 address loss on WAN: https://forum.opnsense.org/index.php?topic=27247.msg132747#msg132747
• replacing the source ANY with IP and subnets for the LAN and firewall interfaces on outbound rules - FIXED the issue
• Included IP and subnets: Internal IPv4 private RFC 1918 subnets, Internal IPv6 subnet allocation, Firewall WAN public IPv4 and IPv6 addresses
• Solution challenge: with the exception of the RFC 1918 addresses, the others are dynamically allocated by the ISP. I have paid for reserved IP addressing, so mine will not change. Others with a truly dynamic service where their IP addresses change regularly will have problems with this workaround, until the OPNsense UI allows the use of aliases in Traffic Shaping rules.

Many thanks to fbantgat7 for the helpful post