Messages - marcel

#16
Hi

I wanted to use a Hurricane Electric IPv6 tunnel for a separate interface. I followed the steps from here https://forum.opnsense.org/index.php?topic=1992.0, but didn't choose the gif interface as default gateway because I already have an IPv6 default gateway.
In the ruleset for the separate interface I chose the GIF interface as gateway for the allow rules.

With tcpdump I can now see the traffic going through the GIF interface and replying traffic comes back. But the replying traffic gets blocked on the gif interface. In pfstate I can see NO_TRAFFIC:SINGLE as state. It seems that the firewall can't find the already opened stateful connection for the traffic.

Is there a fix for this?

Regards
Marcel

Btw. NPT doesn't work. It just shows this error.
/usr/local/etc/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:60: syntax error - The line in question reads [60]: binat on $HENETV6 from any to prenatprefix::/64 -> postnatprefix::/64
#17
Hi Franco

Thank you for fixing the route issue, I will test it as soon as the new release gets released.
If you need more details about my configuration / set-up I can send it to you. I could also try to replicate the issue with VMs (one as DHCPv6 and one as OPNsense).

Thank you again
Marcel
#18
Hi Franco

Thank you for the syshook fix. I also used the fix for the null-route issue.
Now null traffic loops on the system itself, but at least not to the ISP. It looks like this old FreeBSD bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=139145

Also I tried to understand how static routes are added, it seems that they are created with system_staticroutes_configure (which is called after pressing the apply button in system_routes.php, which calls system_routes_configure which calls system_staticroutes_configure).

I added logging code to mwexec to see if route add actually gets executed, it doesn't. Only the deletion works.
Quote
May  1 18:30:09 xxx opnsense: /system_routes.php: The command '/sbin/route delete -inet6 '2001:1111:1111::/64'' returned exit code '1', the output was 'route: writing to routing socket: No such process delete net 2001:1111:1111::/64 fib 0: not in table'
This command gets executed before pressing the apply button, this seems like a bug too.

Do you know how to debug the php-function properly? I saw xdebug, but maybe there is a better way.

Regards,
Marcel
#19
Hi Franco

Unfortunately no. I still have to enter /var/etc/rtsold_interface_vlan_script.sh after every reboot. Currently I'm on 16.1.12.
The null route still doesn't get applied.

Maybe the thread should be moved to the 16.1 subforum.
#20
Hi Franco

Quote from: franco on January 10, 2016, 07:51:15 PM
[...]https://github.com/opnsense/core/issues/637[...]

I saw that the issue about DHCPv6-PD is now closed on GitHub. Does this mean it won't be fixed?

Thanks,
Marcel
#21
Hi Franco

Thank you for creating the bug requests, I wasn't sure if I should open them directly or ask the forum first.

Regarding the null route issue, I found out that after applying the route it won't get applied to the system at all.
1. route -n monitor
2. reconfigure IPv6 null routes, apply.
Only IPv4 route changes are visible.
Manually setting the route with route add -inet6 -net 2001:1111:1111::/48 -iface lo0 -blackhole works, it will also show in netstat -nr
It now seems that OPNsense has a loop in itself. Why do I see the second reply? It should have already been dropped.
C:\>tracert -d 2001:1111:1111::1

Tracing route to 2001:1111:1111::1 over a maximum of 30 hops

  1     2 ms     1 ms     3 ms  xxx::1
  2     1 ms     3 ms     1 ms  xxx::1
  3     2 ms     8 ms     3 ms  xxx::1
[...]
#22
16.1 Legacy Series / IPv6 issues (DHCP-PD, Null-Route)
January 02, 2016, 09:23:31 PM
Hi

I have the following issues with the IPv6 implementation in OPNsense (15.7.23-amd64):

DHCPv6
After a reboot it doesn't ask the provider's DHCPv6 server for a prefix delegation, therefore my provider (Init7) doesn't route my static IPv6 /48 range to my box. Manually invoking /var/etc/rtsold_[...].sh fixes this until next reboot.
The issue https://github.com/opnsense/core/issues/47 and post https://forum.opnsense.org/index.php?topic=1533.0 seem related.

Null-Route
Because I have a /48 range and don't use every possible /64 subnet from it, there is a routing loop between my box and the ISP.
I can create a null route for my IPv6 /48 subnet, but it doesn't get applied.
How to reproduce:

  • System/Routes/All: Create a route for 2001:1111:1111::/48 to Null6 - ::1
  • Check System/Routes/Status - no route for 2001:1111:1111::/48 is visible there
Also a traceroute to this destination shows that the default route will be used. In the routing log only this message is visible:
Quote
radvd[73122]: sendmsg: Permission denied

In my opinion OPNsense should automatically create a null-route for a received PD with a subnet with less than 64 bits, or at least provide an option for this.
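
Added example, not part of the original post and not OPNsense code: a longest-prefix-match model of the routing loop described in the Null-Route section above, showing which /64s of the delegated /48 are sent back to the ISP with and without a blackhole route. The prefix 2001:1111:1111::/48 is the one from the post; the in-use /64, the next-hop labels and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the delegated /48 from the post plus one /64
# assumed to be in use on a LAN interface. Next-hop labels are illustrative.
DELEGATED = ipaddress.ip_network("2001:1111:1111::/48")
BASE_ROUTES = [
    (ipaddress.ip_network("::/0"), "isp"),                   # default route
    (ipaddress.ip_network("2001:1111:1111:1::/64"), "lan"),  # connected subnet
]
# Models: route add -inet6 -net 2001:1111:1111::/48 -iface lo0 -blackhole
NULL_ROUTE = (DELEGATED, "blackhole")


def lookup(routes, dst):
    """Return the next hop chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in routes if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0])[1]


def loops_to_isp(routes, dst):
    """True if dst lies inside the delegated prefix but follows the default
    route: the ISP routes the whole /48 back here, so the packet bounces
    between both routers until its hop limit expires."""
    addr = ipaddress.ip_address(dst)
    return addr in DELEGATED and lookup(routes, dst) == "isp"


def unprotected_subnets(routes, subnet_ids):
    """Return the /64s (by subnet id within the /48) that would loop."""
    base = int(DELEGATED.network_address)
    looping = []
    for sid in subnet_ids:
        net = ipaddress.IPv6Network((base + (sid << 64), 64))
        if loops_to_isp(routes, str(net.network_address + 1)):
            looping.append(str(net))
    return looping


if __name__ == "__main__":
    print("without null route:", unprotected_subnets(BASE_ROUTES, range(4)))
    print("with null route:   ", unprotected_subnets(BASE_ROUTES + [NULL_ROUTE], range(4)))
```
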