24.7 Production Series / [SOLVED] All IPv6 traffic "Default deny / state violation rule"
« on: November 19, 2024, 12:34:11 am »
I am new to OPNSense and I'm encountering a problem with IPv6. I have found a few different threads and a GitHub issue describing the problem, but no resolution. I am using OPNSense 24.7.
The problem is that IPv6 traffic that originates on the LAN interface gets blocked by the default rule "Default deny / state violation rule" and does not traverse to the WAN interface. IPv6 traffic that originates on the WAN interface - for example, a ping test - works fine. These circumstances are consistent while watching the Live View of the Firewall logs.
I have made no changes to the default rules in any way. The system is configured to use 172.16.1.0/24 as its IP scheme, and I am using a local DNS on 172.16.1.5 (a Pi-hole).
IPv4 traffic works fine. IPv6 traffic works fine locally, i.e. over my (very simple) LAN. IPv6 is "Allowed" in the OPNSense settings - if I uncheck that box, the logs change to reflect this.
I found this GitHub issue: https://github.com/opnsense/core/issues/6435 which describes my problem. But there does not appear to be a resolution. Based on this issue I tried using OPNSense 22.7 to see if that would make a difference; it did not.
It feels as though there's some kind of change to the order of the rules I need to make, but I am at the edge of my knowledge with regards to this issue, and I am concerned that one bad choice will open my firewall to the outside world.
I apologize for my ignorance, and hope that someone is able to shed some light on this subject. If you would like additional diagnostic information, please let me know.
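The symptom above (IPv6 from the LAN hitting a block rule while IPv6 arriving on the WAN passes) is easiest to pin down from the raw filterlog records behind the Live View rather than from the GUI alone. The script below is an added example, not code from the original post or from OPNsense itself: it parses the comma-separated pf filterlog record format used by OPNsense/pfSense (common fields, then the IPv6- or IPv4-specific fields) and groups blocked IPv6 flows by interface and direction so LAN-originated blocks stand out. The log lines, rule numbers, rule ids and the interface names igc0 (assumed WAN) and igc1 (assumed LAN) are all constructed for the example; the rule label itself ("Default deny / state violation rule") is not in the record, the GUI resolves it from the rule number/id, so the script only reports which rule number and id did the blocking.

```python
"""Triage pf filterlog records for IPv6 traffic blocked on the LAN side.

Added example (not OPNsense tooling). Record layout follows the filterlog
format: a common prefix, then IPv4- or IPv6-specific fields, then
protocol-specific fields that this script keeps as a raw tail.
"""
from collections import Counter

COMMON = ["rulenr", "subrulenr", "anchor", "rid", "interface",
          "reason", "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum",
        "protoname", "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hlim", "protoname", "protonum",
        "length", "src", "dst"]

# Constructed sample records (not real captures). igc1 is assumed to be the
# LAN interface, igc0 the WAN interface; addresses are documentation ranges.
SAMPLE_LINES = [
    # LAN host opening a TCP/443 session to an outside IPv6 host: blocked.
    "7,,,1f0e2a3b4c5d6e7f8a9b0c1d2e3f4a5b,igc1,match,block,in,6,0x00,"
    "0x00000,64,tcp,6,40,2001:db8:1::10,2001:db8:ffff::1,54321,443,0,S,"
    "1234567890,,65535,,mss",
    # Same LAN host pinging outside over IPv6: blocked by the same rule.
    "7,,,1f0e2a3b4c5d6e7f8a9b0c1d2e3f4a5b,igc1,match,block,in,6,0x00,"
    "0x00000,64,ipv6-icmp,58,64,2001:db8:1::10,2001:db8:ffff::1,request,0",
    # IPv4 from the same LAN to the outside: passed by a LAN allow rule.
    "12,,,9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d,igc1,match,pass,in,4,0x00,,64,"
    "12345,0,DF,6,tcp,60,172.16.1.20,203.0.113.5,50000,443,0,S,1,,65535,,mss",
    # Inbound IPv6 echo request arriving on the WAN: passed.
    "15,,,3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f,igc0,match,pass,in,6,0x00,"
    "0x00000,64,ipv6-icmp,58,64,2001:db8:ffff::1,2001:db8:1::10,request,0",
]


def parse_filterlog(line):
    """Split one filterlog record into a dict; unknown tail kept under 'extra'."""
    fields = line.strip().split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = IPV6 if rec.get("ipversion") == "6" else IPV4
    rec.update(zip(layout, rest[:len(layout)]))
    rec["extra"] = rest[len(layout):]
    return rec


def blocked_ipv6(lines):
    """Return parsed records for IPv6 packets that pf blocked."""
    recs = (parse_filterlog(l) for l in lines if l.strip())
    return [r for r in recs if r["ipversion"] == "6" and r["action"] == "block"]


def summarize(records):
    """Count blocked flows by (interface, direction, rule number, rule id)."""
    return Counter((r["interface"], r["dir"], r["rulenr"], r["rid"])
                   for r in records)


def lan_originated_blocks(records, lan_interfaces):
    """Blocked packets seen inbound on a LAN interface, i.e. LAN-originated."""
    return [r for r in records
            if r["interface"] in lan_interfaces and r["dir"] == "in"]


if __name__ == "__main__":
    blocked = blocked_ipv6(SAMPLE_LINES)
    for key, n in summarize(blocked).items():
        iface, direction, rulenr, rid = key
        print(f"{iface} {direction}: {n} blocked IPv6 packet(s) "
              f"by rule {rulenr} (rid {rid})")
    for r in lan_originated_blocks(blocked, {"igc1"}):
        print(f"  LAN-originated block: {r['protoname']} "
              f"{r['src']} -> {r['dst']}")
```

On a real box the input would be the filterlog records from `clog` / the log viewer rather than the constructed list; if every LAN-originated IPv6 block shows the same rule number and rule id while the IPv4 lines on the same interface pass, that rule id is what to look up in the Live View, and the question becomes why the LAN's IPv6 allow rule is not matching before it.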

