The act of toggling "Disable Ingress filtering" in GIF makes DS-Lite work

Started by Vacyyyy, September 10, 2023, 09:29:46 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
September 12, 2023, 09:17:39 PM #15
Maybe it was a bugfix for an actual issue someone had with GIF and multi WAN back then? And GRE being potentially affected, too, simply wasn't considered? Just a guess.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
September 13, 2023, 11:07:38 AM #16
There was no mention of a ticket or user-based reason in the original commit. It was never spoken of again, only refactored like 100 times. :)


Cheers,
Franco
September 14, 2023, 03:00:19 AM #17 Last Edit: September 14, 2023, 03:07:10 AM by Maurice
Update after further testing:
This works fine if the WAN IPv6 configuration type is DHCPv6 and the WAN address gets assigned via DHCPv6.
It also works if the WAN IPv6 configuration type is SLAAC and the WAN address gets autoconfigured.

But it doesn't work if the WAN IPv6 configuration type is DHCPv6, but the WAN address gets autoconfigured ("Request only an IPv6 prefix" is enabled). In this case, the gif interface gets configured with the WAN's link-local address instead of the autoconfigured GUA, which obviously doesn't work:

Code Select
# ifconfig hn1
hn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN_DHCPv6 (wan)
        options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 00:15:5d:d2:76:1c
        inet6 fe80::215:5dff:fed2:761c%hn1 prefixlen 64 scopeid 0x6
        inet6 2a02:8071:3123:4567:215:5dff:fed2:761c prefixlen 64 autoconf
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        description: WAN_4in6 (opt1)
        options=80000<LINKSTATE>
        tunnel inet6 fe80::215:5dff:fed2:761c%hn1 --> 2a02:8071:2000::4002
        inet 192.0.0.2 --> 192.0.0.1 netmask 0xfffffff8
        groups: gif
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

This can not be fixed by saving the gif settings again, so it doesn't seem to be a timing issue. I also noticed that for such a "Request only an IPv6 prefix"-type WAN interface, the interfaces widget shows the link-local address instead of the autoconfigured GUA. This might have the same root cause.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
September 14, 2023, 09:08:58 AM #18
Looks easy enough... still had a TODO there ;)

https://github.com/opnsense/core/commit/1a5b2ddffd1

Does link local even make sense for outer addresses?

I don't think it was supported correctly before. Maybe be could tighten the validation and remove half of the code in that commit. Resulting configuration:

Code Select
/sbin/ifconfig gif0 inet6 tunnel fe80::f690:eaff:fe00:2d9c%igb1 fe80::1:2%igb1


Cheers,
Franco
September 15, 2023, 06:32:00 PM #19
Thanks Franco, this does indeed make gif work on a PD-only DHCPv6 WAN with SLAAC address. Should I take a look at the interfaces widget?

Link-local outer gif addresses... hmm... nothing wrong with that. A tunnel between two routers which are in the same subnet? Why not.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
Print
Go Up Pages 1 2
User actions