OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 23.7 Legacy Series »
  • IPv6 breaks under Traffic Shaping congestion
« previous next »
  • Print
Pages: [1]

Author Topic: IPv6 breaks under Traffic Shaping congestion  (Read 717 times)

nchlsh07

  • Newbie
  • *
  • Posts: 1
  • Karma: 1
    • View Profile
IPv6 breaks under Traffic Shaping congestion
« on: March 24, 2024, 08:15:44 pm »
Versions    OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

I have recently experienced DNS failures when the WAN is congested outbound. There does not seem to be any issue with Unbound DNS, however, my DNS forwarders are IPv6.

Problem Summary:
  • Traffic shaping is configured - rule traffic match summary - Source/destination: ANY (mostly), Interface: WAN, Direction: In|Out, Destination/source port: (as required)
  • WAN is congested outbound (inbound congestion unconfirmed)
  • IPv6 traffic gets dropped: ICMP6 echo (ping), Unbound DNS IPv6 query forwarder (possibly other IPv6 traffic)
  • disabling traffic shaping - resolves
  • setting the Pipe bandwidth higher than the WAN link - resolves
  • It only seems to be a problem when the traffic shaper pipe is engaged/congested

Solution/workaround:
  • Review the following Topic and associated reference sites: Topic: [SOLVED] Firewall Shaper causes IPv6 address loss on WAN: https://forum.opnsense.org/index.php?topic=27247.msg132747#msg132747
  • replacing the source ANY with IP and subnets for the LAN and firewall interfaces on outbound rules - FIXED the issue
  • Included IP and subnets: Internal IPv4 private RFC 1918 subnets, Internal IPv6 subnet allocation, Firewall WAN public IPv4 and IPv6 addresses
  • Solution challenge: with the exception of the RFC 1918 addresses, the others are dynamically allocated by the ISP. I have paid for reserved IP addressing, so mine will not change. Others with a truly dynamic service where their IP addresses change regularly will have problems with this workaround, until the OPNsense UI allows the use of aliases in Traffic Shaping rules.

Many thanks to fbantgat7 for the helpful post
« Last Edit: March 24, 2024, 08:22:37 pm by nchlsh07 »
Logged

meyergru

  • Hero Member
  • *****
  • Posts: 1684
  • Karma: 165
  • IT Aficionado
    • View Profile
    • congenio
Re: IPv6 breaks under Traffic Shaping congestion
« Reply #1 on: March 24, 2024, 10:15:59 pm »
Thank you for bringing this to attention again, I had missed the original post which already contains the potential workaround. I have an ISP who uses CG-NAT with DS-Lite (and dynamic prefixes) and had the same behaviour.

I always thought this was just this provider who misinterpreted congestion flags or something to this extent. Now it seems that OpnSense is the culprit. Therefore, I opened an issue with references to this, fbantgat7's and my own threads:

https://github.com/opnsense/core/issues/7342
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 23.7 Legacy Series »
  • IPv6 breaks under Traffic Shaping congestion
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2