IPv6 policy routing not working

Started by patrick7, January 01, 2019, 08:57:47 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
January 01, 2019, 08:57:47 PM Last Edit: January 02, 2019, 06:46:20 PM by patrick7
I'm trying to set up policy routing with a he.net tunnelbroker.
The rule is matching, but the traffic is still sent to the default gateway, not to the next hop specified in the firewall rule.

Code Select
pfctl -sr | grep gif0
pass in log quick on igb2_vlan104 route-to (gif0 2001:db8::1) inet6 from (igb2_vlan104:network) to ! <LocalNetworks> flags S/SA keep state label "USER_RULE: LANSALT -> Internet"


It works for IPv4 with similar config.

Is there a bug?
April 14, 2019, 09:38:35 PM #1
no ideas? :-(
June 21, 2019, 10:23:51 PM #2 Last Edit: June 21, 2019, 10:42:05 PM by mahescho
Any news her? Seems like I've a similar problem. I've tree dual stack up links. IPv4 works with NAT and policy based routs as expected but IPv6 policy based routes do not work for me. Local IPv6 communication between subnets delegated to the various up links works as expected. My IPv6 default gateway with static addresses. The two other links are PPoE connections. I want the IPv6 policy routers make use of these PPPoE links.

The generated rule looks like this:

Code Select
pass in quick on lagg0_vlan202 inet6 from (lagg0_vlan202:network) to ! <LOCALv6> flags S/SA keep state label "USER_RULE""

I miss some thing like "route-to" ...
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
June 21, 2019, 11:00:18 PM #3
Quote from: mahescho on June 21, 2019, 10:23:51 PM
Any news her? Seems like I've a similar problem. I've tree dual stack up links. IPv4 works with NAT and policy based routs as expected but IPv6 policy based routes do not work for me. Local IPv6 communication between subnets delegated to the various up links works as expected. My IPv6 default gateway with static addresses. The two other links are PPoE connections. I want the IPv6 policy routers make use of these PPPoE links.

The generated rule looks like this:

Code Select
pass in quick on lagg0_vlan202 inet6 from (lagg0_vlan202:network) to ! <LOCALv6> flags S/SA keep state label "USER_RULE""

I miss some thing like "route-to" ...

If found that the two PPPoE interfaces look different. pppoe0 has two fe80 addresses and the gateway entry also has a fe80 appendix. pppoe0 has only one fe80 address and the gateway entry does not have a fe80 appendix but "dynamic" is appended. The addresses ob both connections are static, not dynamic. Wen I switch to pppoe0 the generated rule looks like this:

Code Select
pass in quick on lagg0_vlan202 route-to (pppoe0 fe80::2a0:a512:8c:43fe) inet6 from (lagg0_vlan202:network) to ! <LOCALv6> flags S/SA keep state label "USER_RULE"
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
June 22, 2019, 12:15:53 AM #4
Currently only disabling shared forwading helps
June 22, 2019, 09:20:31 AM #5 Last Edit: June 22, 2019, 12:22:54 PM by mahescho
Thanks, I will give this a try. I don't use the neither traffic sharper nor the captive portal and I probably never will.

Edit: I've tested this by now and it works! Thanks.

Now I've one minor problem left. On the default gateway everything works as expected but when I try to reach the public IPs of the two other up links the outgoing packages / replies get routet through the default gateway instead of the correct up link port. So the public IP's of the additional up links are not reachable from the internet.

How to fix this?
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
June 22, 2019, 04:39:28 PM #6
Disable Force Gateway in Firewall : Settings : Advanced
June 22, 2019, 05:27:13 PM #7
Thanks, didn't help ...
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
June 22, 2019, 05:45:22 PM #8
Didn't help for v6, v4 or both?
June 22, 2019, 09:22:07 PM #9
both ...
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
Print
Go Up Pages1
User actions