haproxy for ipv4 and ipv6 to ipv4; ipv6 doesn't work?

Started by Bytechanger, May 20, 2020, 09:13:57 AM

Quote from: robgnu on May 28, 2020, 07:39:25 PM
Hello,

I am the user from the German forum with the same issue:
I have two separate OPNsense boxes with 20.1.7 connected by PPPoE (VDSL, Deutsche Telekom). Both machines do exactly the same:
- Connecting to the ISP works perfectly. MTU was not set, but calculated to 1492, which is correct.
- One machine BEHIND the firewall is reachable from the internet (SSH; I configured the according rule)
- IPv6 connections from the Internet to the WAN port of the OPNsense are getting a timeout (SSH, HTTPS etc.)
- IPv4 connections from the Internet to the WAN port of the OPNsense are working as usual and fast.
- Both OPNsense machines were freshly installed with 20.1.0, then I configured the PPPoE connection and then I upgraded to the latest version.

I figured out that disabling the Gateway "WAN_DHCP6" solves that issue. On one machine I now have a continuously restarting radvd daemon (every 2 seconds), which is another IPv6 problem, I think.

I logged into these two machines and did a "clog -f /var/log/system.log". There is a massive flooding of messages (both OPNsenses). In parallel I did the same on another pfSense, there aren't those messages:


May 28 19:31:12 sense dhcp6c[67533]: script "/var/etc/dhcp6c_wan_script.sh" terminated
May 28 19:31:12 sense dhcp6c[67533]: removing an event on pppoe0, state=REQUEST
May 28 19:31:12 sense dhcp6c[67533]: removing server (ID: 00:02:00:00:05:83:34:30:3a:37:31:3a:38:33:3a:61:38:3a:63:38:3a:30:30:00:00:00)
May 28 19:31:12 sense dhcp6c[67533]: got an expected reply, sleeping.
May 28 19:31:12 sense dhcp6c[67533]: Sending Solicit
May 28 19:31:12 sense dhcp6c[67533]: a new XID (15754b) is generated
May 28 19:31:12 sense dhcp6c[67533]: set client ID (len 14)
May 28 19:31:12 sense dhcp6c[67533]: set identity association
May 28 19:31:12 sense dhcp6c[67533]: set elapsed time (len 2)
May 28 19:31:12 sense dhcp6c[67533]: set option request (len 4)
May 28 19:31:12 sense dhcp6c[67533]: send solicit to ff02::1:2%pppoe0
May 28 19:31:12 sense dhcp6c[67533]: reset a timer on pppoe0, state=SOLICIT, timeo=0, retrans=1016
May 28 19:31:12 sense dhcp6c[67533]: receive advertise from fe80::200:ff:fe00:0%pppoe0 on pppoe0
May 28 19:31:12 sense dhcp6c[67533]: get DHCP option client ID, len 14
May 28 19:31:12 sense dhcp6c[67533]:   DUID: 00:01:00:01:21:39:d6:87:00:0d:b9:54:2b:6c
May 28 19:31:12 sense dhcp6c[67533]: get DHCP option server ID, len 26
May 28 19:31:12 sense dhcp6c[67533]:   DUID: 00:02:00:00:05:83:34:30:3a:37:31:3a:38:33:3a:61:38:3a:63:38:3a:30:30:00:00:00
May 28 19:31:12 sense dhcp6c[67533]: get DHCP option identity association, len 59
May 28 19:31:12 sense dhcp6c[67533]:   IA_NA: ID=0, T1=0, T2=0
May 28 19:31:12 sense dhcp6c[67533]: get DHCP option status code, len 43
May 28 19:31:12 sense dhcp6c[67533]:   status code: no addresses
May 28 19:31:12 sense dhcp6c[67533]: get DHCP option DNS, len 32
May 28 19:31:12 sense dhcp6c[67533]: server ID: 00:02:00:00:05:83:34:30:3a:37:31:3a:38:33:3a:61:38:3a:63:38:3a:30:30:00:00:00, pref=-1
May 28 19:31:12 sense dhcp6c[67533]: reset timer for pppoe0 to 0.979450
May 28 19:31:13 sense dhcp6c[67533]: picked a server (ID: 00:02:00:00:05:83:34:30:3a:37:31:3a:38:33:3a:61:38:3a:63:38:3a:30:30:00:00:00)
May 28 19:31:13 sense dhcp6c[67533]: Sending Request
May 28 19:31:13 sense dhcp6c[67533]: a new XID (ac85ba) is generated
May 28 19:31:13 sense dhcp6c[67533]: set client ID (len 14)
May 28 19:31:13 sense dhcp6c[67533]: set server ID (len 26)
May 28 19:31:13 sense dhcp6c[67533]: set status code
May 28 19:31:13 sense dhcp6c[67533]: set identity association
May 28 19:31:13 sense dhcp6c[67533]: set elapsed time (len 2)
May 28 19:31:13 sense dhcp6c[67533]: set option request (len 4)
May 28 19:31:13 sense dhcp6c[67533]: send request to ff02::1:2%pppoe0
May 28 19:31:13 sense dhcp6c[67533]: reset a timer on pppoe0, state=REQUEST, timeo=0, retrans=1059
May 28 19:31:13 sense dhcp6c[67533]: receive reply from fe80::200:ff:fe00:0%pppoe0 on pppoe0
May 28 19:31:13 sense dhcp6c[67533]: get DHCP option client ID, len 14
May 28 19:31:13 sense dhcp6c[67533]:   DUID: 00:01:00:01:21:39:d6:87:00:0d:b9:54:2b:6c
May 28 19:31:13 sense dhcp6c[67533]: get DHCP option server ID, len 26
May 28 19:31:13 sense dhcp6c[67533]:   DUID: 00:02:00:00:05:83:34:30:3a:37:31:3a:38:33:3a:61:38:3a:63:38:3a:30:30:00:00:00
May 28 19:31:13 sense dhcp6c[67533]: get DHCP option identity association, len 59
May 28 19:31:13 sense dhcp6c[67533]:   IA_NA: ID=0, T1=0, T2=0
May 28 19:31:13 sense dhcp6c[67533]: get DHCP option status code, len 43
May 28 19:31:13 sense dhcp6c[67533]:   status code: no addresses
May 28 19:31:13 sense dhcp6c[67533]: get DHCP option DNS, len 32
May 28 19:31:13 sense dhcp6c[67533]: Received REPLY for REQUEST
May 28 19:31:13 sense dhcp6c[67533]: nameserver[0] 2003:180:2:7000::53
May 28 19:31:13 sense dhcp6c[67533]: nameserver[1] 2003:180:2:9000::53
May 28 19:31:13 sense dhcp6c[67533]: make an IA: NA-0
May 28 19:31:13 sense dhcp6c[67533]: status code for NA-0: no addresses
May 28 19:31:13 sense dhcp6c[67533]: IA NA-0 is invalidated
May 28 19:31:13 sense dhcp6c[67533]: remove an IA: NA-0
May 28 19:31:13 sense dhcp6c[67533]: reset a timer on pppoe0, state=INIT, timeo=0, retrans=113
May 28 19:31:13 sense dhcp6c[67533]: executes /var/etc/dhcp6c_wan_script.sh
May 28 19:31:13 sense dhcp6c: dhcp6c REQUEST on pppoe0 - running newipv6
May 28 19:31:14 sense opnsense: /usr/local/etc/rc.newwanipv6: IPv6 renewal is starting on 'pppoe0'
May 28 19:31:14 sense opnsense: /usr/local/etc/rc.newwanipv6: On (IP address: 2003:a:xxxx:xxxx:20d:b9ff:fe54:2b6c) (interface: WAN[wan]) (real interface: pppoe0).


For now, I'm out of ideas. I switched over from pfSense for some other good reasons, but I never had any problems with IPv6 on pfSense.

Robert.

I can connect with haproxy from LAN via IPv6, but I could not connect via WAN from IPv6.

I used IPv6 port forwarding to forward to a Linux machine on the LAN and confirmed whether it can be accessed via IPv6. This was successful. (I'm running ipv6nat because my network only gets a /64 IPv6 address.)

I was able to communicate with haproxy from the WAN by adding the following port forwarding.
The settings currently in operation are as follows.
In my environment, em0 is the physical interface for IPv6 IPoE. Also, pppoe0 is IPv4 and bridge0 is the LAN.
The LAN (bridge0) has addresses 192.168.1.1 and fd4b:5bb3:b8d2:1c9e. (Example)

pfctl -sn

rdr on em0 inet6 proto tcp from any to (self) port = https -> fd4b:5bb3:b8d2:1c9e::1 port 443
rdr on pppoe0 inet proto tcp from any to (self) port = https -> 192.168.1.1 port 443
rdr on bridge0 inet proto tcp from any to (self) port = https -> 192.168.1.1 port 443
rdr on bridge0 inet6 proto tcp from any to (self) port = https -> fd4b:5bb3:b8d2:1c9e::1 port 443

I don't know the FreeBSD specifics of the reply-to feature, but the OPNsense docs description reads as if it remembers the layer 2 address a packet is received from and sends the reply to the same layer 2 address regardless of the layer 3 routing table.
Can someone from the OPNsense team with more knowledge comment on this?
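
An added example (not from the thread and not OPNsense code): a small Python check for the dhcp6c pattern in the system.log quoted earlier in the thread, where the reply carries "no addresses" for the IA and the WAN script still runs, flagging a PID that repeats that cycle back to back. The sample lines are constructed in the quoted format; the function names, the thresholds and the fixed year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the dhcp6c lines quoted in the thread:
# three back-to-back cycles, one second apart.
CYCLE = """\
May 28 19:31:{s:02d} sense dhcp6c[67533]: Sending Solicit
May 28 19:31:{s:02d} sense dhcp6c[67533]: send solicit to ff02::1:2%pppoe0
May 28 19:31:{s:02d} sense dhcp6c[67533]: Sending Request
May 28 19:31:{s:02d} sense dhcp6c[67533]: Received REPLY for REQUEST
May 28 19:31:{s:02d} sense dhcp6c[67533]: status code for NA-0: no addresses
May 28 19:31:{s:02d} sense dhcp6c[67533]: IA NA-0 is invalidated
May 28 19:31:{s:02d} sense dhcp6c[67533]: executes /var/etc/dhcp6c_wan_script.sh
"""
SAMPLE = "".join(CYCLE.format(s=s) for s in (12, 13, 14))

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dhcp6c\[(\d+)\]: (.*)$")

def failed_cycles(text, year=2020):
    """Return {pid: [datetime, ...]}, one entry per exchange in which an IA
    was refused and the script ran anyway. Syslog omits the year (assumed)."""
    refused, cycles = {}, defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # not a dhcp6c[pid] line
        stamp, pid, msg = m.groups()
        if msg == "Sending Solicit":
            refused[pid] = False      # a new exchange starts
        elif msg.startswith("status code for ") and msg.endswith(": no addresses"):
            refused[pid] = True       # server refused the requested IA
        elif msg.startswith("executes ") and refused.get(pid):
            cycles[pid].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
            refused[pid] = False
    return cycles

def looping(text, min_cycles=3, max_gap_s=5):
    """Return {pid: count} for PIDs with >= min_cycles refused cycles <= max_gap_s apart."""
    hits = {}
    for pid, times in failed_cycles(text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_cycles and all(g <= max_gap_s for g in gaps):
            hits[pid] = len(times)
    return hits
```

Feed it the text of the system log (for example the output of the clog command quoted above) and a non-empty result from `looping()` names the dhcp6c process that keeps re-running the renewal.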