[SOLVED] Firewall rule: "Default deny rule IPv6"

[giovino]

Greetings,

I am sharing this experience as more of an FYI for others that may search the forums and less than a bug report as I wouldn't know how reproduce it.

Back ground:

My ISP provides me with an IPv4 address and a IPv6 address. I have configured the opnsense router WAN interface with "IPv4 Configuration Type": "DHCP and "IPv6 Configuration Type": "DHCPv6". I started using opnsense at version 15.7.11 and have upgraded each version since.

I recently started witnessing "slow networking" which I eventually traced back to my LAN blocking outbound IPv6. I think it was "slow" as ipv6 was timing out (being blocked) and the device (Internet) that was "slow" would fall back to ipv4.

Example Firewall Logs:

             Time                     If     Source                              Destination                      Proto
<block> Nov 29 01:01:16   LAN  [<ipv6 address>]:52068    [<ipv6 address]:443        TCP:S

I was rather confused by this as I know I had rules allowing IPv6 outbound.

Example Firewall rules:

            Proto     Source    Port       Destination   Port       Gateway Schedule   Description
<pass> IPv6 *   LAN net    *         *                     *            *                           LAN allow all IPv6

While browsing the logs through:

Status -> System Logs -> Firewall (filter: Block + LAN)

I eventually click the "X" under Act and see:

The rule that triggered this action is:
@5 block drop in log inet6 all label "Default deny rule IPv6"

That gets me thinking.. huh there's an option somewhere that (not in the firewall rules) speaks to this. I go hunting and find this:

System: Settings: Networking -> Allow IPv6

I found this setting checked, I unchecked it, clicked save. I then rechecked it and clicked save again.

Once I did this, the router stops blocking IPv6 outbound LAN traffic. (problem fixed)

Having fixed the problem I have some comments:

1. I suspect during some upgrade the bit behind "Allow IPv6" got flipped even though the UI still said it was "checked". If I could reproduce it we could call it a bug but I'm guessing i cannot so we'll write it off as a ghost in the machine.

2. Being able to click the "X" in the firewall log viewer is not obvious, once I saw there was a rule blocking IPv6 traffic it at least gave me a clue why I was seeing IPv6 traffic being blocked in the firewall logs. It would be nice if there was a better visual clue for seeing the rule/data "behind" the "X".

3. It would be nice if there was a clue in the firewall rules page that indicates that the "Allow IPv6" box isn't checked OR a rule has been applied to block IPv6 traffic. It's a big leap to see IPv6 traffic being blocked, going to the firewall rules page and seeing no rules that would block said traffic and then realizing that one needs to go to "System: Settings: Networking" to verify "Allow IPv6" is checked.

</comments>

A big thank you to everyone involved with OPNsense!

-g

[franco]

Good morning giovino,

1. I suspect during some upgrade the bit behind "Allow IPv6" got flipped even though the UI still said it was "checked". If I could reproduce it we could call it a bug but I'm guessing i cannot so we'll write it off as a ghost in the machine.

That's odd to say the least. The only suspicious change I can see is from July 13, but that was somewhere between 15.7 and 15.7.2. The only page that actually strips this config option is the actual settings page, we've never flipped defaults or behaviour and if the flag is reported in the page it should be picked up by all other components as well... Question: is this fix persistent after reboot? The only way this makes a little sense is that it's not and the reload actually triggered something else that allowed traffic to flow. We've seen such behaviour with OpenVPN traffic not passing until a reload took place.

2. Being able to click the "X" in the firewall log viewer is not obvious, once I saw there was a rule blocking IPv6 traffic it at least gave me a clue why I was seeing IPv6 traffic being blocked in the firewall logs. It would be nice if there was a better visual clue for seeing the rule/data "behind" the "X".

Full ack, that always annoyed me too. Added a ticket: https://github.com/opnsense/core/issues/487

Discussing how it could be improved would help. Any ideas?

3. It would be nice if there was a clue in the firewall rules page that indicates that the "Allow IPv6" box isn't checked OR a rule has been applied to block IPv6 traffic. It's a big leap to see IPv6 traffic being blocked, going to the firewall rules page and seeing no rules that would block said traffic and then realizing that one needs to go to "System: Settings: Networking" to verify "Allow IPv6" is checked.

The option turned off while still showing checked in the GUI is an impossible solution, so if we pin down (1) correctly this will likely not be the case. Besides, IPv6 is enabled by default so it works out of the box (I know, except this bug).

Thanks for sharing and using OPNsense!


Cheers,
Franco

[8191]

3. It would be nice if there was a clue in the firewall rules page that indicates that the "Allow IPv6" box isn't checked OR a rule has been applied to block IPv6 traffic. It's a big leap to see IPv6 traffic being blocked, going to the firewall rules page and seeing no rules that would block said traffic and then realizing that one needs to go to "System: Settings: Networking" to verify "Allow IPv6" is checked.

The option turned off while still showing checked in the GUI is an impossible solution, so if we pin down (1) correctly this will likely not be the case. Besides, IPv6 is enabled by default so it works out of the box (I know, except this bug).

The Filewall: Rules list could also show the rules implicitly applied due to other settings, as it is already the case for the Anti-Lockout Rule. I guess the Allow IPv6 setting is not the only setting affecting implicit pf rules.

[giovino]

Good morning giovino,

1. I suspect during some upgrade the bit behind "Allow IPv6" got flipped even though the UI still said it was "checked". If I could reproduce it we could call it a bug but I'm guessing i cannot so we'll write it off as a ghost in the machine.

Question: is this fix persistent after reboot? The only way this makes a little sense is that it's not and the reload actually triggered something else that allowed traffic to flow. We've seen such behaviour with OpenVPN traffic not passing until a reload took place.

franco.. you are brilliant! I rebooted the router and sure enough IPv6 traffic was being blocked and the "Allow IPv6" box was checked. I unchecked -> save -> rechecked -> saved.. IPv6 traffic was flowing again. This also makes sense as I thought I had seen this and fixed it once before but wasn't sure what I did as I "pushed" too many buttons

I'll create a github issue and reference this thread. Thank you!

2. Being able to click the "X" in the firewall log viewer is not obvious, once I saw there was a rule blocking IPv6 traffic it at least gave me a clue why I was seeing IPv6 traffic being blocked in the firewall logs. It would be nice if there was a better visual clue for seeing the rule/data "behind" the "X".

Full ack, that always annoyed me too. Added a ticket: https://github.com/opnsense/core/issues/487

Discussing how it could be improved would help. Any ideas?

Maybe have a "?" icon? Disregarding how many pixels are available for the moment...

If it says Action: Block with a "?" icon.. it would be more intuitive to _me_ that I should click that for more information.

3. It would be nice if there was a clue in the firewall rules page that indicates that the "Allow IPv6" box isn't checked OR a rule has been applied to block IPv6 traffic. It's a big leap to see IPv6 traffic being blocked, going to the firewall rules page and seeing no rules that would block said traffic and then realizing that one needs to go to "System: Settings: Networking" to verify "Allow IPv6" is checked.

The option turned off while still showing checked in the GUI is an impossible solution, so if we pin down (1) correctly this will likely not be the case. Besides, IPv6 is enabled by default so it works out of the box (I know, except this bug).

I like mf's suggestion (e.g. do not hide the implicit rules behind the scene). Of course this is probably easier said than done

[8191]

I like mf's suggestion (e.g. do not hide the implicit rules behind the scene). Of course this is probably easier said than done

I've created a PR for that specific implicit rule: #503. Of cause there might be several additional implicit rules, but it's a beginning...

[giovino]

release 15.7.22 seems to have solved this problem, big thanks to Franco for helping me work through the issue.

[franco]

Any time, thanks