Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]

Started by wget, July 10, 2020, 04:15:37 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 10, 2020, 04:15:37 PM Last Edit: July 20, 2020, 06:25:15 PM by wget
In order to comply with RFC 4890 -  Recommendations for Filtering ICMPv6 Messages in Firewalls, in 20.1, I allowed the following ICMP traffic:
https://tools.ietf.org/html/rfc4890#section-4.3.1

I set them in Rules > WAN. cf. attachment

Authorizing this traffic allowed me to get 20/20 at the IPv6 test: ipv6-test.com/

A few weeks ago, I migrated to 20.7.b_181 with the FreeBSD 12 kernel (fresh install). Now, I noticed, that despite having these ICMP whitelisting rules enabled, I have been down graded to 18/20, because this ICMP specific traffic wasn't allowed to pass through anymore :/

Can anyone confirm this issue? I have Sensei installed, maybe the reason?
PC Engines apu2c4 (3 i210AT + 4GB RAM) - multi WAN: VOO (DOCSIS based) + Proximus (xDSL based) both native dual stack IPv4/IPv6 - Belgium 🇧🇪 
OPNsense 20.1.x release version
July 10, 2020, 06:13:22 PM #1
Hi @wget,

Try these:

1. Put Sensei into bypass mode and see if it works (Sensei -> Status -> Enter Bypass Mode)
2. Stop Sensei and see something changes (Sensei -> Status -> Stop)

If the first option works, than it's related to Sensei
If the second option works if you stop Sensei at all, than it's related to netmap.

If it's option 1 or 2, shoot a PR and we'll have a closer look. (Report Bug) on the right hand side of the screen)

If not, than it's not related to Sensei/netmap.

July 20, 2020, 06:24:56 PM #2 Last Edit: July 20, 2020, 06:44:59 PM by wget
Quote from: mb on July 10, 2020, 06:13:22 PM

I found the culprit :) Not related to Sensei at all. And I completely removed Sensei to make sure =)

Firefox and a bunch of other browsers have removed support for TLS 1.0 and 1.1. It appears the subdomain[1] ipv6-test.com is using to test for ICMPv6 reachability is only using TLS up to 1.1 which means the resource is not being loaded.

I'll reach I sent an email to ipv6-test's maintainers to let them know about the issue.

[1] https://v6.ipv6-test.com:8443/
PC Engines apu2c4 (3 i210AT + 4GB RAM) - multi WAN: VOO (DOCSIS based) + Proximus (xDSL based) both native dual stack IPv4/IPv6 - Belgium 🇧🇪 
OPNsense 20.1.x release version
July 20, 2020, 09:01:52 PM #3
Hi @wget, glad that you've figure out this. Thanks for the update.
September 11, 2020, 02:39:25 PM #4
Just trying to get some IPv6 ICMP stuff fixed and found this thread.
Do I need to apply these rules manually? So OPNsense doesn't accept IPv6 ICMP traffic by default then?
How can I specify codes?
For example ICMPv6 - Time Exceeded (Type 3) - Code 0 only
-> I can select "time exceeded" but how do I limit it to code?

thanks!
System1: Qotom Q310G4 (died recently)
System1: Supermicro A2SDi-4C-HLN4F,  64GB RAM, ZFS mirrored boot drive
System2: APU2C4
Print
Go Up Pages1
User actions