Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
« previous
next »
Print
Pages: [
1
]
Author
Topic: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED] (Read 1509 times)
wget
Newbie
Posts: 43
Karma: 1
Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
«
on:
July 10, 2020, 04:15:37 pm »
In order to comply with RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls, in 20.1, I allowed the following ICMP traffic:
https://tools.ietf.org/html/rfc4890#section-4.3.1
I set them in Rules > WAN. cf. attachment
Authorizing this traffic allowed me to get 20/20 at the IPv6 test:
ipv6-test.com/
A few weeks ago, I migrated to 20.7.b_181 with the FreeBSD 12 kernel (fresh install). Now, I noticed, that despite having these ICMP whitelisting rules enabled, I have been down graded to 18/20, because this ICMP specific traffic wasn't allowed to pass through anymore :/
Can anyone confirm this issue? I have Sensei installed, maybe the reason?
«
Last Edit: July 20, 2020, 06:25:15 pm by wget
»
Logged
PC Engines apu2c4 (3 i210AT + 4GB RAM) - multi WAN: VOO (DOCSIS based) + Proximus (xDSL based) both native dual stack IPv4/IPv6 - Belgium 🇧🇪
OPNsense 20.1.x release version
mb
Hero Member
Posts: 891
Karma: 96
Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei?
«
Reply #1 on:
July 10, 2020, 06:13:22 pm »
Hi @wget,
Try these:
1. Put Sensei into bypass mode and see if it works (Sensei -> Status -> Enter Bypass Mode)
2. Stop Sensei and see something changes (Sensei -> Status -> Stop)
If the first option works, than it's related to Sensei
If the second option works if you stop Sensei at all, than it's related to netmap.
If it's option 1 or 2, shoot a PR and we'll have a closer look. (Report Bug) on the right hand side of the screen)
If not, than it's not related to Sensei/netmap.
Logged
wget
Newbie
Posts: 43
Karma: 1
Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
«
Reply #2 on:
July 20, 2020, 06:24:56 pm »
Quote from: mb on July 10, 2020, 06:13:22 pm
I found the culprit
Not related to Sensei at all. And I completely removed Sensei to make sure =)
Firefox and a bunch of other browsers have removed support for TLS 1.0 and 1.1. It appears the subdomain[1] ipv6-test.com is using to test for ICMPv6 reachability is only using TLS up to 1.1 which means the resource is not being loaded.
I'll reach
I sent an email to ipv6-test's maintainers to let them know about the issue.
[1]
https://v6.ipv6-test.com:8443/
«
Last Edit: July 20, 2020, 06:44:59 pm by wget
»
Logged
PC Engines apu2c4 (3 i210AT + 4GB RAM) - multi WAN: VOO (DOCSIS based) + Proximus (xDSL based) both native dual stack IPv4/IPv6 - Belgium 🇧🇪
OPNsense 20.1.x release version
mb
Hero Member
Posts: 891
Karma: 96
Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
«
Reply #3 on:
July 20, 2020, 09:01:52 pm »
Hi @wget, glad that you've figure out this. Thanks for the update.
Logged
skywalker007
Full Member
Posts: 133
Karma: 5
Re: Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
«
Reply #4 on:
September 11, 2020, 02:39:25 pm »
Just trying to get some IPv6 ICMP stuff fixed and found this thread.
Do I need to apply these rules manually? So OPNsense doesn't accept IPv6 ICMP traffic by default then?
How can I specify codes?
For example ICMPv6 - Time Exceeded (Type 3) - Code 0 only
-> I can select "time exceeded" but how do I limit it to code?
thanks!
Logged
System1: Qotom Q310G4
System2: APU2C4
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Potential 20.7 FreeBSD 12 regression with ICMPv6 - Sensei? [FIXED]
