Native IPv6, in rules on WAN OK, but nothing connects unless pfctl -d

Started by mfld-pub, June 21, 2021, 06:01:52 AM

Hey all,

Super weird. I have installed OPNsense 21.1.7 on bare metal. IPv4 and IPv6 WAN assignments are static /29 and /64. IPv6 gateway is the ::1 of my /64. IPv6 WAN address is the ::2 of my IPv6 prefix.

I.e. WAN address: 2001:DB8:1212:3000::2/64, Gateway address 2001:DB8:1212:3000::1

OPNsense can make outbound connections over IPv6 just fine. But inbound only ICMP works.

For testing, I disabled Block Bogons and Block Private on WAN. Now I made some inbound rules on WAN:

allow ICMP (v4/v6) from any
allow TCP/22, TCP/443 IPv4 from an alias and log it.
allow TCP/22, TCP/443 IPv6 from an alias and log it.

I checked the alias table and it has been populated with the expected IPv6 addresses.

Now when I connect from a whitelisted address to OPNsense over IPv6 on tcp/443 or tcp/22 I can see the firewall logging the allow. But no connectivity can take place.

It just times out.

For testing I took everything out of the equation, no blocking of RFC1918, no blocking of BOGON, and put an allow rule as my very first firewall rule on WAN to allow IPV6 proto any from any.

Not sure how to scale this screenshot for the forum, so have attached the jpg below, too:

Again I can now ping OPNsense but NOT connect ssh or https over IPv6.

As a final measure to see if this is perhaps an upstream issue of sorts, I ssh in (via IPv4) and do pfctl -d.

At that point IPv6 connections are accepted. I can SSH / https to the box over IPv6! How ? Why ? Whiskey Tango Foxtrot?

Attached a sanitized packet capture where I try to ssh from 2604:aa10:9211:2:68c2:f15e:579d:af88 to the WAN address. It shows the pass rule on WAN is working but then things break when OPNsense is trying to reply.

Gateway status shows up, OPNsense can initiate IPv6 conversations successfully. I do not get it.


Just noticed there is a 21.1.7_1 point release out.

Release notes don't show anything that could be related to my issue, but I thought I might get lucky.

I applied it and although it didn't ask me to I rebooted for good measure. Issue persists.

Hi,

try to set this Option:

Firewall > Settings > Advanced > Disable reply-to [check]

https://forum.opnsense.org/index.php?topic=15900.msg79646#msg79646

I had the same problem a few months ago. Since then this is the first option to set on new installations.

Bye
Robert
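As an added illustration (not from this thread and not OPNsense's own code), a small Python helper that scans lines in the shape `pfctl -sr` prints and reports the inbound IPv6 WAN pass rules carrying the reply-to clause that the setting above switches off. The sample rule dump, the interface name em0, the table names and the gateway addresses are constructed; it also assumes the option simply omits the clause from the generated rules.

```python
"""Find inbound pass rules whose replies pf forces out via reply-to."""
import re

# reply-to (ifname gateway) as pf prints it in a rule dump. The clause makes
# pf send reply packets of the state out that interface to that gateway
# instead of consulting the routing table.
REPLY_TO = re.compile(r"reply-to \((\w+) ([0-9a-fA-F:.]+)\)")

# Constructed sample dump; addresses and table names are illustrative only.
SAMPLE_RULES = """\
pass in quick on em0 reply-to (em0 2001:db8:1212:3000::1) inet6 proto tcp from <trusted_v6> to (em0) port = ssh flags S/SA keep state label "allow ssh v6"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from <trusted_v4> to (em0) port = https flags S/SA keep state label "allow https v4"
pass in quick on em0 inet6 proto ipv6-icmp all keep state label "icmp6"
pass out quick on em0 inet6 all keep state
block drop in log quick on em0 inet6 all label "default deny"
"""

def parse_rule(line):
    """Pull action, direction, interface, address family and reply-to out of one rule line."""
    tokens = line.split()
    rule = {"text": line, "action": tokens[0], "direction": None,
            "iface": None, "family": None, "reply_to": None}
    for i, tok in enumerate(tokens):
        if tok in ("in", "out") and rule["direction"] is None:
            rule["direction"] = tok
        elif tok == "on" and i + 1 < len(tokens):
            rule["iface"] = tokens[i + 1]
        elif tok in ("inet", "inet6"):
            rule["family"] = tok
    match = REPLY_TO.search(line)
    if match:
        rule["reply_to"] = (match.group(1), match.group(2))
    return rule

def find_reply_to_rules(dump, wan_if, family="inet6"):
    """Inbound pass rules on wan_if for the given family that carry reply-to."""
    hits = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        if (rule["action"] == "pass" and rule["direction"] == "in"
                and rule["iface"] == wan_if and rule["family"] == family
                and rule["reply_to"] is not None):
            hits.append(rule)
    return hits

def strip_reply_to(line):
    """The same rule without the clause, i.e. what is left once reply-to is disabled."""
    return REPLY_TO.sub("", line).replace("  ", " ")

if __name__ == "__main__":
    for rule in find_reply_to_rules(SAMPLE_RULES, "em0"):
        print("reply-to via", rule["reply_to"], "->", strip_reply_to(rule["text"]))
```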

Quote: Firewall > Settings > Advanced > Disable reply-to [check]

Dude!!! I am up!

The crossover from pfSense to OPNsense is full of pitfalls LOL. Thank you so much!

Why is this a thing though and why only in some environments ? I set up a few OPNsense migrations this month and only now came across this.

Great! I was changing from pfSense, too. And the change to OPNsense is worth every little trouble...

Quote: And the change to OPNsense is worth every little trouble...

100%. Enjoying it so far. Only thing holding me back is BGP (https://github.com/opnsense/plugins/issues/1972), and it is a bit worrying that under "Advanced Options", in places where you could put a configuration blob to overcome UI limitations, they state:
Quote: This option will be removed in the future due to being insecure by nature. In the meantime only full administrators are allowed to change this setting.
But there are things that would break horribly the moment you take away that box, i.e. https://github.com/opnsense/core/issues/2048