Problems with IPv6 and Firewall rules (deny all)?

Started by Beowulf, September 04, 2021, 11:53:37 PM

September 04, 2021, 11:53:37 PM Last Edit: September 05, 2021, 12:00:20 AM by Beowulf
Dear reader,

I can't get my head around this problem  :-\:

My network setup (simplified):
WWW -> FritzBox 7490 -> OPNsense Firewall -> FritzBox 4040 (one of two routers, the other router is for a different network) -> my client

My OPNsense version:
21.7.1

I want to use IPv6 on the client. The following IP addresses are anonymized.

WWW (Deutsche Telekom AG, prefix: /56) -> FritzBox 7490
- delegated prefix: 2003:AABB:CCDD:4300::/56
- IPv6 address: 2003:AABB:CCEE:FFFF:GGGG:HHHH:IIII:JJJJ
(connectivity fine -> check)

-> OPNsense Firewall
Configuration:
Interface WAN:
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration:
- Request only an IPv6 prefix checked
- Prefix delegation size: 57 (maximum possible)
- Send IPv6 prefix
Overview:
- delegated prefix: 2003:AABB:CCDD:4380::/57
- IPv6 address: 2003:AABB:CCDD:4300::GGGG:HHHH:IIII:JJJJ
(connectivity (trace route) fine -> check)

-> FritzBox 4040
- delegated prefix: 2003:AABB:CCDD:4364::/62
- IPv6 address: 2003:AABB:CCDD:4380::GGGG:HHHH:IIII:9023
(connectivity fine -> check)

-> my client
- IPv6 address: 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD

So from that point of view, every device has an IPv6 address assigned.

But a tracert from my client does not work:

tracert -6 heise.de

Routenverfolgung zu heise.de [2a02:2e0:3fe:1001:302::]
über maximal 30 Hops:

  1     2 ms     3 ms     2 ms  fritz.box [2003:AABB:CCDD:4380::GGGG:HHHH:IIII:901f]
  2     *        *        *     Zeitüberschreitung der Anforderung.
...

(Hop 1 seems to be the 4040, despite not being the same address as shown in the admin panel of the FritzBox 4040.)

So interestingly, the FritzBox 4040 has a slightly different address in the tracert, but the device seems plausible.

In the firewall logs (Live View) from the OPNsense, I find:

lan      Sep 4 23:47:00   2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD (my client) 2a02:2e0:3fe:1001:302::   ipv6-icmp   Default deny rule  :o

So, a big part of my IPv6 traffic seems to be blocked by the default rule.
By the way, I did not change the firewall rules (all default or autogenerated).

At the same time my internet connectivity works with IPv4.

I don't understand why this legitimate traffic from my client is blocked.
Can you help me?
I can only connect via IPv6 from my client, if I add two rules to OPNsense, see firewall-rules-lan.JPG:

LAN: Allow all IPv6 IPV6-ICMP incoming, Allow IPv6 TCP/UDP incoming

Why?

Attached, you'll find the floating rules (standard).
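Added example (not part of the post, and not code from OPNsense or AVM): a small Python script that does the two checks a reader would want to run on a setup like the one above before touching the rules. First, it verifies that each delegated prefix in the chain (ISP /56 -> OPNsense /57 -> FritzBox 4040 /62) is actually carved out of the one above it. Second, it parses a Live View entry in the shape of the one quoted in the post and says whether the denied packet's source sits inside the OPNsense LAN interface's own subnet (which is what the autogenerated "LAN net" source of the default LAN allow rule matches), only inside the larger delegated prefix, or outside both. The prefixes are the ones listed in the post; the LAN interface /64 is an assumption (inferred from the 4040's WAN address, not stated in the post), and the client address in the sample log line is a constructed value, since the post's is anonymized with non-hex letters.

```python
import ipaddress
import re

# Prefix chain as listed in the post (anonymised, but syntactically valid hex).
UPSTREAM_PD = ipaddress.IPv6Network("2003:aabb:ccdd:4300::/56")   # FritzBox 7490, from the ISP
OPNSENSE_PD = ipaddress.IPv6Network("2003:aabb:ccdd:4380::/57")   # OPNsense WAN via DHCPv6-PD
FRITZ4040_PD = ipaddress.IPv6Network("2003:aabb:ccdd:4364::/62")  # FritzBox 4040 behind OPNsense

# ASSUMPTION (not stated in the post): the OPNsense LAN interface holds the first /64
# of its delegated /57. Inferred from the 4040's WAN address (...:4380::...).
OPNSENSE_LAN_NET = ipaddress.IPv6Network("2003:aabb:ccdd:4380::/64")

# Constructed Live View line in the shape of the one quoted in the post. The client
# address is made up (inside the 4040's /62); the post's own value is anonymised.
SAMPLE_LOG = ("lan      Sep 4 23:47:00   2003:aabb:ccdd:4364::abad "
              "2a02:2e0:3fe:1001:302::   ipv6-icmp   Default deny rule")

LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<ts>[A-Za-z]{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[0-9A-Fa-f:]+)\s+"
    r"(?P<dst>[0-9A-Fa-f:]+)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<rule>.+?)\s*$"
)


def parse_live_view_line(line):
    """Split one Live View entry into interface, timestamp, addresses, protocol and rule label."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised Live View line: %r" % line)
    fields = m.groupdict()
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    return fields


def check_delegation_chain(upstream=UPSTREAM_PD, own=OPNSENSE_PD, downstream=FRITZ4040_PD):
    """Report whether each delegated prefix is really a sub-prefix of the one above it."""
    return {
        "own_pd_in_upstream": own.subnet_of(upstream),
        "downstream_pd_in_own": downstream.subnet_of(own),
        "downstream_pd_in_upstream": downstream.subnet_of(upstream),
    }


def classify_source(src, lan_net=OPNSENSE_LAN_NET, own_pd=OPNSENSE_PD):
    """Say which rule scope a packet's source address would fall into on the LAN side."""
    src = ipaddress.ip_address(src)
    if src in lan_net:
        return "lan_net"          # matched by a rule whose source is "LAN net"
    if src in own_pd:
        return "delegated_only"   # routed prefix behind LAN, but not the LAN interface subnet
    return "foreign"              # neither; only a rule with source "any" would match


def triage(line):
    """Combine the parser and the scope check for one denied packet."""
    entry = parse_live_view_line(line)
    return {
        "iface": entry["iface"],
        "proto": entry["proto"],
        "rule": entry["rule"],
        "source_scope": classify_source(entry["src"]),
    }


if __name__ == "__main__":
    print(check_delegation_chain())
    print(triage(SAMPLE_LOG))
```

Running it on the post's prefixes shows that 2003:AABB:CCDD:4364::/62 is inside the ISP's /56 but not inside the /57 that OPNsense was delegated (4380::/57 covers 4380 through 43FF), so a source in that /62 would not be matched by a "LAN net" rule on OPNsense. The script only reports scopes; whether that is the cause of the deny entries is something to confirm against the actual interface addresses and the attached rule screenshots.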