Topic: Problems with IPv6 and Firewall rules (deny all)? (Read 1917 times)
Beowulf (Newbie, Posts: 4, Karma: 0), on: September 04, 2021, 11:53:37 pm
Dear reader,
I can't get my head around this problem:
My network setup (simplified):
WWW -> FritzBox 7490 -> OPNsense Firewall -> FritzBox 4040 (one of two routers, the other router is for a different network) -> my client
My OPNsense version:
21.7.1
I want to use IPv6 on the client.
The following IP addresses are anonymized.
WWW (Deutsche Telekom AG, prefix: /56) -> FritzBox 7490
- delegated prefix: 2003:AABB:CCDD:4300::/56
- IPv6 address: 2003:AABB:CCEE:FFFF:GGGG:HHHH:IIII:JJJJ
(connectivity fine -> check)
-> OPNsense Firewall
Configuration:
Interface WAN:
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration:
- Request only an IPv6 prefix checked
- Prefix delegation size: 57 (maximum possible)
- Send IPv6 prefix
Overview:
- delegated prefix: 2003:AABB:CCDD:4380::/57
- IPv6 address: 2003:AABB:CCDD:4300::GGGG:HHHH:IIII:JJJJ
(connectivity (trace route) fine -> check)
-> FritzBox 4040
- delegated prefix: 2003:AABB:CCDD:4364::/62
- IPv6 address: 2003:AABB:CCDD:4380::GGGG:HHHH:IIII:9023
(connectivity fine -> check)
-> my client
- IPv6 address: 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD
So from that point of view, every device has an IPv6 address assigned.
But a tracert from my client does not work:
tracert -6 heise.de
Routenverfolgung zu heise.de [2a02:2e0:3fe:1001:302::] über maximal 30 Hops:
1 2 ms 3 ms 2 ms fritz.box [2003:AABB:CCDD:4380::GGGG:HHHH:IIII:901f] (this seems to be the 4040, despite not being the same address as shown in the admin panel of the FritzBox 4040)
2 * * * Zeitüberschreitung der Anforderung.
...
So interestingly, the FritzBox 4040 has a slightly different address in the tracert, but the device seems plausible.
In the firewall logs (Live View) from the OPNsense, I find:
lan Sep 4 23:47:00 2003:AABB:CCDD:4364::XABC::DEFG::YBDG::ABAD (my client) 2a02:2e0:3fe:1001:302:: ipv6-icmp Default deny rule
So, a big part of my IPv6 traffic seems to be blocked by the default rule.
By the way, I did not change the firewall rules (all default or autogenerated).
At the same time my internet connectivity works with IPv4.
I don't understand why this legitimate traffic from my client is blocked.
Can you help me?
Last Edit: September 05, 2021, 12:00:20 am by Beowulf

Beowulf (Newbie, Posts: 4, Karma: 0), Reply #1 on: September 05, 2021, 11:39:55 am
I can only connect via IPv6 from my client, if I add two rules to OPNsense, see firewall-rules-lan.JPG:
LAN: Allow all IPv6 IPV6-ICMP incoming, Allow IPv6 TCP/UDP incoming
Why?

Beowulf (Newbie, Posts: 4, Karma: 0), Reply #2 on: September 05, 2021, 11:40:55 am
Attached, you'll find the floating rules (standard).