No access via IPv6 to the firewall itself, even though rules SHOULD permit it

Started by lrosenman, May 25, 2022, 11:37:32 PM

In the current 22.1.8 the firewall will NOT allow SSH or HTTPS connections to its LAN IP addresses, even though there is an EXPLICIT rule allowing ANY IPv6 from my home block to "THIS FIREWALL" any / any.

This USED TO WORK.

Ideas?

What all do you need from me to diagnose?

FTR: IPv6 beyond the FW works just fine.  It's just access to the FW itself.

root@fw:~ # last -n 20
root       pts/1    76.250.255.117         Wed May 25 16:46   still logged in
root       pts/1    76.250.255.117         Wed May 25 16:46 - 16:46  (00:00)
root       pts/1    2602:fcdb:0:10::53:2   Wed May 25 16:23 - 16:24  (00:00)
ler        pts/1    76.250.255.117         Wed May 25 16:19 - 16:20  (00:00)
ler        pts/1    76.250.255.117         Wed May 25 15:55 - 15:55  (00:00)
root       pts/1    76.250.255.117         Wed May 25 15:24 - 15:25  (00:00)
root       pts/1    76.250.255.117         Wed May 25 15:07 - 15:08  (00:00)
root       pts/1    76.250.255.117         Wed May 25 15:05 - 15:05  (00:00)
root       pts/1    76.250.255.117         Wed May 25 15:03 - 15:04  (00:00)
root       pts/0    2602:fcdb:0:10::53:2   Wed May 25 15:00 - 16:47  (01:46)
root       pts/0    76.250.255.117         Wed May 25 14:54 - 14:55  (00:00)
root       pts/0    76.250.255.117         Wed May 25 12:43 - 12:43  (00:00)
root       pts/0    76.250.255.117         Wed May 25 12:42 - 12:42  (00:00)
root       pts/0    76.250.255.117         Wed May 25 12:41 - 12:41  (00:00)
root       pts/0    76.250.255.117         Wed May 25 12:19 - 12:34  (00:15)
root       pts/0    76.250.255.117         Wed May 25 12:18 - 12:18  (00:00)
shutdown time                              Wed May 25 12:14
root       pts/0    2600:1700:210:b18f:b92 Wed May 25 10:39 - 10:39  (00:00)
root       pts/0    2600:1700:210:b18f:b92 Wed May 25 10:39 - 10:39  (00:00)
root       ttyv0                           Wed May 25 09:05 - 09:07  (00:01)

Note: prior to the shutdown, the 2600:1700 addresses (from the SAME MAC at home) worked; after the reboot it only works for the IPv4 address.

<SOMETHING> in 22.1.8 broke <SOMETHING>

With the 13.1-RELEASE OS, I can't ssh from outside AT ALL to the FW.

After 13.1-R was up for a while, IPv4 works again, still no luck with IPv6 ssh to the FW.

Running 22.1.8 here. While I haven't previously tried to SSH to the OPNsense LAN interface via IPv6 (I've only used IPv4), I can confirm I'm seeing similar behaviour.

I don't have any custom rules or MAC filtering in place on my LAN side to prevent this. And if I watch the real time log, OPNsense will show a green permit as if the connection were allowed, but it will time out. IPv4 works as it always did, and also shows the same green entry in the live view. Screenshot attached.



Sorry for reviving this thread, but I did not find a suitable topic.

I have the same problem running OPNsense 22.7.10_2.

I have IPv4 and IPv6 set up on the LAN interface.

This is my config in Administration:

Secure Shell Server [x] Enable Secure Shell
Login Group wheel, admins
Root Login [x] Permit root user login
Authentication Method [x] Permit password login
SSH port 22
Listen Interfaces LAN


:~ # netstat -an | grep 22
tcp4       0      0 192.168.1.1.22         *.*                    LISTEN
tcp4       0      0 127.0.0.1.22           *.*                    LISTEN
tcp6       0      0 ::1.22                 *.*                    LISTEN


Seems like it is only listening on the IPv4 LAN address, not on the IPv6 address.

igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether dc:58:bc:e0:24:7b
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::<redacted>:247b%igb2 prefixlen 64 scopeid 0x3
        inet6 2a00:<redacted>:247b prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


Other than that, like OP my IPv6 generally works. Just not for ssh to the firewall.
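The netstat check in the post above can be scripted so that it is unambiguous which addresses sshd is actually bound to, and whether that set covers the LAN interface's global IPv6 address at all. The following is an added example, not code from this thread or from OPNsense: it parses FreeBSD-style `netstat -an` and `ifconfig` output, lists the TCP listeners on the SSH port, and reports for each non-link-local IPv6 address of the interface whether a tcp6 or tcp46 listener is bound to it or to the wildcard. The samples embedded in it are constructed (interface name, MAC, the 2001:db8:: documentation prefix and the `tcp46 *.443` line are placeholders chosen to show both the failing and the covered case); on a real box pipe the live command output into the functions instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread): does sshd's listener set cover the LAN
# interface's global IPv6 address? Works on the constructed samples below; on a
# FreeBSD/OPNsense box feed `netstat -an` and `ifconfig <iface>` into the functions.

# Constructed sample of FreeBSD `netstat -an` output (shape matches the thread).
NETSTAT_SAMPLE='tcp4       0      0 192.168.1.1.22         *.*                    LISTEN
tcp4       0      0 127.0.0.1.22           *.*                    LISTEN
tcp6       0      0 ::1.22                 *.*                    LISTEN
tcp46      0      0 *.443                  *.*                    LISTEN
tcp4       0      0 192.168.1.1.22         192.168.1.50.51234     ESTABLISHED'

# Constructed sample of `ifconfig igb2` output; 2001:db8::/32 is documentation space.
IFCONFIG_SAMPLE='igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::de58:bcff:fee0:247b%igb2 prefixlen 64 scopeid 0x3
        inet6 2001:db8:10::1 prefixlen 64'

# listeners_for_port PORT   (netstat -an on stdin)
# Prints "PROTO ADDR" for every TCP socket in LISTEN state bound to PORT. FreeBSD
# writes the port after the last dot of the local address, so "::1.22" is [::1]:22.
listeners_for_port() {
  awk -v p="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      addr = $4
      if (sub("\\." p "$", "", addr)) print $1, addr
    }'
}

# global_ipv6_addrs   (ifconfig output on stdin)
# Prints the non-link-local IPv6 addresses (drops fe80::/10 and any %zone suffix).
global_ipv6_addrs() {
  awk '$1 == "inet6" && $2 !~ /^fe80:/ { sub(/%.*/, "", $2); print $2 }'
}

# ipv6_listener_covers ADDR PORT   (netstat -an on stdin)
# Exit 0 if an IPv6-capable listener (tcp6 or tcp46) on PORT is bound to ADDR or to
# the wildcard ("*" / "::"), exit 1 otherwise.
ipv6_listener_covers() {
  listeners_for_port "$2" | awk -v a="$1" '
    ($1 == "tcp6" || $1 == "tcp46") && ($2 == a || $2 == "*" || $2 == "::") { hit = 1 }
    END { exit hit ? 0 : 1 }'
}

# check_ssh_ipv6 PORT: run the check over the constructed samples. Prints one line
# per global IPv6 address of the interface; returns 1 if any of them is uncovered.
check_ssh_ipv6() {
  port="${1:-22}"
  status=0
  have=$(printf '%s\n' "$NETSTAT_SAMPLE" | listeners_for_port "$port" | awk '{print $2}' | tr '\n' ' ')
  for a in $(printf '%s\n' "$IFCONFIG_SAMPLE" | global_ipv6_addrs); do
    if printf '%s\n' "$NETSTAT_SAMPLE" | ipv6_listener_covers "$a" "$port"; then
      echo "ok: port $port has an IPv6 listener covering $a"
    else
      echo "missing: no IPv6 listener covers [$a]:$port (listeners: $have)"
      status=1
    fi
  done
  return $status
}

check_ssh_ipv6 22 || echo "result: at least one global IPv6 address has no SSH listener"
```

With the constructed sample the script reports `missing` for the global address, which is exactly the situation in the netstat output above: sshd is bound to 192.168.1.1, 127.0.0.1 and ::1 only. The value of running this first is that it separates a listener problem from a packet-filter problem: if the socket list already lacks the interface's IPv6 address, no firewall rule (and no green entry in the live log) can make the connection succeed, and the place to look is the SSH "Listen Interfaces" binding rather than the rule set. The port 443 line shows the contrast, where a tcp46 wildcard listener covers every address.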