Cannot forward link local ipv6 addresses on mobil phone

[YipieKaie]

The uppdate went well accept this?
Thx for a good joob

OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022

firewall: do not emit link-local address on IPv6 network outbound NAT

cannot forward src fe80:1::9c68:c6ff:fe81:a8b3 dst 2a03:2880:f00a:8:face:b00c:0:2 nxt 6 rcvif em0 outif em1

[franco]

Geez, I hate this issue. ;)

I think I know what's wrong if you can confirm the issue persists after a reboot of 22.7.


Cheers,
Franco

[YipieKaie]

Yes it does, dont help reboot

//Peter

[franco]

Hi Peter,

Untested patch at https://github.com/opnsense/core/commit/b5bda2bda

Will try to confirm on Monday.


Cheers,
Franco

[YipieKaie]

Thx Franco it will be interesting!
I hope it works

Tjoooo
//Peter

[franco]

Small typo there it seems:

https://github.com/opnsense/core/commit/fe52702a8b0

So patch command is:

# opnsense-patch b5bda2bda fe52702a8b0

After a filter reload the issue should be gone.


Cheers,
Franco

[YipieKaie]

Hello again Franco

I did the patch but sorry to say
same problem persists

//Peter

[franco]

Hi Peter,

Not sure if this applied correctly or was reconfigured properly or some other issue at play...

# grep -n 'inet6.*-to*fe80' /tmp/rules.debug

This would show all bad rules (if they still exist).


Cheers,
Franco

[YipieKaie]

Hello Franco

Here is the file

//Peter

[franco]

That's just the start of the file :D I simply need the output of "grep -n 'inet6.*-to*fe80' /tmp/rules.debug" (there may be none which is what should be the case).


Cheers,
Franco

[YipieKaie]

Did you get the file Franco?

//Peter

[YipieKaie]

Hi Franco
I have now a mismatch checksum in my Rule .php
after the patch?

//Peter

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Mon Aug  1 15:04:14 CEST 2022
>>> Check installed kernel version
Version 22.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-theme-cicada 1.29
os-theme-rebellion 1.8.8



>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ....
opnsense-22.7_4: checksum mismatch for /usr/local/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
Checking all packages......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: .

[franco]

Where did you send it? The modification of Rule.php is expected at least.


Cheers,
Franco

[YipieKaie]

Sorry Franco missunderstand you about the file  ;D

I have now put back a backup and run the patch again
so fahr no fault really dont know what was going wrong
and no mismatch of the Rule.php any longer


//Peter

[franco]

Hi Peter,

Thanks, I cannot find any indication of the problem with the patch at hand.

The only rule where the patch still applies is:

pass in log quick on em0 inet6 from {(em0:network),fe80::/10} to {any} keep state label "b868871c1924b50b684c1addaeb35adb" # : Default allow LAN IPv6 to any rule

and that doesn't have a "route-to" or "reply-to".

It seems we either hit a dead end or an older issue.


Cheers,
Franco