Cannot forward link local ipv6 addresses on mobil phone

[YipieKaie]

I have now put back a backup and run the patch again
so fahr no fault really dont know what was going wrong
and no mismatch of the Rule.php any longer

20min now no more fault on screen i think its working

Thx alot Franco for the help

//Peter

[YipieKaie]

Crap now its back again

I post the Rule.php anyway if you wana take a look

//Peter

[muchacha_grande]

Hi, I have the same problem. It has been happening for a long time.
I use OPNSense virtualized on ESXi and the virtual console is filled with these messages.

[YipieKaie]

Hi muchacha_grande

Did you upd to OPNsense 2.7_4?
I did not have any problem before i upd

Did you read what Franco wrote?

Small typo there it seems:

https://github.com/opnsense/core/commit/fe52702a8b0

So patch command is:

# opnsense-patch b5bda2bda fe52702a8b0

After a filter reload the issue should be gone.


//Peter

[muchacha_grande]

Hi @YipieKaie

Did you upd to OPNsense 2.7_4?

I'm running 22.7_4 already.

Did you read what Franco wrote?

Small typo there it seems:

https://github.com/opnsense/core/commit/fe52702a8b0

So patch command is:

# opnsense-patch b5bda2bda fe52702a8b0

After a filter reload the issue should be gone.


//Peter

I'll give a try to these patches...

thank you.

[franco]

If the issue existed piror to 22.7 we might be chasing shadows here.

For one, conceptionally the message is just what it is: an information that link local packets cannot be forwarded to a global IPv6 address. This is a fact and probably not an operational issue.

Instead, let's try to pin down the message in the network stack:

https://github.com/opnsense/src/blob/3edcfbc578fd9df737aac660ea0aa85b680a8123/sys/netinet6/ip6_forward.c#L202-L231

This is very likely caused by the "route-to" (firewall rule gateway) setting, something that might need to be prevented inside pf code itself. If you set a gateway rule without a matching address link-local address on the interface could match as well causing this to happen in the first place (despite the explicit link-local handling we have added in 22.7).


Cheers,
Franco

[YipieKaie]

Hello again m8

After spending a bit more of time i know what my problem
is, its the mobile phones that dont get any IPV6 IP
only a link local address. so its something wrong
in OPNsense  i think. This was ok before upd to 22.7

//Peter

[franco]

I tend to disagree, unless you have a packet capture with a GUA destination and a link-local source but then it's the phone not the OPNsense? oO


Cheers,
Franco

[YipieKaie]

Yoo Franco

But something must have been changed in22.7
because it was working before and i have not
changed anything in the setup.

And the strange is that its only 2a03:2880 facebook
address that fuck this up no other addresses


//Peter

[franco]

Well, the basic question now is what device is fe80:1::9c68:c6ff:fe81:a8b3 and why does it insist on connecting to facebook using the wrong source address (scope)?


Cheers,
Franco

[YipieKaie]

If i take my old phone

fe80:1::4e66:41ff:fec4:aabd <get this lnik lokal
4c:66:41:c4:aa:bd < mac address


i dont know why the only thing i know is
it started after update 22.7

[franco]

So 22.7 makes the phone send invalid IPv6 packets by messing up its scope addressing? While I agree that it may not get a GUA to pull this off it shouldn't be sending this and I have the feeling a Facebook app is involved as well?


Cheers,
Franco

[YipieKaie]

Could be like you say an app but if its an app
it should give same problem when i use my pc
at facebook i presume, but it doesn´t

//Peter

[muchacha_grande]

In my case I can confirm that all link local addresses are from smart phones and tablets. All of them Lineage OS except for one that still has Android.
None of the devices gets IPv6 because I'm not using SLAAC, just DHCPv6.
But it seems that they are sending some IPv6 packets using the link local...

[YipieKaie]

Thx muchacha_grande for the input

I still think that its 22.7 makes the phone sending
invalid IPv6 packets by messing up its scope addressing

Or maybe it have been like this all the time but not
sending it to the console until the new upd 22.7.

But i am confused why its only the facebook Ip if
surfing on Tradera nothing happend but immediately
when starting facebook it pop up at the console

Even it looks like it send some check every 10-20 min
when facebook is not active (closed) on the phone

//Peter