[Workaround] IPv6: Access via browser not possible, ping6 and telnet are working

Started by Space, September 12, 2016, 08:56:59 PM

Hi Everyone,

I have set up my first real firewall with OPNsense 16.7 and almost everything is working fine except connection to *some* IPv6 hosts. I have done the following steps:

- FritzBox: enabled "DNS-Server und IPv6-Präfix (IA_PD)zuweisen" (assign DNS server + IPv6 prefix) + OPNsense configured as "exposed host" inside Fritzbox
- OPNsense: DHCPv6 enabled on WAN + Request only an IPv6 prefix, Directly send SOLICIT, DHCPv6 Prefix Delegation size: 62, Send IPv6 prefix hint, on LAN I am running with Track Interface + IPv6 Interface: WAN and IPv6 Prefix ID 3

Situation is like this:

- from a tablet connected to FritzBox WLAN I can access the external IPv6 address (provided by Cable provider) without problem --> ssh + https connection (on high port) possible
- from OPNsense itself both ping and test port (same high port) are successful
- from linux system (on LAN) ping and telnet to that port are possible, but browser times out. I only see "Connected" and that's it ...

Does anyone have an idea what might cause this? When I connect the Linux box to FritzBox https connection is working immediately.

Thank you for any hints ... if you need further info just let me know!

Best regards,

   Jogi


Hi fabian,

no, the default pass rules for LAN are available both for IPv4 and IPv6. Also strange is that e.g. https://ipv6.google.com works just fine. There are no entries in FW log and no entries in IDS alerts.

How can I trace this down?

Thanks for your help!

Best regards,

   Space


Hi,

it looks like this:

No. Time Source Destination Protocol Length Info
1 0 opnsense fritzbox TCP 94 47942  >  49214 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=265396100 TSecr=0 WS=128
2 60522 fritzbox opnsense TCP 94 49214  >  47942 [SYN, ACK] Seq=0 Ack=1 Win=14280 Len=0 MSS=1440 SACK_PERM=1 TSval=26226420 TSecr=265396100 WS=16
3 60662 opnsense fritzbox TCP 86 47942  >  49214 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=265396118 TSecr=26226420
4 60989 opnsense fritzbox TCP 298 47942  >  49214 [PSH, ACK] Seq=1 Ack=1 Win=28800 Len=212 TSval=265396118 TSecr=26226420
5 100945 fritzbox opnsense TCP 86 49214  >  47942 [ACK] Seq=1 Ack=213 Win=15360 Len=0 TSval=26226426 TSecr=265396118
6 364398 fritzbox opnsense TCP 97 [TCP Previous segment not captured] 49214  >  47942 [PSH, ACK] Seq=1409 Ack=213 Win=15360 Len=11 TSval=26226451 TSecr=265396118
7 364582 opnsense fritzbox TCP 98 [TCP Window Update] 47942  >  49214 [ACK] Seq=213 Ack=1 Win=29952 Len=0 TSval=265396209 TSecr=26226426 SLE=1409 SRE=1420
8 10362150 opnsense fritzbox TCP 98 [TCP Keep-Alive] 47942  >  49214 [ACK] Seq=212 Ack=1 Win=29952 Len=0 TSval=265399209 TSecr=26226426 SLE=1409 SRE=1420
9 10406805 fritzbox opnsense TCP 86 [TCP Keep-Alive ACK] 49214  >  47942 [ACK] Seq=1420 Ack=213 Win=15360 Len=0 TSval=26227456 TSecr=265396209


The connection is set up but then nothing happens...

Best regards,

   Space
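
An added example (my own, not code from the thread): it parses the summary lines quoted above, tracks the relative sequence numbers per direction, and reports where data arrived past the bytes seen so far, i.e. the uncaptured segment behind Wireshark's "Previous segment not captured". It assumes the column layout shown (No. Time Source Destination Protocol Length Info) and that every segment carries the 12-byte TCP timestamps option, which is what makes the pure ACK frames 86 bytes (14 Ethernet + 40 IPv6 + 20 TCP + 12).

```python
import re

# Constructed copy of the summary lines quoted in the post above (relative TCP seq numbers).
CAPTURE = """\
1 0 opnsense fritzbox TCP 94 47942  >  49214 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=265396100 TSecr=0 WS=128
2 60522 fritzbox opnsense TCP 94 49214  >  47942 [SYN, ACK] Seq=0 Ack=1 Win=14280 Len=0 MSS=1440 SACK_PERM=1 TSval=26226420 TSecr=265396100 WS=16
3 60662 opnsense fritzbox TCP 86 47942  >  49214 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=265396118 TSecr=26226420
4 60989 opnsense fritzbox TCP 298 47942  >  49214 [PSH, ACK] Seq=1 Ack=1 Win=28800 Len=212 TSval=265396118 TSecr=26226420
5 100945 fritzbox opnsense TCP 86 49214  >  47942 [ACK] Seq=1 Ack=213 Win=15360 Len=0 TSval=26226426 TSecr=265396118
6 364398 fritzbox opnsense TCP 97 [TCP Previous segment not captured] 49214  >  47942 [PSH, ACK] Seq=1409 Ack=213 Win=15360 Len=11 TSval=26226451 TSecr=265396118
7 364582 opnsense fritzbox TCP 98 [TCP Window Update] 47942  >  49214 [ACK] Seq=213 Ack=1 Win=29952 Len=0 TSval=265396209 TSecr=26226426 SLE=1409 SRE=1420
8 10362150 opnsense fritzbox TCP 98 [TCP Keep-Alive] 47942  >  49214 [ACK] Seq=212 Ack=1 Win=29952 Len=0 TSval=265399209 TSecr=26226426 SLE=1409 SRE=1420
9 10406805 fritzbox opnsense TCP 86 [TCP Keep-Alive ACK] 49214  >  47942 [ACK] Seq=1420 Ack=213 Win=15360 Len=0 TSval=26227456 TSecr=265396209
"""

IPV6_HDR, TCP_HDR, TS_OPT = 40, 20, 12  # TS_OPT: timestamps option, NOP-padded to 12 bytes

LINE_RE = re.compile(r"^(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+(.*)$")
FIELD_RE = re.compile(r"\b(Seq|Ack|Len|MSS)=(\d+)")

def parse(capture):
    """Yield one dict per line: packet no, direction, SYN flag and the numeric fields."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = {k: int(v) for k, v in FIELD_RE.findall(m.group(4))}
            yield {"no": int(m.group(1)), "dir": (m.group(2), m.group(3)),
                   "syn": "[SYN" in m.group(4), **fields}

def find_gaps(capture):
    """Return (gaps, mss); each gap is (packet no, direction, first missing byte, size)."""
    expected, mss, gaps = {}, None, []
    for p in parse(capture):
        d = p["dir"]
        if p["syn"]:                        # SYN consumes one sequence number
            expected[d] = p["Seq"] + 1
            mss = min(filter(None, (mss, p.get("MSS"))), default=None)  # smaller side wins
            continue
        if p["Len"] == 0:                   # pure ACKs and keep-alives carry no data
            continue
        exp = expected.get(d, 0)
        if p["Seq"] > exp:                  # data arrived past the bytes seen so far
            gaps.append((p["no"], d, exp, p["Seq"] - exp))
        expected[d] = max(exp, p["Seq"] + p["Len"])
    return gaps, mss

def implied_packet_size(gap_bytes):
    """On-wire IPv6 packet size the uncaptured segment would have had."""
    return gap_bytes + IPV6_HDR + TCP_HDR + TS_OPT
```

For the lines above it reports one gap of 1408 bytes from fritzbox toward opnsense, which corresponds to a 1480-byte IPv6 packet that never reached the capture point while everything smaller did; a single large segment vanishing with no visible retransmission is the pattern of a path MTU black hole (a tunnel or link with a smaller MTU whose ICMPv6 Packet Too Big messages do not get back to the sender), which is worth checking before looking at rules or IDS.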

Hi,

ok, I am confused now ... I have run a trace on the Fritzbox (my internet GW) and I do not see *any* traffic of this connection in the packet trace ... could this issue be caused by some 6to4 tunnel that is used by my provider? Do I have to configure OPNsense differently then?

Thanks,

   Space

If your ISP doesn't provide native IPv6, it may be worthwhile trying a tunnel directly from OPNsense: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

Bart...

Hi,

I took the simple road ... since this was the only host (so far) that is not reachable from the backend systems directly via https (maybe because of the high port + https combination) I just use the proxy of OPNsense to access it ... works fine ... Case closed :)

Best regards,

   Space