Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
[solved] IPv6 firewall log - Source and Destination are inverted
« previous
next »
Print
Pages: [
1
]
Author
Topic: [solved] IPv6 firewall log - Source and Destination are inverted (Read 1428 times)
fred.bloggs
Newbie
Posts: 8
Karma: 0
[solved] IPv6 firewall log - Source and Destination are inverted
«
on:
December 16, 2023, 07:45:58 pm »
Hi,
we are currently adding IPv6 to our setup. The basics work well so far. The OPNsense gets its IPv6 /56 net, RA is working and all the clients and servers succesfully get their IPv6 "global" and "unique local" addresses from /64 subnets and can surf the internet (IPv6 and IPv4) without any problems. The clients and servers also can get pingend by their global IPv6s from the internet, so far so good.
Problems start when trying to open inbound ports from the internet for our servers in the DMZ. We added a firewall rule to the DMZ:
--
Action: pass
Interface: DMZ
Direction: in
IP Version: IPv6
Protocol: TCP
Source: any
Destination: <global IPv6 address of web server in DMZ>
Destination port range: 80
--
The connection to port 80 from the internet does not work and the live view of the firewall log shows this:
--
State: Block
Interface: DMZ
Direction: in
Source: <global IPv6 address of web server in DMZ>:80
Destination: <global IPv6 address of internet client trying to connect>:17619
Label: Default deny / state violation rule
--
It seems that the "source" and "destination" are inverted?!
I do not understand why and what to do here to get inbound connections working. I hope that someone can give me a hint regarding this issue.
Version: 23.7.10_1
Architecture: amd64
«
Last Edit: January 04, 2024, 06:19:15 pm by fred.bloggs
»
Logged
tiermutter
Hero Member
Posts: 1097
Karma: 61
Re: IPv6 firewall log - Source and Destination are inverted
«
Reply #1 on:
December 16, 2023, 09:02:54 pm »
No idea why it is inverted in log, but allowing inbound v6 should be done on WAN interface even if the destination is in LAN / DMZ.
Logged
i am not an expert... just trying to help...
fred.bloggs
Newbie
Posts: 8
Karma: 0
Re: IPv6 firewall log - Source and Destination are inverted
«
Reply #2 on:
December 17, 2023, 02:44:59 pm »
Thanks for you reply. Setting the rule on the WAN interface did not help.
Are you sure it needs to be set on the WAN and not the DMZ? In firewall logs live view the connection attempt hits on DMZ and not WAN, though source and destination are inverted as described in the first post.
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: IPv6 firewall log - Source and Destination are inverted
«
Reply #3 on:
December 17, 2023, 03:03:29 pm »
When you inspect the block log entries more closely, you may find that those are indeed blocks because of state violations for the answers going out, which also explains why they seem to have inverse source and destinations.
Sometimes, there are early ACK packets that cause this. Also, HTTP/3 is a problem - I have not yet found how to enable that with OpnSense.
And yes, you have to open the IPv6 ports on the WAN port.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
fred.bloggs
Newbie
Posts: 8
Karma: 0
Re: IPv6 firewall log - Source and Destination are inverted
«
Reply #4 on:
December 17, 2023, 03:46:26 pm »
Thank you for verifying that the rule needs to be set in WAN interface.
It is a very strange behaviour as this also happens with ssh access on port 22, so the problem should not only be related to HTTP/3.
Even if I delte all the inbound rules on WAN or DMZ (as non of them work anyway) and try to connect via ssh to the IPv6 of our server in the DMZ, the connection attepts are only shown on the DMZ interface, not on the WAN interface - but as stated - in reverse order.
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: IPv6 firewall log - Source and Destination are inverted
«
Reply #5 on:
December 17, 2023, 04:08:19 pm »
You can enable logging in your incoming WAN allow rule to see if it is triggered at all.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
fred.bloggs
Newbie
Posts: 8
Karma: 0
Re: [solved] IPv6 firewall log - Source and Destination are inverted
«
Reply #6 on:
January 04, 2024, 06:24:31 pm »
It was no OPNsense problem, it was a routing Problem of IPv6 before the OPNsense.
Just for reference: The OPNsense is running on a Proxmox host on a hetzner dedicated server. When following the setup described in hetzner wiki
https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve/de
for routed setup, the Proxmox host automatically adds a route to an internal vmbridge. Use "ip -6 r" to check. This route causes the trouble. Manually deleting the route on the Proxmox host solves the issue, but needs to be deleted manually after ever reboot.
To prevent this behaviour, edit /etc/network/interfaces:
pre-up sysctl -w net.ipv6.conf.default.accept_ra=0
pre-up sysctl -w net.ipv6.conf.default.autoconf=0
pre-up sysctl -w net.ipv6.conf.all.autoconf=0
pre-up sysctl -w net.ipv6.conf.all.forwarding=1
It is important to add ...default... with only ...all... it did not work.
«
Last Edit: January 04, 2024, 09:14:24 pm by fred.bloggs
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
[solved] IPv6 firewall log - Source and Destination are inverted