OPNsense blocking IP6 traffic

Started by Alpha_DE, June 27, 2024, 09:31:24 PM

Hey!

A user of my system reported issues accessing my IMAP server by IPv6.

After some digging around, I found his IPv6 in the firewall logs:

17,,,02f4bab031b57d1e30553ce08e0ec131,vtnet4,match,block,in,6,0x00,0xeb111,64,tcp,6,40,2a01:XXXX:fe02::110,2a00:XXXX:ea05,993,61465,0,SA,3642631772,3523825403,21420,,mss;sackOK;TS;nop;wscale

Rule 17, label 02f4bab031b57d1e30553ce08e0ec131 is the global IPv4/6 Default deny / state violation rule

@16 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
  [ Evaluations: 1886      Packets: 279       Bytes: 12488       States: 0     ]
  [ Inserted: uid 0 pid 79740 State Creations: 0     ]
@17 block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
  [ Evaluations: 1886      Packets: 427       Bytes: 45298       States: 0     ]
  [ Inserted: uid 0 pid 79740 State Creations: 0     ]


I inserted a specific rule for his addresses (besides that, the mail server has its v4/v6 rules allowing access to all mail ports). I see other v6 addresses with the same issue; on v4, it works.

OPNsense 24.1.9_4-amd64

Anybody have a good idea how to solve that? I was told it started recently, might be around the 24.1.9 update.

I did some more checks and the firewall blocks *all* IPv6 traffic with the "Default deny / state violation rule" even when a matching global ACCEPT rule on all interfaces is defined.

@Franco Looks like the packet filter is not processing any IPv6 rules despite that they're shown in the GUI.

Of course, IPv6 is enabled in the Interface settings.

I seem to be running into the same problem, i.e. OPNsense blocking all IPv6 via "default deny" even though there is an express allow IPv6 to any rule.

If you don't show your "allow" rules, it's difficult to diagnose what might be wrong with them.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
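
The log line quoted in the first post, decoded field by field, as an added example that is not part of any post in this thread. The column names are labels chosen here for filterlog's IPv6/TCP record layout, and `classify` is a hypothetical helper that reports whether a blocked segment was a bare SYN (a new connection no pass rule accepted) or a segment that only passes when it matches an existing state.

```python
# Column labels are chosen for this example; order follows filterlog's IPv6/TCP record.
COMMON = ["rulenr", "subrulenr", "anchor", "label", "interface",
          "reason", "action", "direction", "ipversion"]
IPV6 = ["tclass", "flowlabel", "hoplimit", "proto", "protonum",
        "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "flags", "seq", "ack",
       "window", "urg", "options"]

# The log line from the first post (addresses redacted by the poster).
SAMPLE = ("17,,,02f4bab031b57d1e30553ce08e0ec131,vtnet4,match,block,in,6,"
          "0x00,0xeb111,64,tcp,6,40,2a01:XXXX:fe02::110,2a00:XXXX:ea05,"
          "993,61465,0,SA,3642631772,3523825403,21420,,"
          "mss;sackOK;TS;nop;wscale")


def parse_filterlog(line):
    """Parse one IPv6/TCP filterlog record into a dict; reject anything else."""
    parts = line.strip().split(",")
    if len(parts) < len(COMMON) or parts[8] != "6":
        raise ValueError("not an IPv6 filterlog record")
    rec = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    rec.update(zip(IPV6, rest))
    if rec.get("proto") != "tcp":
        raise ValueError("only TCP records are handled in this example")
    tcp = rest[len(IPV6):]
    if len(tcp) < len(TCP):
        raise ValueError("truncated TCP record")
    rec.update(zip(TCP, tcp))
    return rec


def classify(rec):
    """Say what kind of TCP segment hit the block rule."""
    if rec["action"] != "block":
        return "not-blocked"
    flags = rec["flags"]
    if flags == "S":
        return "new-connection"    # bare SYN: no pass rule matched it
    if "S" in flags and "A" in flags:
        return "handshake-reply"   # SYN-ACK: a reply that matched no existing state
    return "mid-stream"            # any other segment without a matching state


if __name__ == "__main__":
    r = parse_filterlog(SAMPLE)
    print(r["interface"], r["direction"], r["src"], r["sport"], "->",
          r["dst"], r["dport"], r["flags"], classify(r))
```

For the quoted line this reports a SYN-ACK with source port 993 arriving inbound on vtnet4.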