Lost IPv6 on the router itself after upgrade

[Dronov]

OK, since I am not quite ready to give up my IPv6 connectivity yet, I spent some time looking at tcpdump output (for curl -6 http://google.com/), and here is what I see:

• Outbound packets are leaving with correct(ly NPT'ed) address, which corresponds to an externally visible IPv6 address on the opnsense box itself
• Response packets arrive to the same (correct external IPv6)
• But eventually packets never reach the curl socket, which to me means that either NPT does not catch them or some firewall rules block them directly

I suspect some changes either in NPT or default firewall rules broke my set up, but I have no idea how to troubleshoot it further. At the moment I do not have enough time to turn off NPT, and ultimately I do not want to do this either.

Could someone please give me an advice how to trace those incoming packets further, after I see them on ovpnc interface? Like I said they are clearly either not NPT'ed properly or reject by some new firewall rules.

[elektroinside]

There might be something wrong with the network stack (probably involving PPPoE links). It might not be related, but I'm also having intermittent IPv6 losses (my ISP has IPv6, so I'm not using tunnels). But if the stack gets broken somehow in some cases, might explain your issues (as well as mine).

The first thing to do is for Franco to figure out the culprit and confirm there is a stack issue, so this is the reason I'm not raising any red flags yet.

[marjohn56]

Could someone please give me an advice how to trace those incoming packets further, after I see them on ovpnc interface? Like I said they are clearly either not NPT'ed properly or reject by some new firewall rules.

So what else is working or not working on IPv6, can you ping an address? Do you have ipv6 addresses on the LAN side?

Use the Interfaces->Diagnostics, use both WAN and LAN IPv6 and make sure pings are working from both.

Once i understand what is and what is not working we can look deeper.

[Dronov]

Well, as far as I can test everything mostly works, except outbound v6 data transmission to the opnsense box itself. LAN is fully v6 enabled and LAN clients have no issues with v6 connectivity. Not a complete list, but some of the major cases I can think of:

• ping6 opnsense works from (any) LAN host
• ping6 google.com works from (any) LAN host
• traceroute6 google.com works from (any) LAN host
• curl -6 http://google.com/ works from (any) LAN host
• curl -6 http://LAN-PLEX-WEB/ works from a LAN host

• ping6 from opnsense to any LAN host works
• traceroute6 from opnsense to any LAN host works
• curl -6 http://LAN-PLEX-WEB/ works from opnbox

• ping6 google.com works from opnsense box
• traceroute6 google.com works from opnsense box

Pings work from command line (using the default source address), and from Interfaces -> Diagnostics:

• v4 ping works from default, LAN, localhost, OpenVPN
• v6 ping works from default, LAN
• v6 ping does NOT work from localhost (sendmsg: No route to host) and OpenVPN (0 packets received, but it's a site local address, not routable)

Code: [Select]

$ netstat -r
Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#5             UH          lo0
2000::/3           ovpnc2             US       ovpnc2
XXXX:YYY:ZZZ::/64  link#2             U          igb1
XXXX:YYY:ZZZ::8001 link#2             UHS         lo0
fd9d:a224:acef::/1 link#9             U        ovpnc2
fe80::%igb0/64     link#1             U          igb0
fe80::20d:b9ff:fe4 link#1             UHS         lo0
fe80::%igb1/64     link#2             U          igb1
fe80::20d:b9ff:fe4 link#2             UHS         lo0
fe80::%lo0/64      link#5             U           lo0
fe80::1%lo0        link#5             UHS         lo0
fe80::%ovpnc1/64   link#8             U        ovpnc1
fe80::20d:b9ff:fe4 link#8             UHS         lo0
fe80::20d:b9ff:fe4 link#9             UHS         lo0
fe80::%pppoe0/64   link#11            U        pppoe0
fe80::20d:b9ff:fe4 link#11            UHS         lo0
feed::/112         link#9             U        ovpnc2
feed::1002         link#9             UHS         lo0

XXXX:YYY:ZZZ -- internal prefix, NPT'ed to external one. XXXX:YYY:ZZZ::8001 -- opnsense box address

So the one of few things that does NOT work from opnsense box is curl -6 http://google.com/

Please let me know if I have missed any important pieces.

Thanks.

[marjohn56]

So from the shell, you don't get this

root@OPNsense:~ # curl -6 http://google.com/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.uk/?gfe_rd=cr&amp;dcr=0&amp;ei=WDSEWpUOy9byB47XgZgN">here</A>.
</BODY></HTML>

[Dronov]

Right, from the shell on the opnsense box I only get

Code: [Select]

opnsense@OPNsense:~ % curl -6 http://google.com/
curl: (7) Failed to connect to google.com port 80: Operation timed out

P.S. the same for root user:

Code: [Select]

root@OPNsense:~ # curl -6 http://google.com/
curl: (7) Failed to connect to google.com port 80: Operation timed out


[marjohn56]

And what V6 rules do you have on the Lan?

[Dronov]

Unfortunately I an not sure what is the best way to pull that information (please let me know if grep SOMETHING /tmp/rules.debug will be better), here is what I have in GUI: Firewall -> Rules -> LAN (there are mostly default, IIRC):

• Anti-Lockout Rule (it's both v4 and v6 if I am not mistaken)
• Direct LAN IPV6 to Firewall (LAN net -> This Firewall)
• Default allow LAN IPv6 to any rule (LAN net -> any)

Thanks

[marjohn56]

• Direct LAN IPV6 to Firewall (LAN net -> This Firewall)

What's that rule for than?

On my LAN I have one V6 rule, allow any to any.

The WAN rules do all the hard work.

[Dronov]

Well, to be honest I do not remember why Direct LAN IPV6 to Firewall (LAN net -> This Firewall) rule is there. Perhaps some experiments I've done long time ago. It shouldn't do harm, though. Am I wrong?

At the moment I am thinking of bringing up an opnsense instance in a VM to see if I can reproduce it with minimal customisations, as the last option. Unfortunately, I won't happen any time soon. Any further troubshooting tips greatly appreciated.

[marjohn56]

Well, to be honest I do not remember why Direct LAN IPV6 to Firewall (LAN net -> This Firewall) rule is there. Perhaps some experiments I've done long time ago. It shouldn't do harm, though. Am I wrong?

Rules without a reason worry me.

At the very least disable it and find out what, if anything it's doing. I have only ever seen This Firewall rules on the WAN side, then again, that's just in my experience.