domingo, janeiro 13, 2019

PFsense Firewall rule: "Default deny rule IPv6" ipv6 traffic on lan blocking

I am sharing this experience as more of an FYI for others that may search the forums and less than a bug report as I wouldn't know how reproduce it.

Back ground:

My ISP provides me with an IPv4 address and a IPv6 address. I have configured the opnsense router WAN interface with "IPv4 Configuration Type": "DHCP and "IPv6 Configuration Type": "DHCPv6". I started using opnsense at version 15.7.11 and have upgraded each version since. 

I recently started witnessing "slow networking" which I eventually traced back to my LAN blocking outbound IPv6. I think it was "slow" as ipv6 was timing out (being blocked) and the device (Internet) that was "slow" would fall back to ipv4.

Example Firewall Logs:

             Time                     If     Source                              Destination                      Proto
Nov 29 01:01:16   LAN  []:52068    [

I was rather confused by this as I know I had rules allowing IPv6 outbound. 

Example Firewall rules:

            Proto     Source    Port       Destination   Port       Gateway Schedule   Description
IPv6 *   LAN net    *         *                     *            *                           LAN allow all IPv6

While browsing the logs through:

Status -> System Logs -> Firewall (filter: Block + LAN) 

I eventually click the "X" under Act and see:

The rule that triggered this action is:
@5 block drop in log inet6 all label "Default deny rule IPv6"

That gets me thinking.. huh there's an option somewhere that (not in the firewall rules) speaks to this. I go hunting and find this:

System: Settings: Networking -> Allow IPv6

I found this setting checked, I unchecked it, clicked save. I then rechecked it and clicked save again. 

Once I did this, the router stops blocking IPv6 outbound LAN traffic. (problem fixed)

Having fixed the problem I have some comments:

1. I suspect during some upgrade the bit behind "Allow IPv6" got flipped even though the UI still said it was "checked". If I could reproduce it we could call it a bug but I'm guessing i cannot so we'll write it off as a ghost in the machine. 

2. Being able to click the "X" in the firewall log viewer is not obvious, once I saw there was a rule blocking IPv6 traffic it at least gave me a clue why I was seeing IPv6 traffic being blocked in the firewall logs. It would be nice if there was a better visual clue for seeing the rule/data "behind" the "X". 

3. It would be nice if there was a clue in the firewall rules page that indicates that the "Allow IPv6" box isn't checked OR a rule has been applied to block IPv6 traffic. It's a big leap to see IPv6 traffic being blocked, going to the firewall rules page and seeing no rules that would block said traffic and then realizing that one needs to go to "System: Settings: Networking" to verify "Allow IPv6" is checked. 


A big thank you to everyone involved with OPNsense!

Nenhum comentário: