Bug #2598
closed
reply-to on IPv4+6 rules breaks v6
100%
Description
The auto-added reply-to on WAN rules in combination with IPv4+v6 rules breaks v6 connectivity, as the v4 IP is included as the reply-to address. Work around is just disabling the reply-to, at least where that's feasible. PF seems to ignore any v6 matching the rule if a v4 reply-to is specified, as it's not just being improperly routed, it's being logged as blocked.
There isn't a clean easy answer here. Splitting the rule, where it requires reply-to or route-to, into two separate rules in rules.debug is probably the best solution.
Updated by Ermal Luçi about 11 years ago
- % Done changed from 0 to 100
Applied in changeset f73e35319a7f36c761cadac132c2f3484103b88f.
Updated by Bernhard Lichtinger about 11 years ago
This works now for dualstack rules on WAN. But it also creates 2 separate rules on other (OPT) interfaces for dual-stack rules, which is not needed. But I think it does not harm either.
Checked on 2.1-BETA1 (amd64) built on Sun Feb 24 10:55:18 EST 2013
Updated by Jim Pingle about 11 years ago
- Status changed from Feedback to Resolved
It creates two rules because it has to. On WAN without the default gateway it needs to add reply-to on the rules separately, the IPv4 rule needs the IPv4 gateway, on IPv6 it needs the IPv6 gateway. Can't do that in a single rule, so it's working as intended.