Feature #10454

OpenVPN+RADIUS+Cisco-AVPair IPv6 ACL

Added by Viktor Gurov 7 months ago. Updated 21 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 04/14/2020
Due date:
% Done: 100%
Estimated time:

Description

openvpn.attributes.php currently only supports Cisco-AVPair IPv4 ACL parsing.

Need to add IPv6 ACL support, to parse rules like:
Cisco-AVPair = "ipv6:inacl#1=permit 2001:DB8:cc00:1::/48",
Cisco-AVPair = "ipv6:outacl#1=deny 2001:DB8::/10"
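
An added example, not pfSense's openvpn.attributes.php code and not part of this issue: a Python validator for the attribute form quoted above, which rejects anything that does not match before it could reach a firewall ruleset. The function names, the `ip:` prefix for IPv4, and the restriction to an action followed by a single prefix are assumptions of this example.

```python
import ipaddress
import re

# Layout taken from the issue: "<family>:<in|out>acl#<seq>=<action> <prefix>".
# "ip" as the IPv4 family prefix is an assumption of this example.
AVPAIR_RE = re.compile(
    r"(?P<family>ip|ipv6):(?P<direction>in|out)acl#(?P<seq>\d{1,5})="
    r"(?P<action>permit|deny)\s+(?P<prefix>[0-9A-Fa-f:./]+)"
)
FAMILY_VERSION = {"ip": 4, "ipv6": 6}


def parse_acl_avpair(value):
    """Parse one Cisco-AVPair ACL string into a dict, or raise ValueError."""
    # fullmatch() is an allow-list: trailing text of any kind is rejected.
    match = AVPAIR_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"not an ACL AVPair: {value!r}")
    try:
        # strict=False clears host bits instead of rejecting the prefix.
        network = ipaddress.ip_network(match["prefix"], strict=False)
    except ValueError as exc:
        raise ValueError(f"bad prefix in {value!r}: {exc}") from None
    if network.version != FAMILY_VERSION[match["family"]]:
        raise ValueError(f"address family mismatch in {value!r}")
    return {
        "family": "inet6" if network.version == 6 else "inet",
        "direction": match["direction"],
        "seq": int(match["seq"]),
        "action": match["action"],
        "network": str(network),
    }


def parse_acl_avpairs(values):
    """Parse several AVPairs and order them by direction, then sequence number."""
    rules = [parse_acl_avpair(v) for v in values]
    return sorted(rules, key=lambda r: (r["direction"], r["seq"]))


if __name__ == "__main__":
    # The two attribute values quoted in the issue description.
    for rule in parse_acl_avpairs([
        "ipv6:outacl#1=deny 2001:DB8::/10",
        "ipv6:inacl#1=permit 2001:DB8:cc00:1::/48",
    ]):
        print(rule)
```

Both prefixes quoted in the description have host bits set, so this example normalizes them to 2001:db8:cc00::/48 and 2000::/10 rather than rejecting them.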

Associated revisions

Revision e8c2c6f2 (diff)
Added by Viktor Gurov about 2 months ago

OpenVPN+RADIUS+Cisco-AVPair IPv6 ACL. Issue #10454

History

#2 Updated by Viktor Gurov 7 months ago

I think it is better to have one vpn.attributes.php for both OpenVPN and IPsec

#3 Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review

Viktor Gurov wrote:

I think it is better to have one vpn.attributes.php for both OpenVPN and IPsec

That should be its own PR. I'm not opposed to that, but there are differences in how they operate which must be maintained.

#4 Updated by Renato Botelho 29 days ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#5 Updated by Steve Beaver 23 days ago

  • Assignee changed from Renato Botelho to Viktor Gurov

Please confirm this fix and set to "Resolved" if appropriate.

#6 Updated by Viktor Gurov 21 days ago

  • Status changed from Feedback to Resolved

Works as expected on pfSense 2.5.0.a.20201006.1250

Example:

pfctl -a openvpn/ovpns1_raduser1_16748 -sr:

pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on ovpns1 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on ovpns1 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on ovpns1 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on ovpns1 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state