Project

General

Profile

Actions
Copy link

Feature #10454

closed

OpenVPN+RADIUS+Cisco-AVPair IPv6 ACL

Added by Viktor Gurov over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
OpenVPN
Target version:
2.5.0
Start date:
04/14/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

openvpn.attributes.php currently only supports Cisco-AVPair IPv4 ACL parsing,

Need to add IPv6 ACL support, to parse rules like:
Cisco-AVPair = "ipv6:inacl#1=permit 2001:DB8:cc00:1::/48",
Cisco-AVPair = "ipv6:outacl#1=deny 2001:DB8::/10"

Actions
Copy link
 #2

Updated by Viktor Gurov over 4 years ago

I think is better to have one vpn.attributes.php for both OpenVPN and IPsec

Actions
Copy link
 #3

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review

Viktor Gurov wrote:

I think is better to have one vpn.attributes.php for both OpenVPN and IPsec

That should be its own PR. I'm not opposed to that, but there are differences in how they operate which must be maintained.

Actions
Copy link
 #4

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions
Copy link
 #5

Updated by Anonymous about 4 years ago

  • Assignee changed from Renato Botelho to Viktor Gurov

The confirm this fix and set to "Resolved" if appropriate

Actions
Copy link
 #6

Updated by Viktor Gurov about 4 years ago

  • Status changed from Feedback to Resolved

works as expected on pfSense 2.5.0.a.20201006.1250

Example:

pfctl -a openvpn/ovpns1_raduser1_16748 -sr:

pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on ovpns1 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on ovpns1 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on ovpns1 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on ovpns1 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state

Actions
Copy link

Also available in: Atom PDF