Feature #10454: OpenVPN+RADIUS+Cisco-AVPair IPv6 ACL - pfSense - pfSense bugtracker

Feature #10454

OpenVPN+RADIUS+Cisco-AVPair IPv6 ACL

Added by Viktor Gurov 12 months ago. Updated 6 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

Viktor Gurov

Category:

OpenVPN

Target version:

2.5.0

Start date:

04/14/2020

Due date:

% Done:

100%

Estimated time:

Release Notes:

Default

Description

openvpn.attributes.php currently only supports Cisco-AVPair IPv4 ACL parsing,

Need to add IPv6 ACL support, to parse rules like:
Cisco-AVPair = "ipv6:inacl#1=permit 2001:DB8:cc00:1::/48",
Cisco-AVPair = "ipv6:outacl#1=deny 2001:DB8::/10"

Associated revisions

Revision e8c2c6f2 (diff)
Added by Viktor Gurov 7 months ago

OpenVPN+RADIUS+Cisco-AVPair IPv6 ACL. Issue #10454

History

#1 Updated by Viktor Gurov 12 months ago

https://github.com/pfsense/pfsense/pull/4273

#2 Updated by Viktor Gurov 12 months ago

I think is better to have one vpn.attributes.php for both OpenVPN and IPsec

#3 Updated by Jim Pingle 12 months ago

Status changed from New to Pull Request Review

Viktor Gurov wrote:

I think is better to have one vpn.attributes.php for both OpenVPN and IPsec

That should be its own PR. I'm not opposed to that, but there are differences in how they operate which must be maintained.

#4 Updated by Renato Botelho 6 months ago

Status changed from Pull Request Review to Feedback
Assignee set to Renato Botelho
% Done changed from 0 to 100

PR has been merged. Thanks!

#5 Updated by Steve Beaver 6 months ago

Assignee changed from Renato Botelho to Viktor Gurov

The confirm this fix and set to "Resolved" if appropriate

#6 Updated by Viktor Gurov 6 months ago

Status changed from Feedback to Resolved

works as expected on pfSense 2.5.0.a.20201006.1250

Example:

pfctl -a openvpn/ovpns1_raduser1_16748 -sr:

pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on ovpns1 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on ovpns1 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on ovpns1 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on ovpns1 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues

Custom queries