Project

General

Profile

Bug #10712

"default allow LAN IPv6 to any" rule does not work right after boot when using IPv6 PD

Added by Viktor Gurov 4 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
06/29/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.5-p1
Affected Architecture:

Description

https://forum.netgate.com/topic/154856/multiple-ipv6-bugs-quirks-in-pfsense:
Quite simply, you boot, you get an IPv6 PD and give it out through SLAAC on your LAN interface, machines get an IP but aren't able to connect to the internet over IPv6. If you check the firewall logs, you'll see the traffic gets dropped due to the default drop all rule.

Workaround : disable and enable any firewall rule to force a reload of the rules. After that, connectivity works.

My assumption for the root cause: the "LAN net" source does not get updated correctly when the PD gets assigned, since it does take a while to get the PD and assign it to all the needed interfaced. Because of this, the traffic from the PDd IPs is not recognised and dropped. Reloading the rules forced a reload of the "LAN net" source and thus makes it work.

History

#1 Updated by Offstage Roller 4 months ago

This can also be reproduced by reinstalling the Suricata package. In addition to the workaround posted in the bug, you can also fix this by renewing the DHCP lease on the WAN. Even though the lease values don't change, renewing the lease seems to update the "LAN net" source to include the needed IPv6 prefix.

Also available in: Atom PDF