Bug #10757
closedIPv6: NPt rules on 6rd enabled WAN interfaces don't get bound to wan_stf
100%
Description
I believe there is a bug in the handling of NPt rules when they need to be applied to 6rd enabled interfaces (which are split into the physical interface and a virtual wan_stf interface behind the scenes).
To recreate the issue:- Configure a WAN interface with IPv6 via 6rd
- Configure LAN for static IPv6 with a ULA prefix
- Default Gateway configuration for 6rd device
- DCPv6 configured to give out ULA addresses
- NPt configured on the WAN interface
- Ping from LAN to an IPv6 addresses and the ping fails
I was able to work around this issue and get IPv6 connectivity from LAN to WAN working by doing the following:
- In Interfaces/Assignments there will be an interface that can be added to Network Port "wan_stf. Add the interface and do NOT change any settings or enable the interface
- a) It should be noted that the adding of this interface shouldn't be allowed as upon reboot this will cause the boot sequence to hang due to the error "Warning: Configuration references interfaces that do not exist" because the 6rd interface isn't up yet. This issue is being resolved in 2.5.0 under bug but this fix will prevent my workaround: https://redmine.pfsense.org/issues/10626#change-46806
- Next in Interfaces/Interface Groups add the newly created Interface with the 6rd connection to an Interface group also containing the physical WAN interface.
- Update the previously created NPt rule to use the newly created interface group instead of the physical WAN interface
- Ping from LAN to an IPv6 address and the ping is successful
What led me to try the above steps was that when looking in Diagnostics/States and filtering on v6 I did not see appropriate NPt entries for the WAN interface. I did however see "wan_stf" in the interface list with IPv6 source/destination that I would have expected to see listed for the WAN interface.
Based on the above to me the problem appears to be that NPT rules that should get bound the the virtual 6rd interface when an NPT rule is configured for the physical WAN interface do not get applied. I thought this might be resolved by the bug fix outlined in this bug report: https://redmine.pfsense.org/issues/7142
But when I updated my "etc/inc/filter.inc" file to match the change outlined in the commit for the above bug report and reverted my workaround for the issue I was still unable to get IPv6 traffic routed to my LAN via the 6rd interface.
I suspect the issue may be in /etc/inc/filter.inc/filter_nat_rules_generate() as I do not see the expansion of the physical WAN interface to attach the NPt filter rules to virtual interfaces that may be associated with it.
I initially came across this when trying to do a Multi-WAN configuration which I've outlined in the below forum post, but this issue also occurs in a single WAN configuration.
Updated by Viktor Gurov about 4 years ago
- Status changed from Rejected to New
pfctl creates binat rule only for the first binat rule interface, i.e.:
OPT1 = "{ vtnet2 opt1_stf }" ... binat on $OPT1 inet6 from fc00:4444::/64 to any -> 2000:bbbb::/64 binat on $OPT1 inet6 from any to 2000:bbbb::/64 -> fc00:4444::/64
but 'pfctl -s nat' shows NAT only for vtnet2:
binat on vtnet2 inet6 from fc00:4444::/64 to any -> 2000:bbbb::/64 binat on vtnet2 inet6 from any to 2000:bbbb::/64 -> fc00:4444::/64
Updated by Viktor Gurov about 4 years ago
Updated by Jim Pingle about 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Anonymous almost 4 years ago
- Status changed from Feedback to Resolved