Project

General

Profile

Actions

Bug #12164

open

IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ``::/0``

Added by Sietse van Zanen about 2 months ago. Updated 26 days ago.

Status:
Feedback
Priority:
Normal
Category:
Rules / NAT
Target version:
Start date:
07/25/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:
amd64

Description

Policy routes through firewall rules do not work for IPv6, traffic is routed through default routes.

Selecting a gateway for an IPv6 rule has no effect, traffic is routed normally.
Log for the traffic shows:
Jul 25 16:40:21 ► INTERNET let out anything IPv6 from firewall host itself (1000048866) [::1]:52040 [2a00:1450:400e:80c::200e]:25 TCP:S
Jul 25 16:40:21 RDDMZ NEGATE_ROUTE: Negate policy routing for destination (10000001) [::1]:52040 [2a00:1450:400e:80c::200e]:25 TCP:S **

Jul 25 16:41:24 ► VPS let out anything IPv4 from firewall host itself (1000048865) .1:58570 1.2.3.4:25 TCP:S
Jul 25 16:41:24 RDDMZ SMTP-IPv4 (1627228080) .1:58570 1.2.3.4:25 TCP:S

The IPv6 rule is named SMTP-IPv6 and is set to route out the same interface as the IPv4 rule.

Actions #1

Updated by Sietse van Zanen about 2 months ago

in rules.debug:
pass in log quick on $Untrust inet6 proto tcp from $RDEGW01 to <negate_networks> port 25 tracker 10000001 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on $Untrust $GWVPS_TUNNELV6 inet6 proto tcp from $RDEGW01 to any port 25 tracker 1627229557 flags S/SA keep state label "USER_RULE: SMTP-Pv6"
pass in log quick on $Untrust inet proto tcp from $RDEGW01 to <negate_networks> port 25 tracker 10000002 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on $Untrust $GWVPS_TUNNELV4 inet proto tcp from $RDEGW01 to any port 25 tracker 1627228080 flags S/SA keep state label "USER_RULE: SMTP-Pv4"

The gateway is up, the alias resolves to the right address. I also tried the ipv6 address of the host explicitely and any, but the result is the same, IPv4 traffic is routed correctly, IPv6 is not.

The VPS interface is GRE tunnel that uses the INTERNET interface.

Actions #2

Updated by Sietse van Zanen about 2 months ago

IPv6 Rule:
<rule>
<id></id>
<tracker>1627229557</tracker>
<type>pass</type>
<interface>Untrust</interface>
<ipprotocol>inet6</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>tcp</protocol>
<source>
<address>RDEGW01</address>
</source>
<destination>
<any></any>
<port>25</port>
</destination>
<log></log>
<descr><![CDATA[SMTP-IPv6]]></descr>
<gateway>VPS_TUNNELV6</gateway>
<created>
<time>1627229557</time>
<username><![CDATA[]]></username>
</created>
<updated>
<time>1627233972</time>
<username><![CDATA[]]></username>
</updated>
</rule>

IPv4 Rule:
<rule>
<id></id>
<tracker>1627228080</tracker>
<type>pass</type>
<interface>Untrust</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>tcp</protocol>
<source>
<address>RDEGW01</address>
</source>
<destination>
<any></any>
<port>25</port>
</destination>
<log></log>
<descr><![CDATA[SMTP-IPv4]]></descr>
<gateway>VPS_TUNNELV4</gateway>
<created>
<time>1627228080</time>
<username><![CDATA[]></username>
</created>
<updated>
<time>1627230159</time>
<username><![]></username>
</updated>
</rule>

Actions #3

Updated by Sietse van Zanen about 2 months ago

table <negate_networks> { 10.0.23.0/24 ::/0 }
If I remove ::/0 it works. Where is this table coming from?

Only thning i can find related in my config is the mobile client ip pools, but that has a perfectly fine IPv6 prefix:
<ipsec>
<client>
<enable></enable>
<radiusaccounting>enabled</radiusaccounting>
<user_source>...</user_source>
<group_source>enabled</group_source>
<auth_groups>Domain Admins</auth_groups>
<pool_address>10.0.23.0</pool_address>
<pool_netbits>24</pool_netbits>
<pool_address_v6>:0300::</pool_address_v6>
<pool_netbits_v6>64</pool_netbits_v6>
<net_list></net_list>
<save_passwd></save_passwd>
<dns_domain>wizdom.nu</dns_domain>
<dns_split>wizdom.nu</dns_split>
<dns_server1>::aaaa</dns_server1>
<dns_server2>::bbbb</dns_server2>
<dns_server3>.30</dns_server3>
<dns_server4>.31</dns_server4>
</client>

Actions #4

Updated by Sietse van Zanen about 2 months ago

More important question, where does pfsense get the idea that it should make untransparent unlogged routing decisions?

Actions #5

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Rejected

Not enough information here to prove it's a bug and this site is not for support or diagnostic discussion.

You need to provide a lot more information in a Netgate Forum thread about what exactly you are testing and how, with specific examples of traffic sources (source address and location) and complete rulesets, state table entries, and so on.

If a specific repeatable bug can be identified that isn't already addressed on Plus 21.09 or CE 2.6.0 snapshots, then a new issue can be made with more accurate and concise information.

See Reporting Issues with pfSense Software for more information.

Actions #6

Updated by Sietse van Zanen about 2 months ago

https://github.com/pfsense/pfsense/pull/4534
It is not ok to require end users who are not usually software developers to fix blatently obvious bugs in your software.

I gave you the exact information to locate this within 15 minutes, unless either:
a. You do not know the inner workings of your own software.
b. You are not willing to admit to such obvious bugs.

Actions #7

Updated by Jim Pingle about 2 months ago

  • Status changed from Rejected to Pull Request Review
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
Actions #8

Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho

PR has been merged. Thanks!

Actions #9

Updated by Jim Pingle 26 days ago

  • Subject changed from IPv6 policy routing firewall rules do not work to IPv6 policy routing does not work if an IPsec tunnel P2 remote network is configured for ``::/0``

Updating subject for release notes.

Actions #10

Updated by Jim Pingle 26 days ago

  • Subject changed from IPv6 policy routing does not work if an IPsec tunnel P2 remote network is configured for ``::/0`` to IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ``::/0``
Actions

Also available in: Atom PDF