Bug #2412

closed

inbound 6to4 traffic does not work in pf

Added by Seth Mos over 12 years ago. Updated over 11 years ago.

Status: Resolved
Priority: Normal
Assignee: Ermal Luçi
Category: Operating System
Target version:
Start date: 05/06/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1-IPv6
Affected Architecture:

Description

With the WAN configured as 6to4 it is possible to browse the internet but it is not possible to initiate traffic from the internet to the 6to4 prefix.

Bjoern performed some debugging and it appears to be an issue in pf. Even with an allow-all pf rule for IPv6 it was not possible to ping any 6to4 prefix IPv6 address from the internet. The pf rule even logged that it allowed the traffic.

Disable pf with pfctl -d and the ping6 starts replying. As soon as pf is enabled again it stops responding.

Bjoern mentioned in IRC that it does see a reply being crafted, but it is never seen on the stf0 interface with tcpdump.

Here is the note from Bjoern:

pfctl -d  and it works
pfctl -e  and it stops again

it's the pfil hook in ip6_output

a very first pf rule to log all icmp6 does not see the packet at all;  I'd say a pf issue and defer to the pf experts at pfsense;-)

/bz
