Bug #3033

closed

Static IPv6 route to OpenVPN tunnel ignored

Added by Lakin Lowrey almost 11 years ago. Updated over 10 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 06/08/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture: amd64

Description

I have an openvpn tunnel to a remote server which works correctly for IPv4 traffic but not for IPv6. When the remote sends IPv6 traffic over the tunnel I can see (via traceroute) that the openvpn packets arrive on the wan interface but I don't see them arrive on the tun interface (ovpnc2).

When I traceroute6 a remote IPv6 address on the pfsense box the packets go out the WAN (not ovpnc2). When I do any IPv6 to the remote from the LAN side I get "No route to host". The static route to the destination is clearly in the route table so I can see no reason why pfsense would route that traffic to 'default' or why it would send back 'no route to host' to LAN devices.

I am quite sure this used to work (~3-4 months ago) and the only change has been to pfsense (updating to latest RC0 snapshot). I've tried 'pfctl -d' but that didn't make any difference.

I'm running:
2.1-RC0 (amd64)
built on Sat Jun 8 09:20:03 EDT 2013
FreeBSD 8.3-RELEASE-p8

The remote server is CentOS release 6.4 running OpenVPN 2.3.2

pfsense client2.conf:

dev ovpnc2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.248.236
lport 0
management /var/etc/openvpn/client2.sock unix
remote titan.XXXX.com 1194
ifconfig 10.0.8.2 10.0.8.1
ifconfig-ipv6 fe80::2 fe80::1
route XXX.XXX.96.186 255.255.255.255
route-ipv6 2607:XXXX:a404::1:0/112
secret /var/etc/openvpn/client2.secret
route XXX.XXX.96.187 255.255.255.255

server conf:

dev ovpnc0
dev-type tun
tun-ipv6

proto udp

ifconfig 10.0.8.1 10.0.8.2
ifconfig-ipv6 fe80::1 fe80::2

secret home.key
cipher AES-128-CBC

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

#route all of home network
route 10.0.0.0 255.255.255.0
route-ipv6 2002:XXXX:f8ec::/64

pfsense routes:

Internet6:
Destination                       Gateway                       Flags      Netif Expire
default                           2002:XXXX:6301::              UGS     wan_stf
::1                               ::1                           UH          lo0
2002::/16                         link#8                        U       wan_stf
2002:XXXX:f8ec::                  link#8                        UHS         lo0 =>
2002:XXXX:f8ec::/64               link#3                        U           re1
2002:XXXX:f8ec::1                 link#3                        UHS         lo0
2607:XXXX:a404::1:0/112           ovpnc2                        US       ovpnc2
2607:XXXX:a404::3:0/112           ovpnc3                        US       ovpnc3
fe80::%re0/64                     link#1                        U           re0
fe80::230:18ff:fea8:da5f%re0      link#1                        UHS         lo0
fe80::%re1/64                     link#3                        U           re1
fe80::1:1%re1                     link#3                        UHS         lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
fe80::2%ovpnc2                    link#9                        UHS         lo0
fe80::230:18ff:fea8:da5f%ovpnc2   link#9                        UHS         lo0
fe80::2%ovpnc3                    link#10                       UHS         lo0
fe80::230:18ff:fea8:da5f%ovpnc3   link#10                       UHS         lo0
ff01::%re0/32                     fe80::230:18ff:fea8:da5f%re0  U           re0
ff01::%re1/32                     fe80::1:1%re1                 U           re1
ff01::%lo0/32                     ::1                           U           lo0
ff01::%ovpnc2/32                  fe80::230:18ff:fea8:da5f%ovpnc2 U        ovpnc2
ff01::%ovpnc3/32                  fe80::230:18ff:fea8:da5f%ovpnc3 U        ovpnc3
ff02::%re0/32                     fe80::230:18ff:fea8:da5f%re0  U           re0
ff02::%re1/32                     fe80::1:1%re1                 U           re1
ff02::%lo0/32                     ::1                           U           lo0
ff02::%ovpnc2/32                  fe80::230:18ff:fea8:da5f%ovpnc2 U        ovpnc2
ff02::%ovpnc3/32                  fe80::230:18ff:fea8:da5f%ovpnc3 U        ovpnc3

Traceroute showing the traffic to 2607:XXXX:a404::1:0 is not going out the tunnel:

[2.1-RC0][root@router.XXXX.com]/var/etc/openvpn(84): traceroute6 -n 2607:XXXX:a404::1:0
traceroute6 to 2607:XXXX:a404::1:0 (2607:XXXX:a404::1:0) from 2002:XXXX:f8ec::, 64 hops max, 12 byte packets
 1  2002:XXXX:6301::  32.798 ms  35.819 ms  38.400 ms
 2  2001:XXXX:fe16:1::1  35.254 ms  32.235 ms  32.371 ms
 3  2001:XXXX:d0:7::2  34.637 ms  35.470 ms  31.939 ms
 4  2001:XXXX:d0:4001::1  37.673 ms  35.178 ms  35.770 ms
 5  2001:XXXX:0:f851::1  37.526 ms  35.963 ms  47.988 ms
...

No route to host when trying to SSH to 2607:XXXX:a404::1:0 from a host on the LAN:

# ssh -6 2607:XXXX:a404::1:0
ssh: connect to host 2607:XXXX:a404::1:0 port 22: No route to host
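
The symptom in the report above is traffic for a tunnel prefix leaving on the WAN even though a more specific static route exists, which also means it leaves outside the VPN. The following is an added example, not part of the original report or of pfSense: it parses a netstat-style IPv6 table, does the longest-prefix match the table implies, and flags destinations observed on a different interface. The 2001:db8:: addresses are constructed stand-ins for the redacted prefixes, and the `observed_netif` mapping (taken from tcpdump or the first traceroute6 hop) is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample in the layout of the report's "Internet6" table. The
# report redacts its prefixes, so 2001:db8::/32 documentation space stands in.
SAMPLE_ROUTES = """\
Destination                       Gateway                       Flags      Netif Expire
default                           2001:db8:6301::               UGS     wan_stf
2001:db8:f8ec::/64                link#3                        U           re1
2001:db8:a404::1:0/112            ovpnc2                        US       ovpnc2
2001:db8:a404::3:0/112            ovpnc3                        US       ovpnc3
fe80::%re1/64                     link#3                        U           re1
fe80::2%ovpnc2                    link#9                        UHS         lo0
"""

def parse_routes(text):
    """Return (network, gateway, netif) tuples from netstat-style rows."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        dest = re.sub(r"%[^/]+", "", cols[0])   # drop the %scope suffix
        if dest == "default":
            dest = "::/0"
        elif "/" not in dest:
            dest += "/128"                      # bare address is a host route
        routes.append((ipaddress.IPv6Network(dest, strict=False), cols[1], cols[3]))
    return routes

def expected_netif(routes, addr):
    """Longest-prefix match: the interface the table says should carry addr."""
    ip = ipaddress.IPv6Address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[2] if hits else None

def leaked_destinations(routes, tunnel_dests, observed_netif):
    """List (dest, expected, observed) where a tunnel route was not honoured."""
    leaks = []
    for d in tunnel_dests:
        want = expected_netif(routes, d)
        seen = observed_netif.get(d)            # assumption: from tcpdump/traceroute6
        if want and want.startswith("ovpn") and seen != want:
            leaks.append((d, want, seen))
    return leaks

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print(leaked_destinations(table, ["2001:db8:a404::1:0"], {"2001:db8:a404::1:0": "wan_stf"}))
```

A non-empty result reproduces the report's situation: the table selects the tunnel interface, but the packet was seen elsewhere.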

#1

Updated by Chris Buechler over 10 years ago

  • Status changed from New to Rejected

not a bug, config issue somewhere.
