Bug #3074
closed
DHCPv6 traffic blocked on LAN with DHCPv6 relay enabled
100%
Description
@
if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])) {
	$ipfrules .= <<<EOD
# allow access to DHCPv6 server on {$oc['descr']}
# We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
EOD;
	if (is_ipaddrv6($oc['ipv6'])) {
		$ipfrules .= <<<EOD
pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 label "allow access to DHCPv6 server"
pass out quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 label "allow access to DHCPv6 server"
EOD;
@
Regardless, traffic from fe80::/10 port 546 to ff02::/16 port 547 gets blocked. The LAN is configured with static IPv6.
Relevant part of the configuration:
<dhcpdv6>
	<lan>
		<ramode>assist</ramode>
		<rapriority>medium</rapriority>
		<rainterface/>
	</lan>
</dhcpdv6>
<dhcrelay6>
	<enable/>
	<interface>lan</interface>
	<server>2001:470:6f:xxx:yyy::zzz</server>
</dhcrelay6>
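An added example (not part of the original report, and not pfSense code): a Python check that applies the condition from the quoted excerpt to a configuration shaped like the one above and lists relay-enabled interfaces for which that condition is false. The root element, the `<interfaces>` block, the documentation-prefix addresses and the comma-separated reading of `<interface>` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two sections quoted in the report, wrapped in a root
# element plus a minimal <interfaces> block (assumed layout) so it parses.
SAMPLE_CONFIG = """
<pfsense>
  <interfaces>
    <lan><ipaddrv6>2001:db8::1</ipaddrv6></lan>
  </interfaces>
  <dhcpdv6>
    <lan>
      <ramode>assist</ramode>
      <rapriority>medium</rapriority>
      <rainterface/>
    </lan>
  </dhcpdv6>
  <dhcrelay6>
    <enable/>
    <interface>lan</interface>
    <server>2001:db8:ffff::547</server>
  </dhcrelay6>
</pfsense>
"""

def excerpt_condition(root, ifname):
    """Mirror of the if() in the quoted excerpt: DHCPv6 server enabled on the
    interface, or the interface has a track6-interface setting."""
    server_on = root.find(f"dhcpdv6/{ifname}/enable") is not None
    track6 = root.find(f"interfaces/{ifname}/track6-interface") is not None
    return server_on or track6

def relay_interfaces(root):
    """Interfaces with the DHCPv6 relay enabled (comma-separated list assumed)."""
    relay = root.find("dhcrelay6")
    if relay is None or relay.find("enable") is None:
        return []
    text = relay.findtext("interface") or ""
    return [name.strip() for name in text.split(",") if name.strip()]

def relay_without_rules(config_xml):
    """Relay-enabled interfaces for which the excerpt's condition is false, so
    the excerpt's block of UDP 546/547 pass rules is skipped for them."""
    root = ET.fromstring(config_xml)
    return [i for i in relay_interfaces(root) if not excerpt_condition(root, i)]

if __name__ == "__main__":
    for ifname in relay_without_rules(SAMPLE_CONFIG):
        print(f"{ifname}: relay enabled, but the quoted condition is false")
```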
Updated by Doktor Notor over 11 years ago
Related forum thread: http://forum.pfsense.org/index.php/topic,64168.0.html
Updated by Jim Pingle over 11 years ago
- File dhcprelay-fix-test.patch added
The attached patch should fix it, but it would be better to test it before committing. Let us know if it helps.
Updated by Doktor Notor over 11 years ago
All good now... thumbs up! :) Proper rules generated and DHCPv6 traffic no longer blocked on ifaces with relay enabled:
@47 pass quick on vr0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@48 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@49 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@50 pass quick on vr0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@51 pass in quick on vr0 inet6 proto udp from fe80::/10 to 2001:470:6f:x:y::z port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@52 pass out quick on vr0 inet6 proto udp from 2001:470:6f:x:y::z port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
@61 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@62 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@63 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@64 pass quick on ath0_wlan0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@65 pass in quick on ath0_wlan0 inet6 proto udp from fe80::/10 to 2001:470:u:v:w:x:y:z port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@66 pass out quick on ath0_wlan0 inet6 proto udp from 2001:470:u:v:w:x:y:z port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
Updated by Jim Pingle over 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 86573a248608ff5b166eb77e962f97e91df159d2.
Updated by Jim Pingle over 11 years ago
Applied in changeset 0ee96a458ab93ff451c9bb32b1b8bc20e13866e6.
Updated by Chris Buechler over 10 years ago
- Status changed from Feedback to Resolved