Bug #3074: DHCPv6 traffic blocked on LAN with DHCPv6 relay enabled - pfSense - pfSense bugtracker

Actions

Copy link

Bug #3074

closed

DHCPv6 traffic blocked on LAN with DHCPv6 relay enabled

Added by Doktor Notor almost 11 years ago. Updated about 10 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

07/05/2013

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.1-IPv6

Affected Architecture:

Description

Looking at this part of filter.inc, I don't think it deals with this configuration correctly.
@

allow access to DHCPv6 server on {$oc['descr']}
We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"

if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])) {
                $ipfrules .= <<&lt;EOD

EOD;
if (is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD
pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 label "allow access to DHCPv6 server"
pass out quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 label "allow access to DHCPv6 server"

EOD;
@

Regardless, traffic from fe80::/10 port 546 to ff02::/16 port 547 gets blocked. The LAN is configured with static IPv6.

Relevant part of the configuration:
<dhcpdv6> <lan> <ramode>assist</ramode> <rapriority>medium</rapriority> <rainterface/> </lan> </dhcpdv6>

<dhcrelay6> <enable/> <interface>lan</interface> <server>2001:470:6f:xxx:yyy::zzz</server> </dhcrelay6>

Files

dhcprelay-fix-test.patch (725 Bytes) dhcprelay-fix-test.patch

Jim Pingle, 07/05/2013 09:54 AM

Actions

Copy link

Updated by Doktor Notor almost 11 years ago

Related forum thread: http://forum.pfsense.org/index.php/topic,64168.0.html

Actions

Copy link

Updated by Jim Pingle almost 11 years ago

File dhcprelay-fix-test.patch dhcprelay-fix-test.patch added

The attached patch should fix it, but it would be better to test it before committing. Let us know if it helps.

Actions

Copy link

Updated by Doktor Notor almost 11 years ago

All good now... thumbs up! :) Proper rules generated and DHCPv6 traffic no longer blocked on ifaces with relay enabled:

@47 pass quick on vr0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
@48 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
@49 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" 
@50 pass quick on vr0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" 
@51 pass in quick on vr0 inet6 proto udp from fe80::/10 to 2001:470:6f:x:y::z port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
@52 pass out quick on vr0 inet6 proto udp from 2001:470:6f:x:y::z port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server" 
@61 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
@62 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
@63 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" 
@64 pass quick on ath0_wlan0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" 
@65 pass in quick on ath0_wlan0 inet6 proto udp from fe80::/10 to 2001:470:u:v:w:x:y:z port = dhcpv6-client keep state label "allow access to DHCPv6 server" 
@66 pass out quick on ath0_wlan0 inet6 proto udp from 2001:470:u:v:w:x:y:z port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"

Actions

Copy link