Bug #3074
closed
DHCPv6 traffic blocked on LAN with DHCPv6 relay enabled
Added by Doktor Notor over 11 years ago.
Updated over 10 years ago.
Affected Version:
2.1-IPv6
Description
Looking at this part of filter.inc, I don't think it deals with this configuration correctly.
@
if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])) {
	$ipfrules .= <<<EOD
# allow access to DHCPv6 server on {$oc['descr']}
# We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
EOD;
	if (is_ipaddrv6($oc['ipv6'])) {
		$ipfrules .= <<<EOD
pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 label "allow access to DHCPv6 server"
pass out quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 label "allow access to DHCPv6 server"
EOD;
@
Regardless, traffic from fe80::/10 port 546 to ff02::/16 port 547 gets blocked. The LAN is configured with static IPv6.
Relevant part of the configuration:
<dhcpdv6>
	<lan>
		<ramode>assist</ramode>
		<rapriority>medium</rapriority>
		<rainterface/>
	</lan>
</dhcpdv6>
<dhcrelay6>
	<enable/>
	<interface>lan</interface>
	<server>2001:470:6f:xxx:yyy::zzz</server>
</dhcrelay6>
Files
The attached patch should fix it, but it would be better to test it before committing. Let us know if it helps.
All good now... thumbs up! :) Proper rules generated and DHCPv6 traffic no longer blocked on ifaces with relay enabled:
@47 pass quick on vr0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@48 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@49 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@50 pass quick on vr0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@51 pass in quick on vr0 inet6 proto udp from fe80::/10 to 2001:470:6f:x:y::z port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@52 pass out quick on vr0 inet6 proto udp from 2001:470:6f:x:y::z port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
@61 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@62 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@63 pass quick on ath0_wlan0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@64 pass quick on ath0_wlan0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@65 pass in quick on ath0_wlan0 inet6 proto udp from fe80::/10 to 2001:470:u:v:w:x:y:z port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@66 pass out quick on ath0_wlan0 inet6 proto udp from 2001:470:u:v:w:x:y:z port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
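A check that can be run against a generated ruleset to confirm the behaviour reported above (added example, not part of the ticket or of the project's code): it parses pass rules of the shape quoted in the ticket and lists interfaces where a DHCPv6 client message from a link-local source, port 546, to the relay multicast group ff02::1:2, port 547, matches no pass rule. The sample ruleset, the interface name em1 and the source address fe80::1 are constructed; block rules and rule ordering are not modelled.

```python
import ipaddress
import re

# Pass rules of the shape quoted in the ticket; ports may be names or numbers.
RULE = re.compile(
    r"pass (?:(?P<dir>in|out) )?quick on (?P<iface>\S+) inet6 proto udp "
    r"from (?P<src>\S+)(?: port = (?P<sport>\S+))? "
    r"to (?P<dst>\S+)(?: port = (?P<dport>\S+))?"
)
PORTS = {"dhcpv6-client": 546, "dhcpv6-server": 547, "546": 546, "547": 547}

# Constructed sample: vr0 carries the multicast rule, em1 (hypothetical) does not.
SAMPLE = """\
@47 pass quick on vr0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
@49 pass quick on vr0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
@52 pass out quick on vr0 inet6 proto udp from 2001:db8::1 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
@61 pass quick on em1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
"""

def parse_rules(text):
    """Extract the matching pass rules from ruleset text as dicts."""
    return [m.groupdict() for m in map(RULE.search, text.splitlines()) if m]

def passes(rules, iface, src, sport, dst, dport):
    """True if an inbound UDP packet on iface matches one of the pass rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] != iface or r["dir"] == "out":
            continue
        if src not in ipaddress.ip_network(r["src"], strict=False):
            continue
        if dst not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        if r["sport"] and PORTS.get(r["sport"]) != sport:
            continue
        if r["dport"] and PORTS.get(r["dport"]) != dport:
            continue
        return True
    return False

def solicit_blocked_on(text, ifaces):
    """Interfaces where client -> ff02::1:2 port 547 matches no pass rule."""
    rules = parse_rules(text)
    return [i for i in ifaces
            if not passes(rules, i, "fe80::1", 546, "ff02::1:2", 547)]

if __name__ == "__main__":
    print(solicit_blocked_on(SAMPLE, ["vr0", "em1"]))
```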