Bug #3717
Status: closed
Adding an IPv6 rule on an interface with IPv6 gateway does not add "reply-to" in the resulting rule - fix proposal attached
Description
Hi,
I had problems with Multi-WAN and two IPv6 tunnelbrokers - incoming traffic would "work" only when coming through the interface that had the "default gateway" checkbox ticked on its gateway under System: Gateways.
Some searching in the forums brought me to the "reply-to" feature, and pfctl -sr showed the following rule:
pass in quick on gif0 inet6 proto ipv6-icmp from any to 2001:xxx:xxxx::/48 icmp6-type echoreq keep state label "USER_RULE: Allow ICMPv6 echo requests"
instead of:
pass in quick on gif0 reply-to (gif0 2001:xxx:xx:xx::1) inet6 proto ipv6-icmp from any to 2001:xxx:xxxx::/48 icmp6-type echoreq keep state label "USER_RULE: Allow ICMPv6 echo requests"
My search brought me to filter_generate_address in filter.inc, where the if-block responsible for the reply-to did check for an IPv4 gateway, but did not check for an IPv6 gateway.
I added the check for an IPv6 gateway, and all IPv6 rules on these interfaces had the "reply-to" added, and incoming traffic would also pass through the secondary gif interface successfully.
I would be happy if my fix proposal is helpful and would be included in some way in the next update release.
My version is 2.1.3-RELEASE (i386).
Regards,
Marc
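
An added example, not part of the original report and not pfSense code: a Python check over `pfctl -sr` output that flags "pass in" rules lacking reply-to on interfaces that have a gateway of the rule's address family, which is the symptom described above. The sample rules are constructed from the two rules quoted in the report; gif1, em0, the IPv4 rule and the interface-to-gateway map are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the rules quoted in the report.
# Addresses keep the report's redaction; gif1, em0 and the inet rule are invented.
SAMPLE_RULES = """\
pass in quick on gif0 inet6 proto ipv6-icmp from any to 2001:xxx:xxxx::/48 icmp6-type echoreq keep state label "USER_RULE: Allow ICMPv6 echo requests"
pass in quick on gif1 reply-to (gif1 2001:xxx:xx:xx::1) inet6 proto ipv6-icmp from any to 2001:xxx:xxxx::/48 icmp6-type echoreq keep state label "USER_RULE: Allow ICMPv6 echo requests"
pass in quick on em0 reply-to (em0 192.0.2.1) inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "USER_RULE: HTTPS"
block drop in log quick on gif0 inet6 all label "Default deny rule IPv6"
pass out on gif0 inet6 all keep state
"""

# Assumed map: interface -> address families that have a gateway configured.
SAMPLE_GATEWAYS = {"gif0": {"inet6"}, "gif1": {"inet6"}, "em0": {"inet"}}

# "pass in ... on <if> [reply-to (<if> <gw>)] ... inet|inet6"
RULE_RE = re.compile(
    r'^pass in\b.*?\bon (?P<ifname>\S+)'
    r'(?: reply-to \((?P<rt_if>\S+) (?P<rt_gw>[^)]+)\))?'
    r'.*?\b(?P<af>inet6?)\b'
)

def missing_reply_to(rules_text, gateways):
    """Return (interface, family, label) for each pass-in rule without reply-to
    on an interface that has a gateway of the same address family."""
    findings = []
    for line in rules_text.splitlines():
        # Cut the label off first so its free text cannot match the pattern.
        body, _, label = line.partition(' label "')
        m = RULE_RE.match(body)
        if not m:
            continue  # block rules, outbound rules, rules without a family
        ifname, af = m["ifname"], m["af"]
        if af in gateways.get(ifname, ()) and m["rt_if"] is None:
            findings.append((ifname, af, label.rstrip('"')))
    return findings

if __name__ == "__main__":
    for ifname, af, label in missing_reply_to(SAMPLE_RULES, SAMPLE_GATEWAYS):
        print(f"{ifname}: {af} pass-in rule without reply-to ({label})")
```

On a live firewall the rule text would come from `pfctl -sr`, and the gateway map would have to be filled in from System: Gateways.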