Bug #6451 (closed)

IPv6 GIF tunnels to HE broken since 2.3-RELEASE

Added by Adam Thompson almost 8 years ago. Updated almost 8 years ago.

Status: Not a Bug
Priority: High
Assignee: -
Category: Unknown
Target version: -
Start date: 06/05/2016
% Done: 0%
Affected Version: 2.3.1

Description

I've just confirmed that since upgrading from 2.2.x to 2.3-RELEASE (and subsequently to 2.3.x-whatever's current) none of my firewalls that had working IPv6 GIF tunnels to HE have, well, working tunnels to HE any more.

I can only confirm this for 32-bit, since none of the 64-bit instances have/need a tunnel.

I see GIF packets leaving the firewall WAN interface, but nothing coming back. Typically, in my experience, this is because of malformed or incorrect packets reaching HE, but since I no longer have a 2.2 instance to compare pcaps against, I'm having difficulty narrowing down the problem.

Marking as high priority, because in one case (the one that made me notice this!) the only way I can get NTP service is over IPv6. (Thanks, stupid "business grade" ISP for "protecting" me from NTP attacks...)

Hopefully I'm just doing something wrong or missed something in the release notes.


Files

config-remote.avant.ca-20160605201826.xml (90.7 KB) - HE tunnel definitely was working on this one. Adam Thompson, 06/05/2016 08:27 PM
config-pfSense.localdomain-20160610010853.xml (27 KB) - No previous tunnel, can't make new one work. Adam Thompson, 06/05/2016 08:31 PM

#1

Updated by Adam Thompson almost 8 years ago

So far, my searching has only uncovered one other person complaining: https://www.reddit.com/r/PFSENSE/comments/4iupzc/ipv6_tunnel_no_internet_access/ but I have no idea if he's having the same problem.

BTW, the two firewalls I refer to above are connected to different ISPs and are targeting different HE endpoints.

#2

Updated by Adam Thompson almost 8 years ago

Oh, and both connections support full 1500-byte packets; no PPPoE or anything like that in either case.

#3

Updated by Adam Thompson almost 8 years ago

(Sorry, keep hitting Submit and then thinking of something else to add.)

Both connections do have a static IP address configured on the WAN interface, and both are single-WAN setups. One of the two affected instances has the default gateway pointing out OPT1 instead of WAN (which is now disconnected).

Configs are available if desired.

#4

Updated by Chris Buechler almost 8 years ago

  • Status changed from New to Feedback

Subject is definitely not true. If it were even just true on 32-bit, it's a certainty we would have heard of it by now; at least several tens of thousands of systems have been upgraded to 2.3.x via auto-update alone. The linked reddit thread was confirmed resolved with the root cause being a wrong config.

Can you ping the opposite side v6 IP inside the tunnel? If not, what does your gif config look like?

#5

Updated by Adam Thompson almost 8 years ago

No, I can't - and I don't see any responses from HE if I sniff the WAN interface, either.
The last bug I ran into was 32-bit only, and I didn't think it was all that much of a corner case, so I figured... well, no-one else is complaining, maybe I've hit another only-person-in-the-world-doing-exactly-this-thing problem??
If you have definite, concrete knowledge of 32-bit systems that had HE tunnels up and working in 2.2 that continue to work properly after upgrading to 2.3, just close this as NOTABUG or whatever Redmine calls it.

But then we'd better update the docs, because following the existing docs in the wiki to the letter doesn't work anymore. (It's also possible that I'm making the same dumb mistake on two different systems, but... one of them was definitely working pre-upgrade, and definitely not post-upgrade.)

I think/hope I've removed all the really sensitive bits from the two config files I'm attaching... the HE tunnel on "remote.avant.ca" was definitely working properly pre-upgrade and definitely broken post-upgrade. And I was (obviously) mistaken - the WAN interface is pseudo-static: it really is static, but the DSL modem runs in an idiotic hybrid "DMZ+" mode where it basically does 1:1 NAT for inbound traffic, and hands out its own public IP to the internal device via DHCP. And... well... it worked before? shrug

Without getting any replies back from HE at all, it's really hard to figure out what the problem is.
I can attach pcaps if that's useful.
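
The symptom in this thread is one-way protocol-41 (GIF) traffic on the WAN capture: encapsulated packets go out, nothing comes back. The script below is an added example, not code from the bug report or from pfSense, showing the kind of first-pass check one can run over a `tcpdump -n` text capture of the WAN interface before attaching pcaps: it counts encapsulated packets per direction and flags outbound packets whose outer IPv4 source is not the endpoint registered with the tunnel broker (a private address showing up there points at a NAT or modem in the path). The line format, the sample captures and the endpoint addresses (documentation ranges) are all constructed assumptions.

```python
"""Classify IPv6-in-IPv4 (protocol 41 / GIF) packets from a tcpdump text capture.

Added diagnostic example, not part of the original bug report. It assumes
'tcpdump -n' output lines of the (constructed) shape:
    <time> IP <outer_src> > <outer_dst>: IP6 <inner_src> > <inner_dst>: <summary>
"""
import re
from collections import Counter
from ipaddress import ip_address

# Assumed line shape for a protocol-41 packet as printed by tcpdump -n.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): IP6 (\S+) > (\S+): (.*)$")

# Constructed sample 1: packets leave with a private outer source, no replies at all.
BROKEN_CAPTURE = """\
20:18:26.100001 IP 192.168.1.64 > 198.51.100.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, id 1, seq 1, length 16
20:18:27.100002 IP 192.168.1.64 > 198.51.100.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, id 1, seq 2, length 16
20:18:28.100003 IP 192.168.1.64 > 198.51.100.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, id 1, seq 3, length 16
20:18:28.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.64, length 28
"""

# Constructed sample 2: correct public outer source, replies present.
HEALTHY_CAPTURE = """\
20:18:26.100001 IP 203.0.113.10 > 198.51.100.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, id 1, seq 1, length 16
20:18:26.130000 IP 198.51.100.1 > 203.0.113.10: IP6 2001:db8:1::1 > 2001:db8:1::2: ICMP6, echo reply, id 1, seq 1, length 16
20:18:27.100002 IP 203.0.113.10 > 198.51.100.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, id 1, seq 2, length 16
20:18:27.130000 IP 198.51.100.1 > 203.0.113.10: IP6 2001:db8:1::1 > 2001:db8:1::2: ICMP6, echo reply, id 1, seq 2, length 16
"""


def parse_proto41(capture_text):
    """Yield (outer_src, outer_dst, inner_src, inner_dst, summary) for each encapsulated line."""
    for line in capture_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # non-matching lines (ARP, plain IPv4, ...) are skipped
            yield match.groups()


def tunnel_health(capture_text, local_endpoint, remote_endpoint):
    """Count tunnel packets per direction and report what a broker-side drop would look like.

    local_endpoint:  the IPv4 address registered with the tunnel broker as our side
    remote_endpoint: the broker's IPv4 server address for this tunnel
    """
    outbound = inbound = 0
    odd_sources = Counter()
    for outer_src, outer_dst, *_ in parse_proto41(capture_text):
        if outer_dst == remote_endpoint:
            outbound += 1
            if outer_src != local_endpoint:
                odd_sources[outer_src] += 1
        elif outer_src == remote_endpoint and outer_dst == local_endpoint:
            inbound += 1

    findings = []
    if not outbound and not inbound:
        findings.append("no protocol-41 traffic seen at all")
    elif outbound and not inbound:
        findings.append("no replies from remote endpoint")
    for src, count in odd_sources.items():
        kind = "private" if ip_address(src).is_private else "unexpected"
        findings.append(
            f"{count} packet(s) left with {kind} outer source {src}; "
            f"broker expects {local_endpoint}"
        )
    return {"outbound": outbound, "inbound": inbound, "findings": findings}


if __name__ == "__main__":
    for name, capture in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, tunnel_health(capture, "203.0.113.10", "198.51.100.1"))
```

The check is deliberately narrow: it only says whether the far side answered and whether the outer source on our side matches what the broker was told. A clean outer source with no replies still leaves the upstream path (ISP filtering of protocol 41, a modem rewriting packets) as the remaining suspect, which is where the thread ended up.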

#6

Updated by Kill Bill almost 8 years ago

Adam Thompson wrote:

If you have definite, concrete knowledge of 32-bit systems that had HE tunnels up and working in 2.2 that continue to work properly after upgrading to 2.3, just close this as NOTABUG or whatever Redmine calls it.

We have multiple Alix nanoBSD boxes (i386) upgraded to 2.3.x with HE tunnels, all working. Have a box upgraded from Alix 32-bit nanoBSD to amd64 full install (apu2c4) with 2.2.x config backup configuration imported and working as well. So, hmmmmm.

#7

Updated by Adam Thompson almost 8 years ago

Blew away all GIF and interface configuration, re-configured on both of the affected firewalls. One now works, one still doesn't. At this point I'm going to blame either the ISP or their stupid *&^%$#@! DSL modem, and bring it up with them. Apparently I'm not the only person to have issues with various types of VPNs running through these DSL modems on this version of modem firmware.

Please close as NOTABUG.

#8

Updated by Chris Buechler almost 8 years ago

  • Status changed from Feedback to Not a Bug

Thanks for the feedback.
