Bug #8665

closed

ipv6: ULA addresses on different VLAN inaccessible after pfSense restart

Added by Tanya Severeyns over 5 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/20/2018
% Done: 0%

Description

To further check some issues I'm having with ipv6 ULA addresses, I created a test setup.
(see here: https://forum.netgate.com/topic/132747/ipv6-can-ping-gua-address-in-different-vlan-but-not-ula)

After some configuration, I could ping a VM on another VLAN by its ULA v6 address.
(And the other way around: from that machine to me as well)

After a reboot of pfSense (without further config changes) this functionality stopped working and I never got it working again.

This is in line with the original problem I was facing on our 'production' pfSense: ULA ipv6 don't work across VLANs.

I don't know if pfSense changes something in its configuration when it reboots, or reads configuration rules in a specific order when it boots, or if it is something specific to the ipv6 ULAs.

Either way, a setup is working and after a reboot it no longer works. That's surely not how it should be?

--

Details of the setup:

3 virtual machines

  • a new pfSense (version 2.4.3)
  • a Windows client (Win7, firewall disabled)
  • a 2nd Windows client (Win7, firewall disabled)

These 3 are totally isolated from the rest of my network.
I tried to set up pfSense with as little changes as possible (no VPN, ...), just the ipv6 stuff.

  • The WAN is set to auto (DHCP) but not connected (so track interface won't work)
  • LAN with Static IPv6: fddd:666:666:90::1
  • VLAN91 with Static IPv6: fddd:666:666:91::1
  • VLAN92 with Static IPv6: fddd:666:666:92::1
  • LAN: RA = assisted
  • VLAN92: RA = Stateless DHCP

I put 1 Win client on LAN and one on VLAN92.

The client on LAN:
  • got ping replies from the client on VLAN92
The client on VLAN92:
  • got ping timeout from the client on LAN
  • got ping timeout from the pfSense's interface ipv6 address on LAN

When I copied the "Default Allow LAN IPv6 to any rule" from LAN to VLAN92, both ping commands from VLAN92 started giving replies (I left them running while applying the firewall rule).

...

And then ... I rebooted the firewall.

After the reboot, none of the ping commands seem to work anymore, all just give timeout. (I left them running while rebooting the firewall)

Strange thing is:

  • no configuration was changed on the firewall
  • no configuration was changed on any of the virtual machines

I can see no changes in the config before the reboot, and the config after the reboot.
Still, it worked before and it doesn't after.
Whatever I do, I can no longer get it to work.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to Rules / NAT
  • Status changed from New to Not a Bug

Some of your issue was a lack of firewall rules, and because of how pf states work with ICMP it appeared to behave inconsistently when it was actually working as expected given your procedure.

The other parts I can't seem to reproduce. If you still have issues like this on a current release, please start a fresh forum thread with a pointer here and to the old thread, and include more detail about your exact ruleset, client addresses at each step, etc.
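As an added example (not code from the report or from pfSense), a simplified Python model of stateful ICMPv6 echo filtering that replays the procedure above: a reply matching an existing state passes regardless of the rules on the interface it enters, so the LAN client's ping works with no rules on VLAN92, while a request originating on VLAN92 needs a pass rule on VLAN92, and a state-table flush with the rule still in the config does not break it. The host suffixes, ICMP ids and the single-prefix rule match are assumptions; real pf keys ICMP states on more than this.

```python
from dataclasses import dataclass, field

# Constructed hosts inside the report's ULA /64s (LAN = :90::, VLAN92 = :92::).
LAN_HOST = "fddd:666:666:90::10"
VLAN92_HOST = "fddd:666:666:92::10"
IFACE_OF_PREFIX = {"fddd:666:666:90": "LAN", "fddd:666:666:92": "VLAN92"}

def prefix(addr):
    # The /64 part of one of the report's ULA addresses.
    return addr.rsplit("::", 1)[0]

@dataclass
class Router:
    # Inbound pass rules per interface: the set of source /64s allowed "to any".
    rules: dict
    # State table: (src, dst, icmp_id) for echo requests that passed a rule.
    states: set = field(default_factory=set)

    def handle(self, src, dst, icmp_id, reply=False):
        iface = IFACE_OF_PREFIX[prefix(src)]
        # A reply matching an existing state passes no matter what the inbound
        # ruleset on its entry interface says: this is why the LAN client's ping
        # got replies even though VLAN92 had no rules at all.
        if reply:
            return (dst, src, icmp_id) in self.states
        # A fresh request is judged only by the rules on the interface it enters.
        if prefix(src) in self.rules.get(iface, set()):
            self.states.add((src, dst, icmp_id))
            return True
        return False

    def reboot(self):
        self.states.clear()   # rules survive (they come from config), states do not

def ping(router, src, dst, icmp_id):
    # True iff one echo request and its reply both traverse the router.
    return (router.handle(src, dst, icmp_id)
            and router.handle(dst, src, icmp_id, reply=True))

def scenario():
    # Replay the report: LAN has the default allow rule, VLAN92 starts empty.
    r = Router(rules={"LAN": {"fddd:666:666:90"}})
    result = {"lan_to_vlan92": ping(r, LAN_HOST, VLAN92_HOST, 1),
              "vlan92_to_lan_no_rule": ping(r, VLAN92_HOST, LAN_HOST, 2)}
    r.rules["VLAN92"] = {"fddd:666:666:92"}   # copy the allow rule to VLAN92
    result["vlan92_to_lan_with_rule"] = ping(r, VLAN92_HOST, LAN_HOST, 3)
    r.reboot()                                # flushes states, keeps the rule
    result["vlan92_to_lan_after_reboot"] = ping(r, VLAN92_HOST, LAN_HOST, 4)
    return result
```

Run `scenario()` to see the four outcomes; only the request sent from VLAN92 before a rule existed there is dropped.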
