Bug #8665

closed

ipv6: ULA addresses on different VLAN inaccessible after pfsense restart

Added by Tanya Severeyns almost 6 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/20/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

To further check some issues I'm having with ipv6 ULA addresses, I created a test setup.
(see here: https://forum.netgate.com/topic/132747/ipv6-can-ping-gua-address-in-different-vlan-but-not-ula)

After some configuration, I could ping a VM on another VLAN by its ULA v6 address.
(And the other way around: from that machine to me as well)

After a reboot of pfSense (without further config changes) this functionality stopped working and I never got it working again.

This is in line with the original problem I was facing on our 'production' pfSense: ULA ipv6 don't work across VLANs.

I don't know if pfSense changes something in its configuration when it reboots, or reads configuration rules in a specific order when it boots, or if it is something specific to the ipv6 ULAs.

Either way, a setup is working and after a reboot it no longer works. That's surely not how it should be?

--

Details of the setup:

3 virtual machines

  • a new pfSense (version 2.4.3)
  • a Windows client (Win7, firewall disabled)
  • a 2nd Windows client (Win7, firewall disabled)

These 3 are totally isolated from the rest of my network.
I tried to set up pfSense with as few changes as possible (no VPN, ...), just the ipv6 stuff.

  • The WAN is set to auto (DHCP) but not connected (so track interface won't work)
  • LAN with Static IPv6: fddd:666:666:90::1
  • VLAN91 with Static IPv6: fddd:666:666:91::1
  • VLAN92 with Static IPv6: fddd:666:666:92::1
  • LAN: RA = assisted
  • VLAN92: RA = Stateless DHCP

I put 1 Win client on LAN and one on VLAN92.

The client on LAN:

  • got ping replies from the client on VLAN92

The client on VLAN92:

  • got ping timeout from the client on LAN
  • got ping timeout from the pfSense's interface ipv6 address on LAN

When I copied the "Default Allow LAN IPv6 to any rule" from LAN to VLAN92, both ping commands from VLAN92 started giving replies. (I left them running while applying the firewall rule.)

...

And then ... I rebooted the firewall.

After the reboot, none of the ping commands seem to work anymore; all just give timeouts. (I left them running while rebooting the firewall.)

Strange thing is:

  • no configuration was changed on the firewall
  • no configuration was changed on any of the virtual machines

I can see no changes between the config before the reboot and the config after the reboot.
Still, it worked before and it doesn't after.
Whatever I do, I can no longer get it to work.
