I'm having an issue with IPv6 state tracking, I think.
I run a fully dual-stacked environment.
pfSense 2.1-RELEASE acts as the gateway between two subnets (two VLANs,
but I don't think that makes any difference here).
In IPv4, one subnet ("A") is publicly-routable address space, the other
("B") is RFC1918.
In IPv6, both subnets are publicly-routable address space.
I have a management workstation on subnet A that needs to reach servers
in subnet B.
I've added two static routes on the router for subnet A, one IPv4, one
IPv6, pointing to pfSense as the next-hop.
I've disabled automatic outbound NAT, and modified the three
automatically-generated rules to have Destination NOT subnet A, in other
words, I don't NAT between subnets A and B, only between B and the
outside world (via A). There are no port forwards in place.
On the WAN interface, I have four rules:
1. allow all IPv6 to WAN interface
2. allow all IPv4 to WAN interface
3. allow all IPv6 from A to B
4. allow all IPv4 from A to B
That's it - the simplest possible configuration I could come up with for
this role. (Incidentally, the reason I'm using pfSense at all is
because the two routers for subnet A provide non-stateful HA, which
makes NAT quite problematic.)
What I see is that when I ssh from A to B using IPv4, everything works
fine. The session shows up in the firewall state table as expected, and
performs as expected.
If I ssh from A to B using IPv6, however, the session connects, I log
in, and after a short while, the ssh session stalls. The session does
NOT show up in the state table, ever, even while it's still working
properly.
I can restart the SSH session immediately, and it again will work for a
while, failing after ~50 packets have been exchanged.
I've run simultaneous packet captures on the pfSense WAN and LAN
interfaces, but they show me nothing of interest. I looked at
filter.log, but it's so noisy I didn't get any value out of it yet.
Any ideas or thoughts? How can my session work in the first place
without a state table entry, and why does it die after ~50-100 packets?
Why is only IPv6 affected? Have I missed something fundamental?
--
-Adam Thompson
[email protected]
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
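As an added check, not code from the post or from pfSense: a small parser for `pfctl -ss` output that answers the first question directly (does pf hold a state for a given flow or not, and for which address family?). The endpoint notation (addr:port for IPv4, addr[port] for IPv6, an optional NAT address in parentheses) is assumed from pfctl's usual formatting; the sample output and all addresses in it are constructed.

```python
import ipaddress
import re
from typing import NamedTuple
# Constructed sample of `pfctl -ss` output, written to mirror the symptom in
# the post: IPv4 ssh states from A to B exist, no IPv6 one. Not a real capture.
SAMPLE_PFCTL_SS = """\
all tcp 192.0.2.22:22 <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:51234 -> 192.0.2.22:22       ESTABLISHED:ESTABLISHED
all udp 10.0.0.7:40001 (203.0.113.9:40001) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 2001:db8:b::53[53] <- 2001:db8:a::9[49152]       ESTABLISHED:ESTABLISHED
"""
class Endpoint(NamedTuple):
    addr: object   # ipaddress.IPv4Address or IPv6Address
    port: int
class State(NamedTuple):
    proto: str
    left: Endpoint
    direction: str
    right: Endpoint
    status: str
# pf prints IPv4 endpoints as addr:port and IPv6 endpoints as addr[port]; a
# NAT-translated address may follow the first endpoint in parentheses.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\(\S+\))?"
    r"\s+(?P<dir><->|<-|->)\s+(?P<right>\S+)\s+(?P<status>\S+)\s*$"
)

def parse_endpoint(text):
    m = re.fullmatch(r"(.+)\[(\d+)\]", text)   # IPv6 form
    if m:
        return Endpoint(ipaddress.ip_address(m.group(1)), int(m.group(2)))
    addr, port = text.rsplit(":", 1)           # IPv4 form
    return Endpoint(ipaddress.ip_address(addr), int(port))

def parse_states(output):
    """Parse pfctl -ss lines into State records; unrecognised lines are skipped."""
    states = []
    for line in output.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append(State(m["proto"], parse_endpoint(m["left"]), m["dir"],
                                parse_endpoint(m["right"]), m["status"]))
    return states

def states_involving(states, host, port=None):
    """States that have host (and port, if given) on either side."""
    target = ipaddress.ip_address(host)
    return [s for s in states
            if any(ep.addr == target and port in (None, ep.port)
                   for ep in (s.left, s.right))]
```

Against a live box, feed it `subprocess.check_output(["pfctl", "-ss"], text=True)` while the IPv6 ssh session is still up; an empty result from `states_involving` for the server's address and port 22 confirms pf never created the state, as opposed to the web GUI's state viewer merely hiding it.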