IPv6 doesn't work unless I reload PF.

So I've gotten IPv6 to work on my router (11-RELEASE), but every time I reboot the router my Windows machine doesn't get a v6 IP until I reload my PF rules.

What would cause this? Is something not starting in the right order, or could it be my PF rules?

Here are my rules.

pf.conf

Code:
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "re0"
int_if  = "vr0"


#protocol
icmp_types = "{ echoreq, unreach }"

#hosts
Xbox360 = "192.168.1.105"

# $Xlive_udp, $Xlive_tcp and $lan_net are used below but are not defined
# anywhere in the posted file, and pfctl refuses to load a ruleset that
# uses an undefined macro. The values here are assumptions added so the
# listing parses: the usual Xbox Live ports and the LAN network implied
# by the dnsmasq dhcp-range further down the thread.
Xlive_udp = "{ 88, 3074 }"
Xlive_tcp = "3074"
lan_net   = "192.168.1.0/24"

#------------------------------------------------------------------------
# filter rules (as posted there is no "block all"; pf passes any packet
# that matches no rule, so only the IGMP rule below actually blocks)
#------------------------------------------------------------------------
# Xbox Live. "tagged XBOX360" only matches packets that an earlier
# "tag XBOX360" rule (usually a nat/rdr rule, not shown in the post) tagged.
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp keep state
block in quick on $int_if inet proto igmp all
# DHCPv4 (67/68). DHCP is UDP only; the tcp rule never matches real DHCP traffic.
pass quick on { $ext_if $int_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state

# IPv6. The link-local prefix is fe80::/10; fe80::/8 is wider than that.
# "modulate state" only changes TCP handling; for udp and icmp6 it behaves like "keep state".
pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client
pass in quick on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client modulate state
pass in quick on $ext_if inet6 proto icmp6 from any to any modulate state
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state

pass inet proto icmp all icmp-type $icmp_types keep state

# $int_if:network is expanded once, when the ruleset is loaded; an address
# added to vr0 later (e.g. a delegated prefix) is not covered until the next
# reload. Written in parentheses, ($int_if:network), pf re-evaluates it
# whenever the interface's addresses change.
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state

pass in  from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
pass out from any to any keep state
 
Code:
pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client
pass in quick on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client modulate state
Rules are the same but have different options.

There's no need for "keep state", it's implied.

These show up more than once:
Code:
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state
 
OK, I removed

Code:
pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client


Code:
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state

One is for $ext_if, the other is for $int_if. Not sure if I need both.

Still not getting an IP after rebooting until I reload my pf rules.
 
One is for $ext_if, the other is for $int_if.
Yes, but both rules show up more than once. And any outgoing filtering after these rules is never going to hit. The quick keyword will prevent any further outgoing rules from being evaluated.

For example:
Code:
#1: pass out quick on $ext_if from any to any
#2: pass out on $ext_if from 1.1.1.1 to 2.2.2.2
Rule #2 will never be reached because rule #1 'short-circuits' any further processing.
 
I see. OK, thanks. I didn't realize I had double rules. I removed them. I still have to reload the rules to get a v6 IP. Could it be my dnsmasq.conf or dhcp6c.conf? It's the only thing I can think of.

dnsmasq.conf

Code:
# IPv4 pool for the LAN
dhcp-range=192.168.1.10,192.168.1.200,12h
# IPv6: build the range from whatever global /64 is on vr0 (constructor:vr0)
# and only send Router Advertisements; clients configure themselves with SLAAC
dhcp-range=::,constructor:vr0,ra-only,slaac,ra-names,12h
interface=vr0

enable-ra

dhcp6c.conf

Code:
interface re0 {
 send ia-pd 1;    # ask the upstream for a delegated prefix (IA_PD id 1)
 send ia-na 1;    # and for a non-temporary address on re0 itself (IA_NA id 1)
};

id-assoc na 1 {};

id-assoc pd 1 {
 prefix ::/56 infinity;   # prefer a /56 with infinite lifetimes
 prefix-interface vr0 {
  sla-id 1;               # which /64 out of the delegated block goes on vr0...
  sla-len 8;              # ...using the 8 bits between /56 and /64
 };
};
 
I have no idea why, but I would start with an empty ruleset. Then block all incoming traffic from the outside. Test it and fix whatever needs to be opened. I also recommend cleaning up a bit, group all IPv6 rules together. Try and keep a bit of logic in there. By having different types of rules and traffic intermingled it's difficult for humans to read and understand the rules. A messy ruleset makes it easier for mistakes to creep in.
 
That will definitely help. Use remarks to add some explanations what the rule is for. After a few months you won't remember why you added certain rules. Adding comments will help.

Here's part of my ruleset to give you some ideas:
Code:
# HTTP
pass in on $ext_if proto tcp from any to ($ext_if) port 80 label "ipv4 http"
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 80 label "ipv6 http"

# HTTPS
pass in on $ext_if proto tcp from any to ($ext_if) port 443 label "ipv4 https"
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 443 label "ipv6 https"

# SMTP
pass in on $ext_if proto tcp from any to $mail_host port 25 label "ipv4 smtp"
pass in on $ext_if proto tcp from any to $mail_host port 465 label "ipv4 ssmtp"
pass in on $ext_if proto tcp from any to $mail_host port 587 label "ipv4 esmtp"
# IMAP
pass in on $ext_if proto tcp from any to $mail_host port 143 label "ipv4 imap"
pass in on $ext_if proto tcp from any to $mail_host port 993 label "ipv4 imaps"
# POP3
pass in on $ext_if proto tcp from any to $mail_host port 110 label "ipv4 pop3"

As you can see I've grouped everything according to function. I can quickly see what's opened and what not. When the rules are clear it'll be easier to troubleshoot.
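The two pf behaviours this thread turns on, "the last matching rule wins unless a matching rule says quick, which stops evaluation there" and "a packet that matches no rule is passed, so a ruleset with no block rule filters nothing", and the default-deny-then-grouped-exceptions layout recommended in the last two replies, as an added example that is not part of the thread and not any poster's code: a small Python model of pf's matcher. It parses a subset of pf.conf syntax (macros, # comments, pass/block, in/out, quick, on, inet/inet6, proto, from/to, port; no braces lists, tables, anchors, nat/rdr or state), evaluates constructed packets against two constructed rulesets, and lists rules that occur more than once. The interface names re0/vr0, the documentation addresses, and the 2001:db8:1::/64 LAN prefix are assumptions.

```python
"""Toy model of pf's matching rules (added example, not from this thread): rules are
read top to bottom and the LAST match wins, a matching 'quick' rule stops evaluation
right there, and a packet that matches no rule is passed. Subset of pf.conf syntax."""
import ipaddress
from collections import Counter, namedtuple

PORT_NAMES = {"dhcpv6-client": 546, "dhcpv6-server": 547, "http": 80, "https": 443}
RULE_DEFAULTS = dict(direction="any", quick=False, iface="any", af="any", proto="any",
                     src="any", dst="any", sport="any", dport="any")
KEYED = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}  # keyword -> field
Packet = namedtuple("Packet", "direction iface proto src dst sport dport", defaults=(0, 0))

def parse_rule(line):
    """Parse one pass/block line. log, all, keep/modulate state and label are ignored;
    'port' before 'to' is the source port, after 'to' the destination port."""
    toks = line.split()
    rule = dict(RULE_DEFAULTS, action=toks[0], text=" ".join(toks))
    i, after_to = 1, False
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out", "inet", "inet6"):
            rule["direction" if tok in ("in", "out") else "af"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok in KEYED or tok == "port":            # keyword followed by its value
            field = KEYED.get(tok, "dport" if after_to else "sport")
            rule[field], i = toks[i + 1], i + 1
            after_to = after_to or tok == "to"
        i += 1
    return rule

def parse_ruleset(text):
    """Expand simple name = "value" macros, drop # comments, parse the rule lines."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, value = line.partition("=")
        if sep and name.strip().isidentifier():
            macros[name.strip()] = value.strip().strip('"')
        elif line:
            for name, value in macros.items():
                line = line.replace("$" + name, value)
            rules.append(parse_rule(line))
    return rules

def addr_match(spec, addr):
    if spec == "any":
        return True
    net, ip = ipaddress.ip_network(spec, strict=False), ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net

def port_match(spec, port):
    if spec == "any":
        return True
    lo, _, hi = str(PORT_NAMES.get(spec, spec)).partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(r, p):
    af = "inet6" if ":" in p.src else "inet"
    return (r["direction"] in ("any", p.direction) and r["iface"] in ("any", p.iface)
            and r["af"] in ("any", af) and r["proto"] in ("any", p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and port_match(r["sport"], p.sport) and port_match(r["dport"], p.dport))

def evaluate(rules, pkt):
    """Return (action, index of the deciding rule), or ("pass", None) when nothing matches."""
    winner = None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = idx
            if rule["quick"]:              # later rules are never consulted
                break
    return ("pass", None) if winner is None else (rules[winner]["action"], winner)

def duplicates(rules):                     # rule lines occurring more than once after macro expansion
    return [t for t, n in Counter(r["text"] for r in rules).items() if n > 1]

# Constructed rulesets. SHADOWED: the duplicated quick rule hides the block below it.
SHADOWED = """
ext_if = "re0"
pass out quick on $ext_if from any to any
pass out quick on $ext_if from any to any
block out on $ext_if from 192.0.2.10 to 198.51.100.20
"""
# GROUPED: default-deny inbound, then grouped, labelled exceptions (LAN /64 is assumed).
GROUPED = """
block in all
pass out all
# IPv6 control plane: RS/RA/NDP on both sides, DHCPv6 replies to the dhcp6c client on re0
pass in on re0 inet6 proto icmp6 from any to any label "icmp6 wan"
pass in on vr0 inet6 proto icmp6 from fe80::/10 to any label "icmp6 lan"
pass in on re0 inet6 proto udp from fe80::/10 to any port dhcpv6-client label "dhcpv6"
# LAN clients and services exposed on the router
pass in on vr0 inet6 from 2001:db8:1::/64 to any label "lan v6"
pass in on re0 proto tcp from any to any port https label "https"
"""

if __name__ == "__main__":
    print(evaluate(parse_ruleset(GROUPED), Packet("in", "vr0", "icmp6", "fe80::1", "ff02::2")))
```

`evaluate` returns the index of the rule that decided each packet, so a rule that never shows up as a winner for any traffic you care about is a candidate for removal, and `duplicates` flags the copy-and-paste repeats the replies pointed out. Against SHADOWED the block rule is never consulted because the quick rule above it already matched; against GROUPED a Router Solicitation arriving on vr0 is passed by rule 3 even though `block in all` matched first, while inbound TCP to port 22 on re0 stays blocked. The model ignores state tracking and icmp6-type, so it is for reasoning about rule order, not a replacement for `pfctl -vnf /etc/pf.conf`.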
 