Interface 'Block bogon networks' Blocking Legitimate ipv6 ICMP Traffic
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
I recently enabled IPv6 support and noticed some weird firewall traffic logs. A lot of traffic from my ISP's default gateway link-local address was being blocked by the WAN block bogons rule. I reviewed the logs and realized the traffic is being blocked because it appears to be using the ICMPv4 protocol number even though the network is IPv6 (it shows as 'icmp' instead of 'ipv6-icmp').
At first I assumed it was an ISP configuration issue (sending the wrong protocol number). However, when I turn off bogon blocking the traffic disappears. My assumption was that after passing the initial bogus packets, the ISP router started using the correct protocol. However, there are no entries showing that traffic was ever passed (or even dropped after disabling bogon blocking) for the bad protocol number; the traffic simply disappears.
Image bottom is with bogon blocking on and top is after disabling it. Since the traffic disappears as opposed to getting passed and then the gateway behaving differently, this makes me wonder if it might be an OPNsense bug.
https://ibb.co/txqS6cw
Additionally, disabling block bogons on the WAN interface and then manually recreating the block bogon rules at the top of my firewall rule list using the built-in bogon aliases (both a v4 and v6 rule) also makes all of the "icmp" (wrong protocol number) traffic disappear, and all of the traffic in the logs shows as ipv6-icmp and is passed.
I did not use IPv6 on OPNsense in a prior version.
To Reproduce
Enable WAN block bogons and watch the firewall logs. Unsure if this might be ISP/gateway hardware specific though.
Expected behavior
ICMPv6 traffic should show up with the correct protocol name and be passed.
Describe alternatives you considered
Manually creating block bogons rules in the Firewall makes the issue go away.
Screenshots
Relevant log files
Additional context
Environment
Running virtualized on xcp-ng.
Versions OPNsense 23.7.11-amd64 FreeBSD 13.2-RELEASE-p7 OpenSSL 1.1.1w
CPU type Intel(R) Xeon(R) CPU E3-1231 v3 @ 3.40GHz (6 cores, 6 threads)
Same problem
We have the same problem. Did you find any solution to fix this? Some more information: This seems to happen if the recorder is directly stopped after starting the recording, i.e. not holding the recording button.
https://user-images.githubusercontent.com/29095487/203602109-9a10da0d-f08a-4cb7-8575-95263176e49f.mp4
Could you try adding requestLegacyExternalStorage = "true" on AndroidManifest.xml?
Related to https://github.com/react-native-cameraroll/react-native-cameraroll/issues/192#issuecomment-679122972
I tried but it didn't work