-
Notifications
You must be signed in to change notification settings - Fork 707
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Firewall Shaper causes IPv6 address loss on WAN #7342
Comments
I have shaping working on both my WAN links - and both have IPv6 enabled. The only difference between my rules and the rules in the guide, is that I do not have a mask set on the queue, and only use direction on the rule. Could you test what that does? |
Since @Wireheadbe's question was posed and did not receive an answer, I will follow up since this issue seemingly gets no activity (for a rather large issue if I can say so): Just so you can rule out any hardware issues... Hardware setup:
You simply turn on any My running theory is that the packets are getting fragmented by the shaper and not reassembled correctly. This much I can confirm by seeing the solicit packets missing bytelengths in the system logs, then restarting the solicit process to get a valid packet. The most obvious answer to this would simply exclude ALL ICMP traffic from the shaper when using the Let me know if I just said a lot of nothing, but this isn't my first rodeo fighting ICMP solicit issues with traffic shaping on opnSense. For some reason on my previous pfSense install, that was never an issue. |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
If one uses the traffic shaper like described here: https://maltechx.de/en/2021/03/opnsense-setup-traffic-shaping-and-reduce-bufferbloat/ and elsewhere, the IPv6 address of the WAN interfaces gets lost when an outbound congestion occurs. IPv4 works fine.
This is especially problematic with dynamic IPv6 prefixes and CG-NAT / DS-Lite. The german ISP Deutsche Glasfaser is a prominent example of this.
To Reproduce
There are multiple reports of this behaviour on the OpnSense forums:
https://forum.opnsense.org/index.php?topic=27247.0
https://forum.opnsense.org/index.php?topic=39624.0
https://forum.opnsense.org/index.php?topic=32912
Expected behavior
The IPv6 connectivity should not be disturbed by traffic shaping.
Describe alternatives you considered
In two of the threads, a potential workaround is to use specific IPv6 ranges for the source of the rules, which is impossible with dynamic IPv6 prefixes, though.
Relevant log files
See links...
Environment
OPNsense 22.x to 24.1.4
The text was updated successfully, but these errors were encountered: