Topic: IPV6-FRAG blocked in Firewall  (Read 10796 times)
« on: July 11, 2010, 14:09:35 »
Hans Maulwurf **
Posts: 56

I am using a SixXS tunnel for IPv6 connectivity and have some issues reaching certain servers.
It seems to be an MTU issue, but I'm not sure yet. However, I noticed tons of entries in the firewall log that say IPv6 traffic from or to local computers was blocked, where the protocol in the last column is stated as IPV6-FRAG.
What exactly does that mean? Plus, I added two rules on LAN and WAN allowing all "IPV6-FRAG" traffic; I even checked the "allow fragmented packets" option in those two rules. Still I'm seeing blocked entries in the log.
« Reply #1 on: August 16, 2010, 04:28:17 »
comptech *
Posts: 3

It looks like there may be some bugs in the ipfilter version that m0n0wall currently uses that are causing issues:
http://www.freebsd.org/cgi/query-pr.cgi?pr=145733
« Reply #2 on: August 17, 2010, 21:22:31 »
brushedmoss ****
Posts: 446

Sorry, been offline for a while.

m0n0wall uses ipfilter, it only uses ipfw for captive portal (which isn't ipv6 enabled).

I can't replicate your problem, my few tunnels work fine and don't give me any frag problems.

Can you PM me the output of /status.php or your firewall rules from that page and the ipmon deny entries you see?
« Reply #3 on: August 31, 2010, 13:58:32 »
Hans Maulwurf **
Posts: 56

Well, I had some time to investigate further after posting here, and it turned out that this indeed has to do with MTU sizes.
I am using Windows XP/2003 machines on the LAN, so I don't know if this also happens with *nix OSes.
The SixXS tunnel has an MTU of 1280 by default, while Windows is using the default 1500.

As soon as I set the MTU for IPv6 to 1280 on the Windows machines, the IPV6-FRAG blocked entries disappear.
This mostly happened with UDP packets. I'm running a freenet 0.7 node.

Just in case you still want to know, here are the IPv6 filters from /status.php - I hope this is enough. I changed my tunnel's address to 1234:5678:200... and the subnet to 1234:5678:5c1::/48 in this copy.
Code:
unparsed IPv6 ipfilter rules
# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# allow link-local traffic on LAN
pass in quick on vr0 from fe80::/10 to fe80::/10
pass out quick on vr0 from fe80::/10 to fe80::/10

# allow access to DHCPv6 server on LAN
pass in quick on vr0 proto udp from any port = 546 to ff02::1:2 port = 547
# allow link-local traffic on opt1
pass in quick on fxp1 from fe80::/10 to fe80::/10
pass out quick on fxp1 from fe80::/10 to fe80::/10

# allow access to DHCP server on opt1
pass in quick on fxp1 proto udp from any port = 546 to ff02::1:2 port = 547

# allow essential ICMPv6 messages: router and neighbor solicitation/advertisement
pass in quick proto ipv6-icmp from any to any icmp-type 133
pass in quick proto ipv6-icmp from any to any icmp-type 134
pass in quick proto ipv6-icmp from any to any icmp-type 135
pass in quick proto ipv6-icmp from any to any icmp-type 136
pass out quick proto ipv6-icmp from any to any icmp-type 133
pass out quick proto ipv6-icmp from any to any icmp-type 134
pass out quick proto ipv6-icmp from any to any icmp-type 135
pass out quick proto ipv6-icmp from any to any icmp-type 136

# also allow ICMPv6 destination unreachable, packet too big (PMTUD) and time exceeded
pass in quick proto ipv6-icmp from any to any icmp-type 1
pass out quick proto ipv6-icmp from any to any icmp-type 1
pass in quick proto ipv6-icmp from any to any icmp-type 2
pass out quick proto ipv6-icmp from any to any icmp-type 2
pass in quick proto ipv6-icmp from any to any icmp-type 3
pass out quick proto ipv6-icmp from any to any icmp-type 3

# allow ping to make tunnel broker happy
pass in quick proto ipv6-icmp from any to 1234:5678:200:831::2 icmp-type 128
pass out quick proto ipv6-icmp from 1234:5678:200:831::2 to any icmp-type 129

# WAN spoof check
block in log quick on gif0 from 1234:5678:5c1:0:0:0:0:0/64 to any
block in log quick on gif0 from 1234:5678:5c1:1:0:0:0:0/64 to any
block in log quick on vr0 from ! 1234:5678:5c1:0:0:0:0:0/64 to any
block in log quick on fxp1 from ! 1234:5678:5c1:1:0:0:0:0/64 to any

# Stop site-local on the outside interface
block in log quick on gif0 from fec0::/10 to any
block in log quick on gif0 from any to fec0::/10

# Disallow "internal" addresses to appear on the wire.
block in log quick on gif0 from ::ffff:0.0.0.0/96 to any
block in log quick on gif0 from any to ::ffff:0.0.0.0/96

# Disallow packets to malicious IPv4 compatible prefix.
block in log quick on gif0 from ::224.0.0.0/100 to any
block in log quick on gif0 from any to ::224.0.0.0/100
block in log quick on gif0 from ::127.0.0.0/104 to any
block in log quick on gif0 from any to ::127.0.0.0/104
block in log quick on gif0 from ::0.0.0.0/104 to any
block in log quick on gif0 from any to ::0.0.0.0/104
block in log quick on gif0 from ::255.0.0.0/104 to any
block in log quick on gif0 from any to ::255.0.0.0/104

block in log quick on gif0 from ::0.0.0.0/96 to any
block in log quick on gif0 from any to ::0.0.0.0/96

# Disallow packets to malicious 6to4 prefix.
block in log quick on gif0 from 2002:e000::/20 to any
block in log quick on gif0 from any to 2002:e000::/20
block in log quick on gif0 from 2002:7f00::/24 to any
block in log quick on gif0 from any to 2002:7f00::/24
block in log quick on gif0 from 2002:0000::/24 to any
block in log quick on gif0 from any to 2002:0000::/24
block in log quick on gif0 from 2002:ff00::/24 to any
block in log quick on gif0 from any to 2002:ff00::/24
block in log quick on gif0 from 2002:0a00::/24 to any
block in log quick on gif0 from any to 2002:0a00::/24
block in log quick on gif0 from 2002:ac10::/28 to any
block in log quick on gif0 from any to 2002:ac10::/28
block in log quick on gif0 from 2002:c0a8::/32 to any
block in log quick on gif0 from any to 2002:c0a8::/32

block in log quick on gif0 from ff05::/16 to any
block in log quick on gif0 from any to ff05::/16

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 10100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on vr0 all head 10100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr0 all keep state

#---------------------------------------------------------------------------
# group head 10200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on gif0 all head 10200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on gif0 all keep state

#---------------------------------------------------------------------------
# group head 10300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on fxp1 all head 10300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp1 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 1234:5678:5c1:0:0:0:0:0/64 to 1234:5678:5c1::1 keep state group 10100

# User-defined rules follow
pass in log first quick proto ipv6-frag from any to any keep state keep frags group 10200
pass in quick proto ipv6-icmp from any to any keep state group 10200
pass in quick proto tcp/udp from any to any port >= 1050 keep state keep frags group 10200
pass in log first quick proto tcp/udp from any to any port <= 1024 keep state group 10300
pass in log first quick proto ipv6-icmp from any to any icmp-type 128 keep state group 10300
pass in quick proto ipv6-icmp from any to any icmp-type 129 keep state group 10300
pass in quick proto ipv6-frag from any to any keep state keep frags group 10100
pass in quick from any to any keep state keep frags group 10100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
I think the user defined rules should allow pretty much anything in this config.
« Reply #4 on: August 31, 2010, 18:26:38 »
brushedmoss ****
Posts: 446

I'll see if I can replicate from home.

Path MTU and fragmentation are a little different in IPv6; see the heading "Path MTU Discovery and Fragmentation" here: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-3/ipv6_internals.html

I don't see why m0n0wall would care about the ipv6-frag header to cause a deny in your configuration, but if you can send me a sample output of the deny you see and the output of

/status.php#ipfstat -6 -nio

it might give a hint.

You mention freenet; where does this fit in? Can you exclude this and see if you have the same problems?
« Reply #5 on: August 31, 2010, 19:17:07 »
brushedmoss ****
Posts: 446

Actually, this wasn't too hard to replicate :-(

It matches this bug, but looking at the revisions, the fix should already be in m0n0wall:

http://sourceforge.net/tracker/index.php?func=detail&aid=1794544&group_id=169098&atid=849053
« Reply #6 on: August 31, 2010, 20:59:58 »
Hans Maulwurf **
Posts: 56

Well, freenet is just a P2P application using UDP for all communication and data exchange, so I guess it shouldn't do anything fancy, except for producing large amounts of UDP traffic.
If I'm not mistaken, the bug you've linked to should have been fixed about 3 years ago... So that's still odd.
Do you still need my logs, or could you fully reproduce it?
« Reply #7 on: August 31, 2010, 23:27:55 »
brushedmoss ****
Posts: 446

It's as easy to reproduce as having a Windows 7 system behind m0n0wall and doing
Code:
ping ipv6.google.com -l 1233

which gives this in m0n0wall

Aug 31 21:24:01 m0n0wall ipmon[117]: 21:24:01.155584 vr1 @10100:4 b 2001:770:1b4:ff:ff:be0c:ddfc:e347 -> 2a00:1450:8006::63 PR ipv6-frag len 48 (1280) IN
Aug 31 21:24:01 m0n0wall ipmon[117]: 21:24:01.155608 vr1 @10100:4 b 2001:770:1b4:ff:ff:be0c:ddfc:e347 -> 2a00:1450:8006::63 PR ipv6-frag len 48 (57) IN


which corresponds to

@4 pass in quick from any to any keep state keep frags group 10100
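As an added illustration (not code from this thread or from m0n0wall), the two dropped entries above are exactly what RFC 8200 sender-side fragmentation produces when a host with a 1500-byte MTU (Reply #3's Windows machines) pings with 1233 bytes of payload over a 1280-byte tunnel path: a 1280-byte first fragment and a 57-byte tail, each carrying an 8-byte Fragment header (hence "len 48"). The block computes those sizes and parses m0n0wall's ipmon lines to pull out blocked ipv6-frag packets and the rule that dropped them; the log lines are copied from the post, the function names are my own.

```python
import re

IPV6_HDR, FRAG_HDR, ICMPV6_HDR = 40, 8, 8
IPV6_MIN_MTU = 1280  # SixXS tunnel MTU, also the IPv6 minimum link MTU

def fragment_sizes(payload_len, path_mtu, upper_hdr=ICMPV6_HDR):
    """On-wire sizes of the IPv6 packets a host sends for one upper-layer
    datagram (e.g. 'ping -l payload_len') when it exceeds path_mtu.
    Per RFC 8200 the sender inserts an 8-byte Fragment header and splits the
    fragmentable part so every non-final fragment carries a multiple of 8 bytes."""
    total = IPV6_HDR + upper_hdr + payload_len
    if total <= path_mtu:
        return [total]                      # fits: no Fragment header at all
    fragmentable = upper_hdr + payload_len
    chunk = (path_mtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    sizes = []
    while fragmentable > chunk:
        sizes.append(IPV6_HDR + FRAG_HDR + chunk)
        fragmentable -= chunk
    sizes.append(IPV6_HDR + FRAG_HDR + fragmentable)   # final (possibly tiny) fragment
    return sizes

# ipmon line shape: "... ipmon[PID]: TIME IFACE @GROUP:RULE b|p SRC -> DST PR PROTO len HDRLEN (PKTLEN) IN|OUT"
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hdrlen>\d+) \((?P<pktlen>\d+)\) (?P<direction>IN|OUT)")

def parse_ipmon(line):
    """Parse one ipmon log line into a dict, or None if it is not an ipmon entry."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("group", "rule", "hdrlen", "pktlen"):
        entry[key] = int(entry[key])
    return entry

def blocked_fragments(lines):
    """Entries where a packet carrying a Fragment header was dropped ('b')."""
    entries = (parse_ipmon(line) for line in lines)
    return [e for e in entries if e and e["action"] == "b" and e["proto"] == "ipv6-frag"]

# Log lines copied from the post above (Windows host doing 'ping ipv6.google.com -l 1233').
SAMPLE_LOG = [
    "Aug 31 21:24:01 m0n0wall ipmon[117]: 21:24:01.155584 vr1 @10100:4 b 2001:770:1b4:ff:ff:be0c:ddfc:e347 -> 2a00:1450:8006::63 PR ipv6-frag len 48 (1280) IN",
    "Aug 31 21:24:01 m0n0wall ipmon[117]: 21:24:01.155608 vr1 @10100:4 b 2001:770:1b4:ff:ff:be0c:ddfc:e347 -> 2a00:1450:8006::63 PR ipv6-frag len 48 (57) IN",
]

if __name__ == "__main__":
    dropped = blocked_fragments(SAMPLE_LOG)
    print("dropped fragment sizes:", [e["pktlen"] for e in dropped], "by rule @%d:%d" % (dropped[0]["group"], dropped[0]["rule"]))
    print("expected for ping -l 1233 at MTU 1280:", fragment_sizes(1233, IPV6_MIN_MTU))
```

Setting the hosts' IPv6 MTU to 1280, as Reply #3 did, makes `fragment_sizes(1233, 1280)` the sender's own plan and no Fragment header ever reaches the firewall for packets that fit.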
« Reply #8 on: September 02, 2010, 11:25:02 »
brushedmoss ****
Posts: 446

There is another potential bug listed that looks fixed in 4.1.31 (m0n0 is on 4.1.28 currently) that I'll have a look at and see if I can patch into m0n0, but it will probably be easier (?) to bring m0n0 forward to 4.1.31:

http://sourceforge.net/tracker/index.php?func=detail&aid=2214661&group_id=169098&atid=849053
« Reply #9 on: October 20, 2010, 17:03:47 »
brushedmoss ****
Posts: 446

Can you test

http://m0n0.ch/temp/embedded-1.33-pre1.img

http://m0n0.ch/temp/generic-pc-1.33-pre1.img

It has 4.1.33 as its ipfilter version.
« Reply #10 on: November 01, 2010, 13:47:08 »
Hans Maulwurf **
Posts: 56

I should have the time to do so this evening.
(I need a few minutes beforehand to boot up my BSD box to modify the image first. interfaces.inc must not set the link0 flag, otherwise I'd have locked myself out.)
« Last Edit: November 01, 2010, 13:49:51 by Hans Maulwurf »
« Reply #11 on: December 19, 2010, 19:52:26 »
J0F3 *
Posts: 2

I have the same issue.
(IPV6-FRAG packets are blocked in the firewall even though I made a firewall rule to explicitly allow the traffic.)

Is there any news?

Thx

J0F3
« Reply #12 on: December 19, 2010, 21:17:33 »
brushedmoss ****
Posts: 446

I haven't had feedback on the images which hopefully fix this, such as

http://m0n0.ch/temp/embedded-1.33-pre3.img

Maybe you can test it and confirm whether it's fixed?
« Last Edit: December 19, 2010, 21:20:23 by brushedmoss »
« Reply #13 on: December 20, 2010, 15:19:05 »
J0F3 *
Posts: 2

I updated my installation to embedded-1.33-pre3.img and it seems to be fixed! Nice work :)

The problematic IPv6 connection works now and the blocks of all IPV6-FRAG packets are gone.

Are there any plans for when the final version of 1.33 will be released?

Thank you very much!

J0F3
« Reply #14 on: January 03, 2011, 17:58:45 »
brushedmoss ****
Posts: 446

This has now become a beta: http://m0n0.ch/wall/beta.php

Mk did the work here in patching the kernel for the newest version of ipfilter to work. The fix for this frag issue is in the new version of ipfilter.