
IPv6 Country Block WAN to LAN strangeness

Hello,

Since the XG Firewall does not have countries for IPv6, I have created my own countries based on published IPv6 address ranges which can be found here https://www.ipdeny.com/

I created a LAN to WAN rule to block access to a country and a WAN to LAN rule to block incoming connections.  I based these rules on the guide available for IPv4 country blocking but using the IPv6 addresses for the country instead of the country names.  My IPv4 country blocking rules work perfectly fine without interrupting wanted traffic, so I figured my IPv6 rule would too.

My IPv6 LAN to WAN rule registers no traffic.  It is 100% unused, which is reasonable since that means that there is likely no traffic to drop.  The WAN to LAN firewall rule registers incoming and outgoing traffic which is similar to how my IPv4 country blocking works (no strangeness there).

Then I discovered that I no longer had any IPv4 connections.  When I disable the WAN to LAN IPv6 blocking rule, my IPv4 starts working again.  For some reason, the IPv6 WAN to LAN drop rule drops IPv4 traffic.

This has completely perplexed me.

I can understand the IPv6 rule blocking IPv6 traffic, but how does it interfere with IPv4 traffic?  Specifically, my DNS server cannot resolve any domains if the list of servers includes IPv4 addresses.  It will only resolve domains when I remove the IPv4 addresses from the DNS server list and use only IPv6 addresses.  If I disable the IPv6 WAN to LAN rule, my DNS server resolves domains using a list of both IPv4 and IPv6 DNS servers.

I should add that I am using an internal DNS server configured to use DNS-over-TLS.

I am running: SFVH (SFOS 21.0.0 GA-Build169)



[edited by: Raphael Alganes at 7:17 AM (GMT -8) on 19 Nov 2024]
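The post builds its own IPv6 country object from ipdeny.com zone files. The following is an added example (not code from the poster or from Sophos) showing a sanity check worth running on such a list before loading it: it parses an ipdeny-style file, rejects anything that is not an IPv6 prefix, collapses adjacent prefixes, and confirms that an IPv6-only object can never match an IPv4 address. The sample prefixes are constructed documentation-range values, not a real country's allocation.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the one-prefix-per-line format used by ipdeny.com
# zone files. The IPv4 line simulates a mixed-up list and must be rejected.
SAMPLE_ZONE = """\
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
# a stray IPv4 prefix that must never end up in an IPv6 object
198.51.100.0/24
"""


def parse_zone(text: str) -> Tuple[List[ipaddress.IPv6Network], List[Tuple[int, str]]]:
    """Return (collapsed IPv6 networks, rejected (lineno, text) entries).

    Blank lines and '#' comments are skipped. Anything that is not a valid
    IPv6 prefix is reported rather than silently dropped, so a mixed-family
    list is caught before it becomes a firewall object.
    """
    nets: List[ipaddress.IPv6Network] = []
    rejected: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, line))
            continue
        if net.version != 6:
            rejected.append((lineno, line))
            continue
        nets.append(net)
    # Merge adjacent and overlapping prefixes (e.g. two /36 siblings -> one /35)
    # so the resulting object is as small as possible.
    return list(ipaddress.collapse_addresses(nets)), rejected


def is_blocked(address: str, nets: List[ipaddress.IPv6Network]) -> bool:
    """True only if `address` is IPv6 and falls inside one of the prefixes.

    An IPv4 address is never matched: an IPv6 country object alone cannot
    explain dropped IPv4 traffic, which points the investigation at the
    rule's other match criteria (zone, source/destination "Any") instead.
    """
    addr = ipaddress.ip_address(address)
    if addr.version != 6:
        return False
    return any(addr in net for net in nets)
```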
  • I have solved this issue.  If I put WAN with the relevant source and destination rules the country blocking works without interfering with IPv4.

  • Seems like I'm beating a dead horse here, but the issue is not resolved.

    After much frustration and troubleshooting, in a nutshell:

    • My network runs dual stack with an internal DNS server that uses DNS over TLS
    • I have country block lists working correctly for IPv4
    • I created my own IPv6 Group for a country
    • When I add IPv6 block rules using the Source or Destination as "Any", the DNS server loses all IPv4 ability
    • When I change the IPv6 Source or Destination to WAN for the respective incoming or outgoing rule, things appear to work but they actually get worse
    • Testing the connection on internet.nl, it now gets a rating of 2.  IPv4 and IPv6 both fail.  DNSSEC fails too, but if I run a separate DNSSEC test, DNSSEC works
    • My DNS server shows a very large number of "Server Failures".  What is very large?  Well, 40% and more
    • If I redirect to my other internal DNS server that does not use DNS over TLS, then things start to work again as the DNS caches clear up
    • If I disable ALL blocking rules for IPv6, DNS over TLS works perfectly once again with a 100% score on internet.nl

    So, from this, it seems that the XG Firewall (I'm running v21) has severe issues with DNS over TLS and IPv6 block rules.