RE: IPv6 Country Block WAN to LAN strangeness

Casual_User — Sat, 30 Nov 2024 20:03:32 GMT

Seems like I'm beating a dead horse here, but the issue is not resolved.

After much frustration and troubleshooting, In a nutshell:

My network runs dual stack with an internal DNS server that uses DNS over TLS
I have country block lists working correctly for IPv4
I created my own IPv6 Group for a country
When I add IPv6 block rules using the Source or Destination as "Any" the DNS server looses all IPv4 ability
When I change the IPv6 Source or Destination to WAN for the respective incoming or outgoing rule, things appear to work but they actually get worse
Testing the connection on internet.nl it now get a rating of 2. IPv4 and IPv6 both fail. DNSSEC fails too but If I run a separate DNSSEC test, DNSSEC works
My DNS server shows a very large number of "Server Failures". What is very large, well 40% and more
if I redirect to my other internal DNS server that does not use DNS over TLS, then things start to work again as the DNS caches clear up
If I disable ALL blocking rules for IPv6, DNS over TLS works perfectly once again with a 100% score on internet.nl

So, from this, it seems that the XG Firewall (I'm running v21) has severe issues with DNS over TLS and IPv6 block rules.

Casual_User — Fri, 22 Nov 2024 20:04:05 GMT

I have solved this issue. If I put WAN with the relevant source and destination rules the country blocking works without interfering with IPv4.