XG v18.0.3 IPv6 firewall rules don't match hosts as source only networks

Hi,

I've been tinkering with this rule for a couple of days, I'm now at a point where I believe I might have hit a bug.

I have two /80 networks, one on Port1 (LAN) and one on Port2 (WAN). I'm trying to allow my mail host on the LAN to allow accessing my mail-out host on the WAN interface.

As long as I specify the IP address of the mail host (IP/128) as source, the connection is not allowed. When I change to source to the /80 network of the mail host the packets are allowed.

tcpdumps on the XG show that the packets come in but are not forwarded on Port2

12:08:09.365500 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2606464250 ecr 0], length 0
12:08:10.374906 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2606465259 ecr 0], length 0
12:08:12.605178 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2606467487 ecr 0], length 0

Working case with the /80 as source in FW rules

10:49:06.263394 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 3006813089, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2786339357 ecr 0], length 0
10:49:06.263715 Port2, OUT: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 3006813089, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2786339357 ecr 0], length 0
10:49:06.265126 Port2, IN: IP6 2a01:4f8:10a:3543:ffff:0:25:11.2525 > 2a01:4f8:10a:3543::25:3.62506: Flags [S.], seq 784369048, ack 3006813090, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3444151001 ecr 2786339357], length 0
10:49:06.265229 Port1, OUT: IP6 2a01:4f8:10a:3543:ffff:0:25:11.2525 > 2a01:4f8:10a:3543::25:3.62506: Flags [S.], seq 784369048, ack 3006813090, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3444151001 ecr 2786339357], length 0
10:49:06.266999 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [.], ack 1, win 1035, options [nop,nop,TS val 2786339357 ecr 3444151001], length 0
10:49:06.267064 Port2, OUT: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [.], ack 1, win 1035, options [nop,nop,TS val 2786339357 ecr 3444151001], length 0

Working rule: (all additional features like IPS and so on are disabled)

Working rule

Non working rule

Non working rule

Hosts and network definitions, I tried both mail as IP address object and as IP subnet with /128 mask

Interfaces

Gateway

The dropped/lost packets are not in the logviewer, only when I set VM_network as source do I see the allowed packets. In the timeframe below I changed the source of the rule back and forth and tested the connection numerous times. If the packets were blocked they should show up here.

I have the same problem with a second rule, where my IRC VM is trying to connect to IRC servers on the internet. It only works when I specify the VM_network as source, not with the IP of the VM as source.

I hope someone has an Idea, or maybe it's a bug?!

Thanks,
Florian

Parents
  • Hi Florian,

    I think the solution is very simple and is a limitation in the current v18.0 of XG, you need a NAT for every IPv6 firewall rule. One general NAT will do unless you have specific requirements like hairpin etc.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hi Ian,

    thank you for taking the time to look into this. Is this limitation documented somewhere? I kind of have a hard time believing that IPv6 requires NAT!? I have all NAT rules disabled for v6, even the default one, and except for this issue my v6 only VMs behind the XG work pretty well. And that also doesn't explain why it works with the network as source in the rule but not with the IP, in both cases without NAT rule.

    Thanks,

    Florian

  • Hi Florian,

    a very frustrating lack of functionality. Also you cannot use fqdns in network destinations only ip addresses. Unsubstantiated rumour has these items will be fixed or added in v18.5.x

    If you check the XG FQDN lists you will not find any IPv6 resolved addresses.

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.


    added notes about lack of FQDN resolution in IPv6.
    [edited by: rfcat_vk at 1:30 AM (GMT -8) on 22 Nov 2020]
Reply
  • Hi Florian,

    a very frustrating lack of functionality. Also you cannot use fqdns in network destinations only ip addresses. Unsubstantiated rumour has these items will be fixed or added in v18.5.x

    If you check the XG FQDN lists you will not find any IPv6 resolved addresses.

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.


    added notes about lack of FQDN resolution in IPv6.
    [edited by: rfcat_vk at 1:30 AM (GMT -8) on 22 Nov 2020]
Children
No Data