
XG v18.0.3 IPv6 firewall rules don't match hosts as source, only networks

Hi,

I've been tinkering with this rule for a couple of days, and I'm now at a point where I believe I might have hit a bug.

I have two /80 networks, one on Port1 (LAN) and one on Port2 (WAN). I'm trying to allow my mail host on the LAN to access my mail-out host on the WAN interface.

As long as I specify the IP address of the mail host (IP/128) as source, the connection is not allowed. When I change the source to the /80 network of the mail host, the packets are allowed.

tcpdumps on the XG show that the packets come in but are not forwarded on Port2:

12:08:09.365500 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2606464250 ecr 0], length 0
12:08:10.374906 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2606465259 ecr 0], length 0
12:08:12.605178 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2606467487 ecr 0], length 0

Working case with the /80 as source in the FW rule:

10:49:06.263394 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 3006813089, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2786339357 ecr 0], length 0
10:49:06.263715 Port2, OUT: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 3006813089, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2786339357 ecr 0], length 0
10:49:06.265126 Port2, IN: IP6 2a01:4f8:10a:3543:ffff:0:25:11.2525 > 2a01:4f8:10a:3543::25:3.62506: Flags [S.], seq 784369048, ack 3006813090, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3444151001 ecr 2786339357], length 0
10:49:06.265229 Port1, OUT: IP6 2a01:4f8:10a:3543:ffff:0:25:11.2525 > 2a01:4f8:10a:3543::25:3.62506: Flags [S.], seq 784369048, ack 3006813090, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3444151001 ecr 2786339357], length 0
10:49:06.266999 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [.], ack 1, win 1035, options [nop,nop,TS val 2786339357 ecr 3444151001], length 0
10:49:06.267064 Port2, OUT: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [.], ack 1, win 1035, options [nop,nop,TS val 2786339357 ecr 3444151001], length 0

Working rule (all additional features like IPS and so on are disabled):

[screenshot: working rule]

Non-working rule:

[screenshot: non-working rule]

Hosts and network definitions (I tried both "mail" as an IP address object and as an IP subnet with a /128 mask):

[screenshot: hosts and network definitions]

[screenshot: interfaces]

[screenshot: gateway]

The dropped/lost packets are not in the log viewer; only when I set VM_network as source do I see the allowed packets. In the timeframe below I changed the source of the rule back and forth and tested the connection numerous times. If the packets were blocked, they should show up here.

I have the same problem with a second rule, where my IRC VM is trying to connect to IRC servers on the internet. It only works when I specify the VM_network as source, not with the IP of the VM as source.

I hope someone has an idea, or maybe it's a bug?!

Thanks,
Florian
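As an added illustration (not part of Florian's post and not Sophos XG code), the following script parses the tcpdump lines quoted above and evaluates them against a deliberately simplified rule model: inbound interface, source object, destination object and destination port, with plain prefix containment for the address objects. The rule model and the field names are assumptions for the example; the addresses, ports and interface names are the ones in the post, and the capture excerpt is constructed from the post's lines with the TCP options trimmed. It shows what a standard matcher does with the two rule variants: a /128 source object covers exactly the same SYNs from the mail host as the /80 does, which is the baseline against which the behaviour described above can be compared.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample capture: the first SYN of the non-working case (Port1 IN only)
# and the first two lines of the working case (Port1 IN, then Port2 OUT), taken
# from the post with the TCP options trimmed.
SAMPLE_CAPTURE = """\
12:08:09.365500 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.49257 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 1337294474, win 65535, length 0
10:49:06.263394 Port1, IN: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 3006813089, win 65535, length 0
10:49:06.263715 Port2, OUT: IP6 2a01:4f8:10a:3543::25:3.62506 > 2a01:4f8:10a:3543:ffff:0:25:11.2525: Flags [S], seq 3006813089, win 65535, length 0
"""

# Line layout as seen in the post:
# "<ts> <iface>, <IN|OUT>: IP6 <src>.<sport> > <dst>.<dport>: Flags [..] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP6 "
    r"(?P<src>[0-9a-fA-F:]+)\.(?P<sport>\d+) > (?P<dst>[0-9a-fA-F:]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv6Address
    dport: int
    flags: str


def parse_capture(text: str) -> list:
    """Parse tcpdump lines; lines that are not IPv6 TCP packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append(Packet(
            iface=m["iface"], direction=m["dir"],
            src=ipaddress.IPv6Address(m["src"]), sport=int(m["sport"]),
            dst=ipaddress.IPv6Address(m["dst"]), dport=int(m["dport"]),
            flags=m["flags"],
        ))
    return packets


@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified rule: inbound interface, src/dst objects, service port."""
    name: str
    in_iface: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Plain prefix containment; a /128 object is just a one-address network."""
    return (pkt.direction == "IN" and pkt.iface == rule.in_iface
            and pkt.src in rule.src and pkt.dst in rule.dst
            and pkt.dport == rule.dport)


def matched_indices(rule: Rule, packets: list) -> list:
    return [i for i, p in enumerate(packets) if rule_matches(rule, p)]


# Objects as described in the post: /80 on Port1 (LAN), /80 on Port2 (WAN),
# the mail host and the mail-out host. Service port 2525 is from the capture.
MAIL_HOST = ipaddress.IPv6Address("2a01:4f8:10a:3543::25:3")
MAIL_OUT_HOST = ipaddress.IPv6Address("2a01:4f8:10a:3543:ffff:0:25:11")
LAN_NET = ipaddress.IPv6Network("2a01:4f8:10a:3543::/80")
WAN_NET = ipaddress.IPv6Network("2a01:4f8:10a:3543:ffff::/80")

HOST_RULE = Rule("mail -> mail-out (host /128 as source)", "Port1",
                 ipaddress.IPv6Network(f"{MAIL_HOST}/128"), WAN_NET, 2525)
NET_RULE = Rule("mail -> mail-out (LAN /80 as source)", "Port1",
                LAN_NET, WAN_NET, 2525)


def host_rule_is_consistent(packets: list) -> bool:
    """True when the /128 rule hits exactly the /80 rule's packets that come from MAIL_HOST."""
    from_host = [i for i in matched_indices(NET_RULE, packets)
                 if packets[i].src == MAIL_HOST]
    return matched_indices(HOST_RULE, packets) == from_host


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for rule in (HOST_RULE, NET_RULE):
        print(rule.name, "matches packets", matched_indices(rule, pkts))
    print("mail host inside LAN /80:", MAIL_HOST in LAN_NET)
    print("/128 rule consistent with /80 rule:", host_rule_is_consistent(pkts))
```

The matcher only evaluates packets entering on the rule's interface, so the Port2 OUT line is never a rule candidate; that mirrors the fact that in the non-working capture the SYN is seen on Port1 IN and simply never appears on Port2 OUT. Feeding a longer capture through `matched_indices` is a quick way to confirm that every SYN the host rule should have matched is present on the inbound side.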