`ipv6allow` is now enabled by default, which means if it's unset, it's enabled. See:
* opnsense/core@6e6369a
* opnsense/core@44dbcd1
…6 address
Note that this will still not include virtual IPs but only the main IPs.
…nges
Underlying issue: IPv6 features multiple scopes restricting where the IP address is valid [1]. ::1 belongs to link-local scope which is not allowed to be routed. As a result FreeBSD will reject the connection after rewriting, as it will come from global scope (the internet) and go to ::1 [2]. This isn't allowed.

The fix / workaround: Instead of redirecting to ::1, the following is tried:
* If there is a WAN interface with an IPv6 address defined, redirect to this address. I expect most setups with IPv6 to have a WAN interface with a suitable (=allowed scope) IPv6 address.
* Else, only redirect the port and leave the address unchanged. This will only work if we are issuing a certificate for ourselves (rather than a host behind the firewall).

A better solution would be to pick an arbitrary IPv6 address of the host with a suitable scope. However, I believe this would be considerably more complex to implement and test. I propose we use this simplified approach, at least for now, which should already work for the vast majority of users.

[1]: https://en.wikipedia.org/wiki/IPv6_address#Address_scopes
[2]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568
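The target-selection logic the commit message describes, written out as an added Python example (not the plugin's own code): scope-check each WAN IPv6 address, redirect to the first one with a usable scope, and otherwise fall back to a port-only redirect. The sample addresses, port and function names are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample of the IPv6 addresses configured on a WAN interface
# (a FreeBSD link-local address with a zone id, then a routable one).
SAMPLE_WAN_ADDRS = ["fe80::1%igb0", "2001:db8:1::2"]


def strip_zone(addr: str) -> str:
    """Drop a FreeBSD zone suffix: 'fe80::1%igb0' -> 'fe80::1'."""
    return addr.split("%", 1)[0]


def is_redirect_safe(addr: str) -> bool:
    """True if traffic arriving from the global scope may be rewritten
    to this address. ::1 (loopback) and fe80::/10 (link-local) are
    rejected: rewriting to them is what FreeBSD refuses (bug 193568)."""
    try:
        ip = ipaddress.IPv6Address(strip_zone(addr))
    except ipaddress.AddressValueError:
        return False  # not an IPv6 literal at all, never a valid target
    return not (ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def plan_redirect(wan_addrs: List[str], port: int) -> Tuple[Optional[str], int]:
    """Return (target_address, target_port) for the redirect rule.

    target_address is None when no WAN address has a usable scope; the
    caller then rewrites only the port and leaves the destination address
    unchanged, which only works when the firewall itself answers."""
    for addr in wan_addrs:
        if is_redirect_safe(addr):
            return strip_zone(addr), port
    return None, port


if __name__ == "__main__":
    # Assumed validation port; ::1 is shown only to demonstrate rejection.
    print(is_redirect_safe("::1"), plan_redirect(SAMPLE_WAN_ADDRS, 43580))
```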
| // Check if IPv6 support is enabled | ||
| if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) { | ||
| if (!isset($configObj->system->ipv6allow) || ($configObj->system->ipv6allow == '1')) { |
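Review bot: the `+` line now treats an absent `system->ipv6allow` as enabled, which matches the new default described in the commit message, but the comment above it still reads only `// Check if IPv6 support is enabled`; state that unset means enabled so the condition is not flipped back later. Also, as the review thread below points out, the setting no longer exists at this configuration spot, so this check will always see the key as absent and take the enabled branch; read it from the setting's current location, and since a plugin may consult it too, a single shared helper for the default would avoid chasing each copy.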
It does not exist in this configuration spot anymore
> I'm not sure I understand. Are you saying a later commit removes this?

Yes, that's intentional, to ensure the commit is consistent in itself. This way you can revert one of the later commits and don't end up in a broken state where this change is missing. Even if the revert no longer applies cleanly you should still see that you need to touch this file.
I see. I guess I never actually tested with IPv6 disabled, who would in 2026. Let me see if I can set up IPv4-based access to my test OPNsense instance to actually test it.
Yep, I missed that a plugin might use it. The flip of the meaning was intended to address your first point here. I think you just need to chase these new locations. The inversion of the logic is already a good step :)
If AI was used, please disclose:
n/a
Related issue
Fixes #5228
Describe the problem
Issuing certificates for IPv6-only hosts failed.
Describe the proposed solution
See commit messages.