Hello :)

Sure, it is strange. Can you launch the ssh server in debug mode (non-
detaching daemon) and check /var/log/message or secure on B?
Can you also provide a packet capture with TCP flags?
There may be different causes...

Maybe the cause is located on B, or on pfSense... not sure...

Best regards
Nicolas
On 05/01/2014 17:28, Adam Thompson wrote:
> I'm having an issue with IPv6 state tracking, I think.
>
> I run a fully dual-stacked environment.
> pfSense 2.1-RELEASE acts as the gateway between two subnets (two
> VLANs, but I don't think that makes any difference here).
> In IPv4, one subnet ("A") is publicly-routable address space, the
> other ("B") is RFC1918.
> In IPv6, both subnets are publicly-routable address space.
> I have a management workstation on subnet A that needs to reach
> servers in subnet B.
>
> I've added two static routes on the router for subnet A, one IPv4, one
> IPv6, pointing to pfSense as the next-hop.
> I've disabled automatic outbound NAT, and modified the three
> automatically-generated rules to have Destination NOT subnet A, in
> other words, I don't NAT between subnets A and B, only between B and
> the outside world (via A).  There are no port forwards in place.
> On the WAN interface, I have four rules:
>     1. allow all IPv6 to WAN interface
>     2. allow all IPv4 to WAN interface
>     3. allow all IPv6 from A to B
>     4. allow all IPv4 from A to B
>
> That's it - the simplest possible configuration I could come up with
> for this role.  (Incidentally, the reason I'm using pfSense at all is
> because the two routers for subnet A provide non-stateful HA, which
> makes NAT quite problematic.)
>
> What I see is that when I ssh from A to B using IPv4, everything works
> fine.  The session shows up in the firewall state table as expected,
> and performs as expected.
> If I ssh from A to B using IPv6, however, the session connects, I log
> in, and after a short while, the ssh session stalls.  The session does
> NOT show up in the state table, ever, even while it's still working
> properly.
> I can restart the SSH session immediately, and it again will work for
> a while, failing after ~50 packets have been exchanged.
>
> I've run simultaneous packet captures on the pfSense WAN and LAN
> interfaces, but they show me nothing of interest.  I looked at
> filter.log, but it's so noisy I didn't get any value out of it yet.
>
> Any ideas or thoughts?  How can my session work in the first place
> without a state table entry, why does it die after ~50-100 packets?
> Why is only IPv6 affected?  Have I missed something fundamental?
>
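As an added example (not code from either message): a small Python checker that reads constructed tcpdump-style IPv6/TCP lines and `pfctl -ss`-style state lines, and reports per flow whether the trace ends in unanswered retransmissions from one side (what a session silently dropped by a firewall with no state looks like) and whether pf holds a state for it. The addresses, the sample lines and the assumed pfctl output format are all constructed for illustration.

```python
import re

# Constructed tcpdump-style IPv6/TCP lines (not from the thread); the 2001:db8:a::/64
# and 2001:db8:b::/64 documentation prefixes stand in for subnets A and B.
CAPTURE = """\
17:28:00.000100 IP6 2001:db8:a::10.54321 > 2001:db8:b::22.22: Flags [S], seq 100, win 65535, length 0
17:28:00.000300 IP6 2001:db8:b::22.22 > 2001:db8:a::10.54321: Flags [S.], seq 500, ack 101, win 65535, length 0
17:28:00.010000 IP6 2001:db8:a::10.54321 > 2001:db8:b::22.22: Flags [P.], seq 101:141, ack 501, win 1035, length 40
17:28:00.010500 IP6 2001:db8:b::22.22 > 2001:db8:a::10.54321: Flags [.], ack 141, win 1035, length 0
17:28:05.000000 IP6 2001:db8:a::10.54321 > 2001:db8:b::22.22: Flags [P.], seq 141:181, ack 501, win 1035, length 40
17:28:05.400000 IP6 2001:db8:a::10.54321 > 2001:db8:b::22.22: Flags [P.], seq 141:181, ack 501, win 1035, length 40
17:28:06.200000 IP6 2001:db8:a::10.54321 > 2001:db8:b::22.22: Flags [P.], seq 141:181, ack 501, win 1035, length 40
"""
# Constructed `pfctl -ss`-style output (format assumed); only an IPv4 state is present.
STATES = "all tcp 192.0.2.22:22 <- 198.51.100.10:54321  ESTABLISHED:ESTABLISHED\n"
PKT = re.compile(r"^\S+ IP6 (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
                 r"(?:, seq (\d+)(?::\d+)?)?.* length (\d+)")

def parse_states(text):
    """Unordered endpoint pairs with a pf state; pfctl prints host:port (v4) or host[port] (v6)."""
    ep = lambda s: tuple(s[:-1].rsplit("[", 1)) if s.endswith("]") else tuple(s.rsplit(":", 1))
    pairs = set()
    for p in (l.split() for l in text.splitlines()):
        if len(p) >= 5 and p[1] == "tcp":
            pairs.add(frozenset([ep(p[2]), ep(p[4])]))
    return pairs

def analyze(capture, states):
    """Per flow: packet count, data retransmissions, stall (trace ends in repeated unanswered
    retransmissions from one side) and whether pf currently holds a state for it."""
    known = parse_states(states)
    flows = {}
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m: continue
        src, sport, dst, dport, _flags, seq, length = m.groups()
        key = frozenset([(src, sport), (dst, dport)])
        f = flows.setdefault(key, {"packets": 0, "retransmits": 0, "seen": set(), "tail": []})
        f["packets"] += 1
        sig = (src, sport, seq) if seq is not None and int(length) > 0 else None  # data segments only
        retrans = sig in f["seen"] if sig else False
        f["seen"].add(sig)
        f["retransmits"] += retrans
        f["tail"].append((src, retrans))
    report = {}
    for key, f in flows.items():
        tail = f["tail"][-2:]  # last two packets of the flow
        stalled = len(tail) == 2 and all(r for _, r in tail) and tail[0][0] == tail[1][0]
        report[key] = {"packets": f["packets"], "retransmits": f["retransmits"],
                       "stalled": stalled, "in_state_table": key in known}
    return report
```

Run it against the real `tcpdump -n -i <if> ip6 and tcp port 22` and `pfctl -ss` output to see whether the stalled IPv6 flow is the one missing from the state table.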

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list