# IPv6 doesn't work unless I reload PF.



## WibbleWobble (May 3, 2017)

So I've gotten IPv6 to work on my router (11 Release), but every time I reboot the router my Windows machine doesn't get a V6 IP until I reload my PF rules.

What would cause this? Is something not starting in the right order, or could it be my PF rules?

Here are my rules.

`pf.conf`


```
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "re0"
int_if  = "vr0"


#protocol
icmp_types = "{ echoreq, unreach }"

#hosts
Xbox360 = "192.168.1.105"
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp keep state
block in quick on $int_if inet proto igmp all
pass quick on { $ext_if $int_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state


pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client
pass in quick on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client modulate state
pass in quick on $ext_if inet6 proto icmp6 from any to any modulate state
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state
pass in  from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
pass out from any to any keep state
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp keep state
block in quick on $int_if inet proto igmp all
pass quick on { $ext_if $int_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state



pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client
pass in quick on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client modulate state
pass in quick on $ext_if inet6 proto icmp6 from any to any modulate state
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state

pass inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state

pass in  from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
pass out from any to any keep state
```


----------



## SirDice (May 3, 2017)

> ```
> pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client
> pass in quick on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client modulate state
> ```


Rules are the same but have different options.

There's no need for "keep state", it's implied.

These show up more than once:

```
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state
```


----------



## WibbleWobble (May 3, 2017)

SirDice said:


> Rules are the same but have different options.
> 
> There's no need for "keep state", it's implied.
> 
> ...





Ok I removed


```
pass in log on $ext_if inet6 proto udp from fe80::/8 to ($ext_if) port dhcpv6-client
```



```
pass out quick on $ext_if inet6 from any to any modulate state
pass out quick on $int_if inet6 from any to any modulate state
```

One is for $ext_if the other is for $int_if. Not sure if I need both.

Still not getting an IP after rebooting until I reload my pf rules.


----------



## SirDice (May 4, 2017)

WibbleWobble said:


> One is for $ext_if the other is for $int_if.


Yes, but both rules show up more than once. And any outgoing filtering _after_ these rules is never going to hit. The quick keyword will prevent any further outgoing rules from being evaluated.

For example:

```
#1: pass out quick on $ext_if from any to any
#2: pass out on $ext_if from 1.1.1.1 to 2.2.2.2
```
Rule #2 will never be reached because rule #1 'short-circuits' any further processing.


----------
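A small linter for the two problems SirDice points out in this thread: exact repeats, and rules placed after a catch-all `quick` rule that will never be evaluated. This is an added example, not code from the thread; it only understands single-interface `pass|block in|out ... on IF` rules, and `SAMPLE`, `parse` and `lint` are names constructed for illustration.

```python
import re

# Constructed sample: an excerpt in the shape of the ruleset posted above.
SAMPLE = """\
pass in quick on $ext_if inet6 proto icmp6 from any to any modulate state
pass out quick on $ext_if inet6 from any to any modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if inet6 proto tcp from any to any port 25
pass out  quick on $ext_if inet6 from any to any modulate state  # repeat
"""

# action, direction, optional quick, interface, optional address family, rest
RULE = re.compile(r"^(pass|block)\s+(in|out)\s+(?:log\s+)?(quick\s+)?"
                  r"on\s+(\S+)\s+(?:(inet6?)\s+)?(.*)$")
# A rule body that matches every packet (state options do not narrow the match).
CATCH_ALL = re.compile(r"^(all|from any to any)(\s+(keep|modulate|synproxy) state)?$")

def parse(text):
    """Yield (lineno, rule) with comments stripped and whitespace collapsed."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split("#", 1)[0].split())
        if line.startswith(("pass", "block")):
            yield no, line

def lint(text):
    """Return (duplicates, shadowed), each a list of (line, earlier_line)."""
    seen, quick_all, dups, shadowed = {}, [], [], []
    for no, rule in parse(text):
        if rule in seen:                      # same rule text seen before
            dups.append((no, seen[rule]))
            continue
        seen[rule] = no
        m = RULE.match(rule)
        if not m:                             # shape not modelled here; skip
            continue
        _, direction, quick, iface, af, rest = m.groups()
        for q_no, q_dir, q_if, q_af in quick_all:
            # Fully shadowed only if the earlier quick rule covers this rule's
            # direction, interface and address family (None = both families).
            if (q_dir, q_if) == (direction, iface) and q_af in (None, af):
                shadowed.append((no, q_no))
                break
        else:
            if quick and CATCH_ALL.match(rest):
                quick_all.append((no, direction, iface, af))
    return dups, shadowed

if __name__ == "__main__":
    print(lint(SAMPLE))
```

The check is deliberately conservative: a later rule with no address family is not reported as shadowed by an `inet6`-only `quick` rule, because its IPv4 traffic is still evaluated.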



## WibbleWobble (May 4, 2017)

I see. Ok thanks. I didn't realize I had double rules. I removed them. Still have to reload the rules to get V6 IP. Could it be my dnsmasq.conf or dhcp6c.conf? It's the only thing I can think of.

`dnsmasq.conf`


```
dhcp-range=192.168.1.10,192.168.1.200,12h
dhcp-range=::,constructor:vr0,ra-only,slaac,ra-names,12h
interface=vr0

enable-ra
```

`dhcp6c.conf`


```
interface re0 {
 send ia-pd 1;
 send ia-na 1;
};

id-assoc na 1 {};

id-assoc pd 1 {
 prefix ::/56 infinity;
 prefix-interface vr0 {
  sla-id 1;
  sla-len 8;
 };
};
```


----------



## SirDice (May 4, 2017)

I have no idea why, but I would start with an empty ruleset. Then block all incoming traffic from the outside. Test it and fix whatever needs to be opened. I also recommend cleaning up a bit; group all IPv6 rules together. Try and keep a bit of logic in there. By having different types of rules and traffic intermingled it's difficult for humans to read and understand the rules. A messy ruleset makes it easier for mistakes to creep in.


----------



## WibbleWobble (May 4, 2017)

Yea my rule set is a mess. Ok thanks I'll try that.


----------



## SirDice (May 4, 2017)

That will definitely help. Use remarks to add some explanations of what the rule is for. After a few months you won't remember why you added certain rules. Adding comments will help.

Here's part of my ruleset to give you some ideas:

```
# HTTP
pass in on $ext_if proto tcp from any to ($ext_if) port 80 label "ipv4 http"
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 80 label "ipv6 http"

# HTTPS
pass in on $ext_if proto tcp from any to ($ext_if) port 443 label "ipv4 https"
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 443 label "ipv6 https"

# SMTP
pass in on $ext_if proto tcp from any to $mail_host port 25 label "ipv4 smtp"
pass in on $ext_if proto tcp from any to $mail_host port 465 label "ipv4 ssmtp"
pass in on $ext_if proto tcp from any to $mail_host port 587 label "ipv4 esmtp"
# IMAP
pass in on $ext_if proto tcp from any to $mail_host port 143 label "ipv4 imap"
pass in on $ext_if proto tcp from any to $mail_host port 993 label "ipv4 imaps"
# POP3
pass in on $ext_if proto tcp from any to $mail_host port 110 label "ipv4 pop3"
```

As you can see I've grouped everything according to function. I can quickly see what's opened and what not. When the rules are clear it'll be easier to troubleshoot.


----------



## WibbleWobble (May 4, 2017)

Thank you. That looks a lot easier to read. I'll clean my rules up.


----------

