Issue with "Default deny rule IPv6 (1000000105)" Blocking All IPv6 Traffic
Hello everyone,
I am experiencing an issue with my pfSense configuration where all IPv6 traffic is being blocked by the default rule "Default deny rule IPv6 (1000000105)". Here are the details of my setup and the steps I have already taken:
Infrastructure Context
OVH Server: Baremetal RISE
Hypervisor: Proxmox with two interfaces (WAN - vmbr0 and LAN - vmbr1)
Firewall: VM pfSense with a WAN interface configured with an IPv4 Failover having a virtual MAC generated in the OVH Manager
IPv6 Information Provided by OVH
IPv6 block: 2001:db8:534:d5a4::/64
Gateway: 2001:db8:534:d5ff:00ff:00ff:00ff:00ff
Current Configuration
Proxmox:
Interface vmbr0 (WAN):
iface vmbr0 inet6 static
    address 2001:db8:534:d5a4:1000::1/80
    gateway 2001:db8:534:d5ff:00ff:00ff:00ff:00ff
    post-up ip -6 route add 2001:db8:534:d5a4:2000::/80 via 2001:db8:534:d5a4:1000::2
    post-down ip -6 route del 2001:db8:534:d5a4:2000::/80 via 2001:db8:534:d5a4:1000::2
IPv6 Forwarding enabled in /etc/sysctl.conf:
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
pfSense:
WAN Interface: 2001:db8:534:d5a4:1000::2/80
LAN Interface: 2001:db8:534:d5a4:2000::1/80
WAN Firewall Rules:
Allow all incoming IPv6 traffic
Example rule:
Action: Pass
Interface: WAN
Protocol: IPv6
Source: Any
Destination: Any
Description: Allow all IPv6 traffic on WAN
LAN Firewall Rules:
Allow all outgoing IPv6 traffic
Example rule:
Action: Pass
Interface: LAN
Protocol: IPv6
Source: LAN net
Destination: Any
Description: Allow all LAN IPv6 traffic
Issue
Despite these configurations, all IPv6 traffic is being blocked by the rule "Default deny rule IPv6 (1000000105)", as shown in the firewall logs (see attached screenshots).
What I Have Tried So Far
Checked and adjusted firewall rules on the WAN and LAN interfaces to ensure IPv6 traffic is allowed.
Enabled IPv6 forwarding on Proxmox.
Used an NDP proxy (ndppd) to handle NDP announcements on Proxmox.
Screenshots
Firewall logs showing IPv6 packet blocks
Firewall rule configurations on WAN and LAN interfaces
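An added example, not part of the original post: a small Python check of the addressing plan quoted above, reporting which prefixes sit inside the allocated /64 and which next hops are on-link for the interface that uses them. All addresses are copied from the post; the function and key names (`check_plan` and the dictionary keys) are illustrative.

```python
import ipaddress as ip

# Values copied from the post; names such as check_plan are illustrative.
ALLOCATED = ip.ip_network("2001:db8:534:d5a4::/64")
GATEWAY = ip.ip_address("2001:db8:534:d5ff:00ff:00ff:00ff:00ff")
INTERFACES = {
    "proxmox vmbr0": ip.ip_interface("2001:db8:534:d5a4:1000::1/80"),
    "pfsense WAN": ip.ip_interface("2001:db8:534:d5a4:1000::2/80"),
    "pfsense LAN": ip.ip_interface("2001:db8:534:d5a4:2000::1/80"),
}
# Routes on the Proxmox host: (outgoing interface, destination, next hop)
ROUTES = [
    ("proxmox vmbr0", ip.ip_network("::/0"), GATEWAY),
    ("proxmox vmbr0", ip.ip_network("2001:db8:534:d5a4:2000::/80"),
     ip.ip_address("2001:db8:534:d5a4:1000::2")),
]


def check_plan():
    """Return address-arithmetic facts about the plan as a dict."""
    nets = {name: iface.network for name, iface in INTERFACES.items()}
    return {
        # Each interface prefix must be carved out of the allocated block.
        "inside_block": {n: net.subnet_of(ALLOCATED) for n, net in nets.items()},
        # The host bridge and the firewall WAN must share one link prefix.
        "wan_shares_link": nets["proxmox vmbr0"] == nets["pfsense WAN"],
        # WAN and LAN sides of the firewall must not overlap.
        "wan_lan_overlap": nets["pfsense WAN"].overlaps(nets["pfsense LAN"]),
        # A next hop is directly reachable only if it is inside the
        # prefix configured on the outgoing interface.
        "next_hop_on_link": {
            str(dst): hop in nets[out] for out, dst, hop in ROUTES
        },
        # The prefix routed to the firewall should be its LAN network.
        "routed_prefix_is_lan": ROUTES[1][1] == nets["pfsense LAN"],
        "gateway_in_block": GATEWAY in ALLOCATED,
    }


if __name__ == "__main__":
    for key, value in check_plan().items():
        print(f"{key}: {value}")
```

The check covers address arithmetic only. A next hop reported as off-link, as the default gateway is for vmbr0's /80, is reachable only if the host also carries an explicit on-link route to it.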