Our location has been using IPv6 for about 2 years now, and we have had little trouble overall.
We have had some problems with Microsoft's online services after Microsoft upgraded them to Office365, which included their hosts starting to support IPv6.
We have had some problems with outlook.com's connection for Outlook now that IPv6 is enabled on their end. Also, web apps will never connect unless we disable IPv6 in the host's web browser.
The host for some of the apps is usc-word-edit.officeapps.live.com
The lookup looks like this.
usc-word-edit.officeapps.live.com is an alias for usc-word-edit.officeapps.live.com.akadns.net.
usc-word-edit.officeapps.live.com.akadns.net has address 65.54.54.55
usc-word-edit.officeapps.live.com.akadns.net has IPv6 address 2a01:111:f406:3000::55
So the web browser by default will use the IPv6 address to connect.
I begin a request to open a document from the Live Drive site, and while it is running I look in my logs and see this:
firewall,info DROP FORWARD forward: in:sixxs out:vrrp4_ipv6, proto TCP (ACK,RST), 2a01:111:f406:3000::55:443->2604:8800:100:81a0:6506:975e:92f8:30f1:50497, len 20
The 8800:100:81a0:6506:975e:92f8:30f1 is my machine.
After some time the browser will say that the site could not be connected to and stop trying.
If I disable IPv6 in the browser (via a plugin for Firefox or Chrome) I am able to connect.
Below are my IPv6 firewall rules; we do not have any mangle rules.
add action=accept chain=forward comment="Allow Internal to access VPN" disabled=no dst-address-list=VPN src-address-list=Internal
add action=accept chain=forward comment="Allow from Admin's Network" disabled=no src-address-list="Admin's Network"
add action=accept chain=forward comment="Allow from VPN Network" disabled=no src-address-list=VPN
add action=accept chain=forward comment="Allow Internal net to access External/DMZ" disabled=no dst-address-list=External/DMZ src-address-list=Internal
add action=accept chain=forward comment="Allow VPN to access Internal" disabled=no dst-address-list=Internal src-address-list=VPN
add action=accept chain=forward comment="Allow VPN2 to access Internal" disabled=no dst-address-list=Internal src-address-list=VPN2
add action=accept chain=forward comment="Allow New Network to access Internal" disabled=no in-interface=10_10_NET out-interface=vrrp4_ipv6
add action=accept chain=forward comment="Indigo Old Network" disabled=yes src-address=2001:470:1f10:63b::2/128
add action=accept chain=forward comment="Allow DNS requests to DNS server" disabled=no dst-address=2604:8800:161:1::4/128 dst-port=53 protocol=udp
add action=accept chain=forward comment="Allow OpenVPN 1194 requests to openvpn server" disabled=no dst-address=2604:8800:161:1::2/128 dst-port=1194 \
protocol=udp
add action=accept chain=forward comment="Allow sftp/ssh requests to sftpserver" disabled=no dst-address=2604:8800:161:1::3/128 dst-port=22 protocol=udp
add action=accept chain=forward comment="Allow DNS requests to DNS server" disabled=no dst-address=2604:8800:161:1::4/128 dst-port=53 protocol=tcp
add action=accept chain=forward comment="Allow radius from secondary VPN server to otp01" disabled=no dst-address=2604:8800:100:81a0:20c:29ff:fe3e:8e43/128 \
dst-port=1812 protocol=udp src-address=2604:8800:161:1::5/128
add action=accept chain=forward comment="Allow radius-acct from secondary VPN server to otp01" disabled=no dst-address=\
2604:8800:100:81a0:20c:29ff:fe3e:8e43/128 dst-port=1813 protocol=udp src-address=2604:8800:161:1::5/128
add action=accept chain=forward comment="Allow ping requests to DNS server" disabled=no dst-address=2604:8800:161:1::4/128 in-interface=sixxs protocol=\
icmpv6
add action=accept chain=forward comment="Allow ping requests to VPN server" disabled=no dst-address=2604:8800:161:1::2/128 in-interface=sixxs protocol=\
icmpv6
add action=accept chain=forward comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections" connection-state=related disabled=no
add action=accept chain=forward comment="Allow any to internet" disabled=no out-interface=sixxs
add action=log chain=forward disabled=no log-prefix="DROP FORWARD"
add action=drop chain=forward disabled=no
add action=accept chain=input comment="Indog Old network" disabled=yes src-address=2001:470:1f10:63b::2/128
add action=accept chain=input comment="Allow to Firewall from Admin's network" disabled=no src-address=2604:8800:100:8182::/64 src-address-list=\
"Admin's Network"
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow limited ICMP" disabled=no limit=50/5s,5 protocol=icmpv6
add action=log chain=input disabled=no log-prefix="DROP INPUT"
add action=drop chain=input disabled=no
I am not sure if I have given enough information to get the right amount of help. Let me know if I should post more information or not.
Are there any suggestions as to what I need to change in my rules to allow the packets to pass back through?
Thanks
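To reason about why the logged packet falls through to the drop rule, here is an added example (not the poster's code or a MikroTik tool) that parses the quoted "firewall,info" log line and walks a subset of the posted forward chain top to bottom. It assumes the address-list rules can be skipped (the source is Microsoft's address, so it is in no internal list) and that the conntrack verdict is supplied as a hypothetical "state" field.

```python
import re

# Constructed copy of the log line quoted in the post (MikroTik firewall log format).
LOG_LINE = ("firewall,info DROP FORWARD forward: in:sixxs out:vrrp4_ipv6, "
            "proto TCP (ACK,RST), 2a01:111:f406:3000::55:443->"
            "2604:8800:100:81a0:6506:975e:92f8:30f1:50497, len 20")

LOG_RE = re.compile(r"in:(?P<in>[^\s,]+) out:(?P<out>[^\s,]+), proto (?P<proto>\w+)"
                    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[^\s,]+)->(?P<dst>[^\s,]+), len (?P<len>\d+)")

def split_addr(addr_port):
    # MikroTik logs IPv6 endpoints as addr:port with no brackets, so split on the last colon.
    addr, port = addr_port.rsplit(":", 1)
    return addr, int(port)

def parse_log(line):
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a MikroTik firewall log line")
    src, sport = split_addr(m["src"])
    dst, dport = split_addr(m["dst"])
    return {"in": m["in"], "out": m["out"], "proto": m["proto"].lower(),
            "flags": set((m["flags"] or "").split(",")) - {""},
            "src": src, "sport": sport, "dst": dst, "dport": dport, "len": int(m["len"])}

# Subset of the posted forward chain, in order; address-list rules omitted (assumption, see lead-in).
FORWARD_RULES = [
    {"action": "accept", "in-interface": "10_10_NET", "out-interface": "vrrp4_ipv6"},
    {"action": "accept", "dst-address": "2604:8800:161:1::4", "dst-port": 53, "protocol": "udp"},
    {"action": "accept", "dst-address": "2604:8800:161:1::2", "dst-port": 1194, "protocol": "udp"},
    {"action": "accept", "dst-address": "2604:8800:161:1::4", "dst-port": 53, "protocol": "tcp"},
    {"action": "accept", "connection-state": "established"},
    {"action": "accept", "connection-state": "related"},
    {"action": "accept", "out-interface": "sixxs"},
    {"action": "log", "log-prefix": "DROP FORWARD"},
    {"action": "drop"},
]
# Rule attribute -> packet field it is compared against ("state" is the hypothetical conntrack verdict).
MATCHERS = {"in-interface": "in", "out-interface": "out", "dst-address": "dst",
            "dst-port": "dport", "protocol": "proto", "connection-state": "state"}

def evaluate(pkt, rules=FORWARD_RULES):
    """Return (terminating action, log prefixes hit); 'log' is non-terminating, as on RouterOS."""
    logged = []
    for rule in rules:
        if all(pkt.get(MATCHERS[k]) == v for k, v in rule.items() if k in MATCHERS):
            if rule["action"] == "log":
                logged.append(rule["log-prefix"])
                continue
            return rule["action"], logged
    return "accept", logged  # chain default when no rule terminates
```

Running `evaluate` on the parsed packet with `state` set to "new" reproduces the logged drop, while the same packet with `state` set to "established" is accepted by the established rule, which is why the conntrack state of the return path is the thing to check.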