Page MenuHomeVyOS Platform
Create Task
Maniphest T927

IPv6 GRE packets not being forwarded
Closed, InvalidPublicBUG
Actions

Description

Hi there,
for some reason IPV6 GRE traffic is not being routed on VyOS 1.2.0-rolling+201804060337

this packets are reaching the vyos on interfaces eth3 (LAN):
13:37:38.061975 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: GREv0, length 88: IP 10.10.10.2 > 10.10.10.1: ICMP echo request, id 779, seq 44, length 64
13:37:39.085848 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: GREv0, length 88: IP 10.10.10.2 > 10.10.10.1: ICMP echo request, id 779, seq 45, length 64
13:37:40.109703 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: GREv0, length 88: IP 10.10.10.2 > 10.10.10.1: ICMP echo request, id 779, seq 46, length 6

and should be sent over the interface eth1.1401 since is on the routing table:

vyos@es-lgr-lp6ngp1fw06-01:/var/log$ show ipv6 route 2001:ba0:2020:e::1
Routing entry for ::/0

Known via "static", distance 210, metric 0, best
* 2001:ba0:0:1401::1, via eth1.1401

but nothing is being sent.
Packet is being silent dropped. Same issue if firewall is not active on the device. Just routing.
For example icmp traffic between the IPV6 host works fine:
vyos@es-lgr-lp6ngp1fw06-01:/var/log$ sudo tcpdump -i any host 2001:ba0:2020:e::
13:36:21.187923 IP6 2001:ba0:2020:e::1 > 2001:ba0:2020:8016::1: ICMP6, echo request, seq 1, length 64
13:36:21.188024 IP6 2001:ba0:2020:e::1 > 2001:ba0:2020:8016::1: ICMP6, echo request, seq 1, length 64
13:36:21.188227 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: ICMP6, echo reply, seq 1, length 64
13:36:21.188250 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: ICMP6, echo reply, seq 1, length 64

So seems an issue related just routing IPV6 GRE traffic.
Could you give a hand to us with this?

Thanks in advance.
Regards.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

jjcordon created this task.Oct 22 2018, 12:00 PM
syncer added a subscriber: syncer.Oct 22 2018, 12:04 PM

@jjcordon update it to something fresh and retest, please
201804060337 it's kind of long time ago :)

daniel.arconada added a subscriber: daniel.arconada.Oct 22 2018, 12:11 PM

Ok @syncer We are going to update and we will let you know.

syncer added a comment.Oct 22 2018, 12:12 PM

@daniel.arconada you can use
https://downloads.vyos.io/?dir=testing/1.2.0-rc3

daniel.arconada added a comment.Oct 22 2018, 12:45 PM

@syncer Already tested with latest version.

vyos@es-lgr-lp6ngp1fw06-01:~$ sh version
Version: VyOS 1.2.0-rolling+201810220337

We are seeing the same behavior ..Nothing changed.

syncer added a project: VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 23 2018, 8:17 AM
syncer changed the subtype of this task from "Task" to "Bug".Oct 23 2018, 8:17 AM
syncer assigned this task to oleksandr.mamenko.Oct 26 2018, 7:29 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
pasik added a subscriber: pasik.Nov 4 2018, 11:21 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux (VyOS 1.2.0-rc7).Nov 13 2018, 3:48 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc9); removed VyOS 1.2 Crux (VyOS 1.2.0-rc8).Nov 20 2018, 12:44 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc10); removed VyOS 1.2 Crux (VyOS 1.2.0-rc9).Nov 27 2018, 12:03 AM
syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-rc11); removed VyOS 1.2 Crux (VyOS 1.2.0-rc10).Dec 5 2018, 11:58 PM
syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-EPA); removed VyOS 1.2 Crux ( VyOS 1.2.0-rc11).Dec 21 2018, 10:07 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA2); removed VyOS 1.2 Crux ( VyOS 1.2.0-EPA).Jan 1 2019, 6:10 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA3); removed VyOS 1.2 Crux (VyOS 1.2.0-EPA2).Jan 3 2019, 1:54 PM
syncer changed the task status from Open to Needs testing.Feb 8 2019, 12:15 AM
syncer reassigned this task from oleksandr.mamenko to zsdc.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-EPA3).
syncer added a subscriber: oleksandr.mamenko.
zsdc added a comment.Feb 26 2019, 4:19 PM

@jjcordon can you provide the full configuration and test again with a latest rolling version?
In our test with 1.2.0-rolling+201902250337 everything works fine:

routing table:
C>* 2001:XXXX:YYYY:11::/64 is directly connected, eth1, 00:27:06
C>* 2001:XXXX:YYYY:12::/64 is directly connected, eth2, 00:14:28

dump:
16:12:35.959532 08:00:27:a0:75:4f > 08:00:27:66:1e:1a, ethertype IPv6 (0x86dd), length 114: 2001:XXXX:YYYY:11::2 > 2001:XXXX:YYYY:12::2: GREv0, proto IPv4 (0x0800), length 60: 192.168.57.1 > 192.168.57.2: ICMP echo request, id 7937, seq 6400, length 36
16:12:35.960504 08:00:27:66:1e:1a > 08:00:27:a0:75:4f, ethertype IPv6 (0x86dd), length 114: 2001:XXXX:YYYY:12::2 > 2001:XXXX:YYYY:11::2: GREv0, proto IPv4 (0x0800), length 60: 192.168.57.2 > 192.168.57.1: ICMP echo reply, id 7937, seq 6400, length 36
16:12:36.965045 08:00:27:a0:75:4f > 08:00:27:66:1e:1a, ethertype IPv6 (0x86dd), length 114: 2001:XXXX:YYYY:11::2 > 2001:XXXX:YYYY:12::2: GREv0, proto IPv4 (0x0800), length 60: 192.168.57.1 > 192.168.57.2: ICMP echo request, id 7937, seq 6656, length 36
16:12:36.965969 08:00:27:66:1e:1a > 08:00:27:a0:75:4f, ethertype IPv6 (0x86dd), length 114: 2001:XXXX:YYYY:12::2 > 2001:XXXX:YYYY:11::2: GREv0, proto IPv4 (0x0800), length 60: 192.168.57.2 > 192.168.57.1: ICMP echo reply, id 7937, seq 6656, length 36
jjcordon added a comment.Feb 27 2019, 8:21 AM

Hi @zsdc,

let me check that with latest rolling version.
Will update.

Regards,
Jorge.

jjcordon added a comment.Feb 27 2019, 11:19 AM

Hi @zsdc,

just tested, still same behaviour.
GRE packet is entering on "LAN" interface (eth3) but is not being forwarded to uplink (eth1, route to ::/0)
Any firewall on eth3 has been removed during testing.

Source machine starting GRE is reacheable by static route to interface:
"set protocols static interface-route6 2001:ba0:2020:8016::/64 next-hop-interface eth3"

 vyos@es-lgr-lp6ngp1fw06-02:~$ ping  2001:ba0:2020:8016::1
 PING 2001:ba0:2020:8016::1(2001:ba0:2020:8016::1) 56 data bytes
 64 bytes from 2001:ba0:2020:8016::1: icmp_seq=1 ttl=64 time=0.239 ms
 64 bytes from 2001:ba0:2020:8016::1: icmp_seq=2 ttl=64 time=0.197 ms 

 IPv6 Connectivity looks good from that machine (eth3 packet forwarded to GW on eth1):

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo tcpdump -ni eth1 host 2001:ba0:2020:8016::1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:31.950513 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: ICMP6, echo request, seq 330, length 64
11:22:31.951111 IP6 2001:ba0:2020:e::1 > 2001:ba0:2020:8016::1: ICMP6, echo reply, seq 330, length 64
11:22:32.974539 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: ICMP6, echo request, seq 331, length 64
11:22:32.975195 IP6 2001:ba0:2020:e::1 > 2001:ba0:2020:8016::1: ICMP6, echo reply, seq 331, length 64


But, GRE packet arriving on eth3 is not present on eth1:

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo tcpdump -ni eth3 host 2001:ba0:2020:8016::1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:34.957681 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: GREv0, length 88: IP 10.10.10.2 > 10.10.10.1: ICMP echo request, id 25127, seq 167, length 64
11:25:35.981676 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: GREv0, length 88: IP 10.10.10.2 > 10.10.10.1: ICMP echo request, id 25127, seq 168, length 64
11:25:37.005700 IP6 2001:ba0:2020:8016::1 > 2001:ba0:2020:e::1: GREv0, length 88: IP 10.10.10.2 > 10.10.10.1: ICMP echo request, id 25127, seq 169, length 64

Assuming that there is not firewall applied on eth3 (source interface), which set of configuration do you need to check in order to forward to you?
 
Regards.
zsdc added a comment.Feb 27 2019, 4:22 PM

Can you disable this GRE tunnel and make a dump of a moment when a tunnel being established?
Also, send output of:

sudo ip6tables -t raw -L -n -v
sudo ip6tables -t filter -L -n -v
sudo ip6tables -t mangle -L -n -v
sudo ip6tables -t nat -L -n -v
jjcordon added a comment.EditedFeb 27 2019, 4:55 PM

Hi,

output of ip6tables commands (with firewall rules applied):

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo ip6tables -t raw -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
85M 6943M VYATTA_CT_PREROUTING_HOOK  all      *      *       ::/0                 ::/0
85M 6943M FW_CONNTRACK  all      *      *       ::/0                 ::/0
  8   560 FW_STATE_POLICY_CONNTRACK  all      *      *       ::/0                 ::/0
 16  1120 CT         all      *      *       ::/0                 ::/0                 NOTRACK

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
50M 4537M VYATTA_CT_OUTPUT_HOOK  all      *      *       ::/0                 ::/0
50M 4537M FW_CONNTRACK  all      *      *       ::/0                 ::/0
  8   560 FW_STATE_POLICY_CONNTRACK  all      *      *       ::/0                 ::/0
 16  1120 CT         all      *      *       ::/0                 ::/0                 NOTRACK

Chain FW_CONNTRACK (2 references)
pkts bytes target     prot opt in     out     source               destination
134M   11G ACCEPT     all      *      *       ::/0                 ::/0

Chain FW_STATE_POLICY_CONNTRACK (2 references)
pkts bytes target     prot opt in     out     source               destination
 16  1120 ACCEPT     all      *      *       ::/0                 ::/0

Chain VYATTA_CT_OUTPUT_HOOK (1 references)
pkts bytes target     prot opt in     out     source               destination
50M 4537M RETURN     all      *      *       ::/0                 ::/0

Chain VYATTA_CT_PREROUTING_HOOK (1 references)
pkts bytes target     prot opt in     out     source               destination
85M 6943M RETURN     all      *      *       ::/0                 ::/0

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo ip6tables -t filter -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  84M 6895M VYATTA_PRE_FW_IN_HOOK  all      *      *       ::/0                 ::/0
  26M 1648M VYATTA_FW_LOCAL_HOOK  all      *      *       ::/0                 ::/0
  25M 1603M VYATTA_POST_FW_IN_HOOK  all      *      *       ::/0                 ::/0

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  609K   48M VYATTA_PRE_FW_FWD_HOOK  all      *      *       ::/0                 ::/0
  422K   33M VYATTA_FW_IN_HOOK  all      *      *       ::/0                 ::/0
  215K   21M VYATTA_FW_OUT_HOOK  all      *      *       ::/0                 ::/0
  215K   21M VYATTA_POST_FW_FWD_HOOK  all      *      *       ::/0                 ::/0

  Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  50M 4537M VYATTA_PRE_FW_OUT_HOOK  all      *      *       ::/0                 ::/0
  1842K  125M VYATTA_POST_FW_OUT_HOOK  all      *      *       ::/0                 ::/0

  Chain LAN-INBOUND (1 references)
  pkts bytes target     prot opt in     out     source               destination
   96  9668 DROP       all      *      *       ::/0                 ::/0                 /* LAN- INBOUND-10 */ ! match-set CLUSTER_ADDRESSES src
    8   576 DROP       all      *      *       ::/0                 ::/0                 /* LAN-INBOUND-20 */ match-set CLUSTER_ADDRESSES src match-set DC_MICRO dst
   42  3736 DROP       all      *      *       fd8b::/64            ::/0                 /* LAN-INBOUND-400 */ MAC ! 00:50:56:9D:B4:4A
    0     0 DROP       all      *      *       fd8b::/64            ::/0                 /* LAN-INBOUND-410 */ MAC ! 00:50:56:9D:8E:04
    0     0 DROP       all      *      *       fd8b::/64            ::/0                 /* LAN-INBOUND-420 */ MAC ! 00:50:56:B1:1B:55
    0     0 DROP       all      *      *       fd8b::/64            ::/0                 /* LAN-INBOUND-430 */ MAC ! 00:50:56:B1:17:3C
    0     0 DROP       all      *      *       2001:ba0:203f:8000::3  ::/0                 /* LAN-INBOUND-440 */ MAC ! 00:50:56:B1:2B:C2
    0     0 DROP       all      *      *       2001:ba0:203f:8000::4  ::/0                 /* LAN-INBOUND-450 */ MAC ! 00:50:56:B1:55:4E
    0     0 DROP       all      *      *       2001:ba0:2020:6019::/64  ::/0                 /* LAN-INBOUND-500 */ MAC ! 00:50:56:12:FA:8B
    0     0 DROP       all      *      *       2001:ba0:2020:6259::/64  ::/0                 /* LAN-INBOUND-501 */ MAC ! 00:50:56:16:F4:11
    0     0 DROP       all      *      *       2001:ba0:2020:3::/64  ::/0                 /* LAN-INBOUND-502 */ MAC ! 00:50:56:37:25:F2
    0     0 DROP       all      *      *       2001:ba0:2020:f4c4::/64  ::/0                 /* LAN-INBOUND-503 */ MAC ! 44:A8:42:2A:0E:82
    0     0 DROP       all      *      *       2001:ba0:2020:aa7f::/64  ::/0                 /* LAN-INBOUND-504 */ MAC ! 00:50:56:38:EF:4C
    0     0 DROP       all      *      *       2001:ba0:2020:4771::/64  ::/0                 /* LAN-INBOUND-505 */ MAC ! 00:50:56:01:DE:08
    0     0 DROP       all      *      *       2001:ba0:2020:1eb7::/64  ::/0                 /* LAN-INBOUND-507 */ MAC ! 00:50:56:12:68:AD
    0     0 DROP       all      *      *       2001:ba0:2020:800b::/64  ::/0                 /* LAN-INBOUND-508 */ MAC ! 50:9A:4C:84:BA:50
    0     0 DROP       all      *      *       2001:ba0:2020:1082::/64  ::/0                 /* LAN-INBOUND-509 */ MAC ! 14:18:77:55:B5:5D
    0     0 DROP       all      *      *       2001:ba0:2020:8010::/64  ::/0                 /* LAN-INBOUND-510 */ MAC ! 00:50:56:0D:2A:10
    0     0 DROP       all      *      *       2001:ba0:2020:dd3c::/64  ::/0                 /* LAN-INBOUND-511 */ MAC ! 44:A8:42:2A:0E:82
    0     0 DROP       all      *      *       2001:ba0:2020:8012::/64  ::/0                 /* LAN-INBOUND-512 */ MAC ! 00:50:56:05:CD:F6
    0     0 DROP       all      *      *       2001:ba0:2020:4f6c::/64  ::/0                 /* LAN-INBOUND-513 */ MAC ! 00:50:56:04:32:28
    0     0 DROP       all      *      *       2001:ba0:2020:bce5::/64  ::/0                 /* LAN-INBOUND-514 */ MAC ! 00:50:56:13:EC:68
    0     0 DROP       all      *      *       2001:ba0:2020:a50f::/64  ::/0                 /* LAN-INBOUND-515 */ MAC ! 00:50:56:23:4D:5C
    0     0 DROP       all      *      *       2001:ba0:2020:800f::/64  ::/0                 /* LAN-INBOUND-516 */ MAC ! 50:9A:4C:85:DC:16
    0     0 DROP       all      *      *       2001:ba0:2020:66f1::/64  ::/0                 /* LAN-INBOUND-517 */ MAC ! 00:50:56:2C:CA:3F
    0     0 DROP       all      *      *       2001:ba0:2020::/64   ::/0                 /* LAN-INBOUND-518 */ MAC ! 44:A8:42:2A:0E:82
    0     0 DROP       all      *      *       2001:ba0:2020:8008::/64  ::/0                 /* LAN-INBOUND-520 */ MAC ! 00:50:56:31:7F:11
    0     0 DROP       all      *      *       2001:ba0:2020:801e::/64  ::/0                 /* LAN-INBOUND-521 */ MAC ! 00:50:56:3D:0D:0E
    0     0 DROP       all      *      *       2001:ba0:2020:c::/64  ::/0                 /* LAN-INBOUND-522 */ MAC ! 00:50:56:25:00:8B
    0     0 DROP       all      *      *       2001:ba0:2020:8015::/64  ::/0                 /* LAN-INBOUND-524 */ MAC ! 00:50:56:10:68:7B
    0     0 DROP       all      *      *       2001:ba0:2020:8016::/64  ::/0                 /* LAN-INBOUND-525 */ MAC ! 00:50:56:1C:78:29
    0     0 DROP       udp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1500 */ udp spt:11211 match-set CLUSTER_ADDRESSES src
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1510 */ match-set DT_BLOCKED src ! match-set NAS_BCK_NETWORKS dst
    0     0 DROP       tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1520 */ match-set DT_SMTP_BLOCKED src tcp dpt:25
 207K   12M DROP       tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1600 */ state NEW recent: UPDATE seconds: 1 hit_count: 250 name: DEFAULT side: source mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
84334 8253K            tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1600 */ state NEW recent: SET name: DEFAULT side: source mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1610 */ match-set CLUSTER_ADDRESSES src tcp dpt:53 match-set DNSCACHE_SERVERS dst
92070 8597K RETURN     udp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-1610 */ match-set CLUSTER_ADDRESSES src udp dpt:53 match-set DNSCACHE_SERVERS dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2000 */ tcp dpt:22 match-set G-22-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2001 */ tcp dpt:3389 match-set G-3389-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2002 */ tcp dpt:80 match-set G-80-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2003 */ tcp dpt:443 match-set G-443-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2004 */ tcp dpt:53 match-set G-53-TCP dst
    0     0 RETURN     udp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2005 */ udp dpt:53 match-set G-53-UDP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2006 */ tcp dpt:25 match-set G-25-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2007 */ tcp dpt:143 match-set G-143-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2008 */ tcp dpt:110 match-set G-110-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2009 */ tcp dpt:1433 match-set G-1433-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2010 */ tcp dpt:3306 match-set G-3306-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2011 */ tcp dpt:20 match-set G-20-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2012 */ tcp dpt:21 match-set G-21-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2013 */ tcp dpt:465 match-set G-465-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2014 */ tcp dpt:587 match-set G-587-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2015 */ tcp dpt:993 match-set G-993-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2016 */ tcp dpt:995 match-set G-995-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2017 */ tcp dpt:8080 match-set G-8080-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2018 */ tcp dpt:8443 match-set G-8443-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2019 */ tcp dpt:10000 match-set G-10000-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2020 */ tcp dpt:8447 match-set G-8447-TCP dst
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2040 */ match-set G-ALL_OPEN dst
    0     0 RETURN     icmpv6    *      *       ::/0                 ::/0                 /* LAN-INBOUND-2050 */ match-set G-ICMP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2500 */ multiport dports 2087,5900 match-set DT_FW29612_10 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2501 */ tcp dpt:5985 match-set DT_FWF560B_22 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2502 */ multiport dports 555,777,5985 match-set DT_FW0D522_34 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2503 */ tcp dpt:666 match-set DT_FWB614B_40 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* LAN-INBOUND-2504 */ tcp dpt:5985 match-set DT_FW29612_13 dst
 122K   12M RETURN     all      *      *       ::/0                 ::/0                 /* LAN-INBOUND-8500 */ match-set CLUSTER_ADDRESSES src ! match-set CLUSTER_ADDRESSES dst
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* LAN-INBOUND-10000 default-action drop */

Chain LOCAL-LAN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     icmpv6    *      *       ::/0                 fe80::1              /* LOCAL-LAN-10 */ match-set CLUSTER_ADDRESSES src
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* LOCAL-LAN-20 */ match-set LAN_ADDRESSES src match-set LAN_ADDRESSES dst
37320 2603K RETURN     icmpv6    *      *       fe80::/10            fe80::/10            /* LOCAL-LAN-30 */
4934K  316M RETURN     icmpv6    *      *       fe80::/10            ff02::/64            /* LOCAL-LAN-40 */
3730K  239M RETURN     112      *      *       ::/0                 ff02::/96            /* LOCAL-LAN-50 */ MAC 00:50:56:9D:B4:4A
   47  3384 RETURN     icmpv6    *      *       ::/0                 ff02::/64            /* LOCAL-LAN-60 */ match-set CLUSTER_ADDRESSES src
 1854  134K DROP       all      *      *       ::/0                 ::/0                 /* LOCAL-LAN-10000 default-action drop */

Chain LOCAL-WAN (1 references)
 pkts bytes target     prot opt in     out     source               destination
47658 3433K RETURN     all      *      *       2001:ba0:0:1401::/64  2001:ba0:0:1401::/64  /* LOCAL-WAN-10 */
 631K   43M RETURN     all      *      *       fe80::/10            fe80::/10            /* LOCAL-WAN-20 */
3882K  248M RETURN     icmpv6    *      *       fe80::/10            ff02::/64            /* LOCAL-WAN-30 */
 206K   15M RETURN     icmpv6    *      *       ::/0                 ff02::/64            /* LOCAL-WAN-40 */ match-set SITE_MICRO src
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* LOCAL-WAN-50 */ match-set MANAGEMENT_NETWORKS src
 259K   17M RETURN     icmpv6    *      *       ::/0                 fe80::/10            /* LOCAL-WAN-60 */ match-set SITE_MICRO src
 617K   44M DROP       all      *      *       ::/0                 ::/0                 /* LOCAL-WAN-10000 default-action drop */

Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  195 15440 WAN-INBOUND  all      eth1.1401 *       ::/0                 ::/0
 422K   33M LAN-INBOUND  all      eth3   *       ::/0                 ::/0

Chain VYATTA_FW_LOCAL_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
5642K  370M LOCAL-WAN  all      eth1.1401 *       ::/0                 ::/0
  20M 1277M LOCAL-LAN  all      eth3   *       ::/0                 ::/0

Chain VYATTA_FW_OUT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VYATTA_POST_FW_FWD_HOOK (3 references)
 pkts bytes target     prot opt in     out     source               destination
 215K   21M ACCEPT     all      *      *       ::/0                 ::/0

Chain VYATTA_POST_FW_IN_HOOK (3 references)
 pkts bytes target     prot opt in     out     source               destination
  83M 6850M ACCEPT     all      *      *       ::/0                 ::/0

Chain VYATTA_POST_FW_OUT_HOOK (3 references)
 pkts bytes target     prot opt in     out     source               destination
  50M 4521M ACCEPT     all      *      *       ::/0                 ::/0

Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 609K   48M VYATTA_STATE_POLICY_FWD_HOOK  all      *      *       ::/0                 ::/0
 422K   33M RETURN     all      *      *       ::/0                 ::/0

Chain VYATTA_PRE_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  84M 6895M VYATTA_STATE_POLICY_IN_HOOK  all      *      *       ::/0                 ::/0
  26M 1648M RETURN     all      *      *       ::/0                 ::/0

Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  50M 4537M VYATTA_STATE_POLICY_OUT_HOOK  all      *      *       ::/0                 ::/0
1842K  125M RETURN     all      *      *       ::/0                 ::/0

Chain VYATTA_STATE_POLICY_FWD_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 187K   15M DROP       all      *      *       ::/0                 ::/0                 state INVALID
  103 17543 VYATTA_POST_FW_FWD_HOOK  all      *      *       ::/0                 ::/0                 state ESTABLISHED
    5  1695 VYATTA_POST_FW_FWD_HOOK  all      *      *       ::/0                 ::/0                 state RELATED
 422K   33M RETURN     all      *      *       ::/0                 ::/0

Chain VYATTA_STATE_POLICY_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
   26  3495 DROP       all      *      *       ::/0                 ::/0                 state INVALID
  58M 5247M VYATTA_POST_FW_IN_HOOK  all      *      *       ::/0                 ::/0                 state ESTABLISHED
    2   280 VYATTA_POST_FW_IN_HOOK  all      *      *       ::/0                 ::/0                 state RELATED
  26M 1648M RETURN     all      *      *       ::/0                 ::/0

Chain VYATTA_STATE_POLICY_OUT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
89378   17M DROP       all      *      *       ::/0                 ::/0                 state INVALID
  48M 4396M VYATTA_POST_FW_OUT_HOOK  all      *      *       ::/0                 ::/0                 state ESTABLISHED
 1263  164K VYATTA_POST_FW_OUT_HOOK  all      *      *       ::/0                 ::/0                 state RELATED
1842K  125M RETURN     all      *      *       ::/0                 ::/0

Chain WAN-INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* WAN-INBOUND-10 */ match-set MANAGEMENT_NETWORKS src
  170 13440 RETURN     all      *      *       ::/0                 ::/0                 /* WAN-INBOUND-20 */ match-set NLB_ADDRESSES src match-set CLUSTER_ADDRESSES dst
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* WAN-INBOUND-30 */ match-set EXTERNAL_PROBES src
    0     0 DROP       tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-1100 */ ! match-set RECENT-SYNs-WAN-Exception src recent: UPDATE seconds: 1 hit_count: 250 name: DEFAULT side: source mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
   25  2000            tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-1100 */ ! match-set RECENT-SYNs-WAN-Exception src recent: SET name: DEFAULT side: source mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
   21  1680 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2000 */ tcp dpt:22 match-set G-22-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2001 */ tcp dpt:3389 match-set G-3389-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2002 */ tcp dpt:80 match-set G-80-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2003 */ tcp dpt:443 match-set G-443-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2004 */ tcp dpt:53 match-set G-53-TCP dst
    0     0 RETURN     udp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2005 */ udp dpt:53 match-set G-53-UDP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2006 */ tcp dpt:25 match-set G-25-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2007 */ tcp dpt:143 match-set G-143-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2008 */ tcp dpt:110 match-set G-110-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2009 */ tcp dpt:1433 match-set G-1433-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2010 */ tcp dpt:3306 match-set G-3306-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2011 */ tcp dpt:20 match-set G-20-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2012 */ tcp dpt:21 match-set G-21-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2013 */ tcp dpt:465 match-set G-465-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2014 */ tcp dpt:587 match-set G-587-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2015 */ tcp dpt:993 match-set G-993-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2016 */ tcp dpt:995 match-set G-995-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2017 */ tcp dpt:8080 match-set G-8080-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2018 */ tcp dpt:8443 match-set G-8443-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2019 */ tcp dpt:10000 match-set G-10000-TCP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2020 */ tcp dpt:8447 match-set G-8447-TCP dst
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2040 */ match-set G-ALL_OPEN dst
    0     0 RETURN     icmpv6    *      *       ::/0                 ::/0                 /* WAN-INBOUND-2050 */ match-set G-ICMP dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2500 */ multiport dports 2087,5900 match-set DT_FW29612_10 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2501 */ tcp dpt:5985 match-set DT_FWF560B_22 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2502 */ multiport dports 555,777,5985 match-set DT_FW0D522_34 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2503 */ tcp dpt:666 match-set DT_FWB614B_40 dst
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* WAN-INBOUND-2504 */ tcp dpt:5985 match-set DT_FW29612_13 dst
    4   320 DROP       all      *      *       ::/0                 ::/0                 /* WAN-INBOUND-10000 default-action drop */

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo ip6tables -t mangle -L -n -v

Chain PREROUTING (policy ACCEPT 85M packets, 6943M bytes)
 pkts bytes target     prot opt in     out     source               destination
  85M 6943M VYOS_DNPT_HOOK  all      *      *       ::/0                 ::/0

Chain INPUT (policy ACCEPT 84M packets, 6895M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 609K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 50M packets, 4537M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 50M packets, 4582M bytes)
 pkts bytes target     prot opt in     out     source               destination
  50M 4582M VYOS_SNPT_HOOK  all      *      *       ::/0                 ::/0

Chain VYOS_DNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  85M 6943M RETURN     all      *      *       ::/0                 ::/0

Chain VYOS_SNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  50M 4582M RETURN     all      *      *       ::/0                 ::/0

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo ip6tables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
zsdc added a comment.Mar 6 2019, 4:47 PM

Thank you! This was made the situation much more apparent. Provide, please, an output of the next command:

sudo ipset list
jjcordon added a comment.Mar 6 2019, 5:20 PM

Hi!

yes sure:

vyos@es-lgr-lp6ngp1fw06-02:~$ sudo ipset list

Name: CLUSTER_ADDRESSES
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 3752
References: 10
Members:
2001:ba0:2020:4823:5476:86b5:5c35:eb82
2001:ba0:2020:2673:9ab8:4083:314:5aed
2001:ba0:2020:801e::1
2001:ba0:2020:aa7f:8314:139:e998:25d6
2001:ba0:203f:8000::4
2001:ba0:2020:8011::1
2001:ba0:2020:8008::1
2001:ba0:2020:66f1:f0be:5157:5709:3fd
2001:ba0:2020:c::1
2001:ba0:2020:4771:738:4731:2f5:db01
fd8b::a
2001:ba0:2020:dd3c:bd6c:d0b3:eb1e:cc88
2001:ba0:2020:ba8c:16b9:8753:47d:b14a
2001:ba0:2020::1
2001:ba0:2020:aa7f:2040:6f66:b7f7:ddea
2001:ba0:2020:bce5:cdb:a034:601e:e952
2001:ba0:2020:8016::1
2001:ba0:2020:4f6c:1889:50b2:673b:d6fe
2001:ba0:2020:3fef:ac8a:5b2f:fbdc:ef38
2001:ba0:2020:1eb7:f4e1:b1cc:ea8b:e5a3
2001:ba0:2020:f9ca:cb38:19f7:5260:6544
2001:ba0:2020:bce5:678f:bcca:b152:a6ae
2001:ba0:2020:a50f:8137:bde4:3c37:5b5e
2001:ba0:2020:a50f:67e4:799:2230:3d9f
2001:ba0:2020:4f6c::1
fd8b::b
2001:ba0:2020:8012::1
2001:ba0:2020:f4c4:74ed:7107:4c6e:cf20
2001:ba0:2020:800b::1
2001:ba0:2020:8015::1
2001:ba0:2020:c3ea:79df:b56f:69a5:8383
2001:ba0:2020:1082:d246:c56f:e95c:1739
2001:ba0:2020:19::1
ffff::f
2001:ba0:2020:6259:45c7:f67:b35b:f429
2001:ba0:2020:8f98:8dfe:6b9d:2709:afdd
2001:ba0:2020:3::1
2001:ba0:2020:8010::1
2001:ba0:2020:4f6c:1111:1111:1111:1111
2001:ba0:203f:8000::3
2001:ba0:2020:dd3c:1234:5678:90ab:cdef

Name: DT_FW29612_13
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
2001:ba0:2020:3::1

Name: G-20-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-3389-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1448
References: 2
Members:
2001:ba0:2020:3::1
2001:ba0:2020:8012::1
2001:ba0:2020:a50f:8137:bde4:3c37:5b5e
2001:ba0:2020:4f6c:1889:50b2:673b:d6fe
ffff::f
2001:ba0:2020:66f1:f0be:5157:5709:3fd
2001:ba0:2020:8010::1
2001:ba0:2020:800b::1
2001:ba0:2020:a50f:67e4:799:2230:3d9f
2001:ba0:2020:8011::1
2001:ba0:2020:8015::1
2001:ba0:2020:801e::1
2001:ba0:2020:4771:738:4731:2f5:db01
2001:ba0:2020::1

Name: G-3306-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-ICMP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 584
References: 2
Members:
2001:ba0:2020:4f6c:1889:50b2:673b:d6fe
2001:ba0:2020:800b::1
ffff::f
2001:ba0:2020::1
2001:ba0:2020:8008::1

Name: G-1433-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 296
References: 2
Members:
2001:ba0:2020:3::1
ffff::f

Name: INTERNAL_PROBES
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 0
Members:
2001:ba0:203f:8000::/64

Name: G-995-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: DT_FW29612_10
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
2001:ba0:2020:8010::1

Name: G-ALL_OPEN
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-993-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-587-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: EXTERNAL_PROBES
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 584
References: 1
Members:
2606:2e00:8014:2:216:3eff:feaa:5e29
2606:2e00:8003:0:216:3eff:fe69:6d98
2a02:2498:f000:0:216:3eff:fe14:7dfe
2401:c900:1101:4b:216:3eff:feaa:5e29
2401:c900:1101:d4:216:3eff:feaa:5e29

Name: G-465-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-443-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1736
References: 2
Members:
2001:ba0:2020:8016::1
2001:ba0:2020:aa7f:2040:6f66:b7f7:ddea
2001:ba0:2020:8010::1
2001:ba0:2020:4771:738:4731:2f5:db01
2001:ba0:2020:aa7f:8314:139:e998:25d6
2001:ba0:2020:bce5:678f:bcca:b152:a6ae
2001:ba0:2020:a50f:67e4:799:2230:3d9f
2001:ba0:2020:8012::1
2001:ba0:2020:8008::1
2001:ba0:2020:1eb7:f4e1:b1cc:ea8b:e5a3
ffff::f
2001:ba0:2020:66f1:f0be:5157:5709:3fd
2001:ba0:2020:a50f:8137:bde4:3c37:5b5e
2001:ba0:2020:bce5:cdb:a034:601e:e952
2001:ba0:2020:6259:45c7:f67:b35b:f429
2001:ba0:2020:3::1
2001:ba0:2020:8015::1

Name: DT_SMTP_BLOCKED
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 680
References: 1
Members:
2001:ba0:2020:c::1
2001:ba0:2020:a50f:8137:bde4:3c37:5b5e
2001:ba0:2020:3::1
2001:ba0:2020:8011::1
ffff::f
2001:ba0:2020:a50f:67e4:799:2230:3d9f

Name: G-143-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-110-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 392
References: 2
Members:
2001:ba0:2020:a50f:8137:bde4:3c37:5b5e
ffff::f
2001:ba0:2020:a50f:67e4:799:2230:3d9f

Name: SITE_MICRO
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 2
Members:
2001:ba0:0:1401::/64

Name: DT_FW0D522_34
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
2001:ba0:2020:4f6c:1889:50b2:673b:d6fe

Name: G-80-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 2408
References: 2
Members:
2001:ba0:2020:a50f:8137:bde4:3c37:5b5e
2001:ba0:2020:19::1
2001:ba0:2020:8010::1
2001:ba0:2020:8015::1
2001:ba0:2020:3::1
ffff::f
2001:ba0:2020:8016::1
2001:ba0:2020:c::1
2001:ba0:2020:8011::1
2001:ba0:2020:800b::1
2001:ba0:2020:8012::1
2001:ba0:2020:66f1:f0be:5157:5709:3fd
2001:ba0:2020:1eb7:f4e1:b1cc:ea8b:e5a3
2001:ba0:2020:4f6c:1889:50b2:673b:d6fe
2001:ba0:2020:6259:45c7:f67:b35b:f429
2001:ba0:2020:aa7f:8314:139:e998:25d6
2001:ba0:2020:a50f:67e4:799:2230:3d9f
2001:ba0:2020:bce5:cdb:a034:601e:e952
2001:ba0:2020:801e::1
2001:ba0:2020::1
2001:ba0:2020:aa7f:2040:6f66:b7f7:ddea
2001:ba0:2020:8008::1
2001:ba0:2020:bce5:678f:bcca:b152:a6ae
2001:ba0:2020:4771:738:4731:2f5:db01

Name: NLB_ADDRESSES
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 1
Members:
2001:ba0:0:1400::80/121

Name: NAS_BCK_NETWORKS
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 1
Members:
2001:ba0:203f::/65

Name: DT_FWFB7EA_22
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
2001:ba0:2020:8011::1

Name: MANAGEMENT_NETWORKS
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 2
Members:
2001:8d8:1ff:60::/64

Name: G-53-UDP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: DT_BLOCKED
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 1
Members:
ffff::f

Name: DT_FWF560B_22
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
2001:ba0:2020:3::1

Name: G-53-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: DNSCACHE_SERVERS
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 2
Members:
fd8b::a/127

Name: DC_MICRO
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1240
References: 1
Members:
2001:ba0:0:1400::/64

Name: G-25-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: RECENT-SYNs-WAN-Exception
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: LAN_ADDRESSES
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 296
References: 2
Members:
fd8b::3
fd8b::2

Name: DT_FWB614B_40
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
2001:ba0:2020::1

Name: G-22-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1640
References: 2
Members:
2001:ba0:2020:8011::1
2001:ba0:2020:8016::1
2001:ba0:2020:800b::1
2001:ba0:2020:8010::1
2001:ba0:2020:bce5:cdb:a034:601e:e952
ffff::f
2001:ba0:2020:1eb7:f4e1:b1cc:ea8b:e5a3
2001:ba0:2020:801e::1
2001:ba0:2020:3::1
2001:ba0:2020:aa7f:8314:139:e998:25d6
2001:ba0:2020:aa7f:2040:6f66:b7f7:ddea
2001:ba0:2020:6259:45c7:f67:b35b:f429
2001:ba0:2020::1
2001:ba0:2020:8008::1
2001:ba0:2020:4f6c:1889:50b2:673b:d6fe
2001:ba0:2020:bce5:678f:bcca:b152:a6ae

Name: G-10000-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-8447-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 296
References: 2
Members:
2001:ba0:2020:3::1
ffff::f

Name: G-21-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f

Name: G-8443-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 776
References: 2
Members:
2001:ba0:2020:3::1
2001:ba0:2020:4771:738:4731:2f5:db01
2001:ba0:2020:8010::1
2001:ba0:2020:1eb7:f4e1:b1cc:ea8b:e5a3
2001:ba0:2020:800b::1
ffff::f
2001:ba0:2020:8016::1

Name: G-8080-TCP
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 2
Members:
ffff::f
Viacheslav added a subscriber: Viacheslav.Oct 19 2020, 2:29 PM

@jjcordon can you test the latest rolling?

It will be easy to fix any bug if we can reproduce it in our lab.
So for that, we need config from 2 nodes.

show conf com

And the necessary commands that need to reproduce it.

dmbaturin added a project: test.Jul 29 2021, 1:13 PM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin reassigned this task from zsdc to erkin.Aug 13 2021, 1:52 PM
dmbaturin added a subscriber: zsdc.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:06 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:45 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:31 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:38 PM
Viacheslav closed this task as Invalid.Dec 18 2023, 8:44 AM

Configs weren't provided, so closed the task as invalid. Works with internal tetts.
Re-open it or add steps to reproduce.