Firezone's default nftables config seems to mess up with DHCPv6

Hello all,

I’m running a selfhosted Firezone in an AWS EC2 instance, type t4g.medium (arm64), under Ubuntu 20.04. It’s working great and made my life easier btw.

The only issue I’m facing with it is that the EC2 instance is dualstack, and it gets the IPv6 config via DHCPv6. For some reason, the nftables ruleset created by Firezone, which seems harmless, also seems to interfere with DHCPv6 operation. In particular, my instance does get a temporary lease with DHCPv6 on boot. Then, Firezone is started. Then, when the DHCPv6 expires, it never renews. I can run dhclient -6 -v ens5 and see it never get a lease. A tcpdump -eni ens5 ip6 shows the SOLICIT being sent, but it never gets a reply. The moment I run firezone-ctl teardown-network, dhclient -6 -v ens5 works instantly and the SOLICIT gets replied.

Have anybody experienced this? Do you know of any workaround? Should I open an issue on GitHub? Don’t hesitate in asking for more information, tcpdumps and such.


Hey @lucas8831! Thanks for the detailed report. Yes — could you open a GH issue for this with a packet capture of each of the failed dhcp request and the successful one? That’ll help us triage faster.

Hey jamil, sure. Find it at Firezone vs DHCPv6 · Issue #717 · firezone/firezone · GitHub .