Netgate Discussion Forum

    Why "Blocking Bogons" breaks DHCPv6 on WAN

    General pfSense Questions
    • Bob.Dig LAYER 8 @left4apple

      @left4apple Post "Status Interfaces WAN", maybe we have a clue. Working here fine though.

      • NogBadTheBad @left4apple

        @left4apple Working fine here, is your ISP issuing out addresses in the bogonsv6 table?

        That Reddit post is 3 years+ old BTW.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • JKnott @left4apple

          @left4apple

          Perhaps Packet Capture can tell you what addresses are being used. I would expect they should be using only GUA addresses, which start with a 2 or 3 and link local. Are they using ULA for something?

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • johnpoz LAYER 8 Global Moderator @left4apple

            @left4apple that makes no sense, because when you enable DHCP or DHCPv6 for your WAN, hidden rules are put in place that allow DHCP or DHCPv6 to happen before bogon would even be evaluated.

            [22.01-RELEASE][admin@sg4860.local.lan]/root: cat /tmp/rules.debug | grep dhcpv6
            pass in  quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000000563 label "allow dhcpv6 client in WAN"
            pass in  quick on $WAN proto udp from any port = 547 to any port = 546 ridentifier 1000000564 label "allow dhcpv6 client in WAN"
            pass out  quick on $WAN proto udp from any port = 546 to any port = 547 ridentifier 1000000565 label "allow dhcpv6 client out WAN" 
            [22.01-RELEASE][admin@sg4860.local.lan]/root: 
            

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • stephenw10 Netgate Administrator

              Is it actually breaking dhcpv6 though or simply not passing traffic once a dhcpv6 WAN is established? Unclear.

              The v6 bogons list is extensive though. It would not entirely surprise me to find either that the list has become out of date or that ISPs are just using addresses from within it.

              Steve

              • johnpoz LAYER 8 Global Moderator @stephenw10

                @stephenw10 either way Steve, not sure how that would be blocking the DHCPv6.. Aren't the hidden rules to allow DHCPv6 evaluated before the bogon rule?

                I could see if he had bogon on his LAN side interface that could cause issues with a client talking to an IPv6 address that is in bogonsv6.

                Could also be possible that just trying to load bogonsv6, which is quite large, is causing issues with loading rules. That is a known issue for quite some time with table size, etc. And the user might need to adjust their max table size depending on what they are loading into tables, be it bogon or other aliases, say via pfBlocker, etc.

                edit: also bogon by default logs, so if bogon was causing you problems - you should see what it blocks in your firewall logs.

                • stephenw10 Netgate Administrator

                  Yeah, I can't see how it would block the actual DHCPv6 traffic.

                  It certainly could be exhausting the table space but you would see an alert when trying to load the ruleset.

                  • johnpoz LAYER 8 Global Moderator @stephenw10

                    @stephenw10 said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

                    It certainly could be exhausting the table space but you would see an alert when trying to load the ruleset.

                    Concur - Unless this can be duplicated, or specifics given like logs in firewall from bogon rule, etc. Turning off bogon could just be a red herring that had nothing to do with the problem.

                    Seems other users have posted that they have bogon enabled, and dhcpv6 working fine, etc.

                    And per the hidden rules created when you enable dhcpv6 on your wan, I don't see how bogon could be involved in dhcpv6.

                    Since I assume OP just installed, that this is the current 2.6 version. But have seen in the past users installing old versions that they had laying around from 2 years ago, or downloading from a non-Netgate source, etc.

                    Or maybe the user is running the dev 2.7 version?

                    @left4apple could you provide more details of what exactly is not working? You're saying pfSense (what version) is not getting an IPv6 address via DHCPv6 on its WAN when you enable bogon on your WAN. If so, can you duplicate this.. enable bogon and see if you can get an IP, etc.

                    • left4apple

                      Some information if it helps:

                      1. WAN config: (screenshot: Screen Shot 2022-05-06 at 09.46.11.png)

                      2. WAN information: (screenshot: Screen Shot 2022-05-06 at 09.46.29.png)

                      3. LAN bridge has Track Interface configured for IPv6, tracking WAN

                      4. Device in the network gets 2601:647:5e00:a95:xxxxxxx as IPv6 address

                      • left4apple @johnpoz

                        @johnpoz Thanks (and to everyone else) for digging down to this problem. I'm using the latest pfSense 2.6. I really haven't gone too far other than disabling Blocking Bogons. Will collect more information after work today. But to answer your question,

                        1. Even with Block Bogons enabled, the device in the network can get IPv6 address starting with 2601.
                        • johnpoz LAYER 8 Global Moderator @left4apple

                          @left4apple said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

                          Even with Block Bogons enabled, the device in the network can get IPv6 address starting with 2601.

                          So if you're getting IPv6 on your WAN and clients are also getting IPv6 on your LAN side networks via tracking, then what is the problem.

                          Thought you said blocking bogon breaks dhcpv6 on wan.. from what you posted, with your wan showing a 2001 address that is not the case.

                          And bogon blocking on wan just like the rfc1918 block is only for inbound unsolicited traffic to your wan - has nothing to do with traffic you might initiate to rfc1918 or something blocked in bogon.

                          I show the current bogonv6 table
                          Table last updated on Sun May 1 00:55:01 2022 GMT. 131,285 records.

                          And from a quick look I don't see either your wan 2001 prefix or your 2601 in bogon anyway. Those 2001 and 2601 prefix are assigned to comcast.

                          • left4apple @johnpoz

                            @johnpoz Sorry if the title is misleading. In fact I have very little knowledge about IPv6. I mean enabling Blocking Bogon stops the IPv6 from working with WAN configured DHCPv6 and LAN Tracking the WAN interface.

                            • stephenw10 Netgate Administrator

                              Mmm, check for blocks in the firewall log when it's enabled.

                              • NogBadTheBad @left4apple

                                @left4apple a subnet mask of /128 on your WAN interface?

                                • keyser Rebel Alliance @left4apple

                                  @left4apple Well I have noticed that my WAN interface will not SLAAC its way to a GUA WAN IPv6 address if Block Bogons is enabled. I have been unable to confirm if this is because my ISP's IPv6 addresses are listed in the Bogons table.
                                  But I would be very surprised if this was the case as it's a well-known operator with many years of IPv6 operation.

                                  Love the no fuss of using the official appliances :-)

                                  • bingo600 @keyser

                                    @keyser
                                    The bogon files are in /etc on the pfSense box

                                    And it seems like they're fetched from here

                                    https://files.pfsense.org/lists/fullbogons-ipv4.txt
                                    https://files.pfsense.org/lists/fullbogons-ipv6.txt

                                    A "find" or grep would prob. solve your question.

                                    /Bingo

                                    If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                    pfSense+ 23.05.1 (ZFS)

                                    QOTOM-Q355G4 Quad Lan.
                                    CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                    LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                    • keyser Rebel Alliance @bingo600

                                      @bingo600 said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

                                      @keyser
                                      The bogon files are in /etc on the pfSense box

                                      And it seems like they're fetched from here

                                      https://files.pfsense.org/lists/fullbogons-ipv4.txt
                                      https://files.pfsense.org/lists/fullbogons-ipv6.txt

                                      A "find" or grep would prob. solve your question.

                                      /Bingo

                                      Thanks. The GUA addresses are not on the Bogon list, so that's not the reason. But I just had an event with SLAAC not working now regardless of disabling Bogon block, so the issue is probably ISP related. I know they are working on exchanging their IPv6 edge equipment, so it might just be that they are experiencing problems.

                                      • johnpoz LAYER 8 Global Moderator @keyser

                                        @keyser yeah even if the IP you were trying to go to is in bogon, it wouldn't be blocked. The rule is for source IP not destination IP, and if you created the connection to them, the return traffic would be allowed by the state.

                                        My guess is your disable of bogon was just a red herring.. And really nothing to do with your problem you were or are having. If bogon blocked something - it also would be in the firewall log.. Unless you disabled logging of bogon?

                                        (screenshot: logbogon.jpg)

                                        You don't have bogon enabled on any of your lan side interfaces do you? Bogon really should only be enabled on a wan interface.

                                        • chrcoluk @johnpoz

                                          @johnpoz said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

                                          @stephenw10 either way Steve, not sure how that would be blocking the DHCPv6.. Aren't the hidden rules to allow DHCPv6 evaluated before the bogon rule?

                                          I could see if he had bogon on his LAN side interface that could cause issues with a client talking to an IPv6 address that is in bogonsv6.

                                          Could also be possible that just trying to load bogonsv6, which is quite large, is causing issues with loading rules. That is a known issue for quite some time with table size, etc. And the user might need to adjust their max table size depending on what they are loading into tables, be it bogon or other aliases, say via pfBlocker, etc.

                                          edit: also bogon by default logs, so if bogon was causing you problems - you should see what it blocks in your firewall logs.

                                          Should there be an "any 546 to any 547" rule maybe?

                                          I just had disabled bogon logging as I am getting lots of fe80 port 546 to ff02 port 547 traffic on WAN link. The provider does issue both v4 and v6 over DHCP.

                                          pfSense CE 2.7.2

                                          • stephenw10 Netgate Administrator

                                            You can see the rules in the rules.debug file, for example:

                                            # allow our DHCPv6 client out to the BT
                                            pass in  quick on $BT proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000005711 label "allow dhcpv6 client in BT"
                                            pass in  quick on $BT proto udp from any port = 547 to any port = 546 ridentifier 1000005712 label "allow dhcpv6 client in BT"
                                            # Add Priority to dhcp6c packets if enabled
                                            pass out  quick on $BT proto udp from any port = 546 to any port = 547 ridentifier 1000005713 label "allow dhcpv6 client out BT" 
                                            

                                            That is above the block bogons rule:

                                            # block bogon networks (IPv6)
                                            # https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
                                            block in log quick on $BT from <bogonsv6> to any ridentifier 11004 label "block bogon IPv6 networks from BT"
                                            

                                            Steve

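As an added example (not from the thread and not pfSense's own code) that turns stephenw10's rules.debug excerpt and bingo600's grep suggestion into a runnable check: it parses a constructed excerpt in the fullbogons-ipv6.txt format, reports which bogon prefix (if any) contains an address, and evaluates packets against the four WAN rules in the order pfSense writes them, using pf's first-match semantics for `quick` rules. The bogon sample, addresses and the non-DHCPv6 ports are constructed; the rule order, ports and labels are the ones shown in the thread.

```python
import ipaddress

# Constructed excerpt in the format of fullbogons-ipv6.txt (one prefix per
# line, '#' comments). The real table has ~130k records per the thread.
BOGONS_V6_SAMPLE = """\
# constructed sample, not the real Team Cymru list
::/8
2001:db8::/32
"""

def load_bogons(text):
    """Parse a bogon list into networks, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def bogon_match(addr, bogons):
    """Return the bogon prefix containing addr, or None: bingo600's grep done properly."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in bogons if ip in n), None)

# WAN rules in the order pfSense writes them to rules.debug (all are 'quick'):
# the hidden DHCPv6 pass rules precede the bogon block. Port None = any port.
RULES = [
    ("pass", "in", "fe80::/10", 546, "fe80::/10", 546, "allow dhcpv6 client in WAN"),
    ("pass", "in", "any", 547, "any", 546, "allow dhcpv6 client in WAN"),
    ("pass", "out", "any", 546, "any", 547, "allow dhcpv6 client out WAN"),
    ("block", "in", "<bogonsv6>", None, "any", None, "block bogon IPv6 networks from WAN"),
]

def _addr_match(spec, ip, bogons):
    if spec == "any":
        return True
    if spec == "<bogonsv6>":
        return any(ip in n for n in bogons)
    return ip in ipaddress.ip_network(spec)

def evaluate(direction, src, sport, dst, dport, bogons):
    """pf semantics for 'quick' rules: the first match decides, later rules are never reached."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rdir, rsrc, rsport, rdst, rdport, label in RULES:
        if (rdir == direction and rsport in (None, sport) and rdport in (None, dport)
                and _addr_match(rsrc, s, bogons) and _addr_match(rdst, d, bogons)):
            return action, label
    return "no match", "falls through to the interface's user rules"

if __name__ == "__main__":
    bogons = load_bogons(BOGONS_V6_SAMPLE)
    print(evaluate("in", "fe80::1", 547, "fe80::2", 546, bogons))  # DHCPv6 Reply: pass
    print(evaluate("in", "2001:db8::1", 40000, "2601:647:5e00:a95::1", 443, bogons))  # block
    print(bogon_match("2601:647:5e00:a95::1", bogons))  # None: the OP's prefix is not listed
```

Note that a DHCPv6 Reply passes on the second rule even when its source sits inside the bogon table, which is the point made in the thread: the bogon block is never reached for that traffic, so a failed lease has to be explained by something else.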