Why "Blocking Bogons" breaks DHCPv6 on WAN

left4apple

Some information if it helps:

1. WAN config:
   

2. WAN information:

3. LAN bridge has Track Interface configured for IPv6, tracking WAN

4. Device in the network gets 2601:647:5e00:a95:xxxxxxx as IPv6 address

left4apple

@johnpoz Thanks (and to everyone else) for digging down to this problem. I'm using the latest pfSense 2.6. I really haven't gong too far other than disabling Blocking Bogons. Will collect more information after work today. But to answer your question,

1. Even with Block Bogons enabled, the device in the network can get IPv6 address starting with 2601.

johnpoz

@left4apple said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

Even with Block Bogons enabled, the device in the network can get IPv6 address starting with 2601.

So if your getting IPv6 on your wan and clients are also getting IPv6 on your lan side networks via using tracking then what is the problem.

Thought you said blocking bogon breaks dhcpv6 on wan.. from what you posted, with your wan showing a 2001 address that is not the case.

And bogon blocking on wan just like the rfc1918 block is only for inbound unsolicited traffic to your wan - has nothing to do with traffic you might initiate to rfc1918 or something blocked in bogon.

I show the current bogonv6 table
Table last updated on Sun May 1 00:55:01 2022 GMT. 131,285 records.

And from a quick look I don't see either your wan 2001 prefix or your 2601 in bogon anyway. Those 2001 and 2601 prefix are assigned to comcast.

left4apple

@johnpoz Sorry if the title is misleading. In fact I have very little knowledge about IPv6. I mean enabling Blocking Bogon stops the IPv6 from working with WAN configured DHCPv6 and LAN Tracking the WAN interface.

stephenw10

Mmm, check for blocks in the firewall log when it's enabled.

NogBadTheBad

@left4apple a subnetmask of /128 on your wan interface?

keyser

@left4apple Well I have noticed that my WAN interface will not SLAAC it’s way to a GUA WAN IPv6 address if block Bogons is enabled. I have been unable to confirm if this is because my ISPs IPv6 addresses are listed in the Bogons table.
But I would be very surprised if this was the case as its a well known operator with many years of IPv6 operation.

bingo600

@keyser
The bogon files are in /etc on the pfSense box

And it seems like they're fetced from here

https://files.pfsense.org/lists/fullbogons-ipv4.txt
https://files.pfsense.org/lists/fullbogons-ipv6.txt

A "find" or grep would prob. solve your question.

/Bingo

keyser

@bingo600 said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

@keyser
The bogon files are in /etc on the pfSense box

And it seems like they're fetced from here

https://files.pfsense.org/lists/fullbogons-ipv4.txt
https://files.pfsense.org/lists/fullbogons-ipv6.txt

A "find" or grep would prob. solve your question.

/Bingo

Thanks. The GUA addresses are not on the Bogon list, så thats not the reason. But I just had a event with Slaac not working now regardless of disabling Bogon block, so the issue is probably ISP related. I know they are working on exchanging their IPv6 Edge equipment, so it might just be they are experiencing problems.

johnpoz

@keyser yeah even if the IP you were trying to go to is in bogon, it wouldn't be blocked. The rule is for source IP not destination IP, and if you created the connection to them, the return traffic would be allowed by the state.

My guess is your disable of bogon was just a red herring.. And really nothing to do with your problem you were or are having. If bogon blocked something - it also would be in the firewall log.. Unless you disabled logging of bogon?

You don't have bogon enabled on any of your lan side interfaces do you? Bogon really should only be enabled on a wan interface.

chrcoluk

@johnpoz said in Why "Blocking Bogons" breaks DHCPv6 on WAN:

@stephenw10 either way Steve not sure how that would be blocking the dhcpv6.. Isn't the hidden rules to allow dhcpv6 evaluated before the bogon rule?

I could see if he had bogon on his lan side interface that could cause issues with client talking to a Ipv6 that is in bogonv6

Could also be possible that just trying to load bogonv6 which is quite large is causing issues with loading rules. That is a known issue for quite some time with table size, etc. And user might need to adjust their max table side depending on what they are loading into tables, be it bogon or other aliases say via pfblocker, etc.

edit: also bogon by default logs, so if bogon was causing you problems - you should see what it blocks in your firewall logs.

Should there be a any 546 to any 547 rule maybe?

I just had disabled bogon logging as I am getting lots of fe80 port 546 to ff02 port 547 traffic on WAN link. The provider does issue both v4 and v6 over DHCP.

stephenw10

You can see the rules in the rules.debug file, for example:

# allow our DHCPv6 client out to the BT
pass in  quick on $BT proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000005711 label "allow dhcpv6 client in BT"
pass in  quick on $BT proto udp from any port = 547 to any port = 546 ridentifier 1000005712 label "allow dhcpv6 client in BT"
# Add Priority to dhcp6c packets if enabled
pass out  quick on $BT proto udp from any port = 546 to any port = 547 ridentifier 1000005713 label "allow dhcpv6 client out BT" 

That is above the block bogons rule:

# block bogon networks (IPv6)
# https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $BT from <bogonsv6> to any ridentifier 11004 label "block bogon IPv6 networks from BT"

Steve