Netgate Discussion Forum
    Blocking ISP provided IPv6 while still allowing HE IPV6 Tunnel

Sn3akerz:

How can I block my ISP's RA/NDP for IPv6? I have client machines picking up the ISP IPv6 address even though I have IPv6 disabled on my WAN interface (IPv6 Configuration Type: NONE), and my DHCPv6 & RA configured for my He.net tunnel.

      I'm on 23.01.

      I have a He.net tunnel (2001:470:1f05 range) that serves me well for IPv6 connectivity, and providing static IPv6 addressing that I have had for multiple years.

Comcast has assigned me a 'static' block of IPs that has changed periodically over the months/years, so I don't want to use it. Their modem (CGA4131COM) is handing out 2603:2024:1157 addresses, and I see no option in the router to disable such announcements.

      So far I've been unable to wrap my head around a firewall rule to block this.

      edited to show WAN IPv6 is set to NONE.

johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

        @sn3akerz said in Blocking ISP provided IPv6 while still allowing HE IPV6 Tunnel:

        and I see no option in the router to disable such announcements.

        huh - just set IPv6 on your wan interface to NONE..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Sn3akerz, replying to johnpoz:

          @johnpoz I guess I wasn't clear, my apologies. WAN IPv6 Configuration Type is set to NONE.

johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

@sn3akerz then how would you be getting an IPv6 address? It wouldn't if it's NONE.


Sn3akerz, replying to johnpoz:

              @johnpoz That's what I have been trying to figure out.

Here's the ifconfig output for my WAN interface:

              igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	description: WAN
              	options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
              	ether nope
              	inet6 fe80::225:90ff:fef4:a5d2%igb0 prefixlen 64 scopeid 0x1
              	inet 75.144.249.xxx netmask 0xfffffff8 broadcast 75.144.249.xxx
              	inet 75.144.249.xxx netmask 0xffffffff broadcast 75.144.249.xxx
              	inet 75.144.249.xxx netmask 0xffffffff broadcast 75.144.249.xxx
              	inet 10.1.10.2 netmask 0xffffff00 broadcast 10.1.10.255
              	inet 75.144.249.xxx netmask 0xffffffff broadcast 75.144.249.xxx
              	media: Ethernet autoselect (1000baseT <full-duplex>)
              	status: active
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              

              Here's for LAN:

              igb1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	description: LAN
              	options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
              	ether nope
              	inet6 fe80::225:90ff:fef4:a5d3%igb1 prefixlen 64 scopeid 0x2
              	inet6 2001:470:1f05:xxx::254 prefixlen 64
              	inet 10.xxx.xxx.254 netmask 0xffffff00 broadcast 10.0.0.255
              	media: Ethernet autoselect (1000baseT <full-duplex>)
              	status: active
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              
Sn3akerz:

Here's the generated radvd.conf:

                # Automatically Generated, do not edit
                # Generated for DHCPv6 Server lan
                interface igb1 {
                        AdvSendAdvert on;
                        MinRtrAdvInterval 200;
                        MaxRtrAdvInterval 600;
                        AdvDefaultLifetime 1800;
                        AdvLinkMTU 1500;
                        AdvDefaultPreference medium;
                        AdvManagedFlag on;
                        AdvOtherConfigFlag on;
                        prefix 2001:470:1f05:xxx::/64 {
                                DeprecatePrefix on;
                                AdvOnLink on;
                                AdvAutonomous on;
                                AdvValidLifetime 86400;
                                AdvPreferredLifetime 14400;
                        };
                        route ::/0 {
                                AdvRoutePreference medium;
                                RemoveRoute on;
                        };
                        RDNSS 2001:470:1f05:xxx::254 {
                                AdvRDNSSLifetime 1800;
                        };
                        DNSSL domain.int  {
                                AdvDNSSLLifetime 1800;
                        };
                };
                

                Here's dhcpdv6.conf:

                option domain-name "int.domain.net";
                option ldap-server code 95 = text;
                option domain-search-list code 119 = text;
                option dhcp6.bootfile-url code 59 = string;
                
                default-lease-time 7200;
                max-lease-time 86400;
                log-facility local7;
                one-lease-per-client true;
                deny duplicates;
                ping-check true;
                update-conflict-detection false;
                authoritative;
                subnet6 2001:470:1f05:xxx::/64 {
                        range6 2001:470:1f05:xxx:: 2001:470:1f05:xxx:ffff:ffff:ffff:ffff;
                        option domain-name "domain.int";
                        option dhcp6.domain-search "domain.int";
                        do-forward-updates false;
                        option dhcp6.name-servers 2001:470:1f05:xxx::254;
                        default-lease-time 72000;
                        max-lease-time 864000;
                
                        option dhcp6.bootfile-url "http://2001:470:1f05:xxx::65/ipxe.pxe";
                }
                ddns-update-style none;
                
johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

@sn3akerz so you had it set up at one time; is your lan still set to track?

                  wait - I don't see any IPv6 on your wan, and that on your lan is from your tunnel.

this is a link-local address - yeah, you're always going to have that:
                  inet6 fe80::225:90ff:fef4:a5d2%igb0 prefixlen 64 scopeid 0x1


Sn3akerz, replying to johnpoz:

                    @johnpoz

                    To the best of my recollection, I've never had WAN IPv6 set to anything but NONE.
                    LAN IPv6 is set to static IPv6 with the address you see in the output.

                    Here's the output of ipconfig on a windows box that I have access to:
Note: I removed a bunch of deprecated addresses as I didn't want to mask them all.

                    Ethernet adapter Ethernet:
                    
                       Connection-specific DNS Suffix  . : domain.int
                       Description . . . . . . . . . . . : Intel(R) Ethernet Connection (6) I219-V
                       Physical Address. . . . . . . . . : nope
                       DHCP Enabled. . . . . . . . . . . : Yes
                       Autoconfiguration Enabled . . . . : Yes
                       IPv6 Address. . . . . . . . . . . : 2001:470:1f05:xxx:b242:e86b:caf4:7857(Preferred)
                       IPv6 Address. . . . . . . . . . . : 2001:470:1f05:xxx:e43e:6423:90b7:6a7f(Preferred)
                       Lease Obtained. . . . . . . . . . : Tuesday, March 14, 2023 6:31:07 PM
                       Lease Expires . . . . . . . . . . : Wednesday, March 22, 2023 7:22:42 AM
                       IPv6 Address. . . . . . . . . . . : 2603:3024:1157:xxxx:xxxx:8682:239d:efd3(Preferred)
                       Temporary IPv6 Address. . . . . . : 2001:470:1f05:xxx:9432:15f7:960a:238f(Preferred)
                       Temporary IPv6 Address. . . . . . : 2603:3024:1157:xxxx:xxxx:15f7:960a:238f(Preferred)
                    
                       Link-local IPv6 Address . . . . . : fe80::518f:2c26:659f:2f37%18(Preferred)
                       IPv4 Address. . . . . . . . . . . : 10.xxx.0.128(Preferred)
                       Subnet Mask . . . . . . . . . . . : 255.255.255.0
                       Lease Obtained. . . . . . . . . . : Tuesday, March 14, 2023 6:31:05 PM
                       Lease Expires . . . . . . . . . . : Thursday, April 13, 2023 6:31:14 PM
                       Default Gateway . . . . . . . . . : fe80::225:90ff:fef4:a5d3%18
                                                           fe80::3e9a:77ff:fe21:4727%18
                                                           10.xxx.0.254
                       DHCP Server . . . . . . . . . . . : 10.xxx.0.99
                       DHCPv6 IAID . . . . . . . . . . . : nope
                       DHCPv6 Client DUID. . . . . . . . : nope
                       DNS Servers . . . . . . . . . . . : 2001:470:1f05:xxx::254
                                                           10.xxx.0.254
                       NetBIOS over Tcpip. . . . . . . . : Enabled
                       Connection-specific DNS Suffix Search List :
                                                           domain.int
                    
johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

                      @sn3akerz well that isn't pfsense handing that out.. You have some issue with your L2 and that windows box is seeing traffic from your ISP.

Do you have a bridge set up in pfsense, from your wan to your lan? How exactly is the network connected together - do you have a common switch you're running your wan and lan through?


Sn3akerz, replying to johnpoz:

                        @johnpoz
                        No bridge setup, however the modem is connected to a Cisco 2960 switch (a) on a separate VLAN, trunked to another Cisco 2960 (b) that pfSense's WAN is connected to, which connects LAN to vlan 1 (which I need to fix).
                        This client connects to VLAN 1 on switch a.

I've double-checked the VLAN configuration on both switches and the ports are configured correctly. I will need to look into the switches' IPv6 capabilities and see if they are somehow causing this.

                        Thanks for your help

johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

                          @sn3akerz yeah looks to me like the client is getting that from your isp via being on the L2 network - so that would point to a problem with your isolation on your switches.

Run, say, wireshark on that client and validate what traffic it's seeing and where it gets the IP from. Just don't see how it could be pfsense passing it on, when it's not set up for a bridge and that IP range is not set up anywhere on it, etc.


Sn3akerz, replying to johnpoz:

                            @johnpoz

                            I will give that a try, otherwise I'll grab a 50 ft cat6 cable and remove the switches from the modem/WAN entirely and see if I still pull those IPs.

                            I agree, I don't see how it would be pfSense passing the info on, the theory I had was somehow the RA/NDP packets were being allowed / forwarded somehow that I couldn't think of.

johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

@sn3akerz Yeah, that would be a good way to make sure you're isolated. A bit more intrusive of a test, but a valid way for sure.

                              If you sniff on client and actually see broadcast traffic from your wan L2, you will know you got some sort of leak between your vlans. If your isp is anything like mine - my wan is full of arp traffic that I really shouldn't be seeing ;)

                              So that would be smoking gun you have a L2 isolation problem..


Sn3akerz, replying to johnpoz:

                                @johnpoz

I am seeing the following in wireshark, so I am going to say you are right and I have an L2 leak.

                                Source                   Destination Protocol   Info
                                fe80:3e9a:77ff:fe21:4727 ff02::1     ICMPv6     Router Advertisement from 3c:9a:77
                                

                                That mac address is for Technicolor which is the modem manufacturer and I verified that is the ip of the modem.

                                Now to figure out how to fix it.

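An added detection example, not code from the thread or from pfSense: it parses the ICMPv6 Router Advertisements a client capture contains and flags any RA that comes from a router other than pfSense's LAN link-local address (fe80::225:90ff:fef4:a5d3) or that advertises a prefix outside the HE tunnel's 2001:470:1f05::/48. The subnet ids 2001:470:1f05:1::/64 and 2603:3024:1157:ab00::/64 are constructed placeholders for the values the thread masks, and build_ra exists only to construct sample packets.

```python
import ipaddress
import struct

# Values from the thread: the HE tunnel prefix the LAN should carry, and pfSense's
# LAN link-local address (the only router expected to send RAs on igb1).
EXPECTED_PREFIXES = [ipaddress.IPv6Network("2001:470:1f05::/48")]
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::225:90ff:fef4:a5d3")}

ICMPV6_RA = 134      # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SRC_LLADDR = 1   # Source Link-layer Address option
OPT_PREFIX_INFO = 3  # Prefix Information option


def parse_ra(payload: bytes):
    """Parse an ICMPv6 RA body (header + options); return None if it is not an RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA or payload[1] != 0:
        return None
    _hop, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"default_router": lifetime > 0, "prefixes": [], "src_mac": None}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        body = payload[off:off + olen * 8]
        if olen == 0 or len(body) < olen * 8:  # zero-length or truncated option: stop
            break
        if otype == OPT_PREFIX_INFO and olen == 4:
            # body[2] is the prefix length, body[16:32] the 128-bit prefix
            ra["prefixes"].append(ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        elif otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        off += olen * 8
    return ra


def classify_ra(src_ip: str, payload: bytes) -> str:
    """Return 'expected', 'not-an-ra', or 'rogue: <reasons>' for one captured RA."""
    ra = parse_ra(payload)
    if ra is None:
        return "not-an-ra"
    reasons = []
    src = ipaddress.IPv6Address(src_ip)
    if src not in KNOWN_ROUTERS:
        reasons.append(f"unknown router {src} (mac {ra['src_mac']})")
    for net in ra["prefixes"]:
        if not any(net.subnet_of(exp) for exp in EXPECTED_PREFIXES):
            reasons.append(f"unexpected prefix {net}")
    if reasons and ra["default_router"]:
        reasons.append("installs a default route")  # why the client showed two gateways
    return "rogue: " + "; ".join(reasons) if reasons else "expected"


def build_ra(prefix: str, plen: int, mac: bytes, lifetime: int = 1800) -> bytes:
    """Construct a sample RA body for testing (ICMPv6 checksum left as zero)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    lladdr = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, mac)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, 0xC0,
                      86400, 14400, 0, ipaddress.IPv6Address(prefix).packed)
    return hdr + lladdr + pio
```

Fed the modem's RA from the capture above (source fe80::3e9a:77ff:fe21:4727, a 2603:3024:1157 prefix), classify_ra returns a rogue verdict naming the unknown router and prefix; pfSense's own RA on igb1 comes back expected.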
johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

@sn3akerz yeah, you should for sure not be seeing such traffic on your lan side networks behind your router.

                                  Look at it this way you found a problem, that is good to get fixed that is for sure.

Currently you're directly exposed to the public internet. If it was me I would turn off the ipv6 on those devices until you get them isolated.


Sn3akerz:

                                    Just wanted to share, the issue was the switch port was set to trunk mode instead of access mode. The tool I was using didn't show this, it wasn't until I manually logged into the switch and reviewed the config that I caught the issue.

                                    Thanks again for sending me down the right path.

johnpoz (LAYER 8 Global Moderator), replying to Sn3akerz:

                                      @sn3akerz glad you got it sorted.. So you weren't crazy heheh..

                                      So far I've been unable to wrap my head around a firewall rule to block this.

Kind of hard to block something at the firewall if it's not going over the firewall ;)

