Netgate Discussion Forum

    Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved

    6 Posts 3 Posters 1.2k Views 2 Watching
    chrcoluk:

      So I noticed I have fully working inbound ICMP, which is fine, but I wanted to start logging it to track a source IP for a monitoring service I am using, and then noticed there are no specific rules set up to allow the traffic. Is this being allowed via one of the hidden default rules?

      There is a WAN rule, but that's not processing the traffic.

      pfSense CE 2.8.1

      chrcoluk (replying to chrcoluk):

        Already solved, it is the WAN rule; logging didn't show it as it's using an established state.

        Bob.Dig (replying to chrcoluk):

          @chrcoluk Solved

          Gertjan (replying to chrcoluk):

            @chrcoluk said in Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved:

            I have fully working inbound ICMP which is fine

            Inbound on LAN or WAN?
            The default behavior of LAN: TCP, UDP, ICMP, and dozens of other protocols are allowed.
            WAN: nothing, meaning zero, which wasn't initiated from pfSense itself (or some LAN device), can enter.

            @chrcoluk said in Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved:

            it is the WAN rule, logging didnt show it as its using an established state.

            What WAN rule?
            If traffic comes in on WAN and it is established traffic, then initially, it was granted by an existing WAN firewall rule, one you place there yourself. Subsequent traffic, from the same traffic stream, will be granted right away.

            If you want WAN to reply to ICMPv4 from some device on the Internet, you need to create a firewall rule on WAN that grants access from this device (this device, using its source IP, or "any" for everybody), selecting some or all ICMPv4 types of traffic.

            By default, pfSense will not reply to ICMP requests coming into (= inbound into) the WAN.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            chrcoluk (replying to Gertjan):

              @Gertjan Hi

              I had a WAN rule already added to allow ICMP.

              Just a little bit of background here.

              So I have a monitoring service, monitoring my WAN IP.

              I wanted to find out what the remote IP is, so I enabled logging on the rule. I then observed nothing is getting logged for the monitoring, which sent me on a red herring looking for another rule that might be what's allowing the traffic.

              It was the correct rule. What happened is the rule has the default keep state, and I didn't flush states on the configuration change, and since there was already a state, it meant the pings from the monitoring were just hitting the existing state and as such the logging wasn't applied, as the pings never hit the rule. If that makes sense. When I discovered the state, of course I also discovered the remote IP.

              Gertjan (replying to chrcoluk):

                @chrcoluk said in Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved:

                looking for another rule that might be whats allowing the traffic

                I presume your monitoring service pings (right?!) from 'somewhere on the outside, somewhere from the Internet', so a firewall rule on the WAN interface is needed to allow this traffic coming into the WAN.
                The good news: normally ^^ you don't have many rules on WAN and typically none on the floating tab. So the matching rule is easy to find. In this case: look for the rules that match ICMP (or any), and 'any' as a source.

                @chrcoluk said in Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved:

                If that makes sense.

                Yep.
                Re-saving the firewall rules doesn't terminate already existing states.
                Normally, these will time out and disappear.
                But this is a case where you have to 'reset' them all, even losing other connections, like the very noticeable web browser LAN pfSense GUI connection: you have to log in again before you can see the changes. And that is just the tip of the iceberg, as more services on any LAN device that had open connections will get interrupted. Example: that Gmail app on your phone, that update service on your PC and any other service that wants to have a connection at all times for whatever reason. These will all get signaled that the connection closed, and they will reopen one.

                You could have used an intermediate step to discover the IP of the Internet based device :
                Packet capture.

                [screenshot: pfSense Packet Capture page]

                You'll see multiple packets popping up very regularly.
                The most obvious ones: the pfSense WAN monitoring tool called dpinger, sending out an ICMP ping request and getting an ICMP ping reply back. You can recognize these by the sending IP and replying destination.
                You will also see the ICMP ping request coming IN, and pfSense sending an ICMP ping reply to the IP that is monitoring your WAN from the outside.
                Maybe you'll find other devices (== IPs) that are pinging the pfSense WAN IP ^^


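The thread's conclusion is that the remote monitoring IP was visible in the existing ICMP state, not in the rule log, and Gertjan's dpinger remark means outbound states have to be told apart from inbound ones. As an added example (not code from the thread or from pfSense), this parses `pfctl -ss` output and lists the remote hosts holding inbound ICMP states on the WAN interface; it assumes the line layout noted in its docstring, a WAN interface named em0, and the constructed sample states embedded below.

```python
"""List remote hosts that hold inbound ICMP states on the WAN by parsing
`pfctl -ss` output. Assumed layout (IPv4 hosts print as addr:port, IPv6 as
addr[port], an optional "(pre-NAT host)" token may follow the left host):
  iface proto local [(nat)] -> remote state   (outbound: we opened it)
  iface proto local [(nat)] <- remote state   (inbound: remote opened it)"""
import ipaddress
import re

_V4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")
_V6 = re.compile(r"^([0-9a-fA-F:]+)\[\d+\]$")


def parse_host(tok):
    """Return the IP address from one pfctl host token (port/ICMP id dropped)."""
    m = _V4.match(tok) or _V6.match(tok)
    if not m:
        raise ValueError(f"unrecognised host token: {tok!r}")
    return ipaddress.ip_address(m.group(1))


def parse_state_line(line):
    """Return (iface, proto, direction, local_ip, remote_ip, status) or None."""
    tok = line.split()
    arrow = next((a for a in ("->", "<-") if a in tok), None)
    if arrow is None or len(tok) < 6:
        return None
    i = tok.index(arrow)  # left of the arrow is the local (inside) side
    return (tok[0], tok[1], "out" if arrow == "->" else "in",
            str(parse_host(tok[2])), str(parse_host(tok[i + 1])), tok[-1])


def remote_pingers(pfctl_output, wan_iface):
    """Remote IPs with an inbound ICMP/ICMPv6 state on wan_iface. Outbound
    states, such as dpinger's gateway pings, are excluded by direction."""
    hits = set()
    for s in map(parse_state_line, pfctl_output.splitlines()):
        if s and s[0] == wan_iface and s[2] == "in" and s[1] in ("icmp", "icmpv6"):
            hits.add(s[4])
    return sorted(hits)


# Constructed sample in pfctl -ss layout; not captured from a real firewall.
SAMPLE = """\
em0 icmp 198.51.100.10:21432 -> 198.51.100.1:21432       0:0
em0 icmp 198.51.100.10:8 <- 203.0.113.45:8       0:0
em0 tcp 198.51.100.10:443 <- 203.0.113.7:51234       ESTABLISHED:ESTABLISHED
em0 icmp 198.51.100.10:1234 (192.168.1.20:1234) -> 8.8.8.8:1234       0:0
em0 icmpv6 2001:db8:1::10[8] <- 2001:db8:ffff::5[8]       0:0
"""
```

On a pfSense box, `remote_pingers(subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout, "em0")` reads the live state table instead of SAMPLE.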