PfSense 2.0.1 - IPv6 disabled but passing IPv6 traffic on firewall
-
Hi,
I am using pfsense 2.0.1. I did not enable IPv6. But for some days now I have been getting many IPv6 log entries for traffic that passes my firewall.
Can someone help me understand what this traffic is, why it can pass the firewall, and how to block it? Thank you.
-
Those are probably LAN to LAN or LAN to LAN IP of the firewall. You just don't want to see WAN in the IF column.
-
But I did not enable IPv6 on pfsense - why should there be any IPv6 traffic initiated by pfsense !?
I am unsure if this could be some kind of virus, trojan on a host on the LAN !?
And on this pfsense there is only one LAN interface and three WAN interfaces - and on the LAN there is just another pfsense but no hosts.
I am not familiar with reading IPv6 addresses, so I don't know where this traffic comes from or which host initiates it.
This is my network:
WAN1
WAN2---pfsense1---172.16.0.0/16-----pfsense2---172.17.0.0/16 (6 different VLANs)
WAN3

pfsense1 is doing load balancing and NAT + freeradius2 + openvpn
pfsense2 is doing just routing with squid + squidguard + freeradius2

Any suggestions?
-
"But I did not enable IPv6 on pfsense "
You did not enable it on the firewall, but what did you enable on the lan interface? Did you set an ipv6 address, does it have an ipv6 address?
I would just look at ifconfig on your pfsense box, do you have ipv6 link local address there?
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:50:56:00:00:02
	inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::250:56ff:fe00:2%em0 prefixlen 64 scopeid 0x1
If so then sure you could see ipv6 traffic from other devices on the lan.
-
[2.0.1-RELEASE][admin@pfsense1.hpa]/root(1): ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
	ether 00:26:2d:04:2f:36
	inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
	inet6 fe80::226:2dff:fe04:2f36%igb0 prefixlen 64 scopeid 0x1
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
	ether 00:26:2d:04:2f:37
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::226:2dff:fe04:2f37%igb1 prefixlen 64 scopeid 0x2
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
	ether 00:1b:21:a1:c9:64
	inet6 fe80::21b:21ff:fea1:c964%igb2 prefixlen 64 scopeid 0x3
	inet 192.168.3.20 netmask 0xffffff00 broadcast 192.168.3.255
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet 100baseTX <full-duplex>
	status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
	ether 00:1b:21:a1:c9:65
	inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
	inet6 fe80::21b:21ff:fea1:c965%igb3 prefixlen 64 scopeid 0x4
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
pflog0: flags=100<PROMISC> metric 0 mtu 33200
enc0: flags=0<> metric 0 mtu 1536
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::226:2dff:fe04:2f36%ovpns2 prefixlen 64 scopeid 0x9
	inet 10.0.32.1 --> 10.0.32.2 netmask 0xffffffff
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	Opened by PID 16133
igb0-igb2 is my WAN, igb3 is my LAN.
At the moment I am connected via openvpn. I am using pfsense 2.0.1 - I never added any IPv6 code from git or anywhere else. As far as I know this version of pfsense does not support IPv6 ?! Just tunneling IPv6 traffic through IPv4 - but this is disabled in the GUI.
PS: If you need more information from commandline, please let me know what and the syntax to get it.
Thanks in advance!
-
Well there you go
inet6 fe80::21b:21ff:fea1:c965%igb3 prefixlen 64 scopeid 0x4
So yeah your lan interface can see ipv6 traffic.
Just because pfsense does not have their gui with ipv6 stuff, doesn't mean the freebsd underneath it doesn't support ipv6.
Guess I could fire up a copy of 2.01 or 2.02, but doesn't your lan interface gui have a place to set ipv6 address?
-
Just so that you know, anything that starts with fe80 is a link local (hardware IPv6) address. It is not supposed to be routable. From the wiki:
Local addresses
::1/128 — The loopback address is a unicast localhost address. If an application in a host sends packets to this address, the IPv6 stack will loop these packets back on the same virtual interface (corresponding to 127.0.0.0/8 in IPv4).
fe80::/10 — Addresses in the link-local prefix are only valid and unique on a single link. Within this prefix only one subnet is allocated (54 zero bits), yielding an effective format of fe80::/64. The least significant 64 bits are usually chosen as the interface hardware address constructed in modified EUI-64 format. A link-local address is required on every IPv6-enabled interface—in other words, applications may rely on the existence of a link-local address even when there is no IPv6 routing. These addresses are comparable to the auto-configuration addresses 169.254.0.0/16 of IPv4.
-
^ exactly.. If you don't want to see that sort of traffic then you should fully disable IPv6 on your lan machines.
I personally don't like it being enabled unless I am going to actually do something with it on that box. So if I am not going to actually use ipv6, I disable it completely. Why run a protocol you're not using, I say! On Windows it's pretty easy.
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
Linux and bsd's depending on flavor you have to do a bit of research ;)
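To make the ifconfig check suggested earlier in this thread repeatable, here is an added example (not from this thread, nor pfSense's own code) that parses FreeBSD-style ifconfig output and flags every interface holding a fe80::/10 link-local address, the address class the wiki excerpt above describes. The sample output is constructed from the shape of the dump posted earlier; the 2001:db8::1 address is a made-up documentation-range value added only to show a non-link-local case.

```python
import ipaddress
import re

# Constructed sample in the shape of FreeBSD ifconfig output on pfSense 2.0.1.
# igb3/lo0 lines mirror the dump above; the ovpns2 inet6 line is invented.
SAMPLE_IFCONFIG = """\
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:1b:21:a1:c9:65
    inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
    inet6 fe80::21b:21ff:fea1:c965%igb3 prefixlen 64 scopeid 0x4
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet6 2001:db8::1 prefixlen 64
    inet 10.0.32.1 --> 10.0.32.2 netmask 0xffffffff
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET6_RE = re.compile(r"^\s+inet6 (\S+) prefixlen (\d+)")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")

def classify(addr_str):
    """Name the IPv6 address class: loopback, link-local, unique-local or global."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"      # auto-assigned, never routed off the link
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global"

def parse_ifconfig(text):
    """Map interface name -> list of (inet6 address without %zone, prefixlen)."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = INET6_RE.match(line)
        if m and current is not None:
            addr = m.group(1).split("%")[0]   # strip the FreeBSD zone suffix (%igb3)
            result[current].append((addr, int(m.group(2))))
    return result

def link_local_interfaces(text):
    """Interfaces that carry fe80::/10 and will therefore see neighbour IPv6 traffic."""
    return sorted(name for name, addrs in parse_ifconfig(text).items()
                  if any(classify(a) == "link-local" for a, _ in addrs))
```

Feed it `ifconfig` output from the firewall or from a LAN host; any interface listed by `link_local_interfaces` has an IPv6 stack active on that link even though nothing in the pfSense GUI was turned on.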
-
Thank you johnpoz and podilarius,
that helped me a lot. First, it is good to know that this is not a virus or something similar, and I agree with you: why should something be enabled if I do not need it? I do not need IPv6 on my LAN.
Thank you for your help! :-)