Issues with the Ping tool
-
I pushed a GPO to every computer to disable IPv6 using the registry entry described here:
http://support.microsoft.com/kb/929852I want to leave IPv6 disabled until our ISP supports it, and then I'll set it up correctly.
-
In line with dok here - out of the box pretty much every os will try and do something with ipv6.. It may not be good stuff, like windows for example out of the box has 3 different methods of getting ipv6 to work over ipv4 (teredo, isatap, 6to4). To me this is just nonsense, and causes issues if you ask me when people don't follow through or understand ipv6. while sure linux has ipv6 out of the box it doesn't try and tunnel ipv6 over ipv4 out of the box that I have ever seen.
So windows can cause lots of noise and traffic that can be confusing to someone that is not up to speed with ipv6, etc.
To be honest I personally suggest if your not ready for ipv6 yet, disable it - atleast on your windows machine. It has no real requirement as of yet - while homegroups uses it for some stuff.. Who and the F is using that that would be actually looking at logs or attempting to actually setup their network ;) It doesn't actually use it for file transfers.. So might as well just turn that nonsense off as well.
To disable ipv6 on windows is quite simple, from elevated prompt
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
rebootTo put it back the way it came
reg delete hklm\system\currentcontrolset\services\tcpip6\parameters\ /v DisabledComponents /f
rebootSo your trying to track down the source of noise - to disable the ipv6 on? What your seeing in firewall log is broadcast for dhcpv6, as to what your pfsense has for its link local address those that start with fe80.. just look on interface page, or ifconfig. As dok stated I think just disable ipv6 blocks on firewall, I don't think it turns off ipv6 support or link local addresses in the os (freebsd)
How are you going to track it down if you can ping it? Going to start unplugging stuff until it doesn't ping? The suggestion for ndp table is much better idea.. On pfsense what do you see for ndp -a for that address your looking for?
-
@piz0t:
I pushed a GPO to every computer to disable IPv6 using the registry entry described here:
http://support.microsoft.com/kb/929852I want to leave IPv6 disabled until our ISP supports it, and then I'll set it up correctly.
So are you still seeing the hits in your pfsense log - if so then something didn't take the GPO I would guess.
Even when your isp supports it, doesn't mean you have to jump on it right away. I don't see it becoming a real requirement for quite some time, to be honest many of the isps that have it deployed like comcast I have find it not quite ready for prime time. I like to play with it, the HE tunnel has been nothing but rock solid stable.
-
To be honest I personally suggest if your not ready for ipv6 yet, disable it - atleast on your windows machine.
I agree, so that's why I want to disable IPv6 completely until I'm ready to set it up right.
To disable ipv6 on windows is quite simple, from elevated prompt
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
rebootYeah, that's the registry value in my GPO. I'm sure it's working fine for all the Windows computers. It works so well, that's why I'm using the firewall to identify the host because I can't ping from my workstation with IPv6 :)
How are you going to track it down if you can ping it? Going to start unplugging stuff until it doesn't ping?
Actually, that's exactly what I was planning to do :)
The suggestion for ndp table is much better idea.. On pfsense what do you see for ndp -a for that address your looking for?
Thanks, I'll look into the NDP stuff.
So are you still seeing the hits in your pfsense log - if so then something didn't take the GPO I would guess.
Yes, but I think the GPO is effective and this unknown host must not be on the Windows domain. It's probably an iPhone, MacBook, or something unauthorized.
Even when your isp supports it, doesn't mean you have to jump on it right away.
It's good to hear this from someone else. I assumed people on this forum would laugh at me for disabling IPv6.
-
The NDP Table only has entries for the interfaces on the pfSense box. The unknown IPv6 addresses aren't on that list.
-
When you say phone - so you have your wlan and lan on same segment? Why would you being seeing wireless phones on your lan? So only known devices are suppose to be on your wifi? if you have any sort of open or guest connection you can not control that they will ask for ipv6 from dhcpv6
Security 101 states if your not using a protocol, don't run the protocol - if your not actually using iPv6 why would you have it enabled ;)
-
When you say phone - so you have your wlan and lan on same segment? Why would you being seeing wireless phones on your lan? So only known devices are suppose to be on your wifi? if you have any sort of open or guest connection you can not control that they will ask for ipv6 from dhcpv6
Security 101 states if your not using a protocol, don't run the protocol - if your not actually using iPv6 why would you have it enabled ;)
Yes, we have company-issued iPhones on the same subnet as our workstations and servers. Yes, only known devices should be connecting to our wifi. The wifi is secured with RADIUS and WPA2.
I appreciate your help. I think I can figure it out from here. I mostly wanted to open this thread to suggest that the Ping tool be improved to give helpful error messages instead of no text at all, and to widen the textbox.
-
Agreed they could do some tweaking on the tool, but that is going to be very low priority for sure ;)
To be honest I don't think you can even turn off ipv6 on iphone for example - best thing would be prob just not log the requests so your log doesn't get filled up with noise ;)
-
http://en.wikipedia.org/wiki/Link-local_address
fe80:::: shouldn't even be forwarded anywhere
-
Who said it was being forwarded anywhere?
