Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Issues with the Ping tool

    Scheduled Pinned Locked Moved General pfSense Questions
    14 Posts 4 Posters 2.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      Jeremy11one
      last edited by

      I pushed a GPO to every computer to disable IPv6 using the registry entry described here:
      http://support.microsoft.com/kb/929852

      I want to leave IPv6 disabled until our ISP supports it, and then I'll set it up correctly.

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        In line with dok here - out of the box pretty much every os will try and do something with ipv6.. It may not be good stuff, like windows for example out of the box has 3 different methods of getting ipv6 to work over ipv4 (teredo, isatap, 6to4). To me this is just nonsense, and causes issues if you ask me when people don't follow through or understand ipv6.  while sure linux has ipv6 out of the box it doesn't try and tunnel ipv6 over ipv4 out of the box that I have ever seen.

        So windows can cause lots of noise and traffic that can be confusing to someone that is not up to speed with ipv6, etc.

        To be honest I personally suggest if your not ready for ipv6 yet, disable it - atleast on your windows machine.  It has no real requirement as of yet - while homegroups uses it for some stuff.. Who and the F is using that that would be actually looking at logs or attempting to actually setup their network ;)  It doesn't actually use it for file transfers..  So might as well just turn that nonsense off as well.

        To disable ipv6 on windows is quite simple, from elevated prompt
        reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
        reboot

        To put it back the way it came
        reg delete hklm\system\currentcontrolset\services\tcpip6\parameters\ /v DisabledComponents /f
        reboot

        So your trying to track down the source of noise - to disable the ipv6 on?  What your seeing in firewall log is broadcast for dhcpv6, as to what your pfsense has for its link local address those that start with fe80.. just look on interface page, or ifconfig.  As dok stated I think just disable ipv6 blocks on firewall, I don't think it turns off ipv6 support or link local addresses in the os (freebsd)

        How are you going to track it down if you can ping it?  Going to start unplugging stuff until it doesn't ping?  The suggestion for ndp table is much better idea..  On pfsense what do you see for ndp -a for that address your looking for?

        ndplist.png
        ndplist.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator
          last edited by

          @piz0t:

          I pushed a GPO to every computer to disable IPv6 using the registry entry described here:
          http://support.microsoft.com/kb/929852

          I want to leave IPv6 disabled until our ISP supports it, and then I'll set it up correctly.

          So are you still seeing the hits in your pfsense log - if so then something didn't take the GPO I would guess.

          Even when your isp supports it, doesn't mean you have to jump on it right away.  I don't see it becoming a real requirement for quite some time, to be honest many of the isps that have it deployed like comcast I have find it not quite ready for prime time.  I like to play with it, the HE tunnel has been nothing but rock solid stable.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • J Offline
            Jeremy11one
            last edited by

            @johnpoz:

            To be honest I personally suggest if your not ready for ipv6 yet, disable it - atleast on your windows machine.

            I agree, so that's why I want to disable IPv6 completely until I'm ready to set it up right.

            @johnpoz:

            To disable ipv6 on windows is quite simple, from elevated prompt
            reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
            reboot

            Yeah, that's the registry value in my GPO.  I'm sure it's working fine for all the Windows computers.  It works so well, that's why I'm using the firewall to identify the host because I can't ping from my workstation with IPv6 :)

            @johnpoz:

            How are you going to track it down if you can ping it?  Going to start unplugging stuff until it doesn't ping?

            Actually, that's exactly what I was planning to do :)

            @johnpoz:

            The suggestion for ndp table is much better idea..  On pfsense what do you see for ndp -a for that address your looking for?

            Thanks, I'll look into the NDP stuff.

            @johnpoz:

            So are you still seeing the hits in your pfsense log - if so then something didn't take the GPO I would guess.

            Yes, but I think the GPO is effective and this unknown host must not be on the Windows domain.  It's probably an iPhone, MacBook, or something unauthorized.

            @johnpoz:

            Even when your isp supports it, doesn't mean you have to jump on it right away.

            It's good to hear this from someone else.  I assumed people on this forum would laugh at me for disabling IPv6.

            1 Reply Last reply Reply Quote 0
            • J Offline
              Jeremy11one
              last edited by

              The NDP Table only has entries for the interfaces on the pfSense box.  The unknown IPv6 addresses aren't on that list.

              1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator
                last edited by

                When you say phone - so you have your wlan and lan on same segment?  Why would you being seeing wireless phones on your lan?  So only known devices are suppose to be on your wifi?  if you have any sort of open or guest connection you can not control that they will ask for ipv6 from dhcpv6

                Security 101 states if your not using a protocol, don't run the protocol - if your not actually using iPv6 why would you have it enabled ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • J Offline
                  Jeremy11one
                  last edited by

                  @johnpoz:

                  When you say phone - so you have your wlan and lan on same segment?  Why would you being seeing wireless phones on your lan?  So only known devices are suppose to be on your wifi?  if you have any sort of open or guest connection you can not control that they will ask for ipv6 from dhcpv6

                  Security 101 states if your not using a protocol, don't run the protocol - if your not actually using iPv6 why would you have it enabled ;)

                  Yes, we have company-issued iPhones on the same subnet as our workstations and servers.  Yes, only known devices should be connecting to our wifi.  The wifi is secured with RADIUS and WPA2.

                  I appreciate your help.  I think I can figure it out from here.  I mostly wanted to open this thread to suggest that the Ping tool be improved to give helpful error messages instead of no text at all, and to widen the textbox.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Agreed they could do some tweaking on the tool, but that is going to be very low priority for sure ;)

                    To be honest I don't think you can even turn off ipv6 on iphone for example - best thing would be prob just not log the requests so your log doesn't get filled up with noise ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • H Offline
                      heper
                      last edited by

                      http://en.wikipedia.org/wiki/Link-local_address

                      fe80:::: shouldn't even be forwarded anywhere

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Who said it was being forwarded anywhere?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.