IPv6 address even though disabled
-
I have "Allow IPv6" unchecked in the advanced settings and "prefer to use IPv4 instead of IPv6" checked. The really weird thing though is that my WAN and LAN networks get IPv6 addresses!
I have multiple VLANs so I don't have any hosts on the LAN segment to test it, but I would think that if I disable IPv6, it won't get an address on the WAN or LAN interfaces. Is it really disabled or is something else going on?
-
So you're seeing link local on your interfaces then? You're talking about your pfsense interfaces right.
example
em2_vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:50:56:00:00:03
	inet6 fe80::250:56ff:fe00:3%em2_vlan100 prefixlen 64 scopeid 0xa
	inet 192.168.5.253 netmask 0xffffff00 broadcast 192.168.5.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 100 vlanpcp: 0 parent interface: em2
-
Below are my two interfaces that are getting ipv6 addresses….
vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:0c:29:<foo>
	inet6 fe80::20c:<foo>:4412%vmx0 prefixlen 64 scopeid 0x1
	inet <ip> netmask 0xfffffe00 broadcast 255.255.255.255
	inet6 2001:5<foo>9:4125:5501 prefixlen 128
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: active
vmx3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:0c:29:<foo>
	inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
	inet6 2601:248:<foo>:44c6 prefixlen 64
	inet6 fe80::1:1%vmx3 prefixlen 64 scopeid 0x4
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: active
-
Unchecking that box ONLY blocks all IPv6 traffic.
NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.
It does not serve as a "let's pretend there's no IPv6" button.
-
Unchecking that box ONLY blocks all IPv6 traffic.
NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.
It does not serve as a "let's pretend there's no IPv6" button.
Oh…duh... should have rtfm.
Is there a 'let's pretend there's no ipv6' button? :)
-
No.
-
The "Let's pretend IPv6 doesn't exist" setting is on each interface. Don't enable IPv6 on the interface if you don't want to use it. Don't want it on your LAN? Set IPv6 Configuration Type to None. Don't want it on your WAN? Do the same.
You might want it on the WAN and an OPT1 network, but not on the LAN. Then enable it for those two interfaces, but leave it set to None on the LAN.
-
@virgiliomi:
The "Let's pretend IPv6 doesn't exist" setting is on each interface. Don't enable IPv6 on the interface if you don't want to use it. Don't want it on your LAN? Set IPv6 Configuration Type to None. Don't want it on your WAN? Do the same.
You might want it on the WAN and an OPT1 network, but not on the LAN. Then enable it for those two interfaces, but leave it set to None on the LAN.
Problem is, that setting doesn't work - you still wind up with ip6 addresses assigned to interfaces.
I have a weird issue going on now where I default route my traffic from pfsense to an openVPN tunnel. It works quite well.
Now, I'd like to add access to pfsense for a client coming in over the wan. I do not assign any ip6 properties to either the outbound or inbound tunnel adapters, but both come up with default ip6 properties set.
Things work fine as long as the openvpn adapter for clients to connect to is disabled.
Enabling the adapter, even with no clients connecting, leads to very long DNS lookup times, or failure to resolve, and much slower page loads for browsers behind the firewall.
Some websites simply refuse to load and error out - one being Netflix.
DNS lookups start to return a mix of usable ip4 addresses and ip6 addresses, not usable since the box isn't permitting ip6 to pass - but some is apparently leaking in.
My impression is that despite having the global "do not permit ip6" flag set on the web interface, not configuring ip6 on any interfaces and having rules on each interface to block all ip6 traffic, because there is baseline ip6 information being bound to each adapter the openvpn config is picking up some ip6 routing information from my provider.
Enabling a second openvpn interface makes the box think that it maybe sorta can route ip6 after all, and it tries to do so.
From what I'm reading, the best way to remove ip6 support in bsd is to compile the kernel with an explicit no ip6 directive set.
There may also be approaches which involve sysctl, which I'm looking into now.
-
"Enabling the adapter, even with no clients connecting, leads to very long DNS lookup times, or failure to resolve, and much slower page loads for browsers behind the firewall."
Huh?? What is having a hard time resolving? You do understand even if you query via IPv4 for a fqdn, if there is an AAAA record you most likely get that returned as well since many dns clients default to query both..
If you get back an AAAA (ipv6 address for a fqdn) and your client prefers and has ipv6 it will try to use that.. But what does this have to do with pfsense having a link local address? I use ipv6 on some interfaces in pfsense and none on other interfaces where I am not using IPv6 in that network.. Yes those interfaces still get link local as shown above..
Your posting of this
inet6 2001:5<foo>9:4125:5501 prefixlen 128
and
inet6 2601:248:<foo>:44c6 prefixlen 64
This is NOT a none setting on the interface.. Where are you saying this is coming from?? If you have an interface set to NONE for ipv6 it sure as hell is not going to get a global ipv6 address on it.. 2000::/3
So you bring up openvpn.. I route ipv6 over one of my vpn servers connections, and then on another one I do not - so as you can see from attached one has a global ipv6 address, the other does not but both of them have link local addresses on them for ipv6..
If you are not ready to use ipv6, then make sure all your interfaces in pfsense have none set for ipv6. This is all that should have to be done..