IPv6 multicasts flooding the pfSense logs.
-
Got it… done. Here's the output:
Diagnostics > Command Prompt
Shell Output - pfctl -sr
scrub on re2 all fragment reassemble
scrub on re0 all fragment reassemble
scrub on re1 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
anchor "ipsec/" all
pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on re2 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log on ! re2 inet from XX.XX.194.0/23 to any
block drop in log inet from XX.XX.XX.XX to any
block drop in log on re2 inet6 from fe80::212:eff:fee6:b069 to any
block drop in log quick on re2 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on re2 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on re2 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on re2 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on re2 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
pass in on re2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out on re2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
block drop in log on ! re0 inet from 192.168.2.0/24 to any
block drop in log inet from 192.168.2.1 to any
block drop in log on re0 inet6 from fe80::20d:b9ff:fe38:5648 to any
pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on re0 inet proto udp from any port = bootpc to 192.168.2.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on re0 inet proto udp from 192.168.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! re1 inet from 192.168.3.0/24 to any
block drop in log inet from 192.168.3.1 to any
block drop in log on re1 inet6 from fe80::20d:b9ff:fe38:5649 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (re2 XX.XX.XX.1) inet from XX.XX.XX.XX to ! XX.XX.XX.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
anchor "userrules/" all
pass in quick on openvpn all flags S/SA keep state label "USER_RULE: OpenVPN BaseStar-VPN wizard"
block drop in quick on re2 inet6 all label "USER_RULE: Block IPv6"
pass in quick on re2 reply-to (re2 XX.XX.XX.1) inet proto udp from any to XX.XX.XX.XX port = 3219 keep state label "USER_RULE: OpenVPN BaseStar-VPN wizard"
block drop in log quick on re0 inet proto tcp from 192.168.2.4 to (self) port = ssh label "USER_RULE: Isolate ConnectME client from firewall management"
block drop in log quick on re0 inet proto tcp from 192.168.2.4 to (self) port = https label "USER_RULE: Isolate ConnectME client from firewall management"
block drop in log quick on re0 inet proto udp from 192.168.2.4 to (self) port = ssh label "USER_RULE: Isolate ConnectME client from firewall management"
block drop in log quick on re0 inet proto udp from 192.168.2.4 to (self) port = https label "USER_RULE: Isolate ConnectME client from firewall management"
block return in quick on re0 inet from <nas> to XX.XX.XX.0/23 label "USER_RULE: No WAN access"
block return in quick on re0 inet from <no_wan_access> to XX.XX.XX.0/23 label "USER_RULE: No WAN access"
pass in quick on re0 inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
block return in quick on re1 inet proto tcp from 192.168.3.0/24 to (self) port = ssh label "USER_RULE: Block access to Firewall Management"
block return in quick on re1 inet proto tcp from 192.168.3.0/24 to (self) port = https label "USER_RULE: Block access to Firewall Management"
block return in quick on re1 inet proto udp from 192.168.3.0/24 to (self) port = ssh label "USER_RULE: Block access to Firewall Management"
block return in quick on re1 inet proto udp from 192.168.3.0/24 to (self) port = https label "USER_RULE: Block access to Firewall Management"
block return in quick on re1 inet from 192.168.3.0/24 to 192.168.2.0/24 label "USER_RULE: Block traffic to LAN"
pass in quick on re1 inet from 192.168.3.0/24 to any flags S/SA keep state label "USER_RULE: Permit outgoing IPv4 traffic"
anchor "tftp-proxy/*" all
My real WAN IP is replaced in this output with XX.XX.XX.XX, just so you know what that is and why it is there.
Please let me know if this helps.
-
Yep, that helps.
See the line that says this, the first block rule?
block drop in log quick inet6 all label "Block all IPv6"
The "log" keyword is there. On your WAN rules, didn't you label it "block all ipv6"? Make sure you don't have "log" checked for that rule.
I think that block rule is from your addition, but it may be added from disabling the IPv6 that you did elsewhere in the config.
One way to prove that would be to go back and re-enable IPv6 and leave the block rule that you added (turning back on the logging of default rules) and see what shows up in the logs.
-
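To find which block rules carry the "log" keyword the reply above points at, here is an added example (not code from any poster or from pfSense) that parses pfctl -sr output into its option fields and lists the logging block rules per address family. SAMPLE_RULES is a constructed subset in the shape of the ruleset posted above, and parse_rule and logging_block_rules are names chosen for this example.

```python
import re

# Constructed sample in the shape of the pfctl -sr output posted in this thread (a subset).
SAMPLE_RULES = """\
pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log on ! re0 inet from 192.168.2.0/24 to any
block drop in quick on re2 inet6 all label "USER_RULE: Block IPv6"
"""

LABEL_RE = re.compile(r'label "([^"]*)"')
BODY_START = {"all", "from", "proto"}  # the option keywords (log/quick/on/af) end here


def parse_rule(line):
    """Pull action, direction, log, quick, interface, address family and label out of a pf rule."""
    tokens = line.split()
    rule = {"action": tokens[0], "direction": None, "log": False,
            "quick": False, "iface": None, "af": None, "label": None}
    i = 1
    while i < len(tokens) and tokens[i] not in BODY_START:
        tok = tokens[i]
        if tok in ("in", "out"):
            rule["direction"] = tok
        elif tok in ("log", "quick"):
            rule[tok] = True
        elif tok == "on":  # "on re2", or the negated form "on ! re0"
            neg = tokens[i + 1] == "!"
            i += 2 if neg else 1
            rule["iface"] = ("!" if neg else "") + tokens[i]
        elif tok in ("inet", "inet6"):
            rule["af"] = tok
        i += 1  # other tokens (drop/return, route-to ...) are skipped
    m = LABEL_RE.search(line)
    rule["label"] = m.group(1) if m else None
    return rule


def logging_block_rules(ruleset, af=None):
    """Return (direction, iface, label) of every block rule that logs, optionally for one AF."""
    hits = []
    for line in ruleset.splitlines():
        if line.startswith("block"):  # pass/scrub/anchor lines are not of interest here
            r = parse_rule(line)
            if r["log"] and (af is None or r["af"] == af):
                hits.append((r["direction"], r["iface"], r["label"]))
    return hits
```

On a live box, feed the real output of pfctl -sr into logging_block_rules(..., af="inet6"); the two "Block all IPv6" rules show up as the only logging IPv6 block rules in the sample.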
That's it! You did it…
To recap, the rule labeled "Block all IPv6" is not the one I created manually; the one I created is called "Block IPv6" and logging is not enabled on that rule.
However, as soon as I re-enabled IPv6 processing under System->Advanced->Networking: Allow IPv6, the logging of those endless ICMPv6 messages stopped!
Now the logs look appropriate, just the way I would expect them to be. The only records now shown on WAN are the unsolicited traffic, and the majority of it is IPv4.
Thanks to you, the firewall logs on my pfSense are useful again.
I can't thank you enough for all your help.
This was not easy for me to diagnose and I think it is worthy of being mentioned in the official man pages for pfSense.
Again, thank you for all your help and assistance.
-
Fantastic! So now we know that disabling IPv6 added the two block rules at the top with the log option, and that logging was affected by the disable options over on the log settings.
We've both learned something about this now.
-
(Hopefully this isn't a second post… looks like I was logged off and had to come back and repost...)
Thanks guys, now I know I'm not crazy (mostly) :) I had the exact same problem as above, compounded by the fact that I syslog out to a local NAS which, after I disabled IPv6 a bit ago, began churning away 24/7 with all these log messages. I more or less did the same as you did above: re-enable IPv6 on the Advanced tab and add a manual rule with log OFF to block all IPv6 traffic. A few notes for anyone who comes after:
Thanks in part to this:
https://www.engren.se/2013/04/30/some-pfsense-commands-to-keep-handy/
Trying to find the rule that is logging all the messages...
ssh to pfsense
viconfig
The firewall rule we're looking for is not present in this config. It must be generated by whatever reads this config and creates the rules. In the actual runtime rules here:
/tmp/rules.debug
These are the two rules created when System > Advanced > Networking > "Allow IPv6" is unchecked (verified):
Block all IPv6
block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
block out log quick inet6 all tracker 1000000004 label "Block all IPv6"
I say verified because I know those two rules are created and deleted when that checkbox is toggled. I do NOT know if there is anything else modified.
If any pfSense folks happen to see these posts, it sure would be nice to have an extra option in that Advanced tab to control logging.
-
Found what may be a better solution. Based on this:
https://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset
ssh to pfsense
vi /etc/inc/filter.inc
Find the two lines following:
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
In both of those lines remove the string (and one space):
{$log['block']}
Save and quit vi.
Go back to the pfSense UI and
- remove the custom rule we added from previous posts
- uncheck the "Allow IPv6" again
- let pfSense rewrite its rules
Now those default rules are back in place BUT without the log parameter.
My only question: will this manual modification be overwritten by a pfSense update?
-
Hi,
Just went looking for this sort of thing also and found this:
https://doc.pfsense.org/index.php/Firewall_Logs#Disable_Default_Block_Logging
Hopefully this helps?
-
Found what may be a better solution. Based on this:
https://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset
This was very helpful. Thanks!
-
Thanks all for the help in resolving this issue.
I would like to clear something up, to ask actually:
I had the same issue of being clogged by these ICMPv6 logs. After I checked the box "Allow IPv6" in Advanced/Networking I finally got rid of the annoyance. Now, do I need to create a rule manually to block IPv6 traffic (with logging off) so it won't enter my WAN? Or, since I set "IPv6 Configuration Type" to "NONE" on my WAN interface, will IPv6 still be blocked?
Thanks.
-
Why would you want to block IPv6??? That's what the world is moving to. It's the future of the Internet.
-
It's not moving to good direction then. :)
-
While I can't speak about the specific issues here, both ICMP6 and multicasts are essential parts of IPv6. For example, there is no such thing as broadcasts with IPv6. Instead, there are several types of multicasts, to specific groups. Even ARP has been replaced with solicited node multicasts. One thing that's also used extensively is MTU discovery, which involves ICMP6. MTU discovery is essential, as with IPv6 routers are not allowed to fragment packets. With IPv4, you could set the MTU to whatever, and if the packet tried to pass through a router that couldn't handle the MTU, the packet would be fragmented so that the fragments could pass.
I have been running IPv6 for 7 years, including just over a year with pfSense and it works fine.