Disable IPv6 for Parental Controls
-
I have used OpenDNS for years for parental controls. OpenDNS can be configured to block groups of web sites (drugs, pornography, etc.). I recently changed from Sophos to pfSense. pfSense was set up to use OpenDNS (System/General Setup). I have noticed many web sites sneaking through pfSense that were previously denied using Sophos. I tracked this down to web browsers looking up sites using IPv6 DNS instead of the IPv4 OpenDNS servers specified in System/General Setup. I have "Allow DNS server list to be overridden by DHCP/PPP on WAN" unchecked, but apparently my ISP is passing an IPv6 DNS server that pfSense is passing downstream.
I don't want any of my LAN clients able to use IPv6 DNS services.
Note: OpenDNS offers an early version of IPv6 DNS service, but it's not fully configurable with whitelists and blacklists like their IPv4 service. Other vendors (SafeDNS, Norton, Yandex) do not offer configurable IPv6 services, either.
I tried "Prefer to use IPv4 even if IPv6 is available" (System/Advanced), but this did not change any behavior. LAN clients were still prioritizing IPv6 DNS queries over IPv4. Next was blocking IPv6 traffic (System/Advanced), disabling the IPv6 DHCP server, and removing the LAN IPv6 address (on the LAN interface menu), but all of these changes resulted in dead devices. LAN devices could ping external IPv4 addresses, but no DNS-based addressing worked. Apparently, PCs (Windows 7) and iOS devices desperately want to try IPv6 even when the IPv6 DHCP is disabled, they are not receiving IPv6 addresses, and the LAN port on the pfSense has IPv6 disabled.
What IPv6 feature needs to be adjusted on the pfSense so all LAN connected devices default to IPv4 DNS queries?
-
I don't want any of my LAN clients able to use IPv6 DNS services.
Disable all IPv6 on WAN,
or
(better) Put a firewall rule on the LAN interface that blocks all IPv6 traffic.
-
I don't want any of my LAN clients able to use IPv6 DNS services.
Block IPv6 to TCP/UDP port 53 then.
-
I don't want any of my LAN clients able to use IPv6 DNS services.
Block IPv6 to TCP/UDP port 53 then.
I thought about that one, but I guess the question is wrong (disabling IPv6 DNS services) ;) but DNS resolver requests using IPv4 UDP will return A and AAAA records. My browser will take the AAAA right away to visit a site using IPv6.
-
"but DNS resolver requests using IPv4-UDP will return A and AAAA records. My browser will take the AAAA right away to visit a site"
Sure yup - but if you're using OpenDNS and you're filtering what can be returned and not returned. So say you have it set to not look up porn.. You're saying it won't return an A record, but it does return AAAA? I find that highly unlikely… If you only allow access to DNS that does category-based returns for you - ie block porn, malware, etc. - it will not return A or AAAA for these FQDNs.
If you're concerned with IPv6 sneaking through your filtering system - why not just block it outright? Better make sure they don't Teredo it through your IPv4 setup and still get an IPv6 address on the client ;)
Personally - if you don't want a client using IPv6, it's best to just disable it at the client side.. If not it's just going to be spamming out IPv6 noise for something you have blocked anyway.
-
I have tried the following:
- System/Advanced/Network - "All IPv6 traffic will be blocked by the firewall unless this box is checked" - Unchecked
- Interfaces/LAN - "IPv6 Configuration Type" - None
- Interfaces/WAN - "IPv6 Configuration Type" - None
- Servers/DHCPv6 Server & RA - "Enable DHCPv6 server on interface LAN" - Unchecked
- Servers/DHCPv6 Server & RA - "Router Mode" - Disabled
Despite making these changes, LAN devices are assigning Link-Local IPv6 Addresses. Since the devices think IPv6 exists, they aggressively attempt IPv6 – apparently, not able to regress to IPv4 when IPv6 fails. So they are “stuck” in IPv6 mode when IPv6 has been disabled on the pfSense.
I configured a network using an older ASUS router (no IPv6 capabilities) and the LAN devices do not show any IPv6 connectivity attributes. Everything works just fine.
This means pfSense is advertising its IPv6 capabilities to the LAN clients, so the LAN clients believe IPv6 is running. What is pfSense doing? How can I turn it off?
if you don't want a client using ipv6, its best to just disable it at the client side
Clients include laptops and tablets that are used elsewhere and I don't want to make custom client-side settings just for my network. Additionally, I have many iOS (iPhone, iPod, iPad) devices on my system. iOS does not have a profile or setting to disable IPv6.
-
"LAN devices are assigning Link-Local IPv6 Addresses"
That is not how it works.. Just because a device creates a link local address. He will not use that to try and go to the internet…
"This means pfSense is advertising its IPv6 capabilities to the LAN clients"
If you turned off IPv6 - ie set to NONE on the lan interface, and have disabled RA and dhcpv6 there is no way pfsense would be advertising anything IPv6..
edit: So you can see attached my box has an IPv6 link-local address, internet works just fine via IPv4, and just to show it's not actually using IPv6 via Teredo or anything, etc. Which it can't, because I have all of those disabled.. Teredo, 6to4, ISATAP, etc.
Maybe the client is getting a teredo address that is not really working but it has and is trying to use, etc. You can block teredo from working on pfsense if you want as well.
-
johnpoz thank you for identifying my poor knowledge of IPv6. I intend to look at those online courses (and T-shirt!) but want to get my pfSense working with IPv4 before attacking IPv6. I'd much rather develop understanding of IPv6 before implementing it, so I know how to control my network. My problem is retrograding pfSense to IPv4 requires more IPv6 knowledge than I have learned. Circular argument! I need to understand IPv6 to retrograde to IPv4, so I can take my time to learn IPv6?
OK I understand my fallacies of arguments. So I'll try it again, this time without any techno-jargon:
I disabled IPv6 settings on pfSense, but the LAN devices (mostly Windows 7 computers and iOS) still think they should be talking IPv6, even after rebooting and resetting all network switches and gear. Windows and iOS property screens show IPv6 parameters, such as a link-local address. Web browsing or services requiring DNS don't work. Pings to IPv4 numerical addresses still work.
When I replace the pfSense box with m0n0wall or my old Asus Wifi Router, the LAN devices happily drop their IPv6 intentions and operate over IPv4, even without rebooting. Windows and iOS property screens no longer display any IPv6 parameters such as the link-local address. When I disconnect the substitute router and connect pfSense, something is "triggered" on the LAN to make everybody think IPv6 is the default. IPv6 parameters reappear on network property dialogs and everybody stops using IPv4 for DNS queries. I want to find that "trigger" and disable it, so the LAN devices don't think IPv6 is available and revert to IPv4 DNS queries.
-
I'd much rather develop understanding of IPv6 before implementing it,
The book "IPv6 Essentials", from O'Reilly is excellent.
-
"even after rebooting and resetting all network switches and gear. Windows and iOS property screens show IPv6 parameters"
Please post up ipconfig /all from your windows box.. You can also look at what it sees for ipv6 for neighbors via
netsh int ipv6 show neigh
> netsh int ipv6 show neigh

Interface 1: Loopback Pseudo-Interface 1
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::c                                                          Permanent
ff02::16                                                         Permanent
ff02::fb                                                         Permanent
ff02::1:2                                                        Permanent

Interface 13: Local
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff15:d1a4                             33-33-ff-15-d1-a4  Permanent
And look at what routes your box is seeing for ipv6, and ipv4 with the route print command
> route print
===========================================================================
Interface List
 13...18 03 73 b1 0d d3 ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.9.253    192.168.9.100     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.9.0    255.255.255.0         On-link     192.168.9.100    266
    192.168.9.100  255.255.255.255         On-link     192.168.9.100    266
    192.168.9.255  255.255.255.255         On-link     192.168.9.100    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.9.100    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.9.100    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 13    266 fe80::/64                On-link
 13    266 fe80::68e2:9822:c215:d1a4/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
As you can see from the IPv6 routes there is nothing there for anything other than the link-local network. There is no default route for IPv6.. etc..
If you have none set on your pfSense interface, and dhcpv6 off, it would/should not be advertising anything to your clients for any sort of IPv6..
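Added example, not code from the thread, pfSense or Microsoft: a small Python 3.7+ script that reads a route print dump like the ones posted here and reports only the IPv6 state a client could actually use, which is the check being made by eye in the post above (nothing but loopback, link-local and multicast entries, no default route) and the Teredo/6to4 point raised earlier in the thread. It flags a ::/0 default route, anything under the 6to4 prefix 2002::/16 or the Teredo prefix 2001::/32, and any other global prefix, and lists the transition adapters (Teredo, 6to4, ISATAP) from the interface list. The two sample dumps are constructed, cut down to the sections the parser reads; the 6to4 host address in the second one is made up. Worth knowing when reading such a dump: Windows brings 6to4 up only when it believes its IPv4 address is public, and 198.18.0.0/15 is not RFC 1918 space, so a Windows 7 host numbered there can grow a 2002::/16 route even when the LAN router advertises no IPv6 at all.

```python
"""Audit a Windows `route print` dump for IPv6 state a client can actually use
(default route, 6to4, Teredo or a global prefix), as opposed to the loopback,
link-local and multicast entries every IPv6 stack creates on its own.
Added example for this thread, not code from pfSense, Microsoft or the posters.
Needs Python 3.7+ (IPv6Network.subnet_of). Sample dumps below are constructed."""
import ipaddress
import re
KNOWN = (
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("2002::/16"), "6to4"),     # RFC 3056 6to4 prefix
    (ipaddress.ip_network("2001::/32"), "teredo"),   # RFC 4380 Teredo prefix
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("ff00::/8"), "multicast"),
)
USABLE = ("default", "6to4", "teredo", "global")
TUNNEL_KEYWORDS = ("teredo", "6to4", "isatap")
IFACE_RE = re.compile(r"^\s*(\d+)\.\.\.(.*)$")
ROUTE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S.*?)\s*$")


def parse_interfaces(text):
    """Map interface index -> adapter name from the 'Interface List' block."""
    ifaces, in_list = {}, False
    for line in text.splitlines():
        if "Interface List" in line:
            in_list = True
        elif in_list and line.startswith("==="):
            break
        elif in_list and IFACE_RE.match(line):
            idx, rest = IFACE_RE.match(line).groups()
            # drop leading dots, the MAC/GUID bytes and the dot padding
            name = re.sub(r"^[.\s]*(?:[0-9a-fA-F*]{2}\s+)*[.\s]*", "", rest)
            ifaces[int(idx)] = name.strip()
    return ifaces


def parse_ipv6_routes(text):
    """Return (if_index, metric, destination, gateway) from the IPv6 table."""
    routes, in_v6 = [], False
    for line in text.splitlines():
        if "IPv6 Route Table" in line:
            in_v6 = True
        elif "IPv4 Route Table" in line:
            in_v6 = False
        elif in_v6 and ROUTE_RE.match(line):
            idx, metric, dest, gw = ROUTE_RE.match(line).groups()
            routes.append((int(idx), int(metric), dest, gw))
    return routes


def classify(destination):
    """Name the kind of IPv6 destination a route entry points at."""
    try:
        net = ipaddress.ip_network(destination, strict=False)
    except ValueError:
        return "unparsed"  # e.g. an address redacted as 2002:****:****::...
    if net.version != 6:
        return "ipv4"
    if net.prefixlen == 0:
        return "default"   # ::/0: a router or a tunnel is offering transit
    for prefix, label in KNOWN:
        if net.subnet_of(prefix):
            return label
    return "global" if net.is_global else "other"


def audit(text):
    """Return {'tunnel_adapters': [...], 'findings': [...]}; empty findings = no usable IPv6."""
    ifaces = parse_interfaces(text)
    adapters = [n for n in ifaces.values()
                if any(k in n.lower() for k in TUNNEL_KEYWORDS)]
    findings = [f"{classify(dest)} route {dest} on if {idx} ({ifaces.get(idx, '?')})"
                for idx, _m, dest, _gw in parse_ipv6_routes(text)
                if classify(dest) in USABLE]
    return {"tunnel_adapters": adapters, "findings": findings}


SAMPLE_CLEAN = """\
Interface List
 13...18 03 73 b1 0d d3 ......Broadcom NetLink (TM) Gigabit Ethernet
===========================================================================
IPv6 Route Table
  1    306 ::1/128                  On-link
 13    266 fe80::/64                On-link
 13    266 fe80::68e2:9822:c215:d1a4/128  On-link
"""
SAMPLE_6TO4 = """\
Interface List
 26...00 ** ** ** ** ef ......Intel(R) PRO/1000 PT Server Adapter
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 28...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 21...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
          0.0.0.0          0.0.0.0      198.19.19.1    198.19.19.16     10
IPv6 Route Table
 28   1010 2002::/16                On-link
 28    266 2002:c613:1310::c613:1310/128  On-link
 26    266 fe80::/64                On-link
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CLEAN), audit(SAMPLE_6TO4))
```

Run it as-is to audit both samples, or feed it the real output of route print from the client. A redacted host address such as 2002:****:****::****:****/128 comes back as unparsed, but the 2002::/16 prefix route next to it is still flagged, so a redacted dump still gives the answer. The presence of the Teredo/ISATAP/6to4 adapters alone is only reported, not flagged: Windows lists them even when they carry no address.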
-
I changed the pfSense settings (attached JPEG screenshots), rebooted pfSense and Windows 7 workstation simultaneously. There were other devices (wifi AP, other Windows 7 computers) attached to the LAN during this test. Results when the Windows 7 box was freshly booted:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\>netsh int ipv6 show neigh

Interface 1: Loopback Pseudo-Interface 1
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::c                                                          Permanent
ff02::16                                                         Permanent
ff02::fb                                                         Permanent
ff02::1:2                                                        Permanent
ff02::1:ff01:1                                                   Permanent

Interface 21: Teredo Tunneling Pseudo-Interface
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::16                                      255.255.255.255:65535  Permanent
ff02::fb                                      255.255.255.255:65535  Permanent
ff02::1:2                                     255.255.255.255:65535  Permanent
ff02::1:ff01:1                                255.255.255.255:65535  Permanent

Interface 26: Local Area Connection 5
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::c                                       33-33-00-00-00-0c  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::fb                                      33-33-00-00-00-fb  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff01:1                                33-33-ff-01-00-01  Permanent
ff02::1:ffed:798c                             33-33-ff-ed-79-8c  Permanent

C:\>route print
===========================================================================
Interface List
 26...00 ** ** ** ** ef ......Intel(R) PRO/1000 PT Server Adapter
  1...........................Software Loopback Interface 1
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 28...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 21...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      198.19.19.1     198.19.19.16     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      198.19.19.0    255.255.255.0         On-link      198.19.19.16    266
     198.19.19.16  255.255.255.255         On-link      198.19.19.16    266
    198.19.19.255  255.255.255.255         On-link      198.19.19.16    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      198.19.19.16    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      198.19.19.16    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 28   1010 2002::/16                On-link
 28    266 2002:****:****::****:****/128
                                    On-link
 26    266 fe80::/64                On-link
 26    266 fe80::****:****:****:****/128
                                    On-link
  1    306 ff00::/8                 On-link
 26    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\>
-
198.19.19.0 255.255.255.0 On-link 198.19.19.16
Why are you using that range?? That is a special network.. While it should not route on the internet.. Why would you not just use the normal rfc1918 space?
Where is your ipconfig /all? This shows your box has an IPv6 address:
28 1010 2002::/16 On-link
28 266 2002:****:****::****:****/128 On-link
Also you shouldn't even be able to see the dhcpv6 tab for lan if it doesn't have an IPv6 address.. So your NONE setting did not take or something.
Also your running 2.4 beta? What snap?
Look, see I have IPv6 static setup on my LAN.. It's listed in the dhcpv6 section.. It's not enabled, nor is RA enabled.. But it shows it's there to enable because I have IPv6 set static on my LAN interface. But when I change the LAN to NONE for IPv6.. Then there is no LAN interface listed under the DHCPv6 & RA tab.. So clearly you got some problem where pfSense has something on its LAN for IPv6.. Your dhcpv6 tab shows this via that odd range?? That tab should not even be there..
-
I was running the RELEASE, but changed the update settings a few weeks ago to development snapshot. I suspected something was not "sticking". It is running today's snapshot 2.3.5.a.20170828.1049.
I don't want to hijack this thread with IPv4, but you asked. I travel a lot and VPN to my pfSense. Hotels commonly use 10.0.0.0/8 ranges. One of my consulting clients uses 192.168.0.0/16 with a huge subnet mask. I also run across 172.16.0.0/12 addresses. I tried several of these private RFC1918, but eventually, I inevitably run across a conflict. I suppose that's hit-or-miss bad luck of running into a VPN conflict, given the massive selection within the /8 pool. Since I switched to 198.18.0.0/15, there is no longer any conflict opportunity. The 198.19.19.x subnet is good because it's reserved for "network testing". Equipment is expected to work and be testable in the range. Perhaps I'm using it as intended, because I'm testing a "development" release of pfSense … no matter.
I made another attempt and turned off the DHCPv6 server and RA. When I clicked on the LAN interface, pfSense displayed an error screen and crashed. I went to the server room, reset the machine, and connected a console monitor. The console showed an empty configuration for the LAN interface. I re-entered the LAN parameters at the console but it didn’t stick, even through a manual reboot from the console. I restored a previous backup from the console and got the machine working again.
-
I updated to 2.4.0-RC (amd64). Disabled DHCPv6 Server and RA. Changed LAN IPv6 to "none". Went back and checked DHCPv6 and menus were gone. Success. Rebooted pfSense, switchgear, and Windows computer. Windows network adapter showed correct IPv4 statistics and no IPv6 parameters (except for link-local address). LAN devices did not work - Windows, iOS, Android - except a Virtual Machine Android emulator on the Windows computer. Pings to URLs do not work but pings to IP address work. I traced the problem to DNS. Nobody is receiving replies from DNS queries, except the VM, which has hard-coded DNS that bypasses pfSense unbound DNS resolver.
I believe that IPv6 is disabled, but now I'm having a hard time with DNS. Screenshots attached.
-
OK I got my system working with IPv6 disabled.
I turned off the DNS Forwarder and DNS Resolver. Now the LAN clients are working. But without the Forwarder or Resolver, I can't individually assign DNS to LAN clients. For example, the kids LAN clients need to be operating on one DNS policy (forcing Google safe search) and the parents using another DNS policy (such as allowing youtube and netflix). So now my problem is DNS configuration, not belonging in this thread anymore.
In summary, 2.4.0-RC (amd64) seemed to fix my IPv6 problem. Disabling the DHCPv6 server, RA, and LAN IPv6 worked once I updated to 2.4.0-RC (amd64).