Netgate Discussion Forum

    In a firewall rule, what is included in "LAN net" for IPv6?

    48 Posts 5 Posters 11.9k Views
    mrsunfire

      I can confirm this. My Samsung TV is doing the same thing. If you block it, it doesn't use IPv6.

      Netgate 6100 MAX

      IsaacFL @mrsunfire

        I had kind of ignored it for a while, assuming it was a Samsung peculiarity. But I checked the RFC 4861 - Neighbor Discovery in IPv6.

        Par 4.1 Router Solicitation Message Format

        IP Fields:

          Source Address
                         An IP address assigned to the sending interface, or
                         the unspecified address if no address is assigned
                         to the sending interface.
        
          Destination Address
                         Typically the all-routers multicast address.
        
        IsaacFL @IsaacFL

          After further checking I can confirm that Windows 10 does the same thing.

          On power up, first thing it does is send icmpv6 multicast, from source address [::] to [ff02::2] (All routers on the local network segment). After that it uses its link local address as source for multicast.

          So it is not just the Samsung.

          jimp Rebel Alliance Developer Netgate

            Yeah reading through that RFC it does appear to need one more rule to allow from that.

            I've got a commit coming that should fix it up in 2.4.4.

            https://redmine.pfsense.org/issues/8791

            You could make a manual and more specific rule to pass it than allowing any source, though:

            0_1534423796308_Selection_047.jpg

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            JKnott @IsaacFL

              @isaacfl said in In a firewall rule, what is included in "LAN net" for IPv6?:

              I am seeing traffic with a source address of :: (unspecified address) with a multicast to ff02::2.

              That sort of packet shouldn't even be passed by pfSense, as it's intended to be for the local link only. Check the hop limit and you'll likely find it's 255. This value is used to ensure a packet has not passed through a router, as it would have been decremented from 0 and routers are supposed to discard any packet that has a hop limit of 0. And, a source address of :: or unspecified can never be a destination address, as it's only used by a device that doesn't yet know its own address. So, you're looking at a packet that's intended to be used on the local network only and pfSense should not attempt to forward it.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              JKnott @jimp

                @jimp said in In a firewall rule, what is included in "LAN net" for IPv6?:

                I've got a commit coming that should fix it up in 2.4.4.

                Why should a router or neighbour discovery ever be passed by pfSense or any other router? Those are link local only functions. I'd seriously question anything that passes those off the local net.

                jimp Rebel Alliance Developer Netgate @JKnott

                  @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                  Why should a router or neighbour discovery ever be passed by pfSense or any other router? Those are link local only functions. I'd seriously question anything that passes those off the local net.

                  They need to be able to hit the firewall itself so the firewall can answer neighbor/router discovery queries from these clients. It's multicast so it's all local, won't leave its segment, but still valid for the firewall to pass.

                  JKnott

                    I know why they're needed. However, I've been running IPv6 for over 8 years and this has never been an issue. I'll have to fire up Wireshark and try monitoring what happens with another computer.

                    BTW, I have a Samsung Blu-ray player that no longer connects to the Internet at all. They did something absolutely brilliant. When connecting to the Internet, one of the first things the player does is try to connect to a certain web site. Can't reach the site, no connection and it stops there. However, since that was set up, that site, along with many others, switched to https, which this player cannot handle. As I said, brilliant!

                    jimp Rebel Alliance Developer Netgate @JKnott

                      @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                      I know why they're needed. However, I've been running IPv6 for over 8 years and this has never been an issue. I'll have to fire up Wireshark and try monitoring what happens with another computer.

                      I've been running it for years as well without seeing this, but that doesn't make it invalid. It's valid per the RFC and certain (rare?) devices behave this way. There isn't a compelling reason to not allow the traffic. It won't be routed, it's only hitting the local segment.

                      IsaacFL @jimp

                        @jimp said in In a firewall rule, what is included in "LAN net" for IPv6?:

                        @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                        I know why they're needed. However, I've been running IPv6 for over 8 years and this has never been an issue. I'll have to fire up Wireshark and try monitoring what happens with another computer.

                        I've been running it for years as well without seeing this, but that doesn't make it invalid. It's valid per the RFC and certain (rare?) devices behave this way. There isn't a compelling reason to not allow the traffic. It won't be routed, it's only hitting the local segment.

                        If you have been running dual stack then some ipv6 errors have been masked by falling back to IPv4.

                        In my mind I should only have to define a "pass" rule to allow traffic from one subnet to another.

                        The issue is that these rules are needed for services in the router to perform link local functions that are required by ipv6.

                        In this case the default rules are not there to allow the router internally to implement NDP on the local net so I am manually having to create pass rules to get them into the router.

                        JKnott @JKnott

                          @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                          I'll have to fire up Wireshark and try monitoring what happens with another computer.

                          I just did, with another computer running Linux. The first 3 packets were:
                          Neighbour solicitation for its own link local address from ::, for duplicate address check (DAD)
                          Router solicitation, with link local address as source
                          Router advertisement from router to link local address.

                          My question is why are those devices not doing a DAD to ensure they can use their address, as is required by the specs. Once a device passes DAD for its link local address, it's free to use it, as shown in my test.
                          If a device is not doing DAD, it's defective.

                          JKnott @IsaacFL

                            @isaacfl said in In a firewall rule, what is included in "LAN net" for IPv6?:

                            If you have been running dual stack then some ipv6 errors have been masked by falling back to IPv4.

                            What sort of errors? I just ran Wireshark filtering on the computer MAC address and ICMP6. No IPv4 involved at all. Incidentally, I've been running a browser add-in called "ShowIP" that shows the web site address, for years. If there was a problem, I'd have noticed it.

                            jimp Rebel Alliance Developer Netgate @JKnott

                              @jknott Your tests aren't going to tell us anything meaningful about how someone else's device behaves or should behave. Only how yours behave, which is not relevant to this discussion.

                              JKnott @jimp

                                @jimp said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                Your tests aren't going to tell us anything meaningful about how someone else's device behaves or should behave. Only how yours behave, which is not relevant to this discussion.

                                If a device doesn't do DAD, it's defective. Those other people should be running Wireshark to see exactly what's happening. Packet Capture can also be used, but it's not as useful as Wireshark.

                                I'm just getting set up to test a W10 computer, to see what happens with it.

                                JKnott @JKnott

                                  @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                  I'm just getting set up to test a W10 computer, to see what happens with it.

                                  I just tried with W10 and got the exact same sequence as with Linux. Both do DAD and then continue with the link local address. What does that other device do, as shown by Wireshark or Packet Capture? If it's trying to do a RS without having run DAD first, it's defective and has no business being on a network. If it has run DAD, then it should be doing the RS with the link local address as source.

                                  If this is a problem with that other device, then pfSense shouldn't be changed to fix the problem. The problem should be sent back to the company that made the device.

                                  jimp Rebel Alliance Developer Netgate

                                    You already missed the point here. The DAD ND solicitation in your capture mentioned in your post earlier was sourced from ::, too, so pfSense would have dropped it and not responded without this fix.

                                    This is valid traffic, per the RFC mentioned before and also RFC 4429 and RFC 7527. In each case, the DAD NS is sourced from the unspecified address (::) first, and it would be dropped.

                                    JKnott @jimp

                                      @jimp said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                      You already missed the point here. The DAD ND solicitation in your capture mentioned in your post earlier was sourced from ::, too, so pfSense would have dropped it and not responded without this fix.

                                      ????

                                      PfSense should have nothing to do with a DAD from another device. It's simply a check by a device to see if an IP address is in use elsewhere. PfSense or rather the IPv6 stack below it should only respond in the event of a conflict with itself. Likewise NS and RS are below the pfSense level and handled within the FreeBSD IPv6 stack, not pfSense. In fact, you should be able to run FreeBSD or any other operating system and have this work, without any application, such as pfSense, running.

                                      Now, take a look at the RFCs. In RFC 4861, under Neighbor Solicitation, it says:

                                      "Source Address
                                      Either an address assigned to the interface from
                                      which this message is sent or (if Duplicate Address
                                      Detection is in progress [ADDRCONF]) the
                                      unspecified address."

                                      So, no problem using :: in NS.

                                      Now, when we get to RFC 2461, where router solicitations are discussed we have:

                                      "Source Address
                                      An IP address assigned to the sending interface, or
                                      the unspecified address if no address is assigned
                                      to the sending interface."

                                      Sounds OK, but then we get to a curious situation. RAs are sent out to all nodes at intervals or to a specific host, after a RS.

                                      In the RA section:

                                      "Destination Address
                                      Typically the Source Address of an invoking Router
                                      Solicitation or the all-nodes multicast address."

                                      But what address if the RS source is ::? That's not a valid destination address.

                                      So, I'd question whether there should ever be a RA in response to an RS from an unspecified address.

                                      Here's what Cisco says:
                                      When an RA is sent in response to a router solicitation, the destination address in the RA message is the unicast address of the source of the router solicitation message.

                                      But then we get back to what source address, if the unspecified address cannot be used?

                                      In my experience here, with both Linux and W10, the sequence is DAD from the unspecified address, followed by normal RS & RA using the valid link local address. Is that what's happening with that Samsung TV?

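The two packet sequences discussed above (the DAD/RS/RA sequence from the Wireshark capture, and the question of where a solicited RA goes when the RS came from ::) can be checked mechanically against the RFC 4861 receive-side validation rules. The following is an added example written for this page in Python; it is not code from the thread, from pfSense or from FreeBSD. The `NDMessage` model, the `HOST_LL`/`ROUTER_LL` addresses and the sample packets are constructed for the example; the checks themselves follow RFC 4861 sections 4.1, 4.4, 6.1.1, 6.1.2, 6.2.6 and 7.1.1 and RFC 4291 section 2.7.1 for the solicited-node address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 4861 ICMPv6 message types
RS, RA, NS, NA = 133, 134, 135, 136

UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class NDMessage:
    """Only the header fields RFC 4861 receive-side validation looks at.
    Constructed model for this example, not a packet parser."""
    src: str
    dst: str
    icmp_type: int
    hop_limit: int = 255
    code: int = 0
    target: Optional[str] = None  # NS/NA Target Address


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291 section 2.7.1: ff02::1:ffXX:XXXX built from the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def validate(msg: NDMessage) -> List[str]:
    """Return the RFC 4861 validation failures for one message; [] means accept."""
    src = ipaddress.IPv6Address(msg.src)
    dst = ipaddress.IPv6Address(msg.dst)
    errors = []
    # Common to RS/RA/NS/NA (sections 6.1 and 7.1): hop limit 255 proves the
    # packet was never forwarded by a router; ICMP code must be 0.
    if msg.hop_limit != 255:
        errors.append("hop limit is %d, not 255" % msg.hop_limit)
    if msg.code != 0:
        errors.append("ICMP code is %d, not 0" % msg.code)
    if msg.icmp_type == RS:
        # Section 4.1 allows the unspecified source and section 6.1.1 adds no
        # address check beyond the common ones, so an RS from :: is valid.
        pass
    elif msg.icmp_type == RA:
        if src not in LINK_LOCAL:  # section 6.1.2
            errors.append("RA source %s is not link-local" % src)
    elif msg.icmp_type == NS:
        if msg.target is None or ipaddress.IPv6Address(msg.target).is_multicast:
            errors.append("NS target must be a unicast address")  # section 7.1.1
        elif src == UNSPECIFIED and dst != solicited_node(msg.target):
            # Section 7.1.1: a DAD probe (source ::) must be sent to the
            # target's solicited-node multicast group, nowhere else.
            errors.append("NS from :: must go to %s" % solicited_node(msg.target))
    elif msg.icmp_type == NA:
        if src == UNSPECIFIED:  # section 4.4: source is an assigned address
            errors.append("NA must not be sourced from ::")
    else:
        errors.append("type %d is not an ND message" % msg.icmp_type)
    return errors


def ra_destination(rs_src: str) -> ipaddress.IPv6Address:
    """Section 6.2.6: a solicited RA is unicast to the RS source, but when the
    RS came from :: the router MUST send it to the all-nodes multicast address."""
    src = ipaddress.IPv6Address(rs_src)
    return ALL_NODES if src == UNSPECIFIED else src


# Constructed capture following the sequence described above: DAD, RS, RA.
HOST_LL = "fe80::1234:5678:9abc:def0"
ROUTER_LL = "fe80::1"
BOOT_SEQUENCE = [
    NDMessage("::", str(solicited_node(HOST_LL)), NS, target=HOST_LL),
    NDMessage(HOST_LL, str(ALL_ROUTERS), RS),
    NDMessage(ROUTER_LL, HOST_LL, RA),
]
# The early RS from :: that the Windows 10 and Samsung hosts in the thread send.
EARLY_RS = NDMessage("::", str(ALL_ROUTERS), RS)
# An NS that has crossed a router: the decremented hop limit gives it away.
ROUTED_NS = NDMessage("2001:db8::5", str(solicited_node(HOST_LL)), NS,
                      hop_limit=64, target=HOST_LL)


def check_capture(msgs: List[NDMessage]) -> List[List[str]]:
    return [validate(m) for m in msgs]


if __name__ == "__main__":
    for m in BOOT_SEQUENCE + [EARLY_RS, ROUTED_NS]:
        print(m.src, "->", m.dst, "type", m.icmp_type, validate(m) or "OK")
    print("RA answering an RS from :: goes to", ra_destination("::"))
```

Both the DAD probe and the early RS from :: pass validation, which is the point jimp makes about the traffic being valid; the packet that has crossed a router fails on the hop limit alone, which is the check JKnott describes. `ra_destination` answers the open question in the post above: the RFC does not leave the router without a target, it directs the RA to ff02::1.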
                                      jimp Rebel Alliance Developer Netgate

                                        @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                        PfSense should have nothing to do with a DAD from another device. It's simply a check by a device to see if an IP address is in use elsewhere. PfSense or rather the IPv6 stack below it should only respond in the event of a conflict with itself. Likewise NS and RS are below the pfSense level and handled within the FreeBSD IPv6 stack, not pfSense. In fact, you should be able to run FreeBSD or any other operating system and have this work, without any application, such as pfSense, running.

                                        Except those packets won't make it to the stack to be processed if they are blocked by pf, hence the problem.

                                        JKnott

                                          @jimp said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                          Except those packets won't make it to the stack to be processed if they are blocked by pf, hence the problem.

                                          Are you suggesting pfSense is blocking ICMP to itself? That's guaranteed to break SLAAC etc..
                                          Can you ping the pfSense device on either IPv4 or IPv6? Does SLAAC work on your network without rules passing ICMPv6?

                                          jimp Rebel Alliance Developer Netgate @JKnott

                                            @jknott said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                            @jimp said in In a firewall rule, what is included in "LAN net" for IPv6?:

                                            Except those packets won't make it to the stack to be processed if they are blocked by pf, hence the problem.

                                            Are you suggesting pfSense is blocking ICMP to itself? That's guaranteed to break SLAAC etc..
                                            Can you ping the pfSense device on either IPv4 or IPv6? Does SLAAC work on your network without rules passing ICMPv6?

                                            That's the entire problem we've been actually discussing in this thread, which you seem to have missed entirely.

                                            There is a default set of rules in pfSense to pass specific ICMPv6 packets at all times, for things like ND, RA, and so on. These are in place to ensure these features function properly even without a user adding rules to pass them. These rules did not pass from a source of :: to the multicast destination. I added a rule to pass them so it will work.

                                            The full set of automatic default ICMPv6 rules (now)
                                            https://github.com/pfsense/pfsense/blob/75cf92ffe93c7ea71cd5b432c369860b6e66a0d3/src/etc/inc/filter.inc#L3309

                                            The change I made in response to this thread:
                                            https://github.com/pfsense/pfsense/commit/75cf92ffe93c7ea71cd5b432c369860b6e66a0d3#diff-84e675728564ed6deea6ee8002196c14

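To see why a source-of-:: rule is needed at all, and why the narrow form jimp chose (unspecified source to the ff02::/16 multicast range only) is safer than passing any source, here is an added example that models a default-deny filter with two rule sets and runs constructed ICMPv6 packets through both. This is Python written for this page, not pfSense's code; the `BEFORE` and `AFTER` rule sets are an approximation of an "ND must always work" policy for illustration and are not the real rules in filter.inc, which the link above points at. Restricting the rules to the four ND types is also an assumption of the example.

```python
import ipaddress
from collections import namedtuple

# RS, RA, NS, NA per RFC 4861; the example assumes the default rules only
# cover these types (an assumption, not taken from pfSense).
ND_TYPES = frozenset({133, 134, 135, 136})

Packet = namedtuple("Packet", "src dst icmp_type")


class PassRule:
    """One stateless 'pass' rule keyed on source prefix, destination prefix
    and ICMPv6 type. Constructed for this example."""

    def __init__(self, src_net, dst_net, types=ND_TYPES):
        self.src_net = ipaddress.IPv6Network(src_net)
        self.dst_net = ipaddress.IPv6Network(dst_net)
        self.types = types

    def matches(self, pkt):
        return (ipaddress.IPv6Address(pkt.src) in self.src_net
                and ipaddress.IPv6Address(pkt.dst) in self.dst_net
                and pkt.icmp_type in self.types)

    def __repr__(self):
        # pf-like rendering for readability only
        return "pass inet6 proto ipv6-icmp from %s to %s" % (self.src_net, self.dst_net)


def decide(rules, pkt):
    """Default deny: the packet passes only if some rule matches it."""
    for rule in rules:
        if rule.matches(pkt):
            return "pass", rule
    return "block", None


# Approximation of a rule set that trusts link-local sources only.
BEFORE = [
    PassRule("fe80::/10", "fe80::/10"),
    PassRule("fe80::/10", "ff02::/16"),
]
# Same set plus the narrow rule for the traffic discussed in the thread:
# unspecified source, link-local-scope multicast destination, ND types only.
AFTER = BEFORE + [PassRule("::/128", "ff02::/16")]

# Constructed packets: the DAD probe and early RS seen in the thread, a normal
# RS, a forged one from a global source, a :: packet to a unicast address,
# and an echo request from :: to show the type restriction.
SAMPLES = {
    "dad_ns": Packet("::", "ff02::1:ffbc:def0", 135),
    "rs_from_unspec": Packet("::", "ff02::2", 133),
    "rs_from_ll": Packet("fe80::1234:5678:9abc:def0", "ff02::2", 133),
    "rs_from_global": Packet("2001:db8::5", "ff02::2", 133),
    "unspec_unicast": Packet("::", "fe80::1", 135),
    "echo_from_unspec": Packet("::", "ff02::1", 128),
}


def compare(samples=SAMPLES):
    """Map each sample name to (decision before the fix, decision after)."""
    return {name: (decide(BEFORE, p)[0], decide(AFTER, p)[0])
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print("%-17s before=%-5s after=%s" % (name, before, after))
```

The DAD probe and the RS from :: are blocked by the first set and passed by the second, which is the behaviour change the thread is about. Everything the extra rule does not need to cover (a global source, a :: packet aimed at a unicast address, a non-ND ICMPv6 type from ::) stays blocked under both sets, which is the practical difference between this rule and a blanket "any source" pass.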
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.