Netgate Discussion Forum

    pfsense and IPv6 default behavior

    IPv6
• lohphat

      It's not clear from the existing docs how pfSense handles the underlying housekeeping of IPv6 networks.

So far I've had to manually add two rules to apparently compensate for default behavior, but it's not clear whether the rules are needed or best practice.

      e.g.
      I've had to add an IPv6(any) fe80::/10(from) any(to) to the LAN firewall rules to handle basic multicast traffic which is required for basic IPv6 operation. Also I've added an IPv6(ICMP[all]) any(from) LAN net(to) on the WAN side to allow basic ICMP to work.

      One of the big benefits of IPv6 is large multicast media streaming e.g. YouTube live events. It's not clear if the default config would allow for the multicast sessions to be handled correctly. With IPv4 it was a mess requiring kludges and IGMP snooping to work but with IPv6 it's all built in.

      The IPv6 section of the docs is very thin.

      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_1)

• johnpoz (LAYER 8 Global Moderator)

        @lohphat said in pfsense and IPv6 default behavior:

        I've had to add an IPv6(any) fe80::/10(from) any(to) to the LAN firewall rules to handle basic multicast traffic which is required for basic IPv6 operation

        Where did you get idea that you had to add that?

        And that is link-local space, multicast space would be ff00::/8

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

• lohphat @johnpoz

          @johnpoz There are firewall blocked entries for link local to multicast showing in the logs.

          e.g.
          Sep 30 16:15 LAN [fe80::4b7:xxxx:yyyy:zzzz] [ff02::fb]:5353

          So I added the permit fe80::/10 to any rule to suppress those entries.

• johnpoz (LAYER 8 Global Moderator)

That is the link-local address broadcasting for mDNS.. That is not required for anything to work..

• lohphat @johnpoz

              @johnpoz That's my point. Why is link local LAN traffic blocked at all? What if mDNS behavior is desired?

• johnpoz (LAYER 8 Global Moderator)

Because link-local is not LAN net, which would be why it's blocked ;)

Change the source on your IPv6 rule to any if you don't want to see those blocks ;)

And what exactly are you going to be running on pfSense for mDNS to be resolved from it? There is no mDNS package, etc.

• lohphat @johnpoz

                  @johnpoz Yes. I know that but for IPv6 to work it's not clear in the pfSense doc what is and is not appropriate link local traffic. Shouldn't it be presumed that link local to broadcast/multicast traffic on the LAN segment is permitted?

• johnpoz (LAYER 8 Global Moderator)

Why would you assume that.. It's not a requirement for IPv6 to work...

Not sure why the pfSense book or docs should be the IPv6 bible or anything... If you want to learn about IPv6 there are many a resource for that...

Broadcast/multicast traffic isn't going anywhere - why should it be allowed.. What would be listening on pfSense out of the box for such traffic?

The rule is LAN net, not whatever link-local address you might be using, etc., which is not required for IPv6 to function and route through pfSense. Not aware of any service you would run on pfSense where those would be needed, etc.

• lohphat @johnpoz

                      @johnpoz Isn't avahi/zeroconf/bonjour a form of mDNS for auto-enumeration of local hostnames?

Not wanting to get into the weeds, this is the point of my original issue: IPv6 default behavior is not well documented. Multicast/broadcast needs to work for IPv6, and when you see blocked link-local traffic to broadcast destinations it raises questions. If it's blocking that, is it also interfering in other multicast group operations too?

• lohphat @johnpoz

                        @johnpoz Multicast group membership management is key for IPv6 functionality.

                        https://en.wikipedia.org/wiki/IPv6_address#Multicast_addresses

For these key IPv6 group addresses to work, multicast must be working. It is not optional.

• johnpoz (LAYER 8 Global Moderator)

                          @lohphat said in pfsense and IPv6 default behavior:

                          If it's blocking that, is it also interfering in other multicast group operations too?

                          Again like what?? Not sure where you got the idea that link-local to broadcast is required for anything? Are you thinking of maybe icmpv6 that is required for say router solicitation, etc?

                          edit:
                          You might want do a bit more research ;)

pfSense is the gateway off that L3.. it has nothing to do with devices on that L2 talking whatever they want to talk to each other with... They can send traffic all day to [ff02::fb]:5353, pfSense is just not needed in that conversation and why should it allow the traffic to something it's not listening on, etc.

If you happen to have DHCPv6 enabled - just like when you enable DHCP - hidden rules are enabled that are not shown in the GUI that allow the requirements... Look at the full ruleset if you want, etc.
                          https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html

                          edit: also not sure what info you think you found about this

                          One of the big benefits of IPv6 is large multicast media streaming e.g. YouTube live events

                          Think you misread something somewhere ;)

• JKnott @lohphat

                            @lohphat said in pfsense and IPv6 default behavior:

                            @johnpoz That's my point. Why is link local LAN traffic blocked at all? What if mDNS behavior is desired?

                            Given that link local addresses are not routeable, they will never pass through pfSense, so any rules for them will be useless. Link local addresses are useful only on the local network and may be used for things like router advertisements, etc.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

• JKnott @lohphat

                              @lohphat said in pfsense and IPv6 default behavior:

                              @johnpoz Isn't avahi/zeroconf/bonjour a form of mDNS for auto-enumeration of local hostnames?

Not wanting to get into the weeds, this is the point of my original issue: IPv6 default behavior is not well documented. Multicast/broadcast needs to work for IPv6, and when you see blocked link-local traffic to broadcast destinations it raises questions. If it's blocking that, is it also interfering in other multicast group operations too?

First off, there's no such thing as broadcasts in IPv6, only multicasts. The closest thing to broadcasts in IPv6 is all hosts multicast. Then, with multicasts, there's the issue of scope, that is how far the multicast is supposed to travel. That could be as limited as an interface, the local network is commonly used and somewhere beyond a router. I mentioned router advertisements (RAs) in another note. If you watch a network with Packet Capture, you will see RAs from the router, from the router link local address to the all hosts multicast address etc. So, you'll have to consider what the multicast will be used for, its scope, routeable vs link local addresses, etc.

• JKnott @johnpoz

                                @johnpoz said in pfsense and IPv6 default behavior:

                                If you want to learn about IPv6 there are many a resource for that...

                                I recommend IPv6 Essentials.

                                Broadcast/multicast traffic isn't going anywhere - why should it be allowed.

                                No such thing as broadcast on IPv6. Multicast might be passed by a router, depending on scope.

• lohphat @JKnott

@JKnott I understand that. My question is why are Layer 2 packets used for IPv6 housekeeping making it into the logs in the first place? Either they're all handled properly as part of the protocol spec or they're blocked and not processed. Thus the confusion caused by layer 2 housekeeping showing up. If it's not going to be processed by the definition of link local, then why log it?

• lohphat @JKnott

                                    @JKnott I apologize for using "broadcast" I was referring to the all hosts multicast address. Old habits die hard. ;-)

• JKnott @lohphat

                                      @lohphat said in pfsense and IPv6 default behavior:

                                      My question is why are Layer 2 packets used for IPv6 housekeeping making it into the logs in the first place?

                                      Layer 2 is Ethernet. I thought we were talking about IPv6, which is L3. Even link local addresses are L3. Perhaps this is where some of your confusion is coming from.

• lohphat @JKnott

                                        @JKnott Yes, probably. With IPv6 the reserved multicast address member management packets are link local too (IGMP, etc.) so why aren't those packets showing up in the firewall logs but the mDNS packets are?

• johnpoz (LAYER 8 Global Moderator)

I knew you would call me out on the "broadcast" term ;) My bad, yes - bad habit I do need to break, and yes you are correct the term is not correct in relation to IPv6.. But it's the same sort of thing in use ;)

• IsaacFL @lohphat

                                            @lohphat

                                            pfsense by default blocks everything that isn't explicitly passed.

                                            The more correct way would be to have a rule that passes "any" to "multicast". I use ff00::/8 as multicast.

                                            The reason is that you will see multicast coming from your local ipv6 addresses and link local addresses both.

                                            You have to have a rule to pass multicast, if you are using Avahi for instance. The Avahi service inside pfsense will never see the mDNS traffic via ipv6 otherwise.

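The thread turns on three points that are easy to check mechanically: a source of fe80::/10 never matches a "LAN net" source (johnpoz's explanation), ff00::/8 is the multicast range rather than fe80::/10, and a multicast address carries a scope that says whether it can ever cross a router (JKnott's post). The script below is an added example, not code from the thread or from pfSense: it parses a few constructed log summaries in the shape lohphat quoted, classifies source and destination, decodes the multicast scope, and reports which of the candidate pass rules discussed above (default LAN net to any, the fe80::/10 to any rule, and IsaacFL's any to ff00::/8 rule) would have matched each line. The LAN prefix 2001:db8:1::/64 and all addresses are assumed documentation values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed log summaries modeled on the one quoted in the thread
# ("Sep 30 16:15 LAN [src] [dst]:port"). Not real captures.
SAMPLE_LOG = """\
Sep 30 16:15 LAN [fe80::4b7:aaaa:bbbb:cccc] [ff02::fb]:5353
Sep 30 16:15 LAN [2001:db8:1::10] [ff02::fb]:5353
Sep 30 16:16 LAN [2001:db8:1::10] [2001:db8:ffff::53]:53
Sep 30 16:16 LAN [fe80::4b7:aaaa:bbbb:cccc] [ff02::1]:0
Sep 30 16:17 LAN [2001:db8:1::20] [ff05::1:3]:547
"""

LAN_NET = ipaddress.IPv6Network("2001:db8:1::/64")   # assumed LAN prefix
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
MULTICAST = ipaddress.IPv6Network("ff00::/8")
ANY = ipaddress.IPv6Network("::/0")

# RFC 4291 multicast scope values: low nibble of the second address byte.
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

# Candidate pass rules from the thread as (source network, destination network).
RULES = {
    "default LAN net -> any": (LAN_NET, ANY),
    "fe80::/10 -> any (OP's rule)": (LINK_LOCAL, ANY),
    "any -> ff00::/8 (IsaacFL's rule)": (ANY, MULTICAST),
}


@dataclass
class Entry:
    iface: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    port: int


def parse_line(line):
    """Parse 'Mon DD HH:MM IFACE [src] [dst]:port'; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    iface = parts[3]
    src = ipaddress.IPv6Address(parts[4].strip("[]"))
    dst_part, _, port = parts[5].rpartition(":")
    dst = ipaddress.IPv6Address(dst_part.strip("[]"))
    return Entry(iface, src, dst, int(port))


def multicast_scope(addr):
    """Return the RFC 4291 scope name for a multicast address, else None."""
    if addr not in MULTICAST:
        return None
    nibble = addr.packed[1] & 0x0F
    return SCOPES.get(nibble, f"unassigned({nibble:#x})")


def matching_rules(entry):
    """Names of candidate rules whose source and destination both cover the entry."""
    return [name for name, (s, d) in RULES.items()
            if entry.src in s and entry.dst in d]


def analyze(log_text=SAMPLE_LOG):
    results = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        results.append({
            "src": str(e.src), "dst": str(e.dst), "port": e.port,
            "src_link_local": e.src in LINK_LOCAL,
            "dst_multicast_scope": multicast_scope(e.dst),
            "passed_by": matching_rules(e),
        })
    return results


if __name__ == "__main__":
    for r in analyze():
        print(f"{r['src']:>28} -> [{r['dst']}]:{r['port']:<5} "
              f"link-local src={r['src_link_local']!s:5} "
              f"scope={r['dst_multicast_scope']}  passed by: {r['passed_by']}")
```

Running it shows why the mDNS line appeared in the block log with only the default rule in place: its source is link-local, so "LAN net" does not cover it, while a LAN-addressed host sending to the same ff02::fb group is passed. The scope column also shows that ff02:: traffic is link-local scope and cannot be forwarded by the gateway regardless of rules, whereas IsaacFL's any to ff00::/8 rule also admits site-local (ff05::) and larger scopes; if the only goal is to quiet the log, a destination of ff02::/16 is the narrower match.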
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.