pfsense routing local link to internet?
-
So I have a guest LAN subnet and an isolated VLAN.
Currently DHCPv6 and SLAAC are not enabled, so devices only get a routable IPv6 address if they are manually configured; this does not include my phone.
I have a deny-all rule at the end to catch packets not whitelisted in my walled garden, and it logs the hits. fe80 is being blocked because the rule is configured to only allow my IPv6 subnet as the source IP for outgoing internet requests.
I am seeing blocked Facebook packets, and the two weird thoughts are:
1 - Why is Android sending out requests over IPv6 when it has no routed IPv6?
2 - Why is pfSense trying to route these packets?
Some example log entries follow. Am I correct that fe80 interfaces should not be routing internet traffic? Or are my expectations wrong? All the documentation I have read suggests fe80 should not be used for routing internet traffic and only for LAN functions such as DHCPv6, discovery, etc.
Oct 22 09:45:14 LAN2 USER_RULE (1554343263) [fe80::66a2:f9ff:fe4c:f44c]:41268 [2a03:2880:f029:16:face:b00c:0:3]:443 TCP:S
Oct 22 09:41:05 LAN2 USER_RULE (1554343263) [fe80::66a2:f9ff:fe4c:f44c]:46888 [2a02:e0:3116:0:face:b00c:3333:a3f]:443 TCP:S
The above is akin to outbound NAT on IPv4, such as 192.168.0.45 as source and 8.8.8.8 as destination.
All my devices, regardless of which subnet they are on, are being given fe80::1 as the gateway, not the routable IPv6 address on pfSense. I don't know if this is contributing to the problem.
When I tested on Windows, using basic tests, it all seems to work as expected: a Windows machine on the guest LAN fails to connect to IPv6 sites and fails IPv6 connectivity tests, but when I manually give it a routable IPv6 address from the subnet I assigned, IPv6 works (on the permitted ports). So it works as expected on Windows clients.
-
@chrcoluk said in pfsense routing local link to internet?:
All my devices, regardless of which subnet they are on, are being given fe80::1 as the gateway, not the routable IPv6 address on pfSense. I don't know if this is contributing to the problem.
On IPv6 the link-local address is used for routing. Here's my default route on a Linux system:
default via fe80::1:1 dev eth0 proto ra metric 1024 expires 54sec hoplimit 64 pref medium
-
Ok thanks.
Does that Linux system still have internet access if it only has a link-local IP (no routable IP)?
-
@chrcoluk said in pfsense routing local link to internet?:
Ok thanks.
Does that Linux system still have internet access if it only has a link-local IP (no routable IP)?
No. Are you actually seeing packets being routed through pfSense? Run Packet Capture to see what's happening on the Internet side.
-
Yep, they are being routed, hence my attention being drawn to it.
It does look unique to Android in terms of the client device triggering the behaviour. I also tested on a desktop Linux system and it behaves the same as Windows; it doesn't even attempt internet IPv6 when fe80 is the only IP on the interface, which I believe is how it should be.
I also get the Google Play Store sending IPv6 packets from fe80 when that is accessed, and pfSense also routes those to WAN.
--
Ok, thinking about it some more, I have no proof pfSense is trying to route the packets, as I assume it's assessing the rules right after the packet is processed inbound by the NIC, so before the packets hit any routing table. What I will do as a test is switch the rule to allow whilst still logging, then set up a rule on the WAN interface which also logs, and see if these packets ever hit the WAN interface. If they do, it's routing; if they don't, it's not and it's fine.
The problem, it would seem, is Android. But I will run this little test to confirm, as well as the packet capture.
-
@chrcoluk said in pfsense routing local link to internet?:
then set up a rule on the WAN interface which also logs
No reason to do that. What you would want is to just sniff on WAN, to see if it's sending traffic out with the link-local as source.
-
@chrcoluk said in pfsense routing local link to internet?:
Ok, thinking about it some more, I have no proof pfSense is trying to route the packets, as I assume it's assessing the rules right after the packet is processed inbound by the NIC, so before the packets hit any routing table. What I will do as a test is switch the rule to allow whilst still logging, then set up a rule on the WAN interface which also logs, and see if these packets ever hit the WAN interface. If they do, it's routing; if they don't, it's not and it's fine.
The problem, it would seem, is Android. But I will run this little test to confirm, as well as the packet capture.
This is why I said to run Packet Capture on the Internet side (WAN interface). While Android shouldn't be forwarding from the link-local address, pfSense also shouldn't try to forward if it is. If pfSense doesn't forward it, then no problem.
-
Looking at the packet capture, it indicates it's not being routed to the internet by pfSense.
Example below:
07:07:38.323493 00:0e:c4:d2:7d:be > 64:a2:f9:4c:f4:4c, ethertype IPv6 (0x86dd), length 134: (hlim 64, next-header ICMPv6 (58) payload length: 80) fe80::1:1 > fe80::66a2:f9ff:fe4c:f44c: [icmp6 sum ok] ICMP6, destination unreachable, beyond scope 2a03:2880:f221:c4:face:b00c:0:43fe, source address fe80::66a2:f9ff:fe4c:f44c
So question answered, thanks guys. The Instagram app is what's generating these packets, although it's possible WhatsApp is also. I definitely only have an fe80 interface on the phone for IPv6.
-
What does that tell you? All I see is a frame with no indication of what it is or IP addresses. When I run packet capture, I download the capture file and read it with Wireshark. To see if the packet is being routed out of pfSense, you'd filter on the link local address of the Android device and watch for it on the WAN interface. In Packet Capture, you can enter that address as a filter.
-
I don't use Wireshark; I'm not really a fan of it and don't know how to use it.
The IP addresses are in my paste.
"fe80::1:1 > fe80::66a2:f9ff:fe4c:f44c:"
and
"beyond scope 2a03:2880:f221:c4:face:b00c:0:43fe, source address fe80::66a2:f9ff:fe4c:f44c"
Basically, pfSense sent an ICMP unreachable back to the Android device rejecting the request.
I did use the Android link-local address as the filter in Packet Capture.
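To make the scope argument concrete for both the blocked firewall-log entries in the first post and the ICMPv6 reply seen in the capture, here is an added example (not pfSense, tcpdump or forum code). It classifies the source and destination of each logged flow by IPv6 scope, decides whether a router could ever forward it off-link, and decodes the tcpdump "destination unreachable, beyond scope" line into its RFC 4443 type 1 code 2 meaning ("beyond scope of source address"). The sample lines are copied from the posts above; the two regular expressions assume exactly the pfSense firewall-log display format and tcpdump wording shown there, and the tcpdump reason-to-code table only covers the one reason that appears in the thread.

```python
"""Triage IPv6 scope in pfSense firewall-log entries and decode the ICMPv6 reply.

Added example for this thread; not pfSense or tcpdump code. The sample lines
are copied from the posts above. Parsing assumes the exact pfSense firewall-log
display format and the tcpdump text shown there.
"""
import ipaddress
import re

# RFC 4443 section 3.1: codes for ICMPv6 type 1 (Destination Unreachable).
ICMPV6_UNREACH_CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}

# tcpdump's wording for the reason, mapped to the RFC code. Only "beyond scope"
# appears in the capture above; any other reason decodes to None here.
TCPDUMP_REASON_TO_CODE = {"beyond scope": 2}

# pfSense firewall-log display format as pasted in the first post (assumption):
#   <timestamp> <iface> <rule> (<rule id>) [src]:sport [dst]:dport <proto:flags>
FILTERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) (?P<rule>\S+) \((?P<rid>\d+)\) "
    r"\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+) "
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+) (?P<proto>\S+)$"
)

# tcpdump -v line for an ICMPv6 destination unreachable, as in the capture above.
TCPDUMP_UNREACH_RE = re.compile(
    r"(?P<router>[0-9a-fA-F:]+) > (?P<host>[0-9a-fA-F:]+): .*ICMP6, destination unreachable, "
    r"(?P<reason>[a-z ]+?) (?P<orig_dst>[0-9a-fA-F:]+), source address (?P<orig_src>[0-9a-fA-F:]+)"
)


def scope(addr: str) -> str:
    """Classify an IPv6 address by scope. Link-local is tested first because
    Python's ipaddress also reports fe80::/10 as 'private'."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a.is_loopback:
        return "loopback"
    if a.is_private:          # fc00::/7 unique-local
        return "unique-local"
    if a.is_global:
        return "global"
    return "other"


def forwardable(src: str, dst: str) -> tuple:
    """Can a router legitimately forward src -> dst off-link?
    A link-local source never leaves its link (RFC 4291 section 2.5.6), so a
    global destination is unreachable from it regardless of firewall rules."""
    s, d = scope(src), scope(dst)
    if s == "link-local" and d == "global":
        return False, "link-local source to global destination: router drops it and may reply ICMPv6 type 1 code 2"
    if s == "global" and d == "global":
        return True, "global to global: routable if a route exists"
    return False, f"{s} -> {d}: on-link or local scope only"


def triage_filterlog(lines):
    """Parse pfSense firewall-log lines and attach a scope verdict to each."""
    out = []
    for line in lines:
        m = FILTERLOG_RE.match(line.strip())
        if not m:
            continue              # not in the expected display format; skip
        ok, why = forwardable(m["src"], m["dst"])
        out.append({"rule_id": m["rid"], "src": m["src"], "dst": m["dst"],
                    "dport": int(m["dport"]), "forwardable": ok, "why": why})
    return out


def decode_unreachable(line: str):
    """Extract the embedded original src/dst from a tcpdump ICMPv6 unreachable
    line and check that the router's reason agrees with the scope analysis."""
    m = TCPDUMP_UNREACH_RE.search(line)
    if not m:
        return None
    code = TCPDUMP_REASON_TO_CODE.get(m["reason"])
    ok, _ = forwardable(m["orig_src"], m["orig_dst"])
    return {
        "router": m["router"], "host": m["host"], "code": code,
        "meaning": ICMPV6_UNREACH_CODES.get(code, "unknown"),
        "orig_src": m["orig_src"], "orig_dst": m["orig_dst"],
        # True when a "beyond scope" reply matches a link-local source that
        # the scope check also says cannot be forwarded
        "consistent": code == 2 and not ok and scope(m["orig_src"]) == "link-local",
    }


# Sample input (copied from the thread): the two blocked entries and the capture line.
SAMPLE_LOG = [
    "Oct 22 09:45:14 LAN2 USER_RULE (1554343263) [fe80::66a2:f9ff:fe4c:f44c]:41268 [2a03:2880:f029:16:face:b00c:0:3]:443 TCP:S",
    "Oct 22 09:41:05 LAN2 USER_RULE (1554343263) [fe80::66a2:f9ff:fe4c:f44c]:46888 [2a02:e0:3116:0:face:b00c:3333:a3f]:443 TCP:S",
]
SAMPLE_CAPTURE = (
    "07:07:38.323493 00:0e:c4:d2:7d:be > 64:a2:f9:4c:f4:4c, ethertype IPv6 (0x86dd), length 134: "
    "(hlim 64, next-header ICMPv6 (58) payload length: 80) fe80::1:1 > fe80::66a2:f9ff:fe4c:f44c: "
    "[icmp6 sum ok] ICMP6, destination unreachable, beyond scope 2a03:2880:f221:c4:face:b00c:0:43fe, "
    "source address fe80::66a2:f9ff:fe4c:f44c"
)

if __name__ == "__main__":
    for entry in triage_filterlog(SAMPLE_LOG):
        print(entry)
    print(decode_unreachable(SAMPLE_CAPTURE))
```

Run against the thread's own lines, both log entries come back as not forwardable (link-local source, global destination), and the capture decodes to code 2 with the "consistent" flag set: the router's reply and the scope rule say the same thing, so a deny rule matching these on the LAN side is belt-and-braces rather than the thing stopping them.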