Netgate Discussion Forum

    IPv6 disabled yet majority of firewall blocks are IPv6

      sterlinggold

      Hi there,

      I have IPv6 disabled under System > Advanced > Networking, yet 90% of my firewall block activity is IPv6. Most are LAN and UDP protocol. Is this expected?

      Thank you so much.

        Derelict LAYER 8 Netgate

        If hosts on the inside are using IPv6 it would be expected that the firewall would be logging blocks.

        You might want to post some of the blocks so people can see what you're talking about.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          jimp Rebel Alliance Developer Netgate

          "Disabling" IPv6 from that page only blocks the traffic, so that's somewhat expected. Just because the system isn't actively trying to use IPv6 doesn't mean you won't see it on the network. IPv6 heavily leverages multicast where the firewall will see the packets on the network no matter what.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            sterlinggold

            Thank you, here are some of the blocks I see. Is there any way I can correlate what are the hosts behind this IPv6 traffic? My DHCPv6 Leases is empty so not really sure what is sending these packets.

            Nov 4 16:37:18 EM2 [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
            Nov 4 16:37:18 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
            Nov 4 16:37:18 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
            Nov 4 16:37:13 EM2 [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
            Nov 4 16:37:13 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
            Nov 4 16:37:13 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
            Nov 4 16:37:09 EM2 [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
            Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
            Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
            Nov 4 16:37:09 EM2 [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
            Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
            Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
            Nov 4 16:38:07 EM2 [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
            Nov 4 16:38:07 LAN [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
            Nov 4 16:38:07 LAN [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
            Nov 4 16:26:42 EM2 [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
            Nov 4 16:26:42 LAN [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
            Nov 4 16:26:42 LAN [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP

              Derelict LAYER 8 Netgate

              Packet capture and look at the MAC addresses, I suppose. From some of the link-local addresses the MACs can be gleaned from the EUI-64 format there.

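The EUI-64 decoding suggested in the reply above, as an added example that is not part of the original thread: it takes a subset of the posted block lines, recovers the MAC where the link-local source uses a modified EUI-64 interface ID, and labels the multicast destination. The multicast labels and function names are additions here; an address without the `ff:fe` marker has a random interface ID and needs a packet capture instead.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the blocks posted in this thread.
LOG = """\
Nov 4 16:37:18 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:13 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:38:07 LAN [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
Nov 4 16:26:42 LAN [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
"""

# Well-known link-local multicast groups seen as destinations (labels added here).
GROUPS = {
    "ff02::2": "all-routers (router solicitation)",
    "ff02::fb": "mDNS",
    "ff02::1:2": "DHCPv6 servers/relays",
}

# [src](:port)? [dst](:port)? proto
LINE = re.compile(
    r"\[([0-9a-fA-F:]+)\](?::\d+)?\s+\[([0-9a-fA-F:]+)\](?::\d+)?\s+(\S+)\s*$"
)

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    # EUI-64 inserts ff:fe between the two halves of the MAC.
    if not ip.is_link_local or iid[3:5] != b"\xff\xfe":
        return None  # random/privacy interface ID: MAC not recoverable
    # Undo the universal/local bit flip on the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def summarize(log):
    """Map each source address to (recovered MAC or None, set of traffic types)."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            src, dst, _proto = m.groups()
            seen[src].add(GROUPS.get(dst, dst))
    return {src: (mac_from_eui64(src), kinds) for src, kinds in seen.items()}

if __name__ == "__main__":
    for src, (mac, kinds) in summarize(LOG).items():
        print(f"{src:28} MAC={mac or 'not EUI-64':18} {sorted(kinds)}")
```

The recovered MACs can then be matched against the IPv4 DHCP leases or ARP table to name the device.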
                sterlinggold

                Thanks again, one of them looks like an Android device, which is not easy to disable IPv6 on.

                So is the best practice to enable IPv6? I'm concerned about needing to maintain double firewall, Suricata, and traffic rules.

                  Derelict LAYER 8 Netgate

                  Or ignore the logs.

                  Or make rules that suppress the logs.

                  Whether or not you enable IPv6 really depends on whether or not you have IPv6.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.