Netgate Discussion Forum

    Disable IPV6 completely

    • Gertjan

      Hi,

      Even when you disable IPv6 on your router, there will still always be IPv6 traffic on your LANs, as it is the default traffic these days - IPv4 is only used when IPv6 is broken / not set up.
      You have to disable it on any device, if possible.

      You are seeing log lines because you activated the default firewall block logging? See log settings.
      If you didn't add any IPv6 rules, and default block rules aren't logging, then IPv6 will just be discarded.

      @erbalo said in Disable IPV6 completely:

      I have installed pfblocker and also blocked all IPV6 GEOip addresses.

      What?
      You want to disable IPv6 and still include IPv6 rules?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • NogBadTheBad

        @Gertjan said in Disable IPV6 completely:

        You are seeing log lines because you activated the default firewall block logging? See log settings.
        If you didn't add any IPv6 rules, and default block rules aren't logging, then IPv6 will just be discarded.

        Create a firewall rule to drop IPv6 and not log; as @Gertjan mentioned, you'll still see IPv6 from the end devices otherwise.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • johnpoz LAYER 8 Global Moderator

          Please post an example of what you're seeing in the logs.

          If you want to stop the noise of IPv6, it's best to turn it off on the device if possible.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • provels

            Try looking at this old post. I did this before I started running IPv6. It turns off logging for the quick rule if the "Allow IPv6" checkbox is unchecked.
            https://forum.netgate.com/topic/101469/ipv6-multicasts-flooding-the-pfsense-logs/16
            Looks like it's around line 3253 in /etc/inc/filter.inc in 2.4.4-3.
            If you do this, it will be overwritten by upgrades. You'll need to redo.
            Ignore as needed, I'm pretty hung over. Too much quarantine.

            Peder

            MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
            BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

            • johnpoz LAYER 8 Global Moderator

              Not logging stuff you have control over is not the best solution. Since it's still actually there - you're just not looking at it.

              For example, it is one thing if you're tired of looking at the noise from the public internet of the bots hitting you on port 3389, and you just don't want to see it in your logs any more. There is really nothing you can do about that sort of noise.

              But if what you're seeing is your devices asking for DHCPv6, and your firewall is logging it: what is better for your network? Just turn off the logging and ignore it, or set the device that keeps asking for DHCPv6 to not ask for DHCPv6, since you're not running IPv6 on this network?

              Details of what exactly is being logged will help us determine the best way to accomplish what @erbalo wants.

              Maybe what is flooding his logs with noise is some IoT device that he has zero control over putting IPv6 noise on the wire. A better solution than just ignoring this by not logging it might be to isolate that IoT device and any of its brothers to their own L2, so that the noise isn't on his normal devices' network/wifi. Or maybe he can block the noise at the switch port before it enters the network, vs just not logging it.

              • erbalo

                Here are some details about my configs and logs. The problem is that there are too many logs; I can't see other logs and can't solve other problems because of too many IPv6 logs.

                Some of the logs:

                5791c246-5404-42a9-ac5a-ec377dc02fdb-afbeelding.png

                Can you please also verify my system log settings?

                d96204cf-4f12-4010-80a3-18adf89e656d-afbeelding.png

                pfBlocker also blocked IPv6 country:
                e0374962-5295-4a53-82dd-a93e298dc53e-afbeelding.png

                IPv6 settings of pfSense:
                2d0774a8-eb98-4269-bcb1-70aa0d671416-afbeelding.png

                • johnpoz LAYER 8 Global Moderator

                  Not sure the point of hiding link-local IPs. But that traffic is multicast DNS and LLMNR (another local name resolution protocol).

                  I would suggest you turn that off at the machine. The LLMNR would scream some Windows machine to me. Turn it off there.

                  But if you don't want that nonsense logged, then create a rule that doesn't log it. I would create a rule with dest say ff00::/8 and not log it.

                  example.jpg

                  • erbalo

                    @johnpoz said in Disable IPV6 completely:

                    ff00::/8

                    OK, but for me the destination IPv6 address is different every time.

                    When you added this rule, did you also set it to pass? Is it not strange to do that? In my logs I see that this address is blocked.

                    • johnpoz LAYER 8 Global Moderator

                      Doesn't matter if you pass it or block it... pfsense isn't going to do anything with it anyway!

                      The dest ff00::/8 would include all of that dest traffic!

                      Again the best solution is to turn off the noise at the source!!

                      • Gertjan @johnpoz

                        @johnpoz said in Disable IPV6 completely:

                        Again the best solution is turn off the noise at the source!!

                        Another one might be: locate and obliterate that device that likes ports "5353 and 5355" so much.

                        • erbalo @johnpoz

                          @johnpoz When I want to add this rule it says the destination IP is not correct; how did you add that to the rule? I am planning to add this rule on floating and then as block.

                          • NogBadTheBad

                            Post a screenshot.

                            You can drag a screenshot into the reply window.

                            • johnpoz LAYER 8 Global Moderator

                              As network

                              network.jpg

                              Make sure you tick the quick checkbox! How many interfaces do you have? It's normally a GOOD idea to put the rules directly on the interface, so you don't forget about them when looking at your rules.

                              It would be one thing if you had 100 interfaces. But when you have a handful, just put the rules directly on the interface!!

                              But if you don't want to see any IPv6 noise, probably just make the dest ANY IPv6 vs the specific multicast destination.

                              • erbalo

                                This post is deleted!

                                • johnpoz LAYER 8 Global Moderator

                                  Because that is NOT a single address. ff00::/8 is a NETWORK!

                                  And again, it's not going to do you any good on floating if you don't tick the quick option!

                                  Why would you be picking the WAN interface? Are you seeing IPv6 noise on your WAN? That you don't have an IPv6 address on? What sort of noise is that? Post a screenshot of such noise please.

                                  And yet again I am going to mention this - you would be better off turning it off at the source of the NOISE!! Disable IPv6 on your Windows machines for example, which I would guess would have been the source of that LLMNR traffic. Windows loves to have that shit on by default.

                                  • erbalo

                                    With these settings the logs are not gone and are still coming in.

                                    I have searched for the source in ntopng but I can't find which device it is; I don't get a DNS name.

                                    5a11e4b9-ce0f-44e8-95a9-634784a6bb7f-afbeelding.png

                                    I will also try to put the rule on the interfaces.

                                    • johnpoz LAYER 8 Global Moderator

                                      And is what you're seeing in the logs to the ff00:: network?

                                      What you posted before was. You're saying you're still seeing that? What other rules do you have on floating? So we can see the order.

                                      Since you don't want to see IPv6 in your logs, just set the dest to ANY, vs just multicast.

                                      ff02::fb in your log, for example, is the IPv6 link-local dest multicast address

                                      FF02:0:0:0:0:0:0:FB mDNSv6

                                      So if you're still seeing it logged, you have something other than the default rule logging it. Possibly the Block ALL IPv6 rule. What is the description on your log?

                                      Turn off the block all IPv6 setting. It's pretty pointless if you don't have any IPv6 set up on your interfaces in the first place, or don't allow IPv6 in your rules anyway.

                                      1 Reply Last reply Reply Quote 0
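Added example (not part of any post in this thread): a short Python check of why `ff00::/8` has to be entered as a network rather than a single address, which logged destinations such a rule covers, and which source is producing the mDNS (5353) and LLMNR (5355) traffic. The records are constructed for the example, and recovering a MAC from an EUI-64 link-local source goes beyond what the thread discusses.

```python
import ipaddress
from collections import Counter

# ff00::/8 is the whole IPv6 multicast range: a network, not one host address.
MULTICAST = ipaddress.ip_network("ff00::/8")

# Ports named in the thread: 5353 = multicast DNS, 5355 = LLMNR.
NOISE_PORTS = {5353: "mDNS", 5355: "LLMNR"}

# Constructed blocked-packet records: (source, destination, UDP dest port).
# Addresses are made up for this example, not taken from the poster's logs.
SAMPLE = [
    ("fe80::1c2d:3e4f:5a6b:7c8d", "ff02::fb", 5353),
    ("fe80::1c2d:3e4f:5a6b:7c8d", "ff02::1:3", 5355),
    ("fe80::aa11:22ff:fe33:4455", "ff02::fb", 5353),
    ("fe80::1c2d:3e4f:5a6b:7c8d", "ff02::1:3", 5355),
    ("fe80::aa11:22ff:fe33:4455", "ff02::1:2", 547),  # DHCPv6 solicit
    ("2001:db8::10", "2001:db8::1", 443),  # unicast, outside ff00::/8
]

def is_single_address(text):
    """True if text parses as one IPv6 host address (no prefix length)."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False

def rule_matches(dst):
    """Would a rule with destination network ff00::/8 match this packet?"""
    return ipaddress.IPv6Address(dst) in MULTICAST

def mac_from_eui64(src):
    """Recover the MAC from an EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(src).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random/privacy interface ID, no MAC embedded
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def noisy_sources(records):
    """Count multicast packets per (source, protocol) to find the talker."""
    hits = Counter()
    for src, dst, port in records:
        if rule_matches(dst):
            hits[(src, NOISE_PORTS.get(port, f"udp/{port}"))] += 1
    return hits

if __name__ == "__main__":
    print(is_single_address("ff00::/8"), is_single_address("ff02::fb"))
    for (src, proto), n in noisy_sources(SAMPLE).most_common():
        print(n, proto, src, mac_from_eui64(src))
```

A source whose interface ID is not EUI-64 returns no MAC; in that case the neighbour table on the firewall or switch is the place to map the link-local address to a port.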
                                      • erbalo

                                        Here are some of the logs:
                                        dab4d26f-0bde-4033-867a-9402c972c7d4-afbeelding.png

                                        • Gertjan

                                          When you want to block all incoming IPv6 traffic:

                                          854efb59-f29d-4750-9c1c-b069f96c87b6-image.png

                                          Note: unchecking this option == blocking IPv6 activates rule "1000000003" =

                                          block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
                                          

                                          and you have this option set :

                                          288933b7-3129-4207-a8b8-6b95544c3f5e-image.png

                                          then yeah, your firewall log will get hail stormed by these '1000000003' lines.
                                          After all, all your devices on your LANs are still going to try to use IPv6.

                                          So, you get exactly what you are asking ...

                                          • erbalo @Gertjan

                                            @Gertjan

                                            Oh just;

                                            1. Uncheck the Allow IPv6 option (for me it was already unchecked)
                                            2. And then using the Command shell run: block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
                                            3. Go to the rule 1000000003 and uncheck Log packets

                                            Is that correct?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.