Netgate Discussion Forum
    Disable IPV6 completely

    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      Doesn't matter if you pass it or block it... pfsense isn't going to do anything with it anyway!

      The dest ff00::/8 would include all of that dest traffic!

      Again the best solution is turn off the noise at the source!!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • GertjanG
        Gertjan @johnpoz
        last edited by

        @johnpoz said in Disable IPV6 completely:

        Again the best solution is turn off the noise at the source!!

        Another one might be : locate and obliterate that device that likes so much ports "5353 and 5355 ".

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • E
          erbalo @johnpoz
          last edited by

          @johnpoz When I want to add this rule it says the destination IP is not correct. How did you add that to the rule? I am planning to add this rule on floating and then as block.

          • NogBadTheBadN
            NogBadTheBad
            last edited by

            Post a screenshot.

            You can drag a screenshot into the reply window.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              As network

              network.jpg

              Make sure you tick the quick checkbox! How many interfaces do you have? It's normally a GOOD idea to put the rules directly on the interface... So you don't forget about them when looking at your rules.

              There would be 1 thing if you had 100 interfaces... But when you have a handful, just put the rules directly on the interface!!

              But if you don't want to see any ipv6 noise - prob just make the dest ANY Ipv6 vs the specific multicast destination

              • E
                erbalo
                last edited by

                This post is deleted!
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  Because that is NOT a single address, ff00::/8 is a NETWORK!

                  And again it's not going to do you any good on floating if you don't tick the quick option!

                  Why would you be picking the WAN interface? Are you seeing ipv6 noise on your wan? That you don't have an IPv6 address on? What sort of noise is that? Post a screenshot of such noise please.

                  And yet again I am going to mention this - you would be better off turning it off at the source of the NOISE!! Disable IPv6 on your windows machines for example... Which I would guess would have been the source of that LLMNR traffic.. Windows loves to have that shit on by default..

                  • E
                    erbalo
                    last edited by

                    With these settings the logs have not gone away and are still coming in.

                    I have searched for the source in NTOPng but I can't find which device that is, I don't get a DNS name.

                    5a11e4b9-ce0f-44e8-95a9-634784a6bb7f-afbeelding.png

                    I will also try to put the rule on the interfaces.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      And is what you're seeing in the logs to the ff00:: network?

                      What you posted before was.. You're saying you're still seeing that? What other rules do you have on floating? So we can see the order.

                      Since you don't want to see IPv6 in your logs, just set the dest to ANY.. vs just multicast..

                      ff02::fb in your log for example is the ipv6 link-local dest multicast address

                      FF02:0:0:0:0:0:0:FB mDNSv6

                      So if you're still seeing it logged, you have something other than the default rule logging it. Possibly the Block ALL IPv6 rule... What is the description on your log?

                      Turn off the block all IPv6 setting... It's pretty pointless if you don't have any ipv6 setup on your interfaces in the first place, or don't allow IPv6 in your rules anyway.

                      • E
                        erbalo
                        last edited by

                        Here are some of the logs:
                        dab4d26f-0bde-4033-867a-9402c972c7d4-afbeelding.png

                        • GertjanG
                          Gertjan
                          last edited by Gertjan

                          When you want to block all incoming IPv6 traffic :

                          854efb59-f29d-4750-9c1c-b069f96c87b6-image.png

                          Note : unchecking this option == blocking IPv6 activates rule "1000000003" =

                          block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
                          

                          and you have this option set :

                          288933b7-3129-4207-a8b8-6b95544c3f5e-image.png

                          then yeah, your Firewall log will get hail stormed by these '1000000003' lines.
                          After all, all your devices on your LAN's are still going to try to use IPv6.

                          So, you get exactly what you are asking ...

                          • E
                            erbalo @Gertjan
                            last edited by

                            @Gertjan

                            Oh just;

                            1. Uncheck the Allow IPV6 (it was by me already unchecked)
                            2. And then using the Command shell run: block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
                            3. Go to the Rule 1000000003 and uncheck Log packets

                            Is that correct?

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz

                              You're not supposed to run anything in the shell.

                              Your block all IPv6 rule is evaluated before your no log rule.. So stop blocking all IPv6.. and your logs will clear up..

                              With your no log rule..

                              Blocking all IPv6 is pointless if you're not allowing it in the first place.. all interfaces have default deny. Unchecking that box is just going to spam your log with all IPv6 traffic that is blocked.

                              Also ZERO point in hiding link-local address space.. But stops us from seeing if that is 1 device or multiple devices. Again the best advice I can give you is turn IPv6 off at the devices themselves if you don't want noise on your network... You're not using IPv6.. So every packet put on the wire is just noise, be you log it or not..

                              • viktor_gV
                                viktor_g Netgate
                                last edited by

                                also check this: https://redmine.pfsense.org/issues/9837

                                • GertjanG
                                  Gertjan @erbalo
                                  last edited by Gertjan

                                  @erbalo said in Disable IPV6 completely:

                                  Is that correct?

                                  For one third.

                                  Uncheck - see my image above.
                                  Doing so, this will place a firewall rule '1000000003' that blocks all IPV6 traffic on all interfaces. This is what Unchecking "Allow IPV6" does, not more, not less.
                                  To see the firewall rule : Take a look at /tmp/rules.debug

                                  I do not understand what you mean with 2. There is nothing to execute by you.

                                  3. Even less.

                                  Again.

                                  Uncheck this one :

                                  895c1366-807a-409e-8df5-c7fbb7ff4cca-image.png

                                  and hit the blue Save button at the bottom.
                                  32379db6-544b-4fa5-95ba-935ede0b292d-image.png

                                  Problem solved.

                                  edit : solved .... is relative.
                                  IPv4 is still fading out - IPV6 is the future.
                                  Accepting it, learning it is not some kind of luxury.
                                  If you are selling hair dryers all your life, you might need any IPv6 knowledge.
                                  If you maintain and administer Firewalls ... there is no choice.

                                  • JKnottJ
                                    JKnott @erbalo
                                    last edited by

                                    @erbalo

                                    If you have IPv6 service, why would you want to block it? What sort of log entries are you getting? Where are they from?

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                    • E
                                      erbalo
                                      last edited by

                                      Problem solved,

                                      • I have disabled IPv6 on all of the devices, only one that I can't because it is the thermostat device, I have no access there.
                                      • I have also created the IPV6 log rules as you advised but it didn't work.
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        @erbalo said in Disable IPV6 completely:

                                        I have also created the IPV6 log rules as you advised but it didn't work.

                                        As gone over already if you have pfsense to block all IPv6... This setting unchecked.

                                        unchecked.jpg

                                        It creates a block rule that logs, and no rules you put in place would not log it... because the auto rule that creates is evaluated before any of your rules.

                                        So you either need to have that checked and create your own rules that do not log... Or you have to edit the system files so the rule that creates doesn't log.. Which would be horrible idea if you ask me, since now any time you update pfsense that will get put back and your ipv6 traffic would be logged.

                                        I think prob the best thing that could happen is that like you have option to not log default deny rule, you should be able to not log the block IPv6 rule.. You could put in a feature request for that.

                                        • E
                                          erbalo @johnpoz
                                          last edited by

                                          @johnpoz Allow IPv6 checked and not receiving any logs as of now.

                                          I also have another question about the auto rule, because I also have a problem with pfsense blocking IP addresses for Google Home services.

                                          What I did:

                                          • Whitelisted these IP addresses as Alias and placed on the top of the IOT Vlan.
                                          • Whitelisted www.google.com and google.com on PFblocker.
                                          • PFblockerNG-devel is installed and also working fine, blocking ads etc.

                                          Do I maybe change the rule order?

                                          My rule order is:
                                          Screen Shot 2020-05-22 at 17.34.54.png

                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

                                            https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html


                                            1 Reply Last reply Reply Quote 0
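The rule-order behaviour described in the last two johnpoz posts (the automatic "Block all IPv6" rule is evaluated before user rules, and a quick match ends evaluation), shown as an added example that is not from any poster in the thread and is not pfSense code. It is a simplified Python model of pf rule evaluation over constructed rulesets; only the "Block all IPv6" rule comes from the thread, while the default-deny stand-in, the user rules and the address 2001:db8::1 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "block" or "pass"
    log: bool     # does a match produce a firewall log entry?
    quick: bool   # stop evaluating at this rule when it matches
    dst: str      # IPv6 destination network; "::/0" means any IPv6
    label: str

    def matches(self, dst_ip: str) -> bool:
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)

def evaluate(rules, dst_ip):
    """pf semantics: the last matching rule decides, unless a matching
    rule is 'quick', in which case evaluation stops right there."""
    winner = None
    for rule in rules:
        if rule.matches(dst_ip):
            winner = rule
            if rule.quick:
                break
    return winner

def verdict(rules, dst_ip):
    """Return (logged, label) for the rule that decides this packet."""
    rule = evaluate(rules, dst_ip)
    if rule is None:
        return (False, "no matching rule")
    return (rule.log, rule.label)

# Constructed stand-in for the default deny rule (non-quick, logs).
DEFAULT_DENY = Rule("block", True, False, "::/0", "default deny (constructed)")
# From the thread: block in log quick inet6 all tracker 1000000003
AUTO_BLOCK_V6 = Rule("block", True, True, "::/0", "Block all IPv6")
# Constructed user rules: block without logging, quick ticked.
USER_MCAST = Rule("block", False, True, "ff00::/8", "user: multicast, no log")
USER_ANY = Rule("block", False, True, "::/0", "user: any IPv6, no log")

# "Allow IPv6" unchecked: the automatic rule sits ahead of the user rule.
ALLOW_V6_UNCHECKED = [DEFAULT_DENY, AUTO_BLOCK_V6, USER_MCAST]
# "Allow IPv6" checked: only the user's own rules handle IPv6.
ALLOW_V6_CHECKED_MCAST = [DEFAULT_DENY, USER_MCAST]
ALLOW_V6_CHECKED_ANY = [DEFAULT_DENY, USER_ANY]

if __name__ == "__main__":
    for name, rules in [("unchecked", ALLOW_V6_UNCHECKED),
                        ("checked, dest ff00::/8", ALLOW_V6_CHECKED_MCAST),
                        ("checked, dest any", ALLOW_V6_CHECKED_ANY)]:
        for dst in ("ff02::fb", "2001:db8::1"):
            print(name, dst, verdict(rules, dst))
```

With the destination limited to ff00::/8, unicast IPv6 still falls through to the logging default deny, which is why the thread suggests a destination of any IPv6 when the goal is a quiet log.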