Netgate Discussion Forum

    Weird link-local DHCPv6 behaviour

      BobKersten
      last edited by BobKersten

      Hello,

      I'm trying to block DHCPv6 responses using a transparent bridged firewall. This works for IPv4 as expected, by blocking port 68 for packets not originating from the BRIDGE address.

      For IPv6 I'd like to achieve the same thing. I'm blocking port 546 not originating from the BRIDGE address. However, I'm still seeing replies arriving using tcpdump.

      tcpdump port 546 or port 547 -n
      09:28:14.855694 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:28:23.350384 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:28:23.353425 IP6 fe80::43:yyyy:yyyy:2100.547 > fe80::10d0:zzzz:zzzz:3c76.546: dhcp6 reply
      09:28:23.465366 IP6 fe80::ae22:yyyy:yyyy:bda3.547 > fe80::10d0:zzzz:zzzz:3c76.546: dhcp6 reply
      

      So both my pfsense bridge (2100) and my modem (bda3) are responding. Now when I turn off the DHCPv6 server on the pfsense box, neither of them is responding.

      09:27:09.672287 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:27:10.686507 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:27:12.768231 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:27:16.952931 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:27:25.189624 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      09:27:42.107897 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
      

      I've also changed the rule to block all traffic, not specifically mentioning the BRIDGE address in the rule, but it makes no difference. Although it sounds impossible, it appears as if the modem is piggybacking on an open state/rule.

      [UPDATE] when I turn off the pfsense DHCPv6 server, the modem replies are still coming in. It would seem as if link-local traffic isn't firewalled at all?

      Any thoughts?

      kiokoman
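One way to check from a capture whether DHCPv6 replies are reaching clients from anything other than the bridge, as an added example that is not from this thread or from pfSense: it parses tcpdump lines in the format quoted above and flags server-to-client messages (port 547 to 546) whose source is not the allowed server. The sample lines and the allowed bridge address are constructed from the post's placeholder addresses.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the tcpdump lines in the post
# (the placeholder hex groups such as "xxxx" are kept as-is).
SAMPLE = """\
09:28:14.855694 IP6 fe80::10d0:xxxx:xxxx:3c76.546 > ff02::1:2.547: dhcp6 inf-req
09:28:23.353425 IP6 fe80::43:yyyy:yyyy:2100.547 > fe80::10d0:zzzz:zzzz:3c76.546: dhcp6 reply
09:28:23.465366 IP6 fe80::ae22:yyyy:yyyy:bda3.547 > fe80::10d0:zzzz:zzzz:3c76.546: dhcp6 reply
"""

# Hypothetical: the bridge's own link-local address, the only DHCPv6 server that should answer.
ALLOWED_SERVERS = {"fe80::43:yyyy:yyyy:2100"}

# tcpdump prints IPv6 endpoints as <address>.<port>; the address has no dots,
# so the last ".<digits>" before " > " or ":" is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): dhcp6 (?P<msg>.+)$"
)


@dataclass(frozen=True)
class Dhcp6Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str


def parse_tcpdump(text: str) -> list[Dhcp6Packet]:
    """Parse the dhcp6 lines of a 'tcpdump port 546 or port 547 -n' capture; skip anything else."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Dhcp6Packet(m["ts"], m["src"].lower(), int(m["sport"]),
                                       m["dst"].lower(), int(m["dport"]), m["msg"]))
    return packets


def is_link_local(addr: str) -> bool:
    """fe80::/10 check by prefix; ipaddress cannot be used because of the placeholder groups."""
    return addr.lower().startswith("fe80:")


def rogue_replies(packets: list[Dhcp6Packet], allowed: set[str]) -> list[Dhcp6Packet]:
    """Server-to-client messages (547 -> 546) from any source other than the allowed servers.
    A non-empty result means the filter is not blocking link-local replies on the bridge."""
    return [p for p in packets
            if p.sport == 547 and p.dport == 546 and p.src not in {a.lower() for a in allowed}]
```

Run it against a real capture by replacing SAMPLE with the tcpdump output and ALLOWED_SERVERS with the bridge's actual link-local address; every packet it flags is a reply that the bridge rule let through.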

        maybe you need to reset states after changing rules for ipv6
        diagnostic / states / reset states
        This may be necessary after making substantial changes to the firewall and/or NAT rules, especially if there are IP protocol mappings (e.g. for PPTP or IPv6) with open connections.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.