Netgate Discussion Forum

Zombie Default deny rule IPv6

Category: 2.5 Development Snapshots (Retired)
7 Posts, 3 Posters, 1.5k Views
vesalius
last edited by vesalius Dec 5, 2020, 7:14 PM (Dec 5, 2020, 5:28 PM)

Can't kill it or stop it from stuffing the firewall log.
Have the all IPv6 button checked in System/Advanced/Networking. Have a rule to pass all IPv6 traffic in my LAN firewall. It's all mDNS traffic on port 5353, but can't make it stop. I do not have IPv6 on for WAN, so this is all internal. Not sure how long this has been going on, just happened to check earlier this week. Updated to the latest 2.5 snapshot today and the issue persists.

137bd4fa-3a31-48db-b3de-b724e8dbd13b-image.png

3c14cb5d-cdb6-4a17-8613-659016adf4e0-image.png

d81794aa-a7f6-4d95-9ee0-25fb844426a1-image.png

With some googlefu, found a few older things online where turning off then back on the all IPv6 button in System/Advanced/Networking seemed to work for some, but no such luck for me.
jimp (Rebel Alliance Developer, Netgate)
Dec 7, 2020, 2:14 PM

What are your specific rules which pass IPv6 on your LAN? Odds are they don't cover this. Either because you used something like "LAN Net" which doesn't include link-local, or because packets may have some other property which doesn't make them match (like IP options).

I suspect the former in this case. Read other reports such as https://redmine.pfsense.org/issues/9168 for details.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
Gertjan
Dec 7, 2020, 2:24 PM

Try this one:

a2786d8e-28ce-4ae9-ab71-1e26d38d493e-image.png

It works.

Normally, these:

87b05ea1-85d9-44f7-9781-460dec97562e-image.png

are unchecked, as you don't want to know who's knocking on the door.
Those who can and should enter have the key (your rules).
Because you have some of them checked, you saw the issue: packets hit the default block rule.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs?
jimp (Rebel Alliance Developer, Netgate) @Gertjan
Dec 7, 2020, 2:31 PM

You don't need a source of * as that's a bit dangerous.

You could just add a rule to pass from fe80::/10 to * and from LAN net to *.

Or be more specific:

• Block IPv6 fe80::/10 to ff00::/8 with "Allow IP options" checked, and without log checked, description "Ignore link local multicast traffic"
• Block IPv6 fe80::/10 to fe80::/10 with "Allow IP options" checked, and without log checked, description "Ignore other link local traffic"
• Pass LAN Net to *

That way if something unusual comes along, like a link-local address erroneously trying to contact something outside multicast or link local, it would still be logged, since you may want to track down the misbehaving client.

If there are services on the firewall you want to expose via link-local addresses, you can add explicit pass rules for them. Most/all things that are required for basic IPv6 operation are passed automatically and not subject to the LAN rules.
Gertjan @jimp
Dec 7, 2020, 2:45 PM

Adopted:

72e79354-30cc-4b92-84b7-3624183c4f62-image.png

Made the first two log for a while, just to see what they do - if something is done / rules apply.
jimp (Rebel Alliance Developer, Netgate) @Gertjan
Dec 7, 2020, 2:50 PM

Another note: if you do install something like Avahi on purpose that needs to receive IPv6 multicast on the firewall, then you would need to set that multicast rule to pass, or to create one that would at least pass to that same source/destination with whatever port(s) it needs on there (e.g. 5353).
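The following is an added example, not code from pfSense or from any poster in this thread. It simulates the rule evaluation discussed above: jimp's point that a "LAN net" pass rule never covers link-local sources, the three-rule set from his reply to Gertjan, and the optional Avahi pass rule from the follow-up note. The model assumes pfSense's first-match ("quick") ordering with a logged default deny at the end; the "LAN net" prefix, the rule descriptions and the sample packets are constructed for illustration, and the "Allow IP options" dimension is not modelled.

```python
"""Simulate pfSense-style IPv6 LAN rule evaluation (added example, not pfSense code).

Model: rules are evaluated top-down and the first match wins, which is how pfSense
renders GUI rules into pf (each GUI rule is emitted with "quick"). A packet that
matches no rule hits the logged "Default deny rule IPv6". Only address, protocol
and destination-port matching is modelled; "Allow IP options" is left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed prefixes. LAN_NET stands in for the GUI alias "LAN net", which
# expands to the interface's routed prefix and therefore never covers fe80::/10.
LAN_NET = ipaddress.ip_network("2001:db8:1::/64")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
MULTICAST = ipaddress.ip_network("ff00::/8")
MDNS_GROUP = ipaddress.ip_network("ff02::fb/128")
ANY6 = ipaddress.ip_network("::/0")


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    log: bool
    descr: str
    proto: str = "any"              # "any", "udp", "tcp", "icmpv6"
    dport: Optional[int] = None     # None means any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst)


# Implicit last rule pfSense appends: block everything, logged.
DEFAULT_DENY = Rule("block", ANY6, ANY6, log=True, descr="Default deny rule IPv6")


def evaluate(rules, pkt: dict):
    """Return (action, logged, description) of the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.log, rule.descr
    return DEFAULT_DENY.action, DEFAULT_DENY.log, DEFAULT_DENY.descr


def covered_by_lan_net(addr: str) -> bool:
    """True when the GUI alias "LAN net" would match this source address."""
    return ipaddress.ip_address(addr) in LAN_NET


def lan_only_ruleset():
    # What the original poster effectively had: a single "pass LAN net to any".
    return [Rule("pass", LAN_NET, ANY6, log=False, descr="Pass LAN net to any")]


def link_local_aware_ruleset():
    # The three rules suggested in the thread, in the order given.
    return [
        Rule("block", LINK_LOCAL, MULTICAST, log=False, descr="Ignore link local multicast traffic"),
        Rule("block", LINK_LOCAL, LINK_LOCAL, log=False, descr="Ignore other link local traffic"),
        Rule("pass", LAN_NET, ANY6, log=False, descr="Pass LAN net to any"),
    ]


def avahi_ruleset():
    # Hypothetical variant for a firewall running Avahi: a narrow pass for mDNS
    # (UDP 5353 to ff02::fb) placed ahead of the link-local multicast block.
    return [Rule("pass", LINK_LOCAL, MDNS_GROUP, log=False, descr="Allow mDNS to Avahi",
                 proto="udp", dport=5353)] + link_local_aware_ruleset()


# Constructed sample packets (source, destination, protocol, destination port).
MDNS_QUERY = {"src": "fe80::1a2b:3c4d:5e6f:7081", "dst": "ff02::fb", "proto": "udp", "dport": 5353}
NEIGHBOR_CHAT = {"src": "fe80::1", "dst": "fe80::2", "proto": "icmpv6"}
LAN_TO_GLOBAL = {"src": "2001:db8:1::10", "dst": "2001:db8:ffff::1", "proto": "tcp", "dport": 443}
LINK_LOCAL_TO_GLOBAL = {"src": "fe80::1", "dst": "2001:db8:1::1", "proto": "tcp", "dport": 22}


if __name__ == "__main__":
    for name, rules in [("LAN-net-only", lan_only_ruleset()),
                        ("link-local-aware", link_local_aware_ruleset()),
                        ("avahi", avahi_ruleset())]:
        print(f"== {name} ==")
        for label, pkt in [("mDNS query", MDNS_QUERY), ("neighbor", NEIGHBOR_CHAT),
                           ("LAN to global", LAN_TO_GLOBAL),
                           ("link-local to global", LINK_LOCAL_TO_GLOBAL)]:
            action, logged, descr = evaluate(rules, pkt)
            print(f"  {label:22} -> {action:5} log={logged!s:5} ({descr})")
```

Running it shows the original poster's situation (the mDNS query from a link-local source falls through "pass LAN net to any" into the logged default deny), the quiet handling of link-local multicast and link-local-to-link-local traffic under the three-rule set, and that a link-local source reaching for a global address still lands in the log, which is the behaviour jimp describes as useful for spotting a misbehaving client.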
Gertjan @jimp
Dec 7, 2020, 3:41 PM

@jimp Yep, I'm using Avahi, how did you know? ;)

But, mine is there so Captive portal users can 'find' our printers, so they can print something like a plain ticket or whatever.
Knowing that the captive portal is IPv4-only land, I don't need that extra rule.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.