Netgate Discussion Forum
    • JonathanLee

      Seeking Insight on IPV6 Suricata Alerts – "Excessive Retransmissions" and "Wrong Direction First Data"

      Category: IPv6 · Tags: ipv6 suricata
      0 Votes · 3 Posts · 73 Views
      bmeeks

      @JonathanLee said in Seeking Insight on IPV6 Suricata Alerts – "Excessive Retransmissions" and "Wrong Direction First Data":

      SURICATA Applayer Wrong direction first Data

      Here is the link in the Suricata docs for this stream rule alert: https://docs.suricata.io/en/latest/rules/app-layer.html#applayer-wrong-direction-first-data.

      The short version of the story is that even today, after several attempted fixes within Suricata, the coders of client/server software apps seem to still be able via crappy coding to craft network flows that trip up the Suricata parser. This is basically a harmless error.

      As @SteveITS said, the best thing is to disable all the Suricata stream event rules. They are informational anyway and don't necessarily indicate malicious traffic.

    • JonathanLee

      Snort and GIF0 for HE tunnel broker

      Category: IDS/IPS · Tags: ipv6 snort he.net gif ips
      0 Votes · 9 Posts · 136 Views
      JonathanLee

      @SteveITS It looks like it is detecting ipv6 better.

      It is already showing alerts.

      [attachment: Screenshot 2025-07-12 at 10.39.56.png]

      It sees some ipv6 going to my interface. Again, snort also would spot stuff every once in a while. My son got a bad bug on his tablet and it had a Russian email server running. I checked it on VirusTotal and it was spot on as known malware abuses, so I reported it.

    • JonathanLee

      Port 0 and IPv4 Great... but hey what about IPv6 or inet6?

      Category: Firewalling · Tags: port 0 pfctl -sr inet6 ipv6 acl
      0 Votes · 15 Posts · 216 Views
      JonathanLee

      @johnpoz This even does this with the newest CE edition inside of a UTM virtualized environment, outside of the 2100s.

      [attachment: Screenshot 2025-07-17 at 10.15.51.png]

      It is not just the 2100s. This is set up for standard stuff; everything else works with it, it is just the status page.

    • JonathanLee

      Router Advertisements

      Category: IPv6 · Tags: ipv6 he.net tunnelbroker dhcpv6 ipv4+ipv6
      0 Votes · 4 Posts · 206 Views
      JonathanLee

      @Gertjan Fixed it. I had on the interface address both an IPv6 address and an "IPv4 address embedded in the IPv6 address (this is known as IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses)". Before, that is normally not for interfaces, only the static device assignments, so that is corrected: my IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses are now only on the LAN devices and not on the firewall interfaces.

      [attachment: Screenshot 2025-07-09 at 15.29.37.png]

    • S

      How do I enable IPv6 traffic on VLAN for IoT Matter traffic?

      Category: General pfSense Questions · Tags: iot matter ipv6 vlan
      0 Votes · 22 Posts · 529 Views
      dennypage

      @Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

      @dennypage
      …
      Do you have any experience with the Tapo switches?

      I don’t have direct experience with Tapo. However I do have experience with Kasa, and I can attest that TP-Link goes out of its way to push / force you onto cloud services.

    • D

      IPv6 Firewall rules for external internet access only

      Category: IPv6 · Tags: ipv6 rules gua internet access whitelist
      0 Votes · 3 Posts · 584 Views
      D

      @Bob-Dig That looks like it worked! Is there a limitation I should be aware of with how quickly those rules will update? I just don't want to leave an open hole in my firewall whenever my ISP drops the ball.

    • I

      Alias tables don't contain IPv6 addresses anymore

      Category: IPv6 · Tags: ipv6 aliases tables hostnames
      1 Vote · 20 Posts · 2k Views
      I

      @JonathanLee said in Alias tables don't contain IPv6 addresses anymore:

      Is your zone transparent? I had an issue with mine set to (type transparent) and it was causing issues

      Zone type is at default "transparent" not "type transparent".

    • D

      pfSense installation into an IPv6 only environment?

      Category: Problems Installing or Upgrading pfSense Software · Tags: ipv6 installer
      0 Votes · 2 Posts · 258 Views
      stephenw10

      Hmm, that's a good question. Let me run some tests...

      You can install using the legacy installer and upgrade if needed:
      https://atxfiles.netgate.com/mirror/downloads/

      Steve

    • B

      Dynamic DNS client "extracted from local system"

      Category: General pfSense Questions · Tags: dynamic dns ipv6
      0 Votes · 18 Posts · 2k Views
      S

      @Gertjan said in Dynamic DNS client "extracted from local system":

      To know if the WAN IP really changed? Easy. Store the latest successfully updated WAN IPv4 address locally. This is the cache file. Compare the actual WAN IPv4 with the cache:

      Just going to take this opportunity to point out that this causes a problem in the case where we restore to a replacement router in our lab before delivery. DDNS is updated to our office IP. Live router will not update because its cached IP didn’t change. (Workaround is to manually modify the file on disk to fool it, as I recall)

    • XSIV

      Interested

      Category: Official Netgate® Hardware · Tags: internet security vpn firewall ipv6
      0 Votes · 2 Posts · 384 Views
      stephenw10

      Did you have a specific question?

      If you're unsure I would first try installing CE on whatever hardware you have to test it.

      Steve

    • JonathanLee

      IPv6 HE tunnel broker and Netflix quick fix idea

      Category: IPv6 · Tags: ipv6 he.net tunnelbroker netflix unbound
      0 Votes · 3 Posts · 603 Views
      Gertjan

      @JonathanLee said in IPv6 HE tunnel broker and Netflix quick fix idea:

      This fixed my issues 100% anyone else parse AAAA and A dns records like this?

      That issue is very old.

      Hit the search button - it's just above:

      [attachment: 979fea0f-8b0a-4338-afa4-9be21a3aeefa-image.png]

      The issue even has a pfBlockerng solution made for it:

      [attachment: 99d7ab85-cb14-44e3-958e-e48648d7256f-image.png]

      Check the check box.
      Add all the host names that should not be resolved to AAAA.
      Done.

    • JonathanLee

      Squid and IPv6

      Category: Cache/Proxy · Tags: he.net ipv6 squid certificates
      0 Votes · 1 Post · 279 Views
      No one has replied
    • G

      Recurring internet disconnect when using iPV6

      Category: IPv6 · Tags: ipv6 disconnects dhcpv6
      0 Votes · 1 Post · 259 Views
      No one has replied
    • G

      global IPV6 addresses are not routed into the LAN and to the client

      Category: IPv6 · Tags: multiwan failover ipv6 ipv4 dual stack
      0 Votes · 4 Posts · 639 Views
      G

      @Globaltrader312 I have now also removed the firewall rules under NAT

    • A

      IPv6 Slow Upload Speed

      Category: IPv6 · Tags: ipv6 upload speed tcp retransmission
      0 Votes · 1 Post · 396 Views
      No one has replied
    • C

      IPv6 over pfSense 802.1q VLAN limits ICMP6 data size to 1240 bytes

      Category: IPv6 · Tags: ipv6 icmp6 size
      0 Votes · 4 Posts · 788 Views
      C

      UPDATE: This issue is not specific to the use of a large mtu (jumbo frames). It affects ICMP6 generally in this configuration. I don't know if the issue is due to the VLAN or the combination of a VLAN on a bridge. IPv4 is not affected and ICMP message sizes (with do-not-fragment set) respect the configured mtu.

    • S

      ISP ipv6 request is accepted via dhcp6c but not applied to my interface???

      Category: IPv6 · Tags: ipv6 orange dhcp6c
      0 Votes · 13 Posts · 2k Views
      keyser

      @sloopbun Me too :-)

    • T

      Setting up ipv6 with one /64 allocation

      Category: IPv6 · Tags: ipv6
      0 Votes · 5 Posts · 1k Views
      JKnott

      @tmoore said in Setting up ipv6 with one /64 allocation:

      For what it's worth my ISP is Teksavvy. I phoned in to them this morning and asked them to give me a /56 address delegation which they have done. So now I have a /56.

      Are you connected via Bell or Rogers? If Rogers, you might want to check the Rogers config. A friend of mine is with Teksavvy on Rogers. Another friend used to be with them on Bell.

      As for that pending gateway, you have to provide a monitor address that responds to pings. For mine, I ran traceroute to Google and picked the first address that responded. That address is 2607:f798:10:10d2:0:241:5615:217. It might be different for you, depending on where you are.

    • G

      Cannot enable the "Allow IPv6" setting

      Category: IPv6 · Tags: ipv6 configuration issue
      0 Votes · 9 Posts · 1k Views
      O

      @Gertjan Correct.

    • bearhntr

      Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?

      Category: IPv6 · Tags: ipv6
      0 Votes · 60 Posts · 21k Views
      bearhntr

      @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

      The correct way to handle this is to use a separate sub-domain for your internal AD setup. Something like mydomain.com for the public IP domain name and internal.mydomain.com for the Windows AD network in RFC1918 space. That can work. A quick Google search will lead you to a Microsoft best practices and how-to article on this configuration. I highly recommend you restructure your AD configuration to match what is described at this older Microsoft link here: https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx. And here is a slightly newer document showing the same thing: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772970(v=ws.10).

      Thanks for the links - one of them I had already looked at (as a Google search pointed to it). My public domain name has a - {dash} in it, and apparently my old ass NAS does not like that. I have tried and tried to get it to recognize the domain name that I first set up as ad.{mypublicdomain} - even a chat session with them for over an hour (nothing worked - they plan no updates to it). It also only does CIFSv1/SMBv1, FTP (no sFTP) and NFS (but only to Linux boxes), and some form of iSCSI. I have over 6TB of files and stuff on there, and they ("SEAGATE") are not even willing to 'help' me with another NAS to replace it. One of my IT buddies said I should use {mypublicdomain}.loc for my AD/DS... but it is still going to resolve the - {dash} in there unless I remove it completely. I have considered creating (renaming my public-facing domain) as only HomeAssistant uses it (well, their app on my phone and the ALEXA and GOOGLE links do too).

      My older post you referenced was assuming the network was IPv4 only with no IPv6 in use. You want to use IPv6, but your ISP is not guaranteeing you a static assignment (they use prefix delegation which means the IPv6 space might change unexpectedly). That's going to be an issue unless you use both ULA and GUA IPv6 addresses. My post also assumed that your Active Directory domain was never going to be accessed from outside. Sounds like that is not what you intend as you mentioned somewhere up above about using some type of home automation with LDAP authentication I believe (unless I'm confusing this thread with another one).

      Pretty much what I am going to do. Every guide that I have read says not to DISABLE the IPv6 on a DC. I am going to leave it at its default settings and let pfSense take care of it. Same for DHCPv4 - going to only do DNS on AD/DS, and I am guessing that pfSense is RESOLVER with the FORWARDING option turned on. I would also need a Domain Override set up to point to the AD/DS name and IPv4 address as well. Still trying to grasp the REV LOOKUP (setup in pfSense) thing and the HOST OVERRIDE too.

      The LDAP stuff that I want to do is not really for Home Automation, per se. I do have HomeAssistant - what I want to do is sign-ins to the various parts with LDAP credentials so that I do not have to keep up with (currently 22) separate login accounts. All of that stuff is 'inside' my pfSense Firewall - only Alexa and Google can access from outside, and their app. I got that working, and I am hoping that I do not have to go through that again. WHEW!!!