Netgate Discussion Forum

    IPv6 bogon pings

      Kyrra

      I see the following firewall alert appear about every second since I got IPv6 set up on my pfSense. It seems to be triggered by the bogon network rule (since the source is a local net address).

      May 21 10:04:42	wan_stf	  [fe80::cdab:240]	  [2602:xxxx:xxxx:xxxx::]	ICMPv6
      

      My setup is pretty simple: LAN and WAN interfaces only. WAN uses PPPoE with a VLAN to work with CenturyLink silliness. I'm guessing the CenturyLink hardware is pinging me, but I can't figure out how to stop the rule from triggering, as the bogon network rule is always higher up in the list of rules.

      Anyone have any tips on how to stop my firewall logs being flooded by blocked pings?

        bri189

        I had a similar problem with IPv4 bogon rules and having a "valid" broadcast coming from my ISP (I'll argue "valid" with my ISP at a later date…).

        Here's what I did to stop the flood of logs for this harmless and, more importantly, known IGMP from my ISP for IPv4. In my case the source IP was 10.54.112.1; I'm sure it should work for IPv6:

        • Created an alias to represent private space called 'private_ipv4_space' and added the 10/8, 172.16/12, and 192/24 IP addresses that are bogon networks for IPv4

        • Created an allow rule on the WAN to allow the 10.54.12.1, which was being treated as a bogon. I made sure to set the destination IP being sent by the ISP, just to make sure that if it changed, I'd know. I put this as high as I could in the overall WAN list.

        • Created a block rule underneath the previous allow rule to block any source that was in the 'private_ipv4_space' alias (aka IPv4 bogon)

        • Disabled the bogon check; this gets rid of that "top of list" firewall rule that is being hit that you can't edit

        Hope this helps!

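The rule order described in the answer above, modelled as a first-match evaluator. This is an added example, not part of either post and not pfSense code. The alias contents (the three RFC 1918 ranges), the 224.0.0.1 destination, the logging flags and the default block rule are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the alias holds the three RFC 1918 private ranges.
PRIVATE_IPV4_SPACE = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP_SOURCE = ipaddress.ip_address("10.54.112.1")  # source IP named in the answer
ISP_DEST = ipaddress.ip_address("224.0.0.1")      # constructed sample destination

@dataclass
class Rule:
    action: str          # "pass" or "block"
    sources: list        # networks the packet source must fall in
    dest: object = None  # exact destination address, or None for any
    log: bool = False    # whether a match writes a firewall log entry

    def matches(self, src, dst):
        in_src = any(src in net for net in self.sources)
        return in_src and (self.dest is None or dst == self.dest)

def host(addr):
    """Single-address network for an exact source match."""
    return ipaddress.ip_network(f"{addr}/32")

# Step 2 of the answer: pass the known ISP source, pinned to one destination.
ALLOW_ISP = Rule("pass", [host(ISP_SOURCE)], dest=ISP_DEST, log=False)
# Step 3: block everything else sourced from the private-space alias.
BLOCK_PRIVATE = Rule("block", PRIVATE_IPV4_SPACE, log=True)
# Assumed default: inbound WAN traffic matching no rule is blocked and logged.
DEFAULT = Rule("block", [ipaddress.ip_network("0.0.0.0/0")], log=True)

ORDERED = [ALLOW_ISP, BLOCK_PRIVATE]  # order given in the answer
SWAPPED = [BLOCK_PRIVATE, ALLOW_ISP]  # same rules, wrong order

def evaluate(rules, src, dst):
    """First matching rule wins; returns (action, logged)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules + [DEFAULT]:
        if rule.matches(src, dst):
            return rule.action, rule.log

if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    for pkt in [("10.54.112.1", "224.0.0.1"), ("10.54.112.1", "203.0.113.7"),
                ("10.9.9.9", "224.0.0.1"), ("198.51.100.20", "203.0.113.7")]:
        print(pkt, "ordered:", evaluate(ORDERED, *pkt),
              "swapped:", evaluate(SWAPPED, *pkt))
```

Because the allow rule is pinned to one destination, the same ISP source sending to any other address falls through to the logged block rule, which is the "if it changed, I'd know" behaviour from the answer.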
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.