IPv6 multicasts flooding the pfSense logs.
-
That's it! You did it…
To recap, the rule labeled "Block all IPv6" is not the one I created manually; the one I created is called "Block IPv6" and logging is not enabled on that rule.
However, as soon as I re-enabled IPv6 processing under System->Advanced->Networking: Allow IPv6, the logging of those endless ICMPv6 messages stopped!
Now the logs look appropriate, just the way I would expect them to be. The only records now shown on WAN are the unsolicited traffic, and the majority of it is IPv4.
Thanks to you, the firewall logs on my pfSense are useful again.
I can't thank you enough for all your help.
This was not easy for me to diagnose and I think it is worthy of being mentioned in the official pfSense docs.
Again, thank you for all your help and assistance.
-
Fantastic! So now we know that disabling IPv6 added the two block rules at the top, with the log option, and that logging was affected by the disable options over on the log settings.
We've both learned something about this now.
-
(Hopefully this isn't a second post… looks like I was logged off and had to come back and repost...)
Thanks guys, now I know I'm not crazy (mostly) :) I had the exact same problem as above, compounded by the fact that I syslog out to a local NAS which, after I disabled IPv6 a bit ago, began churning away 24/7 with all these log messages.
I more or less did the same as you did above. Re-enable IPv6 on the Advanced tab and add a manual rule with log OFF to block all IPv6 traffic. A few notes for anyone who comes after:
Thanks in part to this:
https://www.engren.se/2013/04/30/some-pfsense-commands-to-keep-handy/
Trying to find the rule that is logging all the messages...
ssh to pfsense
viconfig
The firewall rule we're looking for is not present in this config. It must be generated by whatever reads this config and creates the rules.
In the actual runtime rules here:
/tmp/rules.debug
These are the two rules created when System > Advanced > Networking > "Allow IPv6" is unchecked (verified):
Block all IPv6
block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
block out log quick inet6 all tracker 1000000004 label "Block all IPv6"
I say verified because I know those two rules are created and deleted when that checkbox is toggled. I do NOT know if there is anything else modified.
If any pfSense folks happen to see these posts, it sure would be nice to have an extra option in that Advanced tab to control logging.
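The post above finds the logging rule by reading /tmp/rules.debug. As an added example (not code from the thread or from pfSense), the script below automates that lookup: it pulls the tracker ID out of a filterlog line, finds the rule in rules.debug carrying that tracker, and lists every rule that blocks inet6 with the log keyword. Both the rules.debug excerpt and the filterlog line are constructed for the example; the two auto-generated rules and their tracker numbers are the ones quoted in the post, the other two rules are invented filler, and the log line assumes the filterlog CSV layout in which the fourth field is the tracker ID.

```shell
#!/bin/sh
# Added example: locate the pf rule behind a flood of log entries.
# Not part of the original post; rule text and trackers follow the thread,
# everything else is constructed for illustration.

# Constructed excerpt in the shape of /tmp/rules.debug. The first two lines
# are the auto-generated rules quoted in the post; the rest are filler.
RULES_DEBUG='block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
block out log quick inet6 all tracker 1000000004 label "Block all IPv6"
block in quick inet6 all tracker 1410000001 label "USER_RULE: Block IPv6"
pass in quick on em0 inet from any to any tracker 1410000002 label "USER_RULE"'

# Constructed filterlog line. pfSense writes filterlog entries as CSV; the
# fourth field is assumed here to be the tracker ID of the matching rule.
LOG_LINE='Jan  1 00:00:00 pfSense filterlog: 5,16777216,,1000000003,em0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1'

# tracker_of LOGLINE -> tracker ID referenced by the log line
tracker_of() {
    printf '%s\n' "$1" | sed -n 's/.*filterlog: //p' | cut -d, -f4
}

# rule_for TRACKER RULES -> the rule line carrying that tracker
rule_for() {
    printf '%s\n' "$2" | grep -E "tracker $1( |\$)"
}

# logging_v6_blocks RULES -> "tracker<TAB>label" for every rule that both
# blocks inet6 and logs; these are the candidates for a log flood.
logging_v6_blocks() {
    printf '%s\n' "$1" | awk '
        /^block/ && / log / && / inet6 / {
            for (i = 1; i <= NF; i++) if ($i == "tracker") t = $(i + 1)
            match($0, /label ".*"/)
            print t "\t" substr($0, RSTART + 7, RLENGTH - 8)
        }'
}

t=$(tracker_of "$LOG_LINE")
echo "log line matched tracker $t:"
rule_for "$t" "$RULES_DEBUG"
echo "inet6 block rules that log:"
logging_v6_blocks "$RULES_DEBUG"
```

On a real box, replace the two constructed variables with `cat /tmp/rules.debug` and a line from `clog /var/log/filter.log`; the tracker lookup is what tells you whether the noisy rule is one you created (user rules carry a USER_RULE label) or one pfSense generated.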
-
Found what may be a better solution. Based on this:
https://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset
ssh to pfsense
vi /etc/inc/filter.inc
Find the two lines following:
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
In both of those lines remove the string (and one space):
{$log['block']}
Save and quit vi
Go back to the pfSense UI and
- remove the custom rule we added from previous posts
- uncheck the "Allow IPv6" again
- let pfSense rewrite its rules
Now those default rules are back in place BUT without the log parameter.
My only question: will this manual modification be overwritten by a pfSense update?
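The edit in the post above is a hand change to /etc/inc/filter.inc, so it is worth making it repeatable and guarded. As an added example (not code from the thread or from pfSense), the script below applies the same edit to a copy of filter.inc: it refuses to touch the file unless exactly the two "Block all IPv6" lines still carry `{$log['block']}`, keeps a `.orig` backup, leaves every other rule that uses `{$log['block']}` alone, and reports "already applied" on a second run. The sample filter.inc it operates on is constructed from the two lines quoted in the post plus one invented bogon line that must stay untouched; the helper names are the example's own.

```shell
#!/bin/sh
# Added example: strip the log keyword from the two auto-generated
# "Block all IPv6" rules in a copy of filter.inc, safely and repeatably.
# Not part of the original post or of pfSense.

# Constructed stand-in for /etc/inc/filter.inc: the two lines the post
# quotes plus an unrelated rule that must keep its {$log['block']}.
make_sample_filter_inc() {
    cat > "$1" <<'EOF'
<?php
$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
$ipfrules .= "block in {$log['block']} quick from any to <bogons> tracker {$increment_tracker($tracker)} label \"block bogon\"\n";
EOF
}

# count_logging_v6_blocks FILE -> how many "Block all IPv6" lines still log
count_logging_v6_blocks() {
    grep -c "log\['block'\].*Block all IPv6" "$1" || true
}

# strip_log_from_v6_block FILE
# Exit 0 when the edit is applied or was already applied; exit 1 (file
# untouched) if the file does not look like the shape the post describes,
# which is the case to expect after an update rewrites filter.inc.
strip_log_from_v6_block() {
    f="$1"
    n=$(count_logging_v6_blocks "$f")
    case "$n" in
        0) echo "already applied: no logging 'Block all IPv6' lines in $f"; return 0 ;;
        2) ;;
        *) echo "expected 2 logging 'Block all IPv6' lines, found $n; not touching $f" >&2; return 1 ;;
    esac
    cp "$f" "$f.orig"
    # Only on lines labelled "Block all IPv6", drop "{$log['block']} " once.
    sed '/Block all IPv6/s/{\$log\[.block.]} //' "$f.orig" > "$f"
    echo "patched $f (backup in $f.orig)"
}

tmp=$(mktemp -d)
make_sample_filter_inc "$tmp/filter.inc"
strip_log_from_v6_block "$tmp/filter.inc"
grep 'Block all IPv6' "$tmp/filter.inc"
strip_log_from_v6_block "$tmp/filter.inc"
```

Run it against the real /etc/inc/filter.inc only after reviewing the backup behaviour; the count check is what protects you from silently mangling a future version of the file whose rule lines no longer match.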
-
Hi,
Just went looking for this sort of thing also and found this:
https://doc.pfsense.org/index.php/Firewall_Logs#Disable_Default_Block_Logging
Hopefully this helps?
-
Found what may be a better solution. Based on this:
https://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset
This was very helpful. Thanks!
-
Thanks all for the help in resolving this issue.
I would like to clear something up, to ask actually:
I had the same issue of being clogged by these ICMPv6 logs. After I checked the box "Allow IPv6" in Advanced/Networking I finally got rid of the annoyance. Now, do I need to create a rule manually to block IPv6 traffic (with logging off) so it won't enter my WAN? Or, since I set "IPv6 Configuration Type" to "None" on my WAN interface, will IPv6 still be blocked?
Thanks.
-
Why would you want to block IPv6??? That's what the world is moving to. It's the future of the Internet.
-
It's not moving to good direction then. :)
-
While I can't speak about the specific issues here, both ICMP6 and multicasts are essential parts of IPv6. For example, there is no such thing as broadcasts with IPv6. Instead, there are several types of multicasts, to specific groups. Even ARP has been replaced with solicited-node multicasts. One thing that's also used extensively is MTU discovery, which involves ICMP6. MTU discovery is essential, as with IPv6 routers are not allowed to fragment packets. With IPv4, you could set the MTU to whatever and if the packet tried to pass through a router that couldn't handle the MTU, the packet would be fragmented so that the fragments could pass.
I have been running IPv6 for 7 years, including just over a year with pfSense and it works fine.