ICMPv6 flooding the pfSense firewall logs
I am experiencing and issue related to the logs been flooded by ICMPv6 pings from the WAN interface.
Never had this issue before upgrading to the latest version (at the time of this post - 2.3.1-RELEASE-p1 (amd64)).
My firewall logs completely flooded with this:
" Jun 13 17:43:50 WAN [fe80::201:5cff:fe6f:7e46] [ff02::1] ICMPv6 "
This particular message is about 98% of the entire log file for the Firewall. Message repeated with the only difference in the time/date stamp.
I would like to point out that:
1. The settings under: System -> Advanced -> Networking : Allow IPv6 check box is UNCHECKED. I assumed that should turn off IPv6 processing by the PFSense and firewall… and all IPv6 traffic coming to WAN interface would be ignored.
2. All internal interfaces, for example LAN: Interfaces -> LAN : IPv6 Configuration Type: is set to "none"
3. WAN interface uses DHCP to get IPv4 address from ISP, and the WAN interface has "IPv6 configuration type" setting set to "NONE".
With those settings in place, is still show, under: Diagnostics -> NDP Table, IPv6 addresses assigned to the physical Ethernet interfaces installed.
The Firewall log is flooded with messages regarding ICMPv6 messages bombarding WAN interface from some IPv6 address, with a destination of: [ff02::1], using ICMPv6 protocol on WAN interface.
Can anyone please, clarify if this is truly a legitimate traffic (Multicast ?!) that is blocked and therefore is logged, or this is some sort of a bug?
Could anyone advise how to really truly turn of IPv6, eradicate it or at least configure PFsense so that IPv6 is completely ignored and logs for the firewall actually useful again.
Thank you for your time.
Things are still not good with logs.
I have created a rule on WAN for all IPv6 packets to be BLOCKED (dropped silently). In the GUI editing for the rule, the check box for logging is unchecked and still the logs keep recording the events cut but this rule. In the log, when hovering over the red cross it does show the rule number from the top (first rule).
The rule is the 3ed one in the list and that's as high in the list I can get, because the top two rules are auto-generated by PFsense to block the Bogon networks.
Log's still on junked up with the ICPMv6 messages.
Doesn't fire wall logs for WAN everything? If I would not have any rules for WAN governing incoming traffic.. than what? All traffic that came to WAN and was not initiated from with in (the host behind the firewall), Firewall logs immediately starts piling up, showing all the unsolicited requests.
That's why this ICMPv6 messages are in the logs, even tho now I have a explicit rule to match the patter of the incoming traffic, and the check box to log this traffic is UN-checked.
So there is no way to tell the logs to ignore the IPv6 traffic coming to the WAN and stop piling up the logs. That's how I see it as of right now.
Sooo... is this a feature or a bug or a featured-bug?
If some one from PFsense dev team reading this forum... please chime in..... because in my case, as of right now logs are nearly useless.
I can go in and create a custom filter to sort out the logs and exclude the IPv6 junk, but that just not user friendly, additional work to do, and doe snot affect the graphical pie-charts - they all look totally skewed.
In addition to this dilemma, got this weirdness going on:
One of the events in logs on WAN interface looks like this:
Action Time Interface Source Destination Protocol
X Jun 16 00:04:37 WLAN 0.0.0.0 220.127.116.11 IGMP
Hovering over the the red (X) mark shows a message:
The rule that triggered this action is:
@9(1000000103) block drop in log inet all label "Default deny rule IPv4"
I do not have a single rule in the rule sets for the firewall with that label : "Default deny rule IPv4"
Where is this coming from? Where is this rule? Does GUI not list all the rules?
Someone PLEASE comment.... please?!
That checkbox does make it ignore IPv6, but if any makes it to the system, as will in the case of multicast from some other device on your WAN, it still blocks it. You can disable that default rule logging, or add a floating block rule without logging.
What it's doing is the correct and desired behavior for that circumstance and config.
Got it. I have the same question opened in the Firewall section of the forum, but … could I ask you what steps should I take to disable logging for the default rules related to IPv6?
Thank you for your help.
This problem is solved now, please see this here: