Netgate Discussion Forum

Can't ping IPv6 LAN interface

  • M
    magiconair
    last edited by Sep 20, 2016, 8:18 PM Sep 20, 2016, 7:48 PM

    Hi,

    I'm new to pfSense and IPv6 but I have some understanding of firewalls. I've got IPv6 configured for xs4all.nl on a fiber-optic link.

    ping6 www.google.nl works from my laptop on the LAN
    ping6 2001:981:41db:0:2e0:4cff:fe68:27dc (my pfSense) works from the internet
    ping6 2001:981:41db:0:2e0:4cff:fe68:27dc does NOT work from my laptop (sometimes it does)

    However, ping6 to my firewall worked briefly after disabling the bogon network rule. Then it stopped working again after I enabled the rule again, and I haven't been able to get it to work since.

    The main reason I'm digging into this is that I've got some websites which sometimes hang and these are dual-stack sites. So my suspicion is the v6 setup.

    Any help is greatly appreciated.

    pfsense: 2.3.2-RELEASE

    System > Advanced > Networking > IPv6: checked

    WAN: PPPOE interface on VLAN 6 with prio 1
    WAN: IPv4 PPPoE, IPv6 DHCPv6, MTU 1492, req IPv6 prefix through v4, only req v6 prefix, /48 prefix, send v6 prefix hint, block private and bogon networks checked
    LAN: v4 static, v6 track WAN interface id 0, block private and bogon networks UNchecked
    Floating rule: ICMP v6 any any, pass, quick
    WAN: block RFC1918, block bogon
    LAN: anti lockout rule: 80, 443, 22 from LAN
    LAN: Allow all v4 and v6 traffic from LAN net

    Thx
    Frank

    Update:

    I get this pcap on the LAN interface for ICMPv6

    
    21:54:33.635858 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:33.635924 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:34.636090 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:34.636162 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:34.700012 IP6 fe80::6e40:8ff:fe94:9378 > fe80::1:1: ICMP6, neighbor solicitation, who has fe80::1:1, length 32
    21:54:34.700088 IP6 fe80::1:1 > fe80::6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is fe80::1:1, length 24
    21:54:36.057894 IP6 2001:981:41db:0:6e40:8ff:fe99:c308 > 2001:981:41db:0:2e0:4cff:fe68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:36.057983 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe99:c308: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 24
    21:54:36.435246 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 128
    21:54:36.636475 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    
    

    I would have expected ICMP echo requests and replies but I don't see them.

    Update 2:

    I also can't ssh into the pfSense via v6 from the LAN and pinging my laptop from the pfSense is really slow

    
    [2.3.2-RELEASE][admin@fw.home]/root: ping6 fe80::6e40:8ff:fe94:9378%re1
    PING6(56=40+8+8 bytes) fe80::1:1%re1 --> fe80::6e40:8ff:fe94:9378%re1
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=0 hlim=64 time=2.375 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=1 hlim=64 time=1369.162 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=2 hlim=64 time=368.319 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=3 hlim=64 time=1044.073 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=4 hlim=64 time=45.291 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=5 hlim=64 time=333.452 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=6 hlim=64 time=1381.189 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=7 hlim=64 time=380.344 ms
    
    
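Added example, not part of the original post: a Python sketch that tallies the ICMPv6 message types in the capture quoted above and flags hosts that keep re-sending a neighbor solicitation after it was already answered. The function names and the 3-second retransmission window are assumptions chosen for this illustration.

```python
import ipaddress
import re
from collections import Counter

# The ten tcpdump lines from the post above (LAN interface, ICMPv6 only).
CAPTURE = """
21:54:33.635858 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:33.635924 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.636090 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.636162 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.700012 IP6 fe80::6e40:8ff:fe94:9378 > fe80::1:1: ICMP6, neighbor solicitation, who has fe80::1:1, length 32
21:54:34.700088 IP6 fe80::1:1 > fe80::6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is fe80::1:1, length 24
21:54:36.057894 IP6 2001:981:41db:0:6e40:8ff:fe99:c308 > 2001:981:41db:0:2e0:4cff:fe68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:36.057983 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe99:c308: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 24
21:54:36.435246 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 128
21:54:36.636475 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
"""

# timestamp, source, destination, ICMPv6 type name, remaining fields
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP6 (\S+) > (\S+): ICMP6, ([^,]+)(?:, (.*))?$"
)
TARGET_RE = re.compile(r"(?:who has|tgt is) ([0-9a-f:]+)")

# Assumption: a solicitation repeated within this many seconds of the previous
# one is a retransmission (RFC 4861 RETRANS_TIMER defaults to 1 s), not a
# routine reachability probe sent much later.
RETRANSMIT_WINDOW = 3.0


def parse(capture):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, dst, kind, rest = m.groups()
        tgt = TARGET_RE.search(rest or "")
        events.append({
            "t": int(hh) * 3600 + int(mm) * 60 + float(ss),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "kind": kind,
            "target": ipaddress.ip_address(tgt.group(1)) if tgt else None,
        })
    return events


def count_types(events):
    """Number of packets per ICMPv6 message type."""
    return Counter(e["kind"] for e in events)


def find_stalled_resolution(events):
    """Return (solicitor, target) pairs that re-solicit an address shortly
    after the target already answered the previous solicitation."""
    state = {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["kind"] == "neighbor solicitation":
            s = state.setdefault((e["src"], e["target"]), {
                "ns": 0, "answered": 0, "repeats": 0,
                "last_ns": None, "last_answered": False,
            })
            if s["last_answered"] and e["t"] - s["last_ns"] <= RETRANSMIT_WINDOW:
                s["repeats"] += 1
            s["ns"] += 1
            s["last_ns"] = e["t"]
            s["last_answered"] = False
        elif e["kind"] == "neighbor advertisement":
            # An advertisement answers the solicitor it is addressed to.
            s = state.get((e["dst"], e["target"]))
            if s and not s["last_answered"]:
                s["answered"] += 1
                s["last_answered"] = True
    return [
        {"solicitor": k[0], "target": k[1], "ns": s["ns"],
         "answered": s["answered"], "repeats": s["repeats"]}
        for k, s in state.items() if s["repeats"] > 0
    ]


if __name__ == "__main__":
    evts = parse(CAPTURE)
    for kind, n in count_types(evts).most_common():
        print(f"{n:3d}  {kind}")
    print("echo requests seen:", count_types(evts)["echo request"])
    for hit in find_stalled_resolution(evts):
        print(f"{hit['solicitor']} re-solicited {hit['target']} "
              f"{hit['repeats']}x after an answer "
              f"({hit['ns']} NS, {hit['answered']} NA)")
```

On this capture the only flagged pair is the laptop soliciting the pfSense LAN address. A host that is still resolving a neighbor holds its outgoing packets for that neighbor, which fits the absence of echo requests in the capture.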
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Sep 20, 2016, 8:53 PM

      Are you saying when you ping your laptop via ipv4 it's fast? That sure looks to be some sort of wifi connection to me with the all over the board response times. Crappy wifi at that ;)

      So when you say you ping
      2001:981:41db:0:2e0:4cff:fe68:27dc

      is that what is on the pfsense lan or the wan interface?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • M
        magiconair
        last edited by Sep 21, 2016, 5:05 AM

        @johnpoz: two issues. Not sure if they are related.

        1. ping pfSense LAN interface not working

        2001:981:41db:0:2e0:4cff:fe68:27dc is on the pfSense LAN interface. I cannot ping this address from the LAN but only from the WAN. See screenshots.

        2. ping laptop -> pfSense is fast, ping pfSense -> laptop is slow

        
        # laptop -> pfSense
        $ ping 192.168.178.1
        PING 192.168.178.1 (192.168.178.1): 56 data bytes
        64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=1.267 ms
        64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=1.481 ms
        64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=1.721 ms
        
        # pfSense -> laptop
        ping 192.168.178.67
        PING 192.168.178.67 (192.168.178.67): 56 data bytes
        64 bytes from 192.168.178.67: icmp_seq=0 ttl=64 time=3.474 ms
        64 bytes from 192.168.178.67: icmp_seq=1 ttl=64 time=1285.005 ms
        64 bytes from 192.168.178.67: icmp_seq=2 ttl=64 time=284.568 ms
        
        

        ![Screen Shot 2016-09-21 at 07.01.53.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.01.53.png)
        ![Screen Shot 2016-09-21 at 07.02.04.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.02.04.png)
        ![Screen Shot 2016-09-21 at 07.02.14.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.02.14.png)
        ![Screen Shot 2016-09-21 at 06.59.18.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 06.59.18.png)

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Sep 21, 2016, 3:03 PM

          What is the global IP your laptop is getting for ipv6?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • M
            magiconair
            last edited by Sep 21, 2016, 8:08 PM

            
            en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            	ether 6c:40:08:94:93:78
            	inet6 fe80::6e40:8ff:fe94:9378%en0 prefixlen 64 scopeid 0x4
            	inet 192.168.178.67 netmask 0xffffff00 broadcast 192.168.178.255
            	inet6 2001:981:41db::6e40:8ff:fe94:9378 prefixlen 64 autoconf
            	inet6 2001:981:41db::74f0:5f67:73b9:a6e3 prefixlen 64 autoconf temporary
            	nd6 options=1<PERFORMNUD>
            	media: autoselect
            	status: active
            
            • M
              magiconair
              last edited by Sep 21, 2016, 8:14 PM

              And here are the pfSense ifconfig -a, netstat -rn and pfctl -sa (sans STATE)

              
              [2.3.2-RELEASE][admin@fw.home]/root: ifconfig -a
              re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
              	ether 00:e0:4c:68:27:db
              	inet6 fe80::2e0:4cff:fe68:27db%re0 prefixlen 64 scopeid 0x1
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect (100baseTX <full-duplex>)
              	status: active
              re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
              	ether 00:e0:4c:68:27:dc
              	inet 192.168.178.1 netmask 0xffffff00 broadcast 192.168.178.255
              	inet6 2001:981:41db:0:2e0:4cff:fe68:27dc prefixlen 64
              	inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect (1000baseT <full-duplex>)
              	status: active
              iwn0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
              	ether 00:1e:65:41:11:d1
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
              	status: no carrier
              pflog0: flags=100<PROMISC> metric 0 mtu 33160
              pfsync0: flags=0<> metric 0 mtu 1500
              	syncpeer: 224.0.0.240 maxupd: 128 defer: on
              	syncok: 1
              enc0: flags=0<> metric 0 mtu 1536
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
              	inet 127.0.0.1 netmask 0xff000000
              	inet6 ::1 prefixlen 128
              	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              re0_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=3<RXCSUM,TXCSUM>
              	ether 00:e0:4c:68:27:db
              	inet6 fe80::2e0:4cff:fe68:27db%re0_vlan6 prefixlen 64 scopeid 0x8
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect (100baseTX <full-duplex>)
              	status: active
              	vlan: 6 vlanpcp: 1 parent interface: re0
              pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
              	inet 82.161.239.242 --> 194.109.5.175 netmask 0xffffffff
              	inet6 fe80::2e0:4cff:fe68:27db%pppoe0 prefixlen 64 scopeid 0x9
              	inet6 fe80::2e0:4cff:fe68:27dc%pppoe0 prefixlen 64 scopeid 0x9
              	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
              [2.3.2-RELEASE][admin@fw.home]/root: netstat -rn
              Routing tables
              
              Internet:
              Destination        Gateway            Flags      Netif Expire
              default            194.109.5.175      UGS      pppoe0
              82.161.239.242     link#9             UHS         lo0
              127.0.0.1          link#7             UH          lo0
              192.168.178.0/24   link#2             U           re1
              192.168.178.1      link#2             UHS         lo0
              194.109.5.175      link#9             UH       pppoe0
              194.109.6.66       194.109.5.175      UGHS     pppoe0
              194.109.9.99       194.109.5.175      UGHS     pppoe0
              
              Internet6:
              Destination                       Gateway                       Flags      Netif Expire
              default                           fe80::2a0:a50f:fc78:5530%pppoe0 UGS      pppoe0
              ::1                               link#7                        UH          lo0
              2001:981:41db::/64                link#2                        U           re1
              2001:981:41db:0:2e0:4cff:fe68:27dc link#2                        UHS         lo0
              fe80::2a0:a50f:fc78:5530          pppoe0                        UHS      pppoe0
              fe80::%re0/64                     link#1                        U           re0
              fe80::2e0:4cff:fe68:27db%re0      link#1                        UHS         lo0
              fe80::%re1/64                     link#2                        U           re1
              fe80::1:1%re1                     link#2                        UHS         lo0
              fe80::%lo0/64                     link#7                        U           lo0
              fe80::1%lo0                       link#7                        UHS         lo0
              fe80::%re0_vlan6/64               link#8                        U      re0_vlan
              fe80::2e0:4cff:fe68:27db%re0_vlan6 link#8                        UHS         lo0
              fe80::%pppoe0/64                  link#9                        U        pppoe0
              fe80::2e0:4cff:fe68:27db%pppoe0   link#9                        UHS         lo0
              fe80::2e0:4cff:fe68:27dc%pppoe0   link#9                        UHS         lo0
              ff01::%re0/32                     fe80::2e0:4cff:fe68:27db%re0  U           re0
              ff01::%re1/32                     2001:981:41db:0:2e0:4cff:fe68:27dc U           re1
              ff01::%lo0/32                     ::1                           U           lo0
              ff01::%re0_vlan6/32               fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan
              ff01::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0
              ff02::%re0/32                     fe80::2e0:4cff:fe68:27db%re0  U           re0
              ff02::%re1/32                     2001:981:41db:0:2e0:4cff:fe68:27dc U           re1
              ff02::%lo0/32                     ::1                           U           lo0
              ff02::%re0_vlan6/32               fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan
              ff02::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0
              
              [2.3.2-RELEASE][admin@fw.home]/root: pfctl -sa
              TRANSLATION RULES:
              no nat proto carp all
              nat-anchor "natearly/*" all
              nat-anchor "natrules/*" all
              nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 82.161.239.242 static-port
              nat on pppoe0 inet from 192.168.178.0/24 to any port = isakmp -> 82.161.239.242 static-port
              nat on pppoe0 inet from 127.0.0.0/8 to any -> 82.161.239.242 port 1024:65535
              nat on pppoe0 inet from 192.168.178.0/24 to any -> 82.161.239.242 port 1024:65535
              no rdr proto carp all
              rdr-anchor "relayd/*" all
              rdr-anchor "tftp-proxy/*" all
              rdr-anchor "miniupnpd" all
              
              FILTER RULES:
              scrub on pppoe0 all fragment reassemble
              scrub on re1 all fragment reassemble
              anchor "relayd/*" all
              anchor "openvpn/*" all
              anchor "ipsec/*" all
              block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
              block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
              block drop in log inet all label "Default deny rule IPv4"
              block drop out log inet all label "Default deny rule IPv4"
              block drop in log inet6 all label "Default deny rule IPv6"
              block drop out log inet6 all label "Default deny rule IPv6"
              pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
              pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
              pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
              pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
              block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
              block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
              block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
              block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
              block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
              block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
              block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
              block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
              block drop log quick from <snort2c> to any label "Block snort2c hosts"
              block drop log quick from any to <snort2c> label "Block snort2c hosts"
              block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
              block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
              block drop in log quick from <virusprot> to any label "virusprot overload table"
              pass in quick on pppoe0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
              pass in quick on pppoe0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
              pass out quick on pppoe0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
              block drop in log quick on pppoe0 from <bogons> to any label "block bogon IPv4 networks from WAN"
              block drop in log quick on pppoe0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
              block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27db to any
              block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27dc to any
              block drop in log on ! pppoe0 inet from 82.161.239.242 to any
              block drop in log inet from 82.161.239.242 to any
              block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
              block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
              block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
              block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
              block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
              block drop in log on ! re1 inet6 from 2001:981:41db::/64 to any
              block drop in log inet6 from 2001:981:41db:0:2e0:4cff:fe68:27dc to any
              block drop in log on re1 inet6 from fe80::1:1 to any
              block drop in log on ! re1 inet from 192.168.178.0/24 to any
              block drop in log inet from 192.168.178.1 to any
              pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
              pass in quick on re1 inet proto udp from any port = bootpc to 192.168.178.1 port = bootps keep state label "allow access to DHCP server"
              pass out quick on re1 inet proto udp from 192.168.178.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
              pass quick on re1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
              pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
              pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
              pass quick on re1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
              pass in quick on re1 inet6 proto udp from fe80::/10 to 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-client keep state label "allow access to DHCPv6 server"
              pass out quick on re1 inet6 proto udp from 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
              pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
              pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
              pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
              pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
              pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
              pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
              pass out route-to (pppoe0 194.109.5.175) inet from 82.161.239.242 to ! 82.161.239.242 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
              pass out on pppoe0 route-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 from fe80::2e0:4cff:fe68:27dc to ! fe80::/48 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
              pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
              pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
              pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
              anchor "userrules/*" all
              pass quick inet6 proto ipv6-icmp all keep state label "USER_RULE"
              pass in quick on pppoe0 reply-to (pppoe0 194.109.5.175) inet proto icmp all keep state label "USER_RULE"
              pass in quick on pppoe0 reply-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 proto ipv6-icmp all keep state label "USER_RULE"
              pass in quick on re1 inet from 192.168.178.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
              pass in quick on re1 inet6 from 2001:981:41db::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
              anchor "tftp-proxy/*" all
              No queue in use
              
              STATES:
              ---8<--- SNIP ---8<---
              
              ---8<--- SNIP ---8<---
              
              INFO:
              Status: Enabled for 0 days 23:20:46           Debug: Urgent
              
              Interface Stats for re1               IPv4             IPv6
                Bytes In                       212632837        283813782
                Bytes Out                     1492315433       5846016430
                Packets In
                  Passed                         1142930          2278495
                  Blocked                           2744             5972
                Packets Out
                  Passed                         1257149          4286970
                  Blocked                              0                0
              
              State Table                          Total             Rate
                current entries                      436
                searches                        18603154          221.3/s
                inserts                           182085            2.2/s
                removals                          181649            2.2/s
              Counters
                match                             216006            2.6/s
                bad-offset                             0            0.0/s
                fragment                               0            0.0/s
                short                                 11            0.0/s
                normalize                             18            0.0/s
                memory                                 0            0.0/s
                bad-timestamp                          0            0.0/s
                congestion                             0            0.0/s
                ip-option                             17            0.0/s
                proto-cksum                            0            0.0/s
                state-mismatch                      1114            0.0/s
                state-insert                           0            0.0/s
                state-limit                            0            0.0/s
                src-limit                              0            0.0/s
                synproxy                               0            0.0/s
                divert                                 0            0.0/s
              
              LABEL COUNTERS:
              Block IPv4 link-local 212229 0 0 0 0 0 0 0
              Block IPv4 link-local 125632 0 0 0 0 0 0 0
              Default deny rule IPv4 125632 26832 7404811 26832 7404811 0 0 0
              Default deny rule IPv4 193922 0 0 0 0 0 0 0
              Default deny rule IPv6 212231 5978 952881 5978 952881 0 0 0
              Default deny rule IPv6 86600 15 996 0 0 15 996 0
              Block traffic from port 0 199428 0 0 0 0 0 0 0
              Block traffic from port 0 197965 0 0 0 0 0 0 0
              Block traffic to port 0 171550 0 0 0 0 0 0 0
              Block traffic to port 0 170884 0 0 0 0 0 0 0
              Block traffic from port 0 199431 0 0 0 0 0 0 0
              Block traffic from port 0 197345 0 0 0 0 0 0 0
              Block traffic to port 0 27884 0 0 0 0 0 0 0
              Block traffic to port 0 27758 0 0 0 0 0 0 0
              Block snort2c hosts 199430 0 0 0 0 0 0 0
              Block snort2c hosts 199428 0 0 0 0 0 0 0
              sshlockout 199434 0 0 0 0 0 0 0
              webConfiguratorlockout 34150 0 0 0 0 0 0 0
              virusprot overload table 139234 0 0 0 0 0 0 0
              allow dhcpv6 client in WAN 136973 0 0 0 0 0 0 0
              allow dhcpv6 client in WAN 24831 21 3801 21 3801 0 0 0
              allow dhcpv6 client out WAN 84300 24 3696 0 0 24 3696 0
              block bogon IPv4 networks from WAN 89023 0 0 0 0 0 0 0
              block bogon IPv6 networks from WAN 87735 0 0 0 0 0 0 0
              Block private networks from WAN block 10/8 127716 0 0 0 0 0 0 0
              Block private networks from WAN block 127/8 126622 0 0 0 0 0 0 0
              Block private networks from WAN block 172.16/12 126622 0 0 0 0 0 0 0
              Block private networks from WAN block 192.168/16 126622 0 0 0 0 0 0 0
              Block ULA networks from WAN block fc00::/7 126926 0 0 0 0 0 0 0
              allow access to DHCP server 124287 98 33136 98 33136 0 0 1
              allow access to DHCP server 217 434 165597 217 94421 217 71176 2
              allow access to DHCP server 139832 0 0 0 0 0 0 0
              allow access to DHCPv6 server 88724 0 0 0 0 0 0 0
              allow access to DHCPv6 server 0 0 0 0 0 0 0 0
              allow access to DHCPv6 server 0 0 0 0 0 0 0 0
              allow access to DHCPv6 server 3220 0 0 0 0 0 0 0
              allow access to DHCPv6 server 2633 0 0 0 0 0 0 0
              allow access to DHCPv6 server 2633 0 0 0 0 0 0 0
              pass IPv4 loopback 199120 40 3768 20 1268 20 2500 0
              pass IPv4 loopback 40 0 0 0 0 0 0 0
              pass IPv6 loopback 62 24 3696 24 3696 0 0 0
              pass IPv6 loopback 42 0 0 0 0 0 0 0
              let out anything IPv4 from firewall host itself 199096 96 8338 47 4807 49 3531 1
              let out anything IPv6 from firewall host itself 62436 6537294 6113385103 4265755 5831145973 2271539 282239130 493
              let out anything from firewall host itself 62427 2199794 1645496455 1183552 1451981118 1016242 193515337 796
              let out anything from firewall host itself 62437 0 0 0 0 0 0 0
              anti-lockout rule 202715 3175 2203691 1421 117700 1754 2085991 0
              anti-lockout rule 199961 3175 2203691 1421 117700 1754 2085991 0
              anti-lockout rule 199961 4734 2329089 2187 164329 2547 2164760 1
              USER_RULE 202669 295 16008 116 5584 179 10424 0
              USER_RULE 202605 36 1853 23 1351 13 502 0
              USER_RULE 199922 36 1853 23 1351 13 502 0
              USER_RULE: Default allow LAN to any rule 138935 2291258 1659445059 1087388 204607559 1203870 1454837500 1090
              USER_RULE: Default allow LAN IPv6 to any rule 6767 6516204 6109716448 2260226 281068737 4255978 5828647711 304
              
              TIMEOUTS:
              tcp.first                   120s
              tcp.opening                  30s
              tcp.established           86400s
              tcp.closing                 900s
              tcp.finwait                  45s
              tcp.closed                   90s
              tcp.tsdiff                   30s
              udp.first                    60s
              udp.single                   30s
              udp.multiple                 60s
              icmp.first                   20s
              icmp.error                   10s
              other.first                  60s
              other.single                 30s
              other.multiple               60s
              frag                         30s
              interval                     10s
              adaptive.start           115800 states
              adaptive.end             231600 states
              src.track                     0s
              
              LIMITS:
              states        hard limit   193000
              src-nodes     hard limit   193000
              frags         hard limit     5000
              table-entries hard limit   200000
              
              TABLES:
              bogons
              bogonsv6
              snort2c
              sshlockout
              virusprot
              webConfiguratorlockout
              
              OS FINGERPRINTS:
              710 fingerprints loaded
              