Can't ping IPv6 LAN interface



  • Hi,

    I'm new to pfSense and IPv6 but I have some understanding of firewalls. I've got IPv6 configured for xs4all.nl on a fiber-optic link.

    ping6 www.google.nl works from my laptop on the LAN
    ping6 2001:981:41db:0:2e0:4cff:fe68:27dc (my pfSense) works from the internet
    ping6 2001:981:41db:0:2e0:4cff:fe68:27dc does NOT work from my laptop (sometimes it does)

    However, ping6 to my firewall worked briefly after disabling the bogon network rule. Then it stopped working again after I enabled it again, and I haven't been able to get it to work since.

    The main reason I'm digging into this is that I've got some websites which sometimes hang and these are dual-stack sites. So my suspicion is the v6 setup.

    Any help is greatly appreciated.

    pfsense: 2.3.2-RELEASE

    System > Advanced > Networking > IPv6: checked

    WAN: PPPOE interface on VLAN 6 with prio 1
    WAN: IPv4 PPPoE, IPv6 DHCPv6, MTU 1492, req IPv6 prefix through v4, only req v6 prefix, /48 prefix, send v6 prefix hint, block private and bogon networks checked
    LAN: v4 static, v6 track WAN interface id 0, block private and bogon networks UNchecked
    Floating rule: ICMP v6 any any, pass, quick
    WAN: block RFC1918, block bogon
    LAN: anti lockout rule: 80, 443, 22 from LAN
    LAN: Allow all v4 and v6 traffic from LAN net

    Thx
    Frank

    Update:

    I get this pcap on the LAN interface for ICMPv6

    
    21:54:33.635858 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:33.635924 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:34.636090 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:34.636162 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:34.700012 IP6 fe80::6e40:8ff:fe94:9378 > fe80::1:1: ICMP6, neighbor solicitation, who has fe80::1:1, length 32
    21:54:34.700088 IP6 fe80::1:1 > fe80::6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is fe80::1:1, length 24
    21:54:36.057894 IP6 2001:981:41db:0:6e40:8ff:fe99:c308 > 2001:981:41db:0:2e0:4cff:fe68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    21:54:36.057983 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe99:c308: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 24
    21:54:36.435246 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 128
    21:54:36.636475 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
    
    

    I would have expected ICMP echo requests and replies but I don't see them.

    Update 2:

    I also can't ssh into the pfSense via v6 from the LAN and pinging my laptop from the pfSense is really slow

    
    [2.3.2-RELEASE][admin@fw.home]/root: ping6 fe80::6e40:8ff:fe94:9378%re1
    PING6(56=40+8+8 bytes) fe80::1:1%re1 --> fe80::6e40:8ff:fe94:9378%re1
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=0 hlim=64 time=2.375 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=1 hlim=64 time=1369.162 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=2 hlim=64 time=368.319 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=3 hlim=64 time=1044.073 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=4 hlim=64 time=45.291 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=5 hlim=64 time=333.452 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=6 hlim=64 time=1381.189 ms
    16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=7 hlim=64 time=380.344 ms
    
    

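The pattern in the first post's capture can be counted mechanically: the laptop re-sends a neighbor solicitation for the pfSense LAN address although each one is answered, and no echo request ever appears. This is an added example, not part of the original thread; the function names are illustrative, and the embedded capture lines are copied from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the LAN capture in the first post (tcpdump text output).
CAPTURE = """\
21:54:33.635858 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:33.635924 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.636090 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.636162 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:36.057894 IP6 2001:981:41db:0:6e40:8ff:fe99:c308 > 2001:981:41db:0:2e0:4cff:fe68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:36.057983 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe99:c308: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 24
21:54:36.636475 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
"""

# One tcpdump ICMPv6 line: timestamp, source, destination, message kind and,
# for neighbor discovery, the target address.
LINE = re.compile(
    r"^[\d:.]+ IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, (?P<kind>[a-z ]+)(?:, (?:who has|tgt is) (?P<tgt>[0-9a-f:]+))?"
)


def solicited_node(addr):
    """Solicited-node multicast group of addr: ff02::1:ff00:0/104 plus its low 24 bits."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


def parse(text):
    """Yield (src, dst, kind, target) for every ICMPv6 line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tgt = ipaddress.IPv6Address(m["tgt"]) if m["tgt"] else None
        yield (ipaddress.IPv6Address(m["src"]),
               ipaddress.IPv6Address(m["dst"]), m["kind"], tgt)


def summarize(text):
    """Count neighbor discovery and echo traffic per (sender, target) pair."""
    stats = defaultdict(lambda: {"ns": 0, "na": 0, "ns_after_na": 0,
                                 "echo_req": 0, "wrong_group": 0})
    for src, dst, kind, tgt in parse(text):
        if kind == "neighbor solicitation":
            s = stats[(src, tgt)]
            if s["na"]:
                # The target already answered this host, yet it asks again.
                s["ns_after_na"] += 1
            s["ns"] += 1
            if dst.is_multicast and dst != solicited_node(tgt):
                s["wrong_group"] += 1
        elif kind == "neighbor advertisement":
            stats[(dst, tgt)]["na"] += 1
        elif kind == "echo request":
            stats[(src, dst)]["echo_req"] += 1
    return dict(stats)


def stuck_pairs(stats, threshold=2):
    """Pairs that keep re-soliciting after answers and never send an echo request."""
    return [pair for pair, s in stats.items()
            if s["ns_after_na"] >= threshold and s["echo_req"] == 0]


if __name__ == "__main__":
    result = summarize(CAPTURE)
    for (host, target), s in result.items():
        print(f"{host} -> {target}: {s}")
    print("re-soliciting despite answers:", stuck_pairs(result))
```

Run against a longer capture, a pair reported by `stuck_pairs` is one where the advertisements leave the firewall but the solicitor behaves as if it never accepted them, which narrows the search to the path back to that host rather than the firewall's echo handling.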
  • LAYER 8 Global Moderator

    Are you saying when you ping your laptop via ipv4 it's fast? That sure looks to be some sort of wifi connection to me, with the all-over-the-board response times. Crappy wifi at that ;)

    So when you say you ping
    2001:981:41db:0:2e0:4cff:fe68:27dc

    is that what is on the pfsense lan or the wan interface?



  • @johnpoz: two issues. Not sure if they are related.

    1. ping pfSense LAN interface not working

    2001:981:41db:0:2e0:4cff:fe68:27dc is on the pfSense LAN interface. I cannot ping this address from the LAN but only from the WAN. See screenshots.

    2. ping laptop -> pfSense is fast, ping pfSense -> laptop is slow

    
    # laptop -> pfSense
    $ ping 192.168.178.1
    PING 192.168.178.1 (192.168.178.1): 56 data bytes
    64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=1.267 ms
    64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=1.481 ms
    64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=1.721 ms
    
    # pfSense -> laptop
    ping 192.168.178.67
    PING 192.168.178.67 (192.168.178.67): 56 data bytes
    64 bytes from 192.168.178.67: icmp_seq=0 ttl=64 time=3.474 ms
    64 bytes from 192.168.178.67: icmp_seq=1 ttl=64 time=1285.005 ms
    64 bytes from 192.168.178.67: icmp_seq=2 ttl=64 time=284.568 ms
    
    

    ![Screen Shot 2016-09-21 at 07.01.53.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.01.53.png)
    ![Screen Shot 2016-09-21 at 07.02.04.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.02.04.png)
    ![Screen Shot 2016-09-21 at 07.02.14.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.02.14.png)
    ![Screen Shot 2016-09-21 at 06.59.18.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 06.59.18.png)


  • LAYER 8 Global Moderator

    what is the global IP your laptop is getting for ipv6?



  • 
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    	ether 6c:40:08:94:93:78
    	inet6 fe80::6e40:8ff:fe94:9378%en0 prefixlen 64 scopeid 0x4
    	inet 192.168.178.67 netmask 0xffffff00 broadcast 192.168.178.255
    	inet6 2001:981:41db::6e40:8ff:fe94:9378 prefixlen 64 autoconf
    	inet6 2001:981:41db::74f0:5f67:73b9:a6e3 prefixlen 64 autoconf temporary
    	nd6 options=1<PERFORMNUD>
    	media: autoselect
    	status: active
    


  • and here the pfSense ifconfig -a, netstat -rn and pfctl -sa (sans STATE)

    
    [2.3.2-RELEASE][admin@fw.home]/root: ifconfig -a
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    	ether 00:e0:4c:68:27:db
    	inet6 fe80::2e0:4cff:fe68:27db%re0 prefixlen 64 scopeid 0x1
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    	ether 00:e0:4c:68:27:dc
    	inet 192.168.178.1 netmask 0xffffff00 broadcast 192.168.178.255
    	inet6 2001:981:41db:0:2e0:4cff:fe68:27dc prefixlen 64
    	inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    iwn0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
    	ether 00:1e:65:41:11:d1
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
    	status: no carrier
    pflog0: flags=100<PROMISC> metric 0 mtu 33160
    pfsync0: flags=0<> metric 0 mtu 1500
    	syncpeer: 224.0.0.240 maxupd: 128 defer: on
    	syncok: 1
    enc0: flags=0<> metric 0 mtu 1536
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    	inet 127.0.0.1 netmask 0xff000000
    	inet6 ::1 prefixlen 128
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    re0_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=3<RXCSUM,TXCSUM>
    	ether 00:e0:4c:68:27:db
    	inet6 fe80::2e0:4cff:fe68:27db%re0_vlan6 prefixlen 64 scopeid 0x8
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    	vlan: 6 vlanpcp: 1 parent interface: re0
    pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    	inet 82.161.239.242 --> 194.109.5.175 netmask 0xffffffff
    	inet6 fe80::2e0:4cff:fe68:27db%pppoe0 prefixlen 64 scopeid 0x9
    	inet6 fe80::2e0:4cff:fe68:27dc%pppoe0 prefixlen 64 scopeid 0x9
    	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    
    [2.3.2-RELEASE][admin@fw.home]/root: netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags      Netif Expire
    default            194.109.5.175      UGS      pppoe0
    82.161.239.242     link#9             UHS         lo0
    127.0.0.1          link#7             UH          lo0
    192.168.178.0/24   link#2             U           re1
    192.168.178.1      link#2             UHS         lo0
    194.109.5.175      link#9             UH       pppoe0
    194.109.6.66       194.109.5.175      UGHS     pppoe0
    194.109.9.99       194.109.5.175      UGHS     pppoe0
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           fe80::2a0:a50f:fc78:5530%pppoe0 UGS      pppoe0
    ::1                               link#7                        UH          lo0
    2001:981:41db::/64                link#2                        U           re1
    2001:981:41db:0:2e0:4cff:fe68:27dc link#2                        UHS         lo0
    fe80::2a0:a50f:fc78:5530          pppoe0                        UHS      pppoe0
    fe80::%re0/64                     link#1                        U           re0
    fe80::2e0:4cff:fe68:27db%re0      link#1                        UHS         lo0
    fe80::%re1/64                     link#2                        U           re1
    fe80::1:1%re1                     link#2                        UHS         lo0
    fe80::%lo0/64                     link#7                        U           lo0
    fe80::1%lo0                       link#7                        UHS         lo0
    fe80::%re0_vlan6/64               link#8                        U      re0_vlan
    fe80::2e0:4cff:fe68:27db%re0_vlan6 link#8                        UHS         lo0
    fe80::%pppoe0/64                  link#9                        U        pppoe0
    fe80::2e0:4cff:fe68:27db%pppoe0   link#9                        UHS         lo0
    fe80::2e0:4cff:fe68:27dc%pppoe0   link#9                        UHS         lo0
    ff01::%re0/32                     fe80::2e0:4cff:fe68:27db%re0  U           re0
    ff01::%re1/32                     2001:981:41db:0:2e0:4cff:fe68:27dc U           re1
    ff01::%lo0/32                     ::1                           U           lo0
    ff01::%re0_vlan6/32               fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan
    ff01::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0
    ff02::%re0/32                     fe80::2e0:4cff:fe68:27db%re0  U           re0
    ff02::%re1/32                     2001:981:41db:0:2e0:4cff:fe68:27dc U           re1
    ff02::%lo0/32                     ::1                           U           lo0
    ff02::%re0_vlan6/32               fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan
    ff02::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0
    
    [2.3.2-RELEASE][admin@fw.home]/root: pfctl -sa
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 82.161.239.242 static-port
    nat on pppoe0 inet from 192.168.178.0/24 to any port = isakmp -> 82.161.239.242 static-port
    nat on pppoe0 inet from 127.0.0.0/8 to any -> 82.161.239.242 port 1024:65535
    nat on pppoe0 inet from 192.168.178.0/24 to any -> 82.161.239.242 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr-anchor "miniupnpd" all
    
    FILTER RULES:
    scrub on pppoe0 all fragment reassemble
    scrub on re1 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick from <snort2c> to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
    block drop in log quick from <virusprot> to any label "virusprot overload table"
    pass in quick on pppoe0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
    pass in quick on pppoe0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
    pass out quick on pppoe0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
    block drop in log quick on pppoe0 from <bogons> to any label "block bogon IPv4 networks from WAN"
    block drop in log quick on pppoe0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27db to any
    block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27dc to any
    block drop in log on ! pppoe0 inet from 82.161.239.242 to any
    block drop in log inet from 82.161.239.242 to any
    block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    block drop in log on ! re1 inet6 from 2001:981:41db::/64 to any
    block drop in log inet6 from 2001:981:41db:0:2e0:4cff:fe68:27dc to any
    block drop in log on re1 inet6 from fe80::1:1 to any
    block drop in log on ! re1 inet from 192.168.178.0/24 to any
    block drop in log inet from 192.168.178.1 to any
    pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on re1 inet proto udp from any port = bootpc to 192.168.178.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on re1 inet proto udp from 192.168.178.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass quick on re1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass quick on re1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass in quick on re1 inet6 proto udp from fe80::/10 to 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass out quick on re1 inet6 proto udp from 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (pppoe0 194.109.5.175) inet from 82.161.239.242 to ! 82.161.239.242 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on pppoe0 route-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 from fe80::2e0:4cff:fe68:27dc to ! fe80::/48 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass quick inet6 proto ipv6-icmp all keep state label "USER_RULE"
    pass in quick on pppoe0 reply-to (pppoe0 194.109.5.175) inet proto icmp all keep state label "USER_RULE"
    pass in quick on pppoe0 reply-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 proto ipv6-icmp all keep state label "USER_RULE"
    pass in quick on re1 inet from 192.168.178.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on re1 inet6 from 2001:981:41db::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
    anchor "tftp-proxy/*" all
    No queue in use
    
    STATES:
    ---8<--- SNIP ---8<---
    
    ---8<--- SNIP ---8<---
    
    INFO:
    Status: Enabled for 0 days 23:20:46           Debug: Urgent
    
    Interface Stats for re1               IPv4             IPv6
      Bytes In                       212632837        283813782
      Bytes Out                     1492315433       5846016430
      Packets In
        Passed                         1142930          2278495
        Blocked                           2744             5972
      Packets Out
        Passed                         1257149          4286970
        Blocked                              0                0
    
    State Table                          Total             Rate
      current entries                      436
      searches                        18603154          221.3/s
      inserts                           182085            2.2/s
      removals                          181649            2.2/s
    Counters
      match                             216006            2.6/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                 11            0.0/s
      normalize                             18            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                             17            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                      1114            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
      divert                                 0            0.0/s
    
    LABEL COUNTERS:
    Block IPv4 link-local 212229 0 0 0 0 0 0 0
    Block IPv4 link-local 125632 0 0 0 0 0 0 0
    Default deny rule IPv4 125632 26832 7404811 26832 7404811 0 0 0
    Default deny rule IPv4 193922 0 0 0 0 0 0 0
    Default deny rule IPv6 212231 5978 952881 5978 952881 0 0 0
    Default deny rule IPv6 86600 15 996 0 0 15 996 0
    Block traffic from port 0 199428 0 0 0 0 0 0 0
    Block traffic from port 0 197965 0 0 0 0 0 0 0
    Block traffic to port 0 171550 0 0 0 0 0 0 0
    Block traffic to port 0 170884 0 0 0 0 0 0 0
    Block traffic from port 0 199431 0 0 0 0 0 0 0
    Block traffic from port 0 197345 0 0 0 0 0 0 0
    Block traffic to port 0 27884 0 0 0 0 0 0 0
    Block traffic to port 0 27758 0 0 0 0 0 0 0
    Block snort2c hosts 199430 0 0 0 0 0 0 0
    Block snort2c hosts 199428 0 0 0 0 0 0 0
    sshlockout 199434 0 0 0 0 0 0 0
    webConfiguratorlockout 34150 0 0 0 0 0 0 0
    virusprot overload table 139234 0 0 0 0 0 0 0
    allow dhcpv6 client in WAN 136973 0 0 0 0 0 0 0
    allow dhcpv6 client in WAN 24831 21 3801 21 3801 0 0 0
    allow dhcpv6 client out WAN 84300 24 3696 0 0 24 3696 0
    block bogon IPv4 networks from WAN 89023 0 0 0 0 0 0 0
    block bogon IPv6 networks from WAN 87735 0 0 0 0 0 0 0
    Block private networks from WAN block 10/8 127716 0 0 0 0 0 0 0
    Block private networks from WAN block 127/8 126622 0 0 0 0 0 0 0
    Block private networks from WAN block 172.16/12 126622 0 0 0 0 0 0 0
    Block private networks from WAN block 192.168/16 126622 0 0 0 0 0 0 0
    Block ULA networks from WAN block fc00::/7 126926 0 0 0 0 0 0 0
    allow access to DHCP server 124287 98 33136 98 33136 0 0 1
    allow access to DHCP server 217 434 165597 217 94421 217 71176 2
    allow access to DHCP server 139832 0 0 0 0 0 0 0
    allow access to DHCPv6 server 88724 0 0 0 0 0 0 0
    allow access to DHCPv6 server 0 0 0 0 0 0 0 0
    allow access to DHCPv6 server 0 0 0 0 0 0 0 0
    allow access to DHCPv6 server 3220 0 0 0 0 0 0 0
    allow access to DHCPv6 server 2633 0 0 0 0 0 0 0
    allow access to DHCPv6 server 2633 0 0 0 0 0 0 0
    pass IPv4 loopback 199120 40 3768 20 1268 20 2500 0
    pass IPv4 loopback 40 0 0 0 0 0 0 0
    pass IPv6 loopback 62 24 3696 24 3696 0 0 0
    pass IPv6 loopback 42 0 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 199096 96 8338 47 4807 49 3531 1
    let out anything IPv6 from firewall host itself 62436 6537294 6113385103 4265755 5831145973 2271539 282239130 493
    let out anything from firewall host itself 62427 2199794 1645496455 1183552 1451981118 1016242 193515337 796
    let out anything from firewall host itself 62437 0 0 0 0 0 0 0
    anti-lockout rule 202715 3175 2203691 1421 117700 1754 2085991 0
    anti-lockout rule 199961 3175 2203691 1421 117700 1754 2085991 0
    anti-lockout rule 199961 4734 2329089 2187 164329 2547 2164760 1
    USER_RULE 202669 295 16008 116 5584 179 10424 0
    USER_RULE 202605 36 1853 23 1351 13 502 0
    USER_RULE 199922 36 1853 23 1351 13 502 0
    USER_RULE: Default allow LAN to any rule 138935 2291258 1659445059 1087388 204607559 1203870 1454837500 1090
    USER_RULE: Default allow LAN IPv6 to any rule 6767 6516204 6109716448 2260226 281068737 4255978 5828647711 304
    
    TIMEOUTS:
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start           115800 states
    adaptive.end             231600 states
    src.track                     0s
    
    LIMITS:
    states        hard limit   193000
    src-nodes     hard limit   193000
    frags         hard limit     5000
    table-entries hard limit   200000
    
    TABLES:
    bogons
    bogonsv6
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout
    
    OS FINGERPRINTS:
    710 fingerprints loaded
    
