Netgate Discussion Forum

    Can't ping IPv6 LAN interface

    IPv6
    magiconair

      Hi,

      I'm new to pfSense and IPv6 but I have some understanding of firewalls. I've got IPv6 configured for xs4all.nl on a fiber-optic link.

      ping6 www.google.nl works from my laptop on the LAN
      ping6 2001:981:41db:0:2e0:4cff:fe68:27dc (my pfSense) works from the internet
      ping6 2001:981:41db:0:2e0:4cff:fe68:27dc does NOT work from my laptop (sometimes it does)

      However, ping6 to my firewall worked briefly after disabling the bogon network rule. Then it stopped working again after I enabled it again, and I haven't been able to get it to work since.

      The main reason I'm digging into this is that I've got some websites which sometimes hang and these are dual-stack sites. So my suspicion is the v6 setup.

      Any help is greatly appreciated.

      pfsense: 2.3.2-RELEASE

      System > Advanced > Networking > IPv6: checked

      WAN: PPPOE interface on VLAN 6 with prio 1
      WAN: IPv4 PPPoE, IPv6 DHCPv6, MTU 1492, req IPv6 prefix through v4, only req v6 prefix, /48 prefix, send v6 prefix hint, block private and bogon networks checked
      LAN: v4 static, v6 track WAN interface id 0, block private and bogon networks UNchecked
      Floating rule: ICMP v6 any any, pass, quick
      WAN: block RFC1918, block bogon
      LAN: anti lockout rule: 80, 443, 22 from LAN
      LAN: Allow all v4 and v6 traffic from LAN net

      Thx
      Frank

      Update:

      I get this pcap on the LAN interface for ICMPv6

      
      21:54:33.635858 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
      21:54:33.635924 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
      21:54:34.636090 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
      21:54:34.636162 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
      21:54:34.700012 IP6 fe80::6e40:8ff:fe94:9378 > fe80::1:1: ICMP6, neighbor solicitation, who has fe80::1:1, length 32
      21:54:34.700088 IP6 fe80::1:1 > fe80::6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is fe80::1:1, length 24
      21:54:36.057894 IP6 2001:981:41db:0:6e40:8ff:fe99:c308 > 2001:981:41db:0:2e0:4cff:fe68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
      21:54:36.057983 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe99:c308: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 24
      21:54:36.435246 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 128
      21:54:36.636475 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
      
      

      I would have expected ICMP echo requests and replies but I don't see them.

      Update 2:

      I also can't ssh into the pfSense via v6 from the LAN, and pinging my laptop from the pfSense is really slow.

      
      [2.3.2-RELEASE][admin@fw.home]/root: ping6 fe80::6e40:8ff:fe94:9378%re1
      PING6(56=40+8+8 bytes) fe80::1:1%re1 --> fe80::6e40:8ff:fe94:9378%re1
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=0 hlim=64 time=2.375 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=1 hlim=64 time=1369.162 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=2 hlim=64 time=368.319 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=3 hlim=64 time=1044.073 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=4 hlim=64 time=45.291 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=5 hlim=64 time=333.452 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=6 hlim=64 time=1381.189 ms
      16 bytes from fe80::6e40:8ff:fe94:9378%re1, icmp_seq=7 hlim=64 time=380.344 ms
      
      
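An added diagnostic, not part of the thread: a Python script that parses tcpdump ICMPv6 lines like the capture above and reports the two things worth checking in it, a host that keeps re-soliciting the same neighbor at the 1 s retransmit interval even though advertisements are sent back to it, and the absence of any echo traffic. The sample input is the capture from the post; the LAN prefix passed in is taken from the addresses quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Input: the ICMPv6 capture quoted in the post above (reproduced here as test data).
SAMPLE = """\
21:54:33.635858 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:33.635924 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.636090 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.636162 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:34.700012 IP6 fe80::6e40:8ff:fe94:9378 > fe80::1:1: ICMP6, neighbor solicitation, who has fe80::1:1, length 32
21:54:34.700088 IP6 fe80::1:1 > fe80::6e40:8ff:fe94:9378: ICMP6, neighbor advertisement, tgt is fe80::1:1, length 24
21:54:36.057894 IP6 2001:981:41db:0:6e40:8ff:fe99:c308 > 2001:981:41db:0:2e0:4cff:fe68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
21:54:36.057983 IP6 2001:981:41db:0:2e0:4cff:fe68:27dc > 2001:981:41db:0:6e40:8ff:fe99:c308: ICMP6, neighbor advertisement, tgt is 2001:981:41db:0:2e0:4cff:fe68:27dc, length 24
21:54:36.435246 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 128
21:54:36.636475 IP6 2001:981:41db:0:6e40:8ff:fe94:9378 > ff02::1:ff68:27dc: ICMP6, neighbor solicitation, who has 2001:981:41db:0:2e0:4cff:fe68:27dc, length 32
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+?): ICMP6, (?P<kind>[^,]+)"
)
TARGET_RE = re.compile(r"(?:who has|tgt is) (\S+?),")


def to_seconds(ts):
    """'21:54:33.635858' -> seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_nd(text):
    """Parse tcpdump ICMP6 lines into events: ts, src, dst, kind, target.
    Addresses become IPv6Address so 2001:981:41db::x and 2001:981:41db:0:x compare equal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = TARGET_RE.search(line)
        events.append({
            "ts": to_seconds(m.group("ts")),
            "src": ipaddress.IPv6Address(m.group("src")),
            "dst": ipaddress.IPv6Address(m.group("dst")),
            "kind": m.group("kind").strip(),
            "target": ipaddress.IPv6Address(t.group(1)) if t else None,
        })
    return events


def analyze(events):
    """Per (solicitor, target): NS sent, unicast NA delivered back to the solicitor, and NS
    sent *after* an NA had already been delivered. A host that keeps retransmitting at the
    1 s RetransTimer despite answers is not accepting or caching the advertisement."""
    stats = defaultdict(lambda: {"ns": 0, "na": 0, "ns_after_na": 0, "last_na": None})
    for ev in events:
        if ev["kind"] == "neighbor solicitation":
            s = stats[(ev["src"], ev["target"])]
            s["ns"] += 1
            if s["last_na"] is not None and ev["ts"] > s["last_na"]:
                s["ns_after_na"] += 1
        elif ev["kind"] == "neighbor advertisement":
            # the NA is addressed to the host whose NS it answers
            s = stats[(ev["dst"], ev["target"])]
            s["na"] += 1
            s["last_na"] = ev["ts"]
    return stats


def pair_stats(text, host, target):
    """(ns, na, ns_after_na) for one solicitor/target pair given as address strings."""
    s = analyze(parse_nd(text))[(ipaddress.IPv6Address(host), ipaddress.IPv6Address(target))]
    return (s["ns"], s["na"], s["ns_after_na"])


def findings(events, lan_prefix):
    """Human-readable diagnostics for a LAN-side ND capture."""
    out = []
    for (host, tgt), s in analyze(events).items():
        if s["ns"] and not s["na"]:
            out.append(f"{host} solicited {tgt} {s['ns']}x and was never answered")
        elif s["ns_after_na"]:
            out.append(f"{host} re-solicited {tgt} {s['ns_after_na']}x after an NA was sent "
                       "to it: the host is not accepting the advertisement")
    if not any(e["kind"].startswith("echo") for e in events):
        out.append("no ICMPv6 echo request/reply seen: ping never got past neighbor discovery")
    net = ipaddress.IPv6Network(lan_prefix)
    for host in sorted({e["src"] for e in events}):
        if not (host.is_link_local or host.is_multicast or host.is_loopback) and host not in net:
            out.append(f"{host} is not inside the LAN prefix {lan_prefix}")
    return out


if __name__ == "__main__":
    for line in findings(parse_nd(SAMPLE), "2001:981:41db::/64"):
        print(line)
```

Feed it `tcpdump -ni re1 icmp6` output from the LAN side; a pair that shows up with a non-zero third number is the host to look at, not the firewall.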
      johnpoz (LAYER 8 Global Moderator)

        Are you saying that when you ping your laptop via IPv4 it's fast? That sure looks to be some sort of wifi connection to me, with the all-over-the-board response times. Crappy wifi at that ;)

        So when you say you ping
        2001:981:41db:0:2e0:4cff:fe68:27dc

        is that what is on the pfsense lan or the wan interface?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        magiconair

          @johnpoz: two issues. Not sure if they are related.

          1. ping pfSense LAN interface not working

          2001:981:41db:0:2e0:4cff:fe68:27dc is on the pfSense LAN interface. I cannot ping this address from the LAN but only from the WAN. See screenshots.

          2. ping laptop -> pfSense is fast, ping pfSense -> laptop is slow

          
          # laptop -> pfSense
          $ ping 192.168.178.1
          PING 192.168.178.1 (192.168.178.1): 56 data bytes
          64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=1.267 ms
          64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=1.481 ms
          64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=1.721 ms
          
          # pfSense -> laptop
          ping 192.168.178.67
          PING 192.168.178.67 (192.168.178.67): 56 data bytes
          64 bytes from 192.168.178.67: icmp_seq=0 ttl=64 time=3.474 ms
          64 bytes from 192.168.178.67: icmp_seq=1 ttl=64 time=1285.005 ms
          64 bytes from 192.168.178.67: icmp_seq=2 ttl=64 time=284.568 ms
          
          

          ![Screen Shot 2016-09-21 at 07.01.53.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.01.53.png)
          ![Screen Shot 2016-09-21 at 07.02.04.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.02.04.png)
          ![Screen Shot 2016-09-21 at 07.02.14.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 07.02.14.png)
          ![Screen Shot 2016-09-21 at 06.59.18.png](/public/imported_attachments/1/Screen Shot 2016-09-21 at 06.59.18.png)

          johnpoz (LAYER 8 Global Moderator)

            What is the global IP your laptop is getting for IPv6?


            magiconair

              
              en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              	ether 6c:40:08:94:93:78
              	inet6 fe80::6e40:8ff:fe94:9378%en0 prefixlen 64 scopeid 0x4
              	inet 192.168.178.67 netmask 0xffffff00 broadcast 192.168.178.255
              	inet6 2001:981:41db::6e40:8ff:fe94:9378 prefixlen 64 autoconf
              	inet6 2001:981:41db::74f0:5f67:73b9:a6e3 prefixlen 64 autoconf temporary
              	nd6 options=1<PERFORMNUD>
              	media: autoselect
              	status: active
              
              magiconair

                and here is the pfSense ifconfig -a, netstat -rn and pfctl -sa (sans STATE)

                
                [2.3.2-RELEASE][admin@fw.home]/root: ifconfig -a
                re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
                	ether 00:e0:4c:68:27:db
                	inet6 fe80::2e0:4cff:fe68:27db%re0 prefixlen 64 scopeid 0x1
                	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                	media: Ethernet autoselect (100baseTX <full-duplex>)
                	status: active
                re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
                	ether 00:e0:4c:68:27:dc
                	inet 192.168.178.1 netmask 0xffffff00 broadcast 192.168.178.255
                	inet6 2001:981:41db:0:2e0:4cff:fe68:27dc prefixlen 64
                	inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2
                	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                	media: Ethernet autoselect (1000baseT <full-duplex>)
                	status: active
                iwn0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
                	ether 00:1e:65:41:11:d1
                	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                	media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
                	status: no carrier
                pflog0: flags=100<PROMISC> metric 0 mtu 33160
                pfsync0: flags=0<> metric 0 mtu 1500
                	syncpeer: 224.0.0.240 maxupd: 128 defer: on
                	syncok: 1
                enc0: flags=0<> metric 0 mtu 1536
                	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
                	inet 127.0.0.1 netmask 0xff000000
                	inet6 ::1 prefixlen 128
                	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
                	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                re0_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                	options=3<RXCSUM,TXCSUM>
                	ether 00:e0:4c:68:27:db
                	inet6 fe80::2e0:4cff:fe68:27db%re0_vlan6 prefixlen 64 scopeid 0x8
                	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                	media: Ethernet autoselect (100baseTX <full-duplex>)
                	status: active
                	vlan: 6 vlanpcp: 1 parent interface: re0
                pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
                	inet 82.161.239.242 --> 194.109.5.175 netmask 0xffffffff
                	inet6 fe80::2e0:4cff:fe68:27db%pppoe0 prefixlen 64 scopeid 0x9
                	inet6 fe80::2e0:4cff:fe68:27dc%pppoe0 prefixlen 64 scopeid 0x9
                	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

                [2.3.2-RELEASE][admin@fw.home]/root: netstat -rn
                Routing tables
                
                Internet:
                Destination        Gateway            Flags      Netif Expire
                default            194.109.5.175      UGS      pppoe0
                82.161.239.242     link#9             UHS         lo0
                127.0.0.1          link#7             UH          lo0
                192.168.178.0/24   link#2             U           re1
                192.168.178.1      link#2             UHS         lo0
                194.109.5.175      link#9             UH       pppoe0
                194.109.6.66       194.109.5.175      UGHS     pppoe0
                194.109.9.99       194.109.5.175      UGHS     pppoe0
                
                Internet6:
                Destination                       Gateway                       Flags      Netif Expire
                default                           fe80::2a0:a50f:fc78:5530%pppoe0 UGS      pppoe0
                ::1                               link#7                        UH          lo0
                2001:981:41db::/64                link#2                        U           re1
                2001:981:41db:0:2e0:4cff:fe68:27dc link#2                        UHS         lo0
                fe80::2a0:a50f:fc78:5530          pppoe0                        UHS      pppoe0
                fe80::%re0/64                     link#1                        U           re0
                fe80::2e0:4cff:fe68:27db%re0      link#1                        UHS         lo0
                fe80::%re1/64                     link#2                        U           re1
                fe80::1:1%re1                     link#2                        UHS         lo0
                fe80::%lo0/64                     link#7                        U           lo0
                fe80::1%lo0                       link#7                        UHS         lo0
                fe80::%re0_vlan6/64               link#8                        U      re0_vlan
                fe80::2e0:4cff:fe68:27db%re0_vlan6 link#8                        UHS         lo0
                fe80::%pppoe0/64                  link#9                        U        pppoe0
                fe80::2e0:4cff:fe68:27db%pppoe0   link#9                        UHS         lo0
                fe80::2e0:4cff:fe68:27dc%pppoe0   link#9                        UHS         lo0
                ff01::%re0/32                     fe80::2e0:4cff:fe68:27db%re0  U           re0
                ff01::%re1/32                     2001:981:41db:0:2e0:4cff:fe68:27dc U           re1
                ff01::%lo0/32                     ::1                           U           lo0
                ff01::%re0_vlan6/32               fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan
                ff01::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0
                ff02::%re0/32                     fe80::2e0:4cff:fe68:27db%re0  U           re0
                ff02::%re1/32                     2001:981:41db:0:2e0:4cff:fe68:27dc U           re1
                ff02::%lo0/32                     ::1                           U           lo0
                ff02::%re0_vlan6/32               fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan
                ff02::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0
                
                [2.3.2-RELEASE][admin@fw.home]/root: pfctl -sa
                TRANSLATION RULES:
                no nat proto carp all
                nat-anchor "natearly/*" all
                nat-anchor "natrules/*" all
                nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 82.161.239.242 static-port
                nat on pppoe0 inet from 192.168.178.0/24 to any port = isakmp -> 82.161.239.242 static-port
                nat on pppoe0 inet from 127.0.0.0/8 to any -> 82.161.239.242 port 1024:65535
                nat on pppoe0 inet from 192.168.178.0/24 to any -> 82.161.239.242 port 1024:65535
                no rdr proto carp all
                rdr-anchor "relayd/*" all
                rdr-anchor "tftp-proxy/*" all
                rdr-anchor "miniupnpd" all
                
                FILTER RULES:
                scrub on pppoe0 all fragment reassemble
                scrub on re1 all fragment reassemble
                anchor "relayd/*" all
                anchor "openvpn/*" all
                anchor "ipsec/*" all
                block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
                block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
                block drop in log inet all label "Default deny rule IPv4"
                block drop out log inet all label "Default deny rule IPv4"
                block drop in log inet6 all label "Default deny rule IPv6"
                block drop out log inet6 all label "Default deny rule IPv6"
                pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
                pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
                pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
                pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
                block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
                block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
                block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
                block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
                block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
                block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
                block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
                block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
                block drop log quick from <snort2c> to any label "Block snort2c hosts"
                block drop log quick from any to <snort2c> label "Block snort2c hosts"
                block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
                block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
                block drop in log quick from <virusprot> to any label "virusprot overload table"
                pass in quick on pppoe0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
                pass in quick on pppoe0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
                pass out quick on pppoe0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
                block drop in log quick on pppoe0 from <bogons> to any label "block bogon IPv4 networks from WAN"
                block drop in log quick on pppoe0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
                block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27db to any
                block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27dc to any
                block drop in log on ! pppoe0 inet from 82.161.239.242 to any
                block drop in log inet from 82.161.239.242 to any
                block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                block drop in log on ! re1 inet6 from 2001:981:41db::/64 to any
                block drop in log inet6 from 2001:981:41db:0:2e0:4cff:fe68:27dc to any
                block drop in log on re1 inet6 from fe80::1:1 to any
                block drop in log on ! re1 inet from 192.168.178.0/24 to any
                block drop in log inet from 192.168.178.1 to any
                pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
                pass in quick on re1 inet proto udp from any port = bootpc to 192.168.178.1 port = bootps keep state label "allow access to DHCP server"
                pass out quick on re1 inet proto udp from 192.168.178.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
                pass quick on re1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
                pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
                pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
                pass quick on re1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
                pass in quick on re1 inet6 proto udp from fe80::/10 to 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-client keep state label "allow access to DHCPv6 server"
                pass out quick on re1 inet6 proto udp from 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
                pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
                pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
                pass out route-to (pppoe0 194.109.5.175) inet from 82.161.239.242 to ! 82.161.239.242 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                pass out on pppoe0 route-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 from fe80::2e0:4cff:fe68:27dc to ! fe80::/48 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
                pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
                pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
                anchor "userrules/*" all
                pass quick inet6 proto ipv6-icmp all keep state label "USER_RULE"
                pass in quick on pppoe0 reply-to (pppoe0 194.109.5.175) inet proto icmp all keep state label "USER_RULE"
                pass in quick on pppoe0 reply-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 proto ipv6-icmp all keep state label "USER_RULE"
                pass in quick on re1 inet from 192.168.178.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
                pass in quick on re1 inet6 from 2001:981:41db::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
                anchor "tftp-proxy/*" all
                No queue in use
                
                STATES:
                ---8<--- SNIP ---8<---
                
                ---8<--- SNIP ---8<---
                
                INFO:
                Status: Enabled for 0 days 23:20:46           Debug: Urgent
                
                Interface Stats for re1               IPv4             IPv6
                  Bytes In                       212632837        283813782
                  Bytes Out                     1492315433       5846016430
                  Packets In
                    Passed                         1142930          2278495
                    Blocked                           2744             5972
                  Packets Out
                    Passed                         1257149          4286970
                    Blocked                              0                0
                
                State Table                          Total             Rate
                  current entries                      436
                  searches                        18603154          221.3/s
                  inserts                           182085            2.2/s
                  removals                          181649            2.2/s
                Counters
                  match                             216006            2.6/s
                  bad-offset                             0            0.0/s
                  fragment                               0            0.0/s
                  short                                 11            0.0/s
                  normalize                             18            0.0/s
                  memory                                 0            0.0/s
                  bad-timestamp                          0            0.0/s
                  congestion                             0            0.0/s
                  ip-option                             17            0.0/s
                  proto-cksum                            0            0.0/s
                  state-mismatch                      1114            0.0/s
                  state-insert                           0            0.0/s
                  state-limit                            0            0.0/s
                  src-limit                              0            0.0/s
                  synproxy                               0            0.0/s
                  divert                                 0            0.0/s
                
                LABEL COUNTERS:
                Block IPv4 link-local 212229 0 0 0 0 0 0 0
                Block IPv4 link-local 125632 0 0 0 0 0 0 0
                Default deny rule IPv4 125632 26832 7404811 26832 7404811 0 0 0
                Default deny rule IPv4 193922 0 0 0 0 0 0 0
                Default deny rule IPv6 212231 5978 952881 5978 952881 0 0 0
                Default deny rule IPv6 86600 15 996 0 0 15 996 0
                Block traffic from port 0 199428 0 0 0 0 0 0 0
                Block traffic from port 0 197965 0 0 0 0 0 0 0
                Block traffic to port 0 171550 0 0 0 0 0 0 0
                Block traffic to port 0 170884 0 0 0 0 0 0 0
                Block traffic from port 0 199431 0 0 0 0 0 0 0
                Block traffic from port 0 197345 0 0 0 0 0 0 0
                Block traffic to port 0 27884 0 0 0 0 0 0 0
                Block traffic to port 0 27758 0 0 0 0 0 0 0
                Block snort2c hosts 199430 0 0 0 0 0 0 0
                Block snort2c hosts 199428 0 0 0 0 0 0 0
                sshlockout 199434 0 0 0 0 0 0 0
                webConfiguratorlockout 34150 0 0 0 0 0 0 0
                virusprot overload table 139234 0 0 0 0 0 0 0
                allow dhcpv6 client in WAN 136973 0 0 0 0 0 0 0
                allow dhcpv6 client in WAN 24831 21 3801 21 3801 0 0 0
                allow dhcpv6 client out WAN 84300 24 3696 0 0 24 3696 0
                block bogon IPv4 networks from WAN 89023 0 0 0 0 0 0 0
                block bogon IPv6 networks from WAN 87735 0 0 0 0 0 0 0
                Block private networks from WAN block 10/8 127716 0 0 0 0 0 0 0
                Block private networks from WAN block 127/8 126622 0 0 0 0 0 0 0
                Block private networks from WAN block 172.16/12 126622 0 0 0 0 0 0 0
                Block private networks from WAN block 192.168/16 126622 0 0 0 0 0 0 0
                Block ULA networks from WAN block fc00::/7 126926 0 0 0 0 0 0 0
                allow access to DHCP server 124287 98 33136 98 33136 0 0 1
                allow access to DHCP server 217 434 165597 217 94421 217 71176 2
                allow access to DHCP server 139832 0 0 0 0 0 0 0
                allow access to DHCPv6 server 88724 0 0 0 0 0 0 0
                allow access to DHCPv6 server 0 0 0 0 0 0 0 0
                allow access to DHCPv6 server 0 0 0 0 0 0 0 0
                allow access to DHCPv6 server 3220 0 0 0 0 0 0 0
                allow access to DHCPv6 server 2633 0 0 0 0 0 0 0
                allow access to DHCPv6 server 2633 0 0 0 0 0 0 0
                pass IPv4 loopback 199120 40 3768 20 1268 20 2500 0
                pass IPv4 loopback 40 0 0 0 0 0 0 0
                pass IPv6 loopback 62 24 3696 24 3696 0 0 0
                pass IPv6 loopback 42 0 0 0 0 0 0 0
                let out anything IPv4 from firewall host itself 199096 96 8338 47 4807 49 3531 1
                let out anything IPv6 from firewall host itself 62436 6537294 6113385103 4265755 5831145973 2271539 282239130 493
                let out anything from firewall host itself 62427 2199794 1645496455 1183552 1451981118 1016242 193515337 796
                let out anything from firewall host itself 62437 0 0 0 0 0 0 0
                anti-lockout rule 202715 3175 2203691 1421 117700 1754 2085991 0
                anti-lockout rule 199961 3175 2203691 1421 117700 1754 2085991 0
                anti-lockout rule 199961 4734 2329089 2187 164329 2547 2164760 1
                USER_RULE 202669 295 16008 116 5584 179 10424 0
                USER_RULE 202605 36 1853 23 1351 13 502 0
                USER_RULE 199922 36 1853 23 1351 13 502 0
                USER_RULE: Default allow LAN to any rule 138935 2291258 1659445059 1087388 204607559 1203870 1454837500 1090
                USER_RULE: Default allow LAN IPv6 to any rule 6767 6516204 6109716448 2260226 281068737 4255978 5828647711 304
                
                TIMEOUTS:
                tcp.first                   120s
                tcp.opening                  30s
                tcp.established           86400s
                tcp.closing                 900s
                tcp.finwait                  45s
                tcp.closed                   90s
                tcp.tsdiff                   30s
                udp.first                    60s
                udp.single                   30s
                udp.multiple                 60s
                icmp.first                   20s
                icmp.error                   10s
                other.first                  60s
                other.single                 30s
                other.multiple               60s
                frag                         30s
                interval                     10s
                adaptive.start           115800 states
                adaptive.end             231600 states
                src.track                     0s
                
                LIMITS:
                states        hard limit   193000
                src-nodes     hard limit   193000
                frags         hard limit     5000
                table-entries hard limit   200000
                
                TABLES:
                bogons
                bogonsv6
                snort2c
                sshlockout
                virusprot
                webConfiguratorlockout
                
                OS FINGERPRINTS:
                710 fingerprints loaded
                