PfBlockerNG v. 2.1.1_4 not blocking IPv6?



  • Hello all,

    I am running pfBlockerNG v. 2.1.1_4 on 2.3.2-RELEASE (i386), and have selected countries to block using GeoIP.  I have allocated enough memory, and reloads and updates work fine with no errors.  Under prior versions, before the GeoIP2 changes I would regularly match and block inbound IPv6 packets.  With this latest version, which is the first GeoIP2 version I have running smoothly, I see no matches on IPv6 traffic at all.

    Am I missing something, or is something broken with respect to IPv6?

    (I know that blocking the world is discouraged, but it is my choice.  This post is not about that.)

    Attached is a snapshot of a portion of the pfBlockerNG dashboard which shows the blocked packet counts at zero for IPv6.

    Cheers,
    Bennett
    ![Screen Shot 2016-09-22 at 12.24.52 PM.png](/public/imported_attachments/1/Screen Shot 2016-09-22 at 12.24.52 PM.png)


  • Moderator

    Hi,

    It shows that you have one rule for each Alias… So I assume that you're blocking outbound traffic...

    You will only get alerts for IPv6, if a device on the LAN is making an IPv6 request to an IP that is in the Blocklist...

    Also ensure that the Block rules are above any Permit rules (typically speaking)...



  • @BBcan177:

    It shows that you have one rule for each Alias… So I assume that you're blocking outbound traffic...

    To the contrary, I am blocking inbound and using floating rules.  The blocked packet counts for IPv4  in the dashboard snapshot above indicate that inbound IPv4 blocking is working correctly.  Here is a snippet of the GeoIP config for Asia.  It seems that something is amiss with inbound IPv6 blocking.

    Cheers,
    Bennett

    ![Screen Shot 2016-09-24 at 12.46.50 AM.png](/public/imported_attachments/1/Screen Shot 2016-09-24 at 12.46.50 AM.png)


  • Moderator

    @bfeitell:

    @BBcan177:

    It shows that you have one rule for each Alias… So I assume that you're blocking outbound traffic...

    To the contrary, I am blocking inbound and using floating rules.  The blocked packet counts for IPv4  in the dashboard snapshot above indicate that inbound IPv4 blocking is working correctly.  Here is a snippet of the GeoIP config for Asia.  It seems that something is amiss with inbound IPv6 blocking.

    Cheers,
    Bennett

    Keep in mind that if you do not have any Open ports on the WAN, then a Blanket block for All Inbound ports doesn't do anything, except fill your widget/logs with noise that is already being blocked by the Inbound Implicit block rule (Unsolicited Inbound traffic)... Not to mention slowing down your network unnecessarily...

    So I would recommend only blocking the Open Inbound WAN ports...

    Also recommended to block the Outbound, since you may not want your Internal LAN making a request to any of those GeoIPs that you selected... Just because you're blocking the Inbound, that won't stop a LAN device from communicating with those blocked GeoIPs since the outbound traffic will create a firewall state, that bypasses those block rules....

    For the IPv6, I guess there is no traffic hitting it? Or you might have IPv6 disabled?  Also ensure that "Logging" is enabled for those rules...



  • @BBcan177:

    For the IPv6, I guess there is no traffic hitting it? Or you might have IPv6 disabled?  Also ensure that "Logging" is enabled for those rules…

    There is something funny going on.  It may not be your pfBlockerNG that is at fault.  Upon deeper investigation, I suspect that there is something wrong with IPv6 logging on 2.3.2-RELEASE.  I see no IPv6 traffic in either the pfBlockerNG alerts interface, or the firewall log.  Pfinfo shows high packet counts indicating that blocking is occurring, but the blocked packets just don't seem to be registering in the logs.  I definitely have functional IPv6 connectivity, although it is via a tunnel broker.  Log default blocks is active, and I don't even see those happening.

    This is a sanitized ping run from the pfSense command line:

    ```
    /root: ping6 -c3 ipv6.google.com
    PING6(56=40+8+8 bytes) 2f00:f000:f000:f000::2 -> 2607:f8b0:4006:80a::200e
    16 bytes from 2607:f8b0:4006:80a::200e, icmp_seq=0 hlim=59 time=23.569 ms
    16 bytes from 2607:f8b0:4006:80a::200e, icmp_seq=1 hlim=59 time=23.548 ms
    16 bytes from 2607:f8b0:4006:80a::200e, icmp_seq=2 hlim=59 time=23.593 ms

    --- ipv6.l.google.com ping6 statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 23.548/23.570/23.593/0.018 ms
    ```

    In prior releases I definitely saw blocked IPv6 packets getting logged.

    Cheers,
    Bennett


  • Moderator

    @bfeitell:

    In prior releases I definitely saw blocked IPv6 packets getting logged.

    I haven't seen any other threads about this issue? Maybe post in the IPv6 section? Or Redmine?

    Check the WAN rules, maybe there is a permit rule above the Block rules? Or add a temporary rule on the WAN to block all IPv6 traffic (with logging enabled) and see if that logs?  Are you using "Adv. In/Outbound" settings in pfBlockerNG… If so, check the "Protocol" setting...

    Not sure what else to suggest...
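    The two observations above, Bennett's pfinfo counters climbing with nothing in the logs and BBcan177's reminder to confirm that "Logging" is enabled on the block rules, can be checked from the pfSense shell. The script below is an added example, not code from this thread, from pfSense or from pfBlockerNG: it reads `pfctl -vsr` output and flags every `inet6` block rule that has a non-zero packet counter but no `log` keyword, i.e. rules that drop traffic pf will never write to pflog. It assumes the standard rule-line-followed-by-counter-line layout shown in the constructed sample; the table names and counters there are made up.

    ```shell
    #!/bin/sh
    # Added diagnostic (not part of the thread, pfSense or pfBlockerNG):
    # find IPv6 block rules that drop packets but carry no "log" keyword.
    # That combination produces exactly the symptom in the thread: rule
    # counters in pfinfo climb, yet nothing reaches the firewall log or
    # the pfBlockerNG alerts tab.
    #
    # Input is `pfctl -vsr` text on stdin. On a live firewall:
    #     pfctl -vsr | audit_v6_rules

    audit_v6_rules() {
      awk '
        # A rule line begins with the action keyword. Remember the rule
        # text, whether it is an inet6 rule, and whether it has "log".
        /^(block|pass|match)/ {
          rule  = $0
          isv6  = ($0 ~ / inet6 /) ? 1 : 0
          islog = ($0 ~ / log /)   ? 1 : 0
          next
        }
        # The counter line follows each rule:
        #   [ Evaluations: N  Packets: M  Bytes: B  States: S ]
        /^[ \t]*\[ Evaluations:/ {
          pkts = 0
          for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
          if (isv6 && pkts > 0 && !islog) {
            n++
            printf "UNLOGGED (%s packets): %s\n", pkts, rule
          }
          isv6 = 0; islog = 0
        }
        END { printf "unlogged_v6_rules=%d\n", n + 0 }
      '
    }

    # Constructed sample of pfctl -vsr output (made-up tables and counters):
    # one logged v6 block, one UNLOGGED v6 block, one logged v4 block and a
    # v6 pass rule that has matched nothing.
    sample_pfctl_output() {
      cat <<'EOF'
    block drop in log quick on em0 inet6 from <pfB_Asia_v6> to any label "USER_RULE: pfB_Asia_v6 auto rule"
      [ Evaluations: 4021      Packets: 37        Bytes: 2960        States: 0     ]
      [ Inserted: uid 0 pid 8123 State Creations: 0     ]
    block drop in quick on em0 inet6 from <pfB_Europe_v6> to any label "USER_RULE: pfB_Europe_v6 auto rule"
      [ Evaluations: 4021      Packets: 112       Bytes: 9856        States: 0     ]
      [ Inserted: uid 0 pid 8123 State Creations: 0     ]
    block drop in log quick on em0 inet from <pfB_Asia_v4> to any label "USER_RULE: pfB_Asia_v4 auto rule"
      [ Evaluations: 9888      Packets: 503       Bytes: 40240       States: 0     ]
      [ Inserted: uid 0 pid 8123 State Creations: 0     ]
    pass in quick on em0 inet6 proto tcp from any to any port = 443 flags S/SA keep state
      [ Evaluations: 200       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 8123 State Creations: 0     ]
    EOF
    }

    # Demonstration on the constructed sample: reports only pfB_Europe_v6.
    sample_pfctl_output | audit_v6_rules
    ```

    If every `inet6` block rule already carries `log` and the counters still climb silently, watch the log interface itself with `tcpdump -n -e -ttt -i pflog0 ip6`: IPv6 drops that show up there but never appear in the GUI point at the log reader rather than at pf's rules.
    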



  • I know this thread is old but I have the same issue on two different machines. I'm using pfSense 2.4.5 stable and pfBlocker-NG devel 2.2.5_32. The IPv6 filtering works fine but I don't get any logs showing this.

    If I click on the "37" for the matched IPv6 addresses it shows nothing.

    (attachments: Unbenannt.JPG, Unbenannt2.JPG)

