Firewall Log Overrun with IPv6 Errors I can't get rid of
-
Thanks Chpalmer….
Go back to that box you checked and read the whole option..
maybe they need to re-label that box but all it does is block ipv6 traffic. Does not actually stop the box or anything connected to it from trying. Nevermind renaming as it already details what it does.
Learn the rule structure.. learn to love the rules structure.
Edit- Looking at the "system/advanced/networking" tab..
Allow IPv6 All IPv6 traffic will be blocked by the firewall unless this box is checked
NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.
Pretty self explanatory.. All you're doing by clicking the box is making sure you can't override the default block rule already in place.
That makes it much much clearer - for some reason I missed the NOTE. I don't remember it being there when I first set things up several months ago (v2.3.RC?). Maybe it was and I just forgot. It was only once Johnpoz gave me pfctl -vvsr so I could see what is going on under the hood that the light went on.
Then as Johnpoz said..
If you enable IPv6, and then do not actually enable it on any interface. It's the same as block rule..
Begins to make sense… right? You're better off going to each interface and setting IPv6 as None. And then also go to each workstation and set them as None.
This is a point that I missed… if every interface is set to IPv4 only... no way for IPv6 to get in.
Another question.. Do you even have a routable IPv6 address on your WAN?
Since I'm just testing, all I have is one box connected to pfSense. It's Linux, and I just figured out how to disable IPv6 yesterday. I was using a Windows box and it was creating IPv6 (couldn't figure out how to turn it off)… Also a ton of Teredo... They sure have that protocol well named... it does burrow like a parasitic worm!
At this point, I don't THINK so... but I'm not sure... I've been doing my best to get it turned off.
I haven't got a switch YET that has port snooping, but I've got an SG-300 on order.
-
On Windows the simple way to disable ipv6 and all that nonsense isatap, teredo, 6to4 is just a simple reg entry
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
Now you get a clean ipconfig /all as well ;)
> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : i5-win
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local.lan

Ethernet adapter Local:

   Connection-specific DNS Suffix . : local.lan
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, January 15, 2017 8:15:14 AM
   Lease Expires . . . . . . . . . . : Friday, January 20, 2017 8:15:13 AM
   Default Gateway . . . . . . . . . : 192.168.9.253
   DHCP Server . . . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.3.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
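
One way to check for the "clean" result described above, as an added example that is not part of the original post: a Python check that parses saved `ipconfig /all` text and reports any tunnel adapters or IPv6 address lines still present. Both sample outputs are constructed, and `ipv6_findings` is a hypothetical helper name.

```python
# Added example: audit saved `ipconfig /all` text for leftover IPv6.
# Both samples are constructed; ipv6_findings is a hypothetical helper name.
SAMPLE_BEFORE = """\
Windows IP Configuration

Ethernet adapter Local:

   Description . . . . . . . . . . . : Example Gigabit Ethernet
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)

Tunnel adapter isatap.local.lan:

   Media State . . . . . . . . . . . : Media disconnected

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   IPv6 Address. . . . . . . . . . . : 2001:0:db8:1::1(Preferred)
"""

SAMPLE_AFTER = """\
Windows IP Configuration

   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local:

   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Lease Obtained. . . . . . . . . . : Sunday, January 15, 2017 8:15:14 AM
"""

def ipv6_findings(ipconfig_text):
    """Return (adapter, reason) pairs for tunnels or IPv6 addresses still present."""
    findings, adapter = [], None
    for line in ipconfig_text.splitlines():
        # Section headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]
            if adapter.lower().startswith("tunnel adapter"):
                findings.append((adapter, "tunnel adapter present"))
            continue
        key, sep, value = line.strip().partition(" : ")
        if sep and "ipv6" in key.lower():
            findings.append((adapter, key.rstrip(" .") + " = " + value))
    return findings

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, ipv6_findings(text) or "clean")
```
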
-
Thanks… That also helps a lot!