IPv6 no firewall log entries



  • Hi, I've been using my "HE tunnel IPv6" enabled network for some days and everything seems to be working fine, but I'm a bit worried because I have not seen any blocked traffic on the HE interface.

    My two WANs and my LAN are appearing as usual in the firewall logs with blocked entries, but no tunnel interface appears with blocked traffic.

    Perhaps this is fine, but I'm not sure if this is normal.

    Thanks,
    Pablo


  • Rebel Alliance Global Moderator

    What are your rules on your tunnel?  What sort of traffic do you think you should see?  Are you logging the default block rule?  There is not nearly as much noise on IPv6.. The IP space is so freaking HUGE!!!  But if you want to check, use one of the canyouseeme sort of sites for IPv6 and send something to your IPv6 addresses..

    So for example I just did a port check for a port I have closed on one of my IPv6 hosts, one that I have in the IPv6 NTP pool and that gets traffic all the time.. You can see it's logged in the pfSense firewall.

    But again, IPv6 is HUGE!!! You're probably not going to see anywhere close to the noise you see on IPv4.. for example those port 22 and 23 hits you see in my screenshot to my normal IPv4 WAN.

    Here are 2 IPv6 online scanners you can use
    http://www.ipv6scanner.com/cgi-bin/main.py
    http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

    Normally I would not log that UDP noise, but I had recently turned the default logging rule back on to check something and had not turned it back off.  That is why you see the blocks in the log from clean (my rule), which only logs TCP SYN, and then that UDP block to my WAN.. Normally I do not log that noise and only log TCP SYN traffic.

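As an added example (not code from this thread, and not pfSense's own tooling), the script below tallies blocked inbound packets per interface and IP version from filterlog lines, and can apply the same "TCP SYN only" filter the moderator describes, so a quiet interface shows up as a zero count rather than as an absence in the log viewer. The log lines are constructed, the interface names (em0, em1, em2 for the two WANs and LAN, gif0 for the HE tunnel) are assumptions, and the CSV field order follows the pfSense filterlog layout as documented for the 2.x releases; treat that layout as an assumption and check it against a line from your own log before relying on the parser.

```python
"""Count blocked inbound packets per interface from pfSense filterlog lines.

Added example; field order is assumed from the pfSense filterlog docs:
  rule,subrule,anchor,tracker,iface,reason,action,dir,ipver, then
  IPv4: tos,ecn,ttl,id,offset,flags,proto_id,proto,len,src,dst,[l4...]
  IPv6: class,flow,hoplimit,proto,proto_id,len,src,dst,[l4...]
  TCP/UDP l4: sport,dport,datalen[,tcpflags,...]
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic). em0/em1 = WANs, em2 = LAN,
# gif0 = HE tunnel. The gif0 entry is the kind of hit an online IPv6 port
# scanner produces against a closed port.
SAMPLE_LOG = """\
Mar  1 10:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,54321,22,0,S,1,,65535,,mss
Mar  1 10:00:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,54322,23,0,S,1,,65535,,mss
Mar  1 10:00:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,198.51.100.9,203.0.113.10,5351,5351,58
Mar  1 10:00:04 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.11,54323,22,0,S,1,,65535,,mss
Mar  1 10:00:05 pfSense filterlog: 5,,,1000000103,em2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,40000,445,0,S,1,,65535,,mss
Mar  1 10:00:06 pfSense filterlog: 5,,,1000000104,gif0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8:f00:1::2,2001:db8:1:2::10,44444,22,0,S,1,,65535,,mss
Mar  1 10:00:07 pfSense filterlog: 5,,,1000000103,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,50000,443,0,S,1,,65535,,mss
"""

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")


def parse_filterlog_line(line):
    """Return a dict for one filterlog line, or None if it is not one."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
           "action": f[6], "dir": f[7], "ipver": int(f[8])}
    rest = f[9:]
    if rec["ipver"] == 4 and len(rest) >= 11:
        rec["proto"], rec["src"], rec["dst"] = rest[7], rest[9], rest[10]
        l4 = rest[11:]
    elif rec["ipver"] == 6 and len(rest) >= 8:
        rec["proto"], rec["src"], rec["dst"] = rest[3], rest[6], rest[7]
        l4 = rest[8:]
    else:
        return None
    rec["tcp_flags"] = ""
    if rec["proto"] in ("tcp", "udp") and len(l4) >= 2:
        rec["sport"], rec["dport"] = int(l4[0]), int(l4[1])
        if rec["proto"] == "tcp" and len(l4) >= 4:
            rec["tcp_flags"] = l4[3]  # "S" = bare SYN, a new connection attempt
    return rec


def blocked_inbound(log_text, syn_only=False):
    """Yield parsed records for inbound blocks; optionally only bare TCP SYNs.

    syn_only=True mirrors a rule that logs new TCP connection attempts and
    skips UDP and other noise.
    """
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "in":
            continue
        if syn_only and not (rec["proto"] == "tcp" and rec["tcp_flags"] == "S"):
            continue
        yield rec


def summarize_blocks(log_text, syn_only=False):
    """Map (interface, ip_version) -> number of blocked inbound packets."""
    counts = defaultdict(int)
    for rec in blocked_inbound(log_text, syn_only):
        counts[(rec["iface"], rec["ipver"])] += 1
    return dict(counts)


def silent_interfaces(log_text, interfaces):
    """Interfaces you expected to see that logged no inbound block at all."""
    seen = {iface for (iface, _) in summarize_blocks(log_text)}
    return sorted(set(interfaces) - seen)


def top_dst_ports(log_text, n=3):
    """Most-hit destination ports among blocked inbound TCP/UDP packets."""
    c = Counter(rec["dport"] for rec in blocked_inbound(log_text) if "dport" in rec)
    return c.most_common(n)


if __name__ == "__main__":
    for (iface, ver), n in sorted(summarize_blocks(SAMPLE_LOG).items()):
        print(f"{iface:5} IPv{ver}: {n} blocked inbound")
    print("SYN-only:", summarize_blocks(SAMPLE_LOG, syn_only=True))
    print("silent:", silent_interfaces(SAMPLE_LOG, ["em0", "em1", "em2", "gif0"]))
    print("top ports:", top_dst_ports(SAMPLE_LOG))
```

Run it against `clog /var/log/filter.log` output on a pfSense box (the filterlog CSV is the same whether it comes from the local log or a remote syslog collector) and pass your real interface names to `silent_interfaces`; an HE tunnel that never shows up is exactly the case the thread is about, and feeding it a single hit from one of the online scanners is the quickest way to confirm the logging rule, not the rule set, is what is quiet.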





  • Thanks, you were right. I've done a port scan, everything is filtered and the firewall logs showed me all the attempts.

    I guess it was a combination of the HUGE address space and less noise on IPv6.

    I do not have rules for my tunnel, just the default. Which is everything filtered if I'm not wrong.

    Thanks!!!

    ![Sin título.png](/public/imported_attachments/1/Sin título.png)


  • Rebel Alliance Global Moderator

    Yeah, with those default rules all unsolicited inbound would be blocked..

    With such a huge space it's almost impossible to just scan the space, unlike IPv4 where you can scan for open SSH servers.. In one /64 you're talking 18,446,744,073,709,551,616 IPs you would need to scan ;)

    All of IPv4 space, all of it, is only 4,294,967,296 possible addresses in comparison ;)