Netgate Discussion Forum

    IPv6 not allowed, but how to stop flooding firewall log?

    5 Posts 4 Posters 1.4k Views
    • Room 7609

      I've disabled IPv6 in pfSense (version 2.3.4-RELEASE-p1) by unchecking "Allow IPv6" in System->Advanced->Networking.

      However, now IPv6 packets coming from the ISP are flooding the firewall log (see attachment). The packets are ICMP multicasts and I'd prefer not to log those.

      I've tried adding my own rule to stop these packets from being logged, but they continue to match the default rule:

      @5(1000000003) block drop in log quick inet6 all label "Block all IPv6"
      

      It seems as if the "Block all IPv6" rule must have higher priority than my own. Is that the case? Because it seems like we ought to be able to turn off IPv6 globally and still have choices about which IPv6 packets get logged.
      ![IPv6 ICMP.png](/public/imported_attachments/1/IPv6 ICMP.png)

      • NogBadTheBad

        You could untick the default logging :-

        Status -> System Logs -> Settings

        Log packets matched from the default block rules in the ruleset

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • Room 7609

          @NogBadTheBad:

          You could untick the default logging :-

          Status -> System Logs -> Settings

          Log packets matched from the default block rules in the ruleset

          Yes that would stop the unwanted IPv6 packets from getting logged, but then I would lose the default IPv4 logging as well.

          • kpa

            Why do you want to watch hundreds of log entries of useless noise? You'd be much better off logging only what you really want to log; the default deny rules catch all kinds of junk like improperly torn down TCP connections that in almost all cases can be ignored.

            • mike98

              If you disable dhcp6 server and disable dhcp6 on WAN/LAN interfaces, it stops the flood. In pfSense 2.4.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.