Flood DHCP V6 on esxi

demonium

Dear All,
I have a dedicated server with ESXI on it.
I have 2 network card one for internet and another one for a private network.
I have setting up pfsense with an access on both interface. My VM can have access on internet and can communicate between them.
The problem is, for some restriction on the dedicated server my network card for the private LAN is always down because of a lot of flood dhcpv6 that come from my firewall on the LAN interface.
The think is I have no DHCPV6 configured on my pfsense so the dhcpv6 server musn't start, but is start.

Does any possibility to disable the DHCPv6 server permanently?

Could you please help me on this, I'm working on pfsense 2.4.2 release p1.
Thanks for your help

demonium

For more details under services > DHCPV6 server & RA I have the message below:
"the dhcpv6 server can only be enabled on interfaces configured with static ip addresses"

johnpoz

Then clearly its not running ;)

Did you set your interface to dhcp for IPv6?

If your saying there are floods of dhcpv6 requests - that is not a dhvpv6 server.. Sniff the traffic and you will see the MAC that is sending the requests or whatever it is exactly. Then you can track down the device/machine/vm sending the flood.

You can do a packet capture on pfsense lan interface via diag, packet capture..

So here I sniffed on lan interface for ipv6 traffic… open it up in wireshark and look at the traffic that is flooding.. And what is the mac address of the sender? From that you can find what box is flooding.

ipv6trafficflood.png_thumb

demonium

Hi johnpoz,
regarding your question : Did you set your interface to dhcp for IPv6? No

I have restarted my esxi host and started only my pfsense server after a few minutes during the boot sequence I see "Starting " the my network card on the private network was down so I presume this is it…

On the other VM I have disabled the support of IPV6 to avoid issue on them.

I made a tcpdump on my esxi host see the log below:
[root@inv-db:~] tcpdump-uw -i vmk1 -vvv
tcpdump-uw: listening on vmk1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:05:25.910063 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.1, length 46 –> when this line appear the card is locked
14:05:26.751448 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:26.781924 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:27.781950 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:28.781924 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:30.781937 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:33.781948 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:38.781923 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
14:05:46.781911 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46

johnpoz

That is 10.8.0.1 asking for itself??

00:0c:29

Is for sure a VM.. That is a vmware mac..

If you install the nmap package it should show you the vendor of the mac address..

demonium

Hi,
I put my esxi in promiscous mode and I have more log now see below:
[root@inv-db:~] tcpdump-uw -i vmk1 -s 1514 -vvv
tcpdump-uw: listening on vmk1, link-type EN10MB (Ethernet), capture size 1514 bytes
16:45:14.877025 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.1, length 46
16:45:14.880502 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ffd6:3724 to_ex { }]
16:45:15.403002 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ffd6:3724: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fed6:3724
unknown option (14), length 8 (1):
0x0000: 15b6 6c6a 97b1
16:45:15.486722 IP6 (hlim 1, next-header Options (0) payload length: 56) :: > ff02::16: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::2:1861:20ce to_ex { }] [gaddr ff02::2:ff18:6120 to_ex { }]
16:45:15.721518 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:15.781635 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:16.086754 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ffd6:3724 to_ex { }]
16:45:16.480517 IP6 (hlim 1, next-header Options (0) payload length: 56) fe80::20c:29ff:fed6:3724 > ff02::16: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::2:1861:20ce to_ex { }] [gaddr ff02::2:ff18:6120 to_ex { }]
16:45:16.781667 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:17.781651 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:19.781636 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:22.781668 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:27.781637 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:35.781647 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46
16:45:48.781648 ARP, Ethernet (len 6), IPv4 (len 4), Reverse Request who-is 00:0c:29:d6:37:24 (oui Unknown) tell 00:0c:29:d6:37:24 (oui Unknown), length 46

Could you please help me on how to remove the kind of request?

Thanks and regards.

johnpoz

What are you looking to get rid of the Reverse Arps?

Reverse Request who-is 00:0c:29:d6:37:24

Which of your VMs has that mac?

The other traffic is going to happen on any IPv6 network.. With any IPv6 at all you will have NDP https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

Your few packets is not a flood ;)

You can for sure disable IPv6 on your VMs if that is what your looking to do - what OSes are you running.. Google for disable IPv6… Windows is a simple regedit, linux can be a bit more tricky but sure it can be done pretty easy as well. Its the IoT sort of devices that if they support ipv6 is hard to turn off.

But having some ipv6 noise on your network is not going to shut anything down be a flood other than maybe log spam in say pfsense - is that what your looking to stop?

JKnott

Does any possibility to disable the DHCPv6 server permanently?

It's quite common to run without DHCPv6. The alternative is SLAAC, which I use here. With SLAAC, the IPv6 address is determined by the prefix advertised by the router and either the MAC address or a random number. Typically, both are used, with the random number address being used for outgoing traffic and the MAC one used for incoming. On Windows, a static random number is often used in place of the MAC address.

https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_.28SLAAC.29

demonium

johnpoz,

Which of your VMs has that mac? Is the mac address of my pfsense server for the LAN interface

You can for sure disable IPv6 on your VMs if that is what your looking to do - what OSes are you running.. Google for disable IPv6… Windows is a simple regedit, linux can be a bit more tricky but sure it can be done pretty easy as well. Its the IoT sort of devices that if they support ipv6 is hard to turn off. --> has is my pfsense server I don't know how to do it...

is that what your looking to stop? The think is from my understanding and your response, this request is just to discover the IPV6 network, but on my the dedicated vendor for my server they are no IPV6 on the private network this is why they block my card when they detect any IPV6 request.

I just want to disable IPV6 on my pfsense server...
How to proceed?
Thanks for your help

johnpoz

Do not give any interface an IPv6 address.. It will not send out NDP then..

This your LAN interface then the IPv6 on lan should be set to NONE. I have some interfaces on pfsense that does not have IPv6 on them… Let me verify that they do not send any NDP.. If they do let me look to see how you stop that (if you can - which I would assume you could worse case disable everything not just specific interface).

Give me a bit.

Edit: Ok I just ran packet capture on my wlan interface that has NONE set for ipv6... I see no NDP or any sort of IPV6 traffic on this network..

I could let it run for longer.. I don't think pfsense will even let you turn on RA on an interface that doesn't have IPv6 set.. It doesn't even list the interface under dhcpv6/RA if the interface does not have an IPv6 set..

edit2: your sniffs do not show the MAC of the IPv6 traffic your showing.. Those arps and reverse arps are IPV4 Your going to have to open sniff in wireshark if you want to see.. Or if capturing in pfsense packet capture set it up to normal… See attached sniff of RA my pfsense sent out on its lan interface - which has IPv6 enabled.

ipv6off.png_thumb

mac.png_thumb

demonium

I didn't give any IPV6 address on my interface.
Another point I made a change on the file /etc/default/rc.conf and set the option ipv6_network_interface="none"
I have rebooted my pfsense server and they are still the ICMPV6 request on tcpdump.
I have also check on another server with pfsense and I didn't see any IPV6 request.
I have also download the configuration of the second server to my new pfsense server and I have the same result….

johnpoz

And see my edit… Your sniff doesn't show the mac of the ipv6 traffic... Your going to have to open in wireshark, or download and post so I can or set your sniff to atleast medium in pfsense to be able to see the mac of that ipv6 traffic

demonium

Thanks but i have only my fsense server that is running but i have the pcap file that I can provide but now i'm on my phone i will send you later
Thanks for your help

johnpoz

Here did a tcpdump on pfsense so can see mac on the ip6 traffic…

See source link, and dest link address there 00:08:a2 is my pfsense interface on lan... And that 18:03:73 is my PC..

tcpdumpip6.png_thumb

demonium

So if i understand you have ipv6 request with icmp to discover the network ? So it's normal ?

johnpoz

But he is saying that ANY ipv6 traffic and wherever this server is located gets blocked, like it shuts down the switch port for all traffic or something..

Never ever ever heard of such a thing.. Seems nuts to me.. But from sniff I did if pfsense has no IPv6 set on its interface its not going to be sending out any sort of NDP or other noise on ipv6..

His sniffs didn't show the MAC of the ipv6 traffic so not sure where its coming from.

You ever here of DC or colo or anywhere shutting you down if you send out an IPv6 packet?

JKnott

@demonium:

So if i understand you have ipv6 request with icmp to discover the network ? So it's normal ?

Normally, with IPv6, you'd use DHCPv6-PD to get your WAN IP and LAN prefix. On the LAN side, the router will announce the prefix, with router advertisements and then the device adds the least significant 64 bits. DHCPv6 (without PD) can also be used to assign the device address. Router advertisements are carried via ICMP6.

demonium

Hi,
You can find below my pcap file

ipv6.pcap

JKnott

Most of that capture is RARP with 00:0c:29:c0:91:db asking who is 00:0c:29:c0:91:db.

I have no idea why it's doing that, as RARP is obsolete.

https://en.wikipedia.org/wiki/Reverse_Address_Resolution_Protocol

johnpoz

The reverse arps are not IPv6 The IPv6 traffic is coming from

Source: Vmware_d6:37:24 (00:0c:29:d6:37:24)

You got something messed up with pfsense… I do not see any ipv6 coming off my pfsense once you set ipv6 to none..

I sure and the hell do not recall ever seeing a rarp from pfsense..

You sure that is your pfsense.. lets see iconfig from the pfsense VM..