Default IPv6 DENY Rule in system logs even tho default is PASS



  • I confirmed this by resetting by pfsense machine to factory defaults.  Advanced–>networking's setting for IPv6 is "allow".  The WAN side is set up to take an IP address with a prefix hint and a prefix size of 64.  The LAN is set to tracking and the interface to track is WAN.  I can view the https page on the LAN side of the pfsense machine and I can ssh between two LAN-side linux machines using the IPv6 IP addresses that they got from pfsense.

    But, when I try to do anything that requires crossing thru the PfSense firewall from LAN to WAN, it gets dropped.  System logs show:

    
    May 12 15:44:33	LAN	Default deny rule IPv6 (1000000105)	  [fe80::5f46:816a:a7f7:b377]:60400	  [2607:f8b0:4004:808::200e]:443
    

    But, this makes no sense.  The default rules for the LAN side (not touched by me) are:

    
    	States	Protocol	Source	Port	Destination	Port	Gateway	Queue	Schedule	Description	Actions
    2 /6.56 MiB
    *	*	*	LAN Address	443
    80
    22	*	*		Anti-Lockout Rule	
    		24 /4.76 MiB
    IPv4 *	LAN net	*	*	*	*	none	 	Default allow LAN to any rule	   
    		11 /87 KiB
    IPv6 *	LAN net	*	*	*	*	none	 	Default allow LAN IPv6 to any rule	  
    

    How can I fix this?  Thanks in advance!

    [2.4.3-RELEASE][root@aquaduct.barcroft]/root: cat /tmp/rules.debug
    set optimization normal
    set limit states 803000
    set limit src-nodes 803000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ em0 }"
    LAN = "{ em1 }"
    
    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #Snort tables
    table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
    table <negate_networks># User Aliases 
    
    # Gateways
    GWWAN_DHCP = " route-to ( em0 192.168.88.1 ) "
    GWWAN_DHCP6 = " route-to ( em0 fe80::1256:11ff:fe72:bd3a ) "
    
    set loginterface em1
    
    set skip on pfsync0
    
    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules (automatic)
    
    # Subnets to NAT 
    tonatsubnets	= "{ 127.0.0.0/8 192.168.1.0/24 }"
    nat on $WAN  from $tonatsubnets to any port 500 -> 192.168.88.104/32  static-port
    nat on $WAN  from $tonatsubnets to any -> 192.168.88.104/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
    # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
    # route-to can override that, causing problems such as in redmine #2073
    block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
    block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all tracker 1000000103 label "Default deny rule IPv4"
    block out log inet all tracker 1000000104 label "Default deny rule IPv4"
    block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
    block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state
    pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state
    # We use the mighty pf, we cannot be fooled.
    block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
    block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
    block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
    block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"
    
    # Snort package
    block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts"
    block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
    block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table"
    # allow our DHCPv6 client out to the WAN
    pass in  quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker 1000000561 label "allow dhcpv6 client in WAN"
    pass in  quick on $WAN proto udp from any port = 547 to any port = 546 tracker 1000000562 label "allow dhcpv6 client in WAN"
    # Add Priority to dhcp6c packets if enabled
    pass out  quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN" 
    antispoof log for $WAN tracker 1000001570
    # allow our DHCP client out to the WAN
    pass in  on $WAN proto udp from any port = 67 to any port = 68 tracker 1000001591 label "allow dhcp client out WAN"
    pass out  on $WAN proto udp from any port = 68 to any port = 67 tracker 1000001592 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof log for $LAN tracker 1000002620
    # allow access to DHCP server on LAN
    pass in  quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server"
    pass in  quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 tracker 1000002642 label "allow access to DHCP server"
    pass out  quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server"
    # allow access to DHCPv6 server on LAN
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass  quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000002651 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000002652 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000002653 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000002654 label "allow access to DHCPv6 server"
    pass in  quick on $LAN inet6 proto udp from fe80::/10 to 2600:8806:2400:6d3e:2eb:caff:fee0:5f2 port = 546 tracker 1000002655 label "allow access to DHCPv6 server"
    pass out  quick on $LAN inet6 proto udp from 2600:8806:2400:6d3e:2eb:caff:fee0:5f2 port = 547 to fe80::/10 tracker 1000002656 label "allow access to DHCPv6 server"
    
    # loopback
    pass in  on $loopback inet all tracker 1000002661 label "pass IPv4 loopback"
    pass out  on $loopback inet all tracker 1000002662 label "pass IPv4 loopback"
    pass in  on $loopback inet6 all tracker 1000002663 label "pass IPv6 loopback"
    pass out  on $loopback inet6 all tracker 1000002664 label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts tracker 1000002665 label "let out anything IPv4 from firewall host itself"
    pass out  inet6 all keep state allow-opts tracker 1000002666 label "let out anything IPv6 from firewall host itself"
    
    pass out  route-to ( em0 192.168.88.1 ) from 192.168.88.104 to !192.168.88.0/24 tracker 1000002761 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( em0 fe80::1256:11ff:fe72:bd3a ) inet6 from 2600:8806:2400:6d30:f944:110a:7774:15a2 to !2600:8806:2400:6d30:f944:110a:7774:15a2/64 tracker 1000002762 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in  quick on em1 proto tcp from any to (em1) port { 443 80 22 } tracker 10000 keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $LAN inet from 192.168.1.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $LAN inet6 from 2600:8806:2400:6d3e::/63 to any tracker 0100000102 keep state  label "USER_RULE: Default allow LAN IPv6 to any rule"
    
    # VPN Rules
    
    anchor "tftp-proxy/*"</virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout> 
    


  • You have to set in the IPv6 allow all rule "any" instead of "LAN net".


  • Netgate

    @mrsunfire:

    You have to set in the IPv6 allow all rule "any" instead of "LAN net".

    No.

    Your connections are coming to pfSense sourced from a link-local address [fe80::5f46:816a:a7f7:b377], not from a routable address.

    You still have a /63 on LAN. That will not work and you need a corrected and working IPv6 configuration first.

    Cox should give you a /56 prefix delegation automatically if you ask for it using the DHCP client.

    I would try running the following procedure:

    • power off your cable modem

    • Save the /56 prefix request WAN configuration as shown in the other thread. Be sure DHCP6 debug output is checked.

    • Put one of the inside interfaces on Track Interface

    • Go to System > Advanced, Networking and be sure the DUID is set to be saved. The default format is DUID-LLT. You can increment that time in seconds by one or figure out what the current number would be based on the current time. The point is to use a new DUID the next time it requests a PD.

    • Halt the system and power it off

    • Power on the cable modem and let it go green

    • Power on the firewall.

    • When it settles in, look at the logs in Status > System Logs, DHCP. Filter on command dhcp6c. That will tell you exactly what happened.



  • Thanks to both of you for your input.  I am trying to fix this as per the last post.