Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange entries in the LAN f/w blocked log

    Scheduled Pinned Locked Moved IPv6
    27 Posts 4 Posters 3.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • lohphatL
      lohphat
      last edited by

      I started seeing entries like these in the LAN f/w logs as blocked despite having the default allow IPv6 any any any rule:

      [fe80::e102:xxxx:yyyy:zzzz]:56943 [ff02::c]:3702
      and
      [fe80::5548:xxxx:yyyy:zzzz]:54184 [ff02::1:3]:5355
      and
      [fe80::6a54:xxxx:yyyy:zzzz]:5353 [ff02::fb]:5353

      Only one of these local link addresses are in the NDP table the other's are not from the local LAN. But if they're not, where are they coming from? The 6to4 pass-through tunnel? If that's the case, why aren't these being blocked on the WAN interface?

      When I traceroute the addresses they are 1 hop away.

      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

      1 Reply Last reply Reply Quote 0
      • lohphatL
        lohphat
        last edited by lohphat

        Whelp, I found this thread from a while back:

        https://forum.netgate.com/topic/36262/ipv6-multicast-being-blocked-on-lan

        But it's still not explained why the default permit IPv6 LAN any any any traffic is not allowing it. Doesn't allow "any" mean "any"?

        SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

        1 Reply Last reply Reply Quote 0
        • NogBadTheBadN
          NogBadTheBad
          last edited by NogBadTheBad

          They are Link-local unicast addresses fe80::/10, if you have multiple LANS add the following rules to each interface if you want to pass multicast traffic:-

          0_1530093068416_Untitled.jpeg

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          lohphatL IsaacFLI 2 Replies Last reply Reply Quote 0
          • lohphatL
            lohphat @NogBadTheBad
            last edited by

            @nogbadthebad That's the thing, I only have one LAN i/f.

            SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

            NogBadTheBadN 1 Reply Last reply Reply Quote 0
            • NogBadTheBadN
              NogBadTheBad @lohphat
              last edited by NogBadTheBad

              @lohphat said in Strange entries in the LAN f/w blocked log:

              @nogbadthebad That's the thing, I only have one LAN i/f.

              Then just add the above rule and set it to block and not log if you don't want to see the entries in your firewall log :)

              If your running AVAHI on the router you'll still need the rule regardless.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              lohphatL 1 Reply Last reply Reply Quote 0
              • lohphatL
                lohphat @NogBadTheBad
                last edited by

                @nogbadthebad So, for my IPv6-fu why weren't the fe80::/10 addresses local to the LAN segment not permitted by the IPv6 allow any any any rule in the first place?

                SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                NogBadTheBadN 1 Reply Last reply Reply Quote 0
                • NogBadTheBadN
                  NogBadTheBad @lohphat
                  last edited by NogBadTheBad

                  @lohphat said in Strange entries in the LAN f/w blocked log:

                  @nogbadthebad So, for my IPv6-fu why weren't the fe80::/10 addresses local to the LAN segment not permitted by the IPv6 allow any any any rule in the first place?

                  Because it's IPv6 local link rather than the IPv6 subnet you've defined on the LAN interface.

                  From my Mac:-

                  mac-pro:~ andy$ ifconfig en0
                  en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                  options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
                  ether 00:3e:e1:c1:af:07
                  inet 172.16.2.20 netmask 0xffffff00 broadcast 172.16.2.255
                  inet6 fe80::1cf1:d55:da78:975%en0 prefixlen 64 secured scopeid 0x6
                  inet6 2a02:xxxx:yyyy:2::14 prefixlen 64 dynamic
                  nd6 options=201<PERFORMNUD,DAD>
                  media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
                  status: active
                  mac-pro:~ andy$

                  2a02:xxxx:yyyy:2::14 is via DHCP

                  fe80::1cf1:d55:da78:975%en0 is set by the host

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  lohphatL 1 Reply Last reply Reply Quote 0
                  • lohphatL
                    lohphat @NogBadTheBad
                    last edited by

                    @nogbadthebad So that raises an additional question: How does pfSense determine from a security perspective which link local addresses belong to which interface? Shouldn't it keep track as to which fe80:: addresses correspond to their associated i/f so that the rulebase can act accordingly? Or is the best practice to just block all fe80:: addresses and force the host to use their assigned real addressing? From my limited IPv6-fu I thought that the fe80:: addresses perform critical operations to keep multicast groups (e.g. NDP) working, so they need to be permitted.

                    SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                    1 Reply Last reply Reply Quote 0
                    • NogBadTheBadN
                      NogBadTheBad
                      last edited by NogBadTheBad

                      Link local are only needed on the local lan segment till you want multicast from one lan segment to another.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      lohphatL 1 Reply Last reply Reply Quote 0
                      • lohphatL
                        lohphat @NogBadTheBad
                        last edited by

                        @nogbadthebad So I modified the rule so that the FE80::%mvneta2/10 now includes the scope ID of the LAN.

                        So why aren't FE80:: addresses included in the LAN Segment and WAN Segment definitions by their scope ID so that they are covered by the rulebase for the segment since those packets originate there?

                        SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                        lohphatL 1 Reply Last reply Reply Quote 0
                        • lohphatL
                          lohphat @lohphat
                          last edited by

                          @lohphat And THAT was a FAIL as the UI accepted adding the scope but the rule processor choked on it.

                          SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                          NogBadTheBadN 1 Reply Last reply Reply Quote 0
                          • NogBadTheBadN
                            NogBadTheBad @lohphat
                            last edited by

                            @lohphat said in Strange entries in the LAN f/w blocked log:

                            @lohphat And THAT was a FAIL as the UI accepted adding the scope but the rule processor choked on it.

                            So what exactly did you put in ?

                            Andy

                            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                            lohphatL 1 Reply Last reply Reply Quote 0
                            • lohphatL
                              lohphat @NogBadTheBad
                              last edited by

                              @nogbadthebad allow IPv6(any) from-network fe80::%mvneta2 /10 to-network ff02:: /16

                              SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                              NogBadTheBadN 1 Reply Last reply Reply Quote 0
                              • NogBadTheBadN
                                NogBadTheBad @lohphat
                                last edited by

                                @lohphat said in Strange entries in the LAN f/w blocked log:

                                @nogbadthebad allow IPv6(any) from-network fe80::%mvneta2 /10 to-network ff02:: /16

                                Look at my screenshot, it's fe80:: /10 -> ff02:: /16 and they're Networks !

                                Andy

                                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                lohphatL 1 Reply Last reply Reply Quote 0
                                • lohphatL
                                  lohphat @NogBadTheBad
                                  last edited by

                                  @nogbadthebad I saw that but the concern I have is that there are fe80 addresses on the WAN too. If I just want to permit fe80 traffic originating from the LAN i/f how do is that restricted? It seems your example permits any fe80 traffic no matter the origin.

                                  SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                                  NogBadTheBadN 1 Reply Last reply Reply Quote 0
                                  • NogBadTheBadN
                                    NogBadTheBad @lohphat
                                    last edited by NogBadTheBad

                                    @lohphat

                                    It won’t forward anything to the WAN.

                                    You don’t enable AVAHI on the WAN interface do you?

                                    Andy

                                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                    lohphatL 1 Reply Last reply Reply Quote 0
                                    • lohphatL
                                      lohphat @NogBadTheBad
                                      last edited by

                                      @nogbadthebad No. But I'm seeing link local addresses not in the NDP table. I'm concerned where they're coming from.

                                      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        Then sniff and get the mac so you can track it down. link local is layer 2 only.. So if your seeing it on your lan - then it has to be from a device on the layer 2 your lan is connected to.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • NogBadTheBadN
                                          NogBadTheBad
                                          last edited by

                                          You’ll see them on every segment with IPv6 enabled.

                                          Andy

                                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                          lohphatL 1 Reply Last reply Reply Quote 0
                                          • lohphatL
                                            lohphat @NogBadTheBad
                                            last edited by

                                            @nogbadthebad That's my point. They're on every segment so how can I restrict source fe80 address which only exist on the LAN segment? I only have WAN adn LAN and I'm concerned about how to separate them instead of fe80 addresses being flat and not associated with an i/f in the ruleset.

                                            SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.