Netgate Discussion Forum

    IPv6: doing something wrong OR bug?

    • jpgpi250

      I've got a device with 4 ethernet adapters + wifi.
      I only enabled IPv6 on WAN and 2 adapters, using track interface. This works perfectly for me; I don't want / need IPv6 on the other subnets.
      I've installed pfblockerNG (version 2.1.4_9)

      Under firewall / pfblockerNG / ipv6, I've added a list, which is downloaded daily from my webserver, containing a list with IPv6 addresses I want to block.

      So far so good: the list with IP addresses is downloaded, and the content of the alias (firewall / aliases / URLs) matches the list on the webserver.

      problem 1: pfblockerNG now creates firewall rules on ALL of the interfaces; I would expect the rules to be created only on the interfaces that have an IPv6 address.
      problem 2: pfblockerNG creates rules that match "Address Family" IPv4.
      On the WAN adapter, the source is "single host or alias", the list with IPv6 addresses, the destination is any
      On the other adapters, the source is any, the destination is "single host or alias", the list with IPv6 addresses
      Since the rules are all targeting "Address Family" IPv4, the rule never applies to anything.

      Doing something wrong here, or is this a bug?

      • BBcan177 (Moderator)

        Uninstall pfBlockerNG and install pfBlockerNG-devel. This has been fixed there.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • jpgpi250

          Almost a year later, running the latest version of pfblockerNG (system / packagemanager). The problem still exists in the production version of pfblockerNG.

          Any chance of getting this fixed, without having to install a developer package?

          A new IPv4 and IPv6 list has been published on GitHub, in an attempt to fight the DOH malware, that recently (zero day) surfaced

          edit
          if a specific interface hasn't been selected on inbound firewall rules and outbound firewall rules, no rules are created, which is correct
          if a specific interface has only an IPv4 address and no IPv6 address, rules for both IPv4 and IPv6 are created
          all rules, regardless of whether they are created on the IPv4 or IPv6 category (tab), are created with protocol IPv4, see screenshot

          2019_07_04_12_27_12_Microsoft_Edge.png
          /edit

          • JeGr (LAYER 8 Moderator)

            @jpgpi250 said in IPv6: doing something wrong OR bug?:

            Any chance of getting this fixed, without having to install a developer package?

            pfBlocker-devel isn't so much a developer package as more or less the "next" version of pfBlockerNG.
            But if you want to fix / work around that problem in the current stable, don't use "create rules" in the IP list sections but instead let pfBlocker only create Aliases (like pfB_IPv4web) and create the rules yourself. That way you can also rearrange them as needed, and pfBlocker won't interfere with the sorting or rule configuration itself but will update and refresh those aliases and IP lists as needed.

            Greets

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

            • maverickws

              So when will pfBlocker-devel move to "not-devel" ?
              Are people supposed to guess they must install a -devel package instead of simply releasing into production? Am I missing something? Sorry but I'm not following

              • jpgpi250 @JeGr

                @JeGr
                Thank you for this (don't use "create rules"), this is a good workaround for the problem, although a little bit more work.

                I'm only using the IP blocking feature of pfblockerNG, using some internet lists (talos, Firehole and DOH). Would I benefit from using the "devel" package instead of the original one, or would this be overkill?

                Thank you for your time and effort.

                • JeGr (LAYER 8 Moderator)

                  @jpgpi250 said in IPv6: doing something wrong OR bug?:

                  Would I benefit from using the "devel" package instead of the original one, or would this be overkill?

                  It's a good bit more current and has many lists already predefined so you can just get there, click add and have a pretty decent starting point. Also other features and bugs have been addressed, so I'd guess "yes" you'd benefit already.

                  @maverickws said in IPv6: doing something wrong OR bug?:

                  Are people supposed to guess they must install a -devel package instead of simply releasing into production? Am I missing something? Sorry but I'm not following

                  That is an answer only @BBcan177 can give you when and how he'll fade out the current stable in favor of the devel version.

                  • jpgpi250 @JeGr

                    @JeGr I shouted 'victory' too soon, or I'm missing something.

                    I assumed I would simply select no interfaces in 'General Settings' / 'Interface/Rules configuration', but it appears you have to select at least one interface. What am I missing?

                    Thanks a lot for your help.

                    edit
                    never mind / found it: List action: Alias Native, Looks like the rule isn't created with this option, only the alias
                    /edit
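
Added example, not part of the thread and not pfBlockerNG code: a check for the mismatch reported above, where a rule's address family (`inet`, `inet6`, or pfSense's combined `inet46`) cannot match any entry of the alias it references, so the block rule never fires. The rule dictionaries, the alias name `pfB_IPv6web` and all addresses are constructed sample data; getting your real rules and alias tables into this shape is assumed.

```python
import ipaddress

# Address-family label -> IP versions a rule with that label can match.
FAMILY_VERSIONS = {"inet": {4}, "inet6": {6}, "inet46": {4, 6}}


def alias_versions(entries):
    """Return the set of IP versions (4 and/or 6) present in an alias's entries."""
    versions = set()
    for line in entries:
        entry = line.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not entry:
            continue
        try:
            versions.add(ipaddress.ip_network(entry, strict=False).version)
        except ValueError:
            pass  # hostname or malformed entry: not relevant to this check
    return versions


def dead_rules(rules, aliases):
    """List rules whose address family can never match the alias they reference."""
    findings = []
    for rule in rules:
        wanted = FAMILY_VERSIONS[rule["family"]]
        for side in ("source", "destination"):
            name = rule[side]
            if name not in aliases:
                continue  # "any" or a literal address, nothing to compare
            present = alias_versions(aliases[name])
            if present and not (present & wanted):
                findings.append((rule["interface"], rule["family"], side, name))
    return findings


# Constructed sample data (documentation address ranges only).
ALIASES = {
    "pfB_IPv6web": ["2001:db8:bad::/48", "2001:db8:1::53  # single host", ""],
    "pfB_IPv4web": ["192.0.2.0/24", "198.51.100.7"],
}
RULES = [
    {"interface": "WAN", "family": "inet", "source": "pfB_IPv6web", "destination": "any"},
    {"interface": "LAN", "family": "inet", "source": "any", "destination": "pfB_IPv6web"},
    {"interface": "WAN", "family": "inet6", "source": "pfB_IPv6web", "destination": "any"},
    {"interface": "WAN", "family": "inet", "source": "pfB_IPv4web", "destination": "any"},
]

if __name__ == "__main__":
    for finding in dead_rules(RULES, ALIASES):
        print("never matches:", finding)
```

The first two sample rules mirror the WAN (alias as source) and internal-interface (alias as destination) rules described in the first post; hand-written rules over an "Alias Native" alias pass the check once their address family is set to IPv6.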
