Netgate Discussion Forum

    Does pfBlockerNG work in pure ipv6 environment?

    • IsaacFL

      I am currently using the pfBlockerNG Dev vers. 2.2.5_19.

      I can not tell if it is working on my ipv6 subnets. The Geoipv6 portion works, but I never see any of the DNSBL entries coming from the ipv6 subnets in the logs. Also, the autorule created only has ipv4 (see below).

      0_1542472388095_Annotation 2018-11-17 082502.jpg

      I am in the process of eliminating my last ipv4 subnet moving to NAT64 and am not sure that I will be able to use pfBlockerNG.

      • NogBadTheBad

        All the DNSBL FQDNs point to a virtual IPv4 address; you'll never see any IPv6 traffic as the clients can only talk using IPv4.

        mac-pro:~ andy$ ifconfig en0
        en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
        ether 00:3e:e1:c1:af:07
        inet6 fe80::14ea:7c2e:685e:f6e2%en0 prefixlen 64 secured scopeid 0x6
        inet 172.16.2.20 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 2a02:xxxx:xxxx:2::14 prefixlen 128 dynamic
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
        status: active
        mac-pro:~ andyk$

        mac-pro:~ andy$ host adservice.google.com
        adservice.google.com has address 172.16.255.1
        mac-pro:~ andy$ host e.crashlytics.com
        e.crashlytics.com has address 172.16.255.1
        mac-pro:~ andy$ host google.com
        google.com has address 216.58.206.110
        google.com has IPv6 address 2a00:1450:4009:810::200e
        google.com mail is handled by 50 alt4.aspmx.l.google.com.
        google.com mail is handled by 30 alt2.aspmx.l.google.com.
        google.com mail is handled by 40 alt3.aspmx.l.google.com.
        google.com mail is handled by 20 alt1.aspmx.l.google.com.
        google.com mail is handled by 10 aspmx.l.google.com.
        mac-pro:~ andy$

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • IsaacFL

          So it is effectively blocking ipv6 based ads by way of converting them into ipv4 addresses then.

          But it will never show up in the logs then so no way to watch for false positives or whitelist.

          • NogBadTheBad @IsaacFL

            @isaacfl

            The lookup against the FQDN will only ever return an IPv4 IP address; if the clients are dual stack, they will try and connect to the IPv4 address.

            Try doing a lookup against some of the FQDNs that it's blocking.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • IsaacFL @NogBadTheBad

              @nogbadthebad

              When I nslookup adservice.google.com I get:

              Name: adservice.google.com
              Address: 10.10.10.1

              So there is no AAAA record.

              ping adservice.google.com gives me:
              Ping request could not find host adservice.google.com. Please check the name and try again

              Nothing ever shows in the pfBlockerNG logs though.

              So probably not going to work very well in an ipv6 only environment.
              My prior adblocker would always respond with both an A and an AAAA record for blocked sites.

              • NogBadTheBad @IsaacFL

                @BBcan177 Maybe enable the ability for the web server to also run on IPv6 and add AAAA records.

                @isaacfl said in Does pfBlockerNG work in pure ipv6 environment?:

                @nogbadthebad

                When I nslookup adservice.google.com I get:

                Name: adservice.google.com
                Address: 10.10.10.1

                So there is no AAAA record.

                ping adservice.google.com gives me:
                Ping request could not find host adservice.google.com. Please check the name and try again

                Nothing ever shows in the pfBlockerNG logs though.

                So probably not going to work very well in an ipv6 only environment.
                My prior adblocker would always respond with both an A and an AAAA record for blocked sites.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
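
An added example, not code from the thread's posters or from pfBlockerNG: it parses `host` output in the format posted above and labels each name by whether the DNSBL virtual IP covers its A and AAAA answers, which is the check the thread does by hand. The sinkhole address 172.16.255.1 and the first four sample lines come from the thread; `ads.example.test` and its addresses are constructed, and the function names are this example's own.

```python
import ipaddress
import re

# `host` output taken from the thread, plus one constructed entry
# (ads.example.test): a sinkholed A record beside a real AAAA record.
SAMPLE = """\
adservice.google.com has address 172.16.255.1
google.com has address 216.58.206.110
google.com has IPv6 address 2a00:1450:4009:810::200e
google.com mail is handled by 10 aspmx.l.google.com.
ads.example.test has address 172.16.255.1
ads.example.test has IPv6 address 2001:db8::53
"""

RECORD = re.compile(r"^(\S+) has (?:IPv6 )?address ([0-9A-Fa-f:.]+)$")

def parse_host_output(text):
    """Map each name to its A and AAAA answers; other lines are skipped."""
    answers = {}
    for line in text.splitlines():
        match = RECORD.match(line.strip())
        if not match:
            continue  # MX records, shell prompts, blank lines
        name, addr = match.groups()
        ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        rtype = "AAAA" if ip.version == 6 else "A"
        entry = answers.setdefault(name.lower().rstrip("."), {"A": [], "AAAA": []})
        entry[rtype].append(ip)
    return answers

def classify(answers, sinkholes):
    """Label each name by how the sinkhole covers its A/AAAA answers."""
    sink = {ipaddress.ip_address(s) for s in sinkholes}
    report = {}
    for name, rr in answers.items():
        a_hit = any(ip in sink for ip in rr["A"])
        aaaa_hit = any(ip in sink for ip in rr["AAAA"])
        if not (a_hit or aaaa_hit):
            label = "not sinkholed"
        elif a_hit and aaaa_hit:
            label = "sinkholed on A and AAAA"
        elif a_hit:
            label = "A sinkholed, real AAAA answered" if rr["AAAA"] else "A sinkholed, no AAAA"
        else:
            label = "AAAA sinkholed only"
        report[name] = label
    return report

if __name__ == "__main__":
    print(classify(parse_host_output(SAMPLE), ["172.16.255.1"]))
```

Names labelled "A sinkholed, no AAAA" match what the thread describes: an IPv6-only client gets no usable address for them. "A sinkholed, real AAAA answered" marks a name that is blocked over IPv4 but still resolves over IPv6.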

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.