Netgate Discussion Forum

    ipv6 disable on Pfsense

    • B
      bimmerdriver @Derelict
      last edited by

      @Derelict said in ipv6 disable on Pfsense:

      Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.

      Using a workstation that thinks it has IPv6 but doesn't is not a good experience.

      Maybe this is a sweeping generality, but I would hope that anyone who can set up pfsense (or something similar) and set up a tunnel should be able to determine if IPv6 is working properly or not.

      Also, I agree that using a computer that thinks it has IPv6, but it doesn't isn't a good experience. I've experienced exactly that, but the other way around. A company I worked for did not "support" IPv6. As far as I know, IPv6 was "disabled" by the IT department using a third party security solution installed on the computer. As long as the computer was on a network that didn't support IPV6, it worked fine. As soon as it was connected to a network that had working IPv6, it got an IPv6 address, and the Office 365 applications (Outlook, Skype, etc.) used it, because that's what they're supposed to do. Of course, since IPv6 on the computer was broken, these applications didn't work properly. Every time they tried to go to the network, the request over IPv6 had to time out, so they basically ground to a halt. The only way this could be "fixed" was by disabling IPv6 in the network adapter. None of this would have happened if IPv6 was just allowed to work out of the box, the way it's supposed to.

      1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott @bimmerdriver
        last edited by

        @bimmerdriver said in ipv6 disable on Pfsense:

        started using IPv6 long before my ISP offered it by using a tunnel from HE.

        I also used a 6in4 tunnel, but not from HE.

        Or give the techs "real" computers to use.

        He had one of those rugged Panasonic computers, but it was running Windows. I find Linux is much better for working on networking issues.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        1 Reply Last reply Reply Quote 0
        • L
          lucas1 @JKnott
          last edited by

          In the interface properties, IPv6 is set to "None" in pfSense.

          I repeat,
          I am interested in turning it off:
          1. How to disable IPv6 on pfSense, so that ifconfig does not output an inet6 line?
          2. And how to stop the DNS Resolver in Diagnostics\Tables\Table to Display from resolving IPv6 addresses?
          For example:
          178.18.231.121
          178.18.231.122
          2a02:26f0:d8:394::356e
          2a02:26f0:d8:3a2::356e

          How is this most likely done in FreeBSD 11?
          Through rc.conf, loader.conf, sysctl or other means, I did not find how to do it.

          JeGrJ 1 Reply Last reply Reply Quote 0
          • JeGrJ
            JeGr LAYER 8 Moderator @lucas1
            last edited by

            @lucas1 said in ipv6 disable on Pfsense:

            1. How to disable IPv6 on pfSense, so that ifconfig does not output an inet6 line?

            Why do you persist in that, when you have been told multiple times now that it simply isn't necessary?! It doesn't matter if the interface still outputs an inet6 with a fe80 link local address - if the general switch is off OR you didn't configure any IPv6 rules on an interface, all IPv6 traffic is blocked and ignored!

            1. And how to stop the DNS Resolver in Diagnostics\Tables\Table to Display from resolving IPv6 addresses?

            DNS is supposed to answer your request with what is configured in the DNS zone. If the domain has AAAA entries, those are shown. If your client has no IPv6 capable interface, it won't use them. If you're not sure your clients behave correctly you can also set the advanced option to prefer IPv4 over IPv6 when answering.
            Otherwise I don't see the problem - an interface configured without IPv6 doesn't talk over IPv6.

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              Just turn off get dns from dhcp and those go away.. Out of the box pfsense should be resolving anyway - you have zero need for any dns from your isp be it ipv4 or ipv6.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • L
                lucas1
                last edited by

                A good answer is just a little nervous start. -> ?!

                Yes, I agree about DNS resolution in Diagnostics\Tables\Table, that IPv6 traffic is blocked,
                and the option to prefer IPv4.

                But you yourself wrote - an interface configured without IPv6 doesn't talk over IPv6.
                This action (interface configured without IPv6) takes effect immediately and replaces the necessary settings in System\Advanced\Networking.
                And in general, why should I not learn how to disable IPv6 in FreeBSD and/or pfSense?

                1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan @johnpoz
                  last edited by

                  @johnpoz said in ipv6 disable on Pfsense:

                  So only 21% of top 1000 sites are IPv6... Doesn't seem like majority protocol to me..

                  Ok, very true, if you "isolate" your view to public stats, taken from 'public' routers.

                  When I wrote "the main network protocol" it was more thinking about all network traffic, thus also what's being used locally, on our LANs - device to device, etc.
                  Example: when my ISP (Orange, France) starts to deploy 'IPv6', a whopping 30 million users will suddenly be throwing out IPv6 traffic if a point-to-point connection can be made.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  JeGrJ 1 Reply Last reply Reply Quote 0
                  • JeGrJ
                    JeGr LAYER 8 Moderator @Gertjan
                    last edited by

                    @Gertjan Additionally, the graph from Google clearly states "among Google users". Not everyone (including border routers, servers, etc.) is a Google user ;) So ~23% from Google is definitely lower than reality.

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..

                      Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe

                      You guys can all dream about it all you want... I work in the biz... While there might be traffic... It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)

                      But once you move those all to IPv6 - the rest of its going to be slow to come to the plate..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      JKnottJ B 2 Replies Last reply Reply Quote 0
                      • JKnottJ
                        JKnott @johnpoz
                        last edited by JKnott

                        @johnpoz said in ipv6 disable on Pfsense:

                        It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)

                        My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.

                        BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        B 1 Reply Last reply Reply Quote 0
                        • B
                          bimmerdriver @JKnott
                          last edited by

                          @JKnott said in ipv6 disable on Pfsense:

                          @johnpoz said in ipv6 disable on Pfsense:

                          It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)

                          My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.

                          BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.

                          Some of my colleagues in Germany have an ISP that provides IPv4 over IPv6.

                          Sorry to hear about your ISP grief. What a PITA. FWIW, Telus has no issues at all with pfSense.

                          JKnottJ 1 Reply Last reply Reply Quote 0
                          • B
                            bimmerdriver @johnpoz
                            last edited by

                            @johnpoz said in ipv6 disable on Pfsense:

                            Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..

                            Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe

                            You guys can all dream about it all you want... I work in the biz... While there might be traffic... It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)

                            But once you move those all to IPv6 - the rest of its going to be slow to come to the plate..

                            They are waiting to see if anyone actually uses it? Seriously? If that wasn't a tongue in cheek comment, it's a demonstration of ignorance, not intelligence. Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7 era. Unless someone goes out of their way to disable IPv6, every PC running Windows 7 or newer is IPv6 ready out of the box. AFAIK, all new mobile phones support it and have done so for several years. Macs support it. Many websites support IPv6, in particular a lot of high usage websites. The only reason IPv6 isn't the overwhelming majority protocol is because ISPs have dragged their asses to support it.

                            1 Reply Last reply Reply Quote 0
                            • JKnottJ
                              JKnott @bimmerdriver
                              last edited by

                              @bimmerdriver said in ipv6 disable on Pfsense:

                              FWIW, Telus has no issues at all with pfSense.

                              Rogers also works fine with pfSense. The issue is with the CMTS I'm connected to. The people who are responsible for fixing this don't seem to want to as I have my own firewall/router, despite the fact that it also fails in gateway mode, affects a neighbour and even when the senior tech came with his own modem and it also failed. Despite all that and much more, including getting the Office of the President involved, they won't fix it. I even identified the system that failed for them and the senior tech proved it again, when he went to the head end and tested there. Yet they still cancelled the ticket, without making any attempt to fix the problem. Someone is due for some serious disciplinary action.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                              DerelictD 1 Reply Last reply Reply Quote 0
                              • DerelictD
                                Derelict LAYER 8 Netgate @JKnott
                                last edited by

                                @JKnott Start sending your payments to whatever amounts to your public utilities commission. At least that's how it works here.

                                Though cable/internet is a little nebulous as to exactly where they fall legislatively and it seems to change depending on wind direction here.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • JKnottJ
                                  JKnott
                                  last edited by

                                  @bimmerdriver said in ipv6 disable on Pfsense:

                                  Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7

                                  Actually, XP SP3 almost fully supported it. There was some minor thing that didn't work, but it didn't have much effect overall. I know it worked fine for me. My first Android phone, a Google Nexus 1, also supported IPv6, and my current Pixel 2 even has IPv6 tethering, with a full /64 prefix.

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    sorenstoutner
                                    last edited by sorenstoutner

                                    The option to disable AAAA DNS requests would be nice due to the amount of junk AAAA traffic that is generated otherwise. For example, I have an Icinga service running on a Debian system that looks up clients by DNS name. It issues AAAA lookups for the main domain (which fail because no AAAA record exists) and then appends the default search domain (which also fails). These generate multiple "info: query response was NXDOMAIN ANSWER" and "info: query response was THROWAWAY" log entries. Neither my ISP nor the ISPs at many of the locations being monitored provide IPv6. I could save the DNS servers the wasted bandwidth and my log files the wasted entries if I could just turn off AAAA record resolution.

                                    Along those lines, it is considerate not to hammer DNS providers with queries for things that don't exist.

                                    https://www.theregister.com/2021/02/04/chromium_dns_traffic_drop/

                                    johnpozJ 1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @sorenstoutner
                                      last edited by johnpoz

                                      @sorenstoutner said in ipv6 disable on Pfsense:

                                      I could just turn off AAAA record resolution.

                                      That should be done on the client.. Which is pretty much impossible even when they don't have ipv6 enabled.. They will still query for AAAA, pretty stupid if you ask me..

                                      You can stop unbound from resolving them - but where you should be able to turn it off is the client.

                                      https://forum.netgate.com/topic/151745/bind-filter-aaaa

                                      I thought there was even a newer thread - but that is the first one that came up searching..

                                      There is a no-aaaa.py you can load right in the gui for specific domains, maybe the script could be edited for any AAAA, and I know pfblocker is doing something with AAAA as of recent updates.

                                      If you run bind you can run the no AAAA

                                      edit: Took me a minute to remember it.. But you can use this in the options box in unbound
                                      server:
                                      private-address: ::/0

                                      [image: noAAAA.png]

                                      unbound still will try to resolve AAAA, but client will not get an answer. So not really the best solution.. Best solution is to get your client to stop asking for AAAA when they can not use them ;) Which if you know of way - happy to hear about it.. Not a fan of that at all - its just noise..

                                      People think - oh its just a simple query, what could it hurt... Well your link to the chrome nonsense they finally fixed is perfect example of what it can hurt..

                                      Related to noise - I am hoping I finally stopped my phone from constantly asking for stupid lb._dns-sd._udp.blahblah queries.. 100's of them, multiple different iterations.. Was like 2000 some queries a day... I knew it was some app on my phone - but not sure which one.. Turned off all the background refresh on everything that I don't specifically want.. And they stopped ;)

                                      2000 in 24, not big deal.. But it would forward those to unbound.. I never looked but unbound prob trying to resolve them.. Just stupid noise - no need for it... If you want to look for something - sure ask, but if you don't get the answer you want.. Don't keep asking every 30 freaking seconds ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      S 1 Reply Last reply Reply Quote 1
                                      • S
                                        sorenstoutner @johnpoz
                                        last edited by sorenstoutner

                                        @johnpoz

                                        That should be done on the client.. Which is pretty much impossible even when they don't have ipv6 enabled.. They will still do query for AAAA, pretty stupid if you ask me..

                                        I completely agree. However, it appears that there is no way to do this system-wide on modern Linux.

                                        https://serverfault.com/questions/632665/how-to-disable-aaaa-lookups

                                        The only way to accomplish this is to replace all instances of gethostbyname() with getaddrinfo() in the source code of every single program and then specify the ai_family as AF_INET.

                                        Thanks for the link to the python script. It just seems like this is a lot of work for something where there should be a simple option at the client OS level, and, failing that, there should be a checkbox on the DNS Resolver page to turn it off. For example, if I don't have an IPv6 address on my client, it shouldn't make AAAA queries. And, if I have disabled IPv6 on pfSense, it should also not forward AAAA queries.

                                        johnpozJ 1 Reply Last reply Reply Quote 0
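The client-side change the post above describes (getaddrinfo() with ai_family pinned to AF_INET instead of gethostbyname()), shown as an added example that is not the poster's code. It uses only the Python standard library; the contrast function with AF_UNSPEC is there to show the default behaviour the post complains about. Resolving "localhost" is assumed to come from /etc/hosts so the script runs offline.

```python
"""Request IPv4 results only, so the resolver library has no reason to issue an AAAA query.

Added example, not from the thread. Standard library only.
"""
import ipaddress
import socket


def resolve_v4_only(host, port=0):
    """Resolve `host` with ai_family pinned to AF_INET.

    With the family restricted, the resolver library only needs A records for
    this call, which is the per-program fix the post describes (there is no
    system-wide switch on Linux, as the post also notes).
    """
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    seen, addrs = set(), []
    for family, _type, _proto, _canon, sockaddr in infos:
        addr = sockaddr[0]
        if family == socket.AF_INET and addr not in seen:  # de-duplicate, keep order
            seen.add(addr)
            addrs.append(addr)
    return addrs


def resolve_any(host, port=0):
    """Same lookup with AF_UNSPEC: the default, which asks for both A and AAAA."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({sockaddr[0] for _f, _t, _p, _c, sockaddr in infos})


def all_ipv4(addrs):
    """True when every address parses as IPv4, the property the AF_INET call guarantees."""
    try:
        return all(isinstance(ipaddress.ip_address(a), ipaddress.IPv4Address) for a in addrs)
    except ValueError:
        return False


if __name__ == "__main__":
    # "localhost" normally resolves from /etc/hosts, so this works without a network.
    print("AF_INET   ->", resolve_v4_only("localhost"))
    print("AF_UNSPEC ->", resolve_any("localhost"))
```

Run it on a dual-stack host and the AF_UNSPEC line will list ::1 alongside 127.0.0.1 while the AF_INET line never does; the same pattern applies in C, where the `hints.ai_family = AF_INET` field of `struct addrinfo` does the job.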
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @sorenstoutner
                                          last edited by johnpoz

                                          Preaching to the choir my brother - sing it ;)

                                          Maybe you missed my edit ;) I hate freaking NOISE!! AAAA queries when you have no IPv6 are NOISE.. Just like freaking windows and their hunger to flood your network with SSDP, and LLMNR.. If I want that shit - let me turn it on ;)

                                          The no-aaaa.py will stop unbound from doing the query.. But I have not looked into an edit to do it for all AAAA.. Might be simple - maybe take a look later. The simple way to just stop your client from getting an answer is with the private-address. But that prob won't stop him from asking and asking and asking.. Like freaking energizer bunnies - dude what about the 10k no answer you got, how about backing off your asking for it...

                                          Dude now you got me started ;) hehehehe

                                          edit: Yeah what they should work, since they got rid of 80Billion queries that were NOISE.. Now how about stopping asking for AAAA when you have no IPv6... I concur unbound shouldn't process them if it has no IPv6 address. Or a simple flag to just turn them off - the filter AAAA in bind does that I believe.

                                          But still doesn't stop all the local noise to local NS when clients keep asking for shit they can not ever use..

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          GertjanG 1 Reply Last reply Reply Quote 1
                                          • GertjanG
                                            Gertjan @johnpoz
                                            last edited by Gertjan

                                            @johnpoz said in ipv6 disable on Pfsense:

                                            Might be simple - maybe take a look later.

                                            I'll check this weekend. It's probably an easy fix.

                                            https://unix.stackexchange.com/questions/444282/how-to-disable-ip6-lookups-in-unbound

                                            @johnpoz said in ipv6 disable on Pfsense:

                                            about stopping asking for AAAA

                                            If a process on some LAN based client asks the local resolver, unbound, to look up an A, unbound will look up the A. Same thing for MX, or AAAA.
                                            All this over IPv4.
                                            It might be wise (but probably impossible) to instruct the software we use on our devices to stop asking for AAAA. After all, why ask for an AAAA if IPv6 isn't enabled on the device, or the network doesn't offer IPv6 capabilities?
                                            Unbound is just doing what it's asked to do, amplifying the noise.

                                            edit : what the heck : this might be easy :

                                            I wrote a new no-aaaa-v2.py version, by only pressing on the delete key.

                                            This is it :

                                            def init(id, cfg):
                                                # Called once by unbound when the module is loaded; nothing to set up.
                                                return True

                                            def deinit(id):
                                                # Called once at unbound shutdown; nothing to tear down.
                                                return True

                                            def inform_super(id, qstate, superqstate, qdata):
                                                # Called when a sub-query finishes; this module never spawns one.
                                                return True

                                            def operate(id, event, qstate, qdata):
                                                # Main entry point: unbound calls this for every query event.
                                                if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
                                                    if qstate.qinfo.qtype != RR_TYPE_AAAA:
                                                        # Not an AAAA question: hand the query on to the next module.
                                                        qstate.ext_state[id] = MODULE_WAIT_MODULE
                                                        return True

                                                    # AAAA question: build a reply with no records and return it directly.
                                                    msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
                                                    if not msg.set_return_msg(qstate):
                                                        qstate.ext_state[id] = MODULE_ERROR
                                                        return True

                                                    # Mark the synthesized reply as not needing validation (value as in unbound's pythonmod examples).
                                                    qstate.return_msg.rep.security = 2
                                                    qstate.return_rcode = RCODE_NOERROR
                                                    qstate.ext_state[id] = MODULE_FINISHED
                                                    log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                                                    return True

                                                if event == MODULE_EVENT_MODDONE:
                                                    # The next module finished a non-AAAA query; we are done too.
                                                    qstate.ext_state[id] = MODULE_FINISHED
                                                    return True

                                                # Any other event is unexpected for this module.
                                                qstate.ext_state[id] = MODULE_ERROR
                                                return True

                                            log_info("pythonmod: no-aaaa-v2.py script loaded")
                                            

                                            World's smallest py module for unbound.

                                            Copy it here : /var/unbound/no-aaaa-v2.py

                                            Select it under the resolver settings :

                                            [image: a47ed25a-2c60-4943-b9f7-212ba121922e-image.png]

                                            And apply the new settings.
                                            Check that your resolver logs are filled with

                                            [image: 5400380a-e723-4f66-9925-091b6f1712b0-image.png]

                                            My network is IPv6 capable, so hundreds of log lines per minute were shown.
                                            New noise ^^ - to remove all these log lines, remove:

                                                    log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                                            

                                            from the script.

                                            Take note :

                                            When you use no-aaaa-v2.py, you can't use the pfBlockerNG-devel py module.
                                            I tested this for 5 minutes or so, and fully confirmed that there are no bugs, as I only removed lines. I didn't add anything. ;)

                                            No "help me" PM's please. Use the forum, the community will thank you.
                                            Edit : and where are the logs ??

                                            johnpozJ 1 Reply Last reply Reply Quote 2
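Several posts above (sorenstoutner's Icinga NXDOMAIN/THROWAWAY entries, johnpoz's 2000-queries-a-day phone, Gertjan's "hundreds of log lines per minute" from the module) are about measuring AAAA noise rather than guessing at it. The following is an added example, not code from the thread or from Netgate: a small log summariser that counts AAAA queries per client and per name from unbound's log output. It assumes unbound runs with `log-queries: yes` (query lines of the form `info: <client> <qname> <qtype> <qclass>`) and that the no-aaaa-v2.py module above is loaded, so its `no-aaaa: blocking AAAA request for <qname>` line appears at info level; the sample log lines are constructed for the example.

```python
"""Summarise AAAA query noise from unbound log lines.

Added example, not from the thread. Assumes `log-queries: yes` and the
no-aaaa-v2.py module's log_info() line; SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# unbound query line: "info: <client-ip> <qname> <qtype> <qclass>"
QUERY_RE = re.compile(
    r"info: (?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) IN\b"
)
# line written by the thread's no-aaaa-v2.py module
BLOCK_RE = re.compile(r"no-aaaa: blocking AAAA request for (?P<qname>\S+)")

# Constructed sample: a monitoring host (.20) asks AAAA for a name with no AAAA
# record, then again with the search domain appended, then repeats both 30 s
# later; a workstation (.55) asks once and the module answers it.
SAMPLE_LOG = """\
Apr 03 10:00:01 unbound[4321:0] info: 192.168.1.20 mon.example.net. A IN
Apr 03 10:00:01 unbound[4321:0] info: 192.168.1.20 mon.example.net. AAAA IN
Apr 03 10:00:01 unbound[4321:0] info: 192.168.1.20 mon.example.net.lan. AAAA IN
Apr 03 10:00:02 unbound[4321:0] info: query response was NXDOMAIN ANSWER
Apr 03 10:00:31 unbound[4321:0] info: 192.168.1.20 mon.example.net. AAAA IN
Apr 03 10:00:31 unbound[4321:0] info: 192.168.1.20 mon.example.net.lan. AAAA IN
Apr 03 10:00:32 unbound[4321:0] info: query response was THROWAWAY
Apr 03 10:00:40 unbound[4321:0] info: 192.168.1.55 www.example.com. A IN
Apr 03 10:00:40 unbound[4321:0] info: 192.168.1.55 www.example.com. AAAA IN
Apr 03 10:00:40 unbound[4321:0] info: no-aaaa: blocking AAAA request for www.example.com.
"""


def summarize(lines):
    """Count queries per type, AAAA queries per client and per name, and module blocks."""
    by_type, aaaa_by_client, aaaa_by_qname, blocked = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            by_type[q["qtype"]] += 1
            if q["qtype"] == "AAAA":
                aaaa_by_client[q["client"]] += 1
                aaaa_by_qname[q["qname"]] += 1
            continue
        b = BLOCK_RE.search(line)
        if b:
            blocked[b["qname"]] += 1
    return {
        "by_type": dict(by_type),
        "aaaa_by_client": dict(aaaa_by_client),
        "aaaa_by_qname": dict(aaaa_by_qname),
        "blocked": dict(blocked),
    }


def aaaa_share(summary):
    """Fraction of all logged queries that were AAAA."""
    total = sum(summary["by_type"].values())
    return summary["by_type"].get("AAAA", 0) / total if total else 0.0


def noisy_clients(summary, threshold=3):
    """Clients that sent at least `threshold` AAAA queries (threshold is an arbitrary example value)."""
    return sorted(c for c, n in summary["aaaa_by_client"].items() if n >= threshold)


def search_suffix_queries(summary, suffix):
    """AAAA queries for names ending in a search-domain suffix: retries of a name that already failed."""
    return sum(n for q, n in summary["aaaa_by_qname"].items() if q.endswith(suffix))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("queries by type:", s["by_type"])
    print("AAAA share: %.0f%%" % (100 * aaaa_share(s)))
    print("noisy clients:", noisy_clients(s))
    print("search-suffix AAAA retries:", search_suffix_queries(s, ".lan."))
    print("blocked by module:", s["blocked"])
```

Feed it `clog /var/log/resolver.log` output (or the resolver log from the GUI) before and after loading the module: the per-client table tells you which hosts to fix at the source, as johnpoz argues, and the search-suffix count shows how much of the noise is the resolver library retrying with the search domain appended, the pattern sorenstoutner saw from Icinga.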
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.