Disable IPV6 completely
-
Oh just;
- Uncheck the Allow IPV6 (it was already unchecked by me)
- And then using the Command shell run:
block in log quick inet6 all tracker 1000000003 label "Block all IPv6
- Go to the Rule 1000000003 and uncheck Log packets
Is that correct?
-
You're not supposed to run anything in the shell.
Your block all IPv6 rule is evaluated before your no log rule.. So stop blocking all IPv6.. and your logs will clear up..
With your no log rule..
Blocking all IPv6 is pointless if you're not allowing it in the first place.. all interfaces have default deny. Unchecking that box is just going to spam your log with all IPv6 traffic that is blocked.
Also ZERO point in hiding link-local address space.. But stops us from seeing if that is 1 device or multiple devices. Again the best advice I can give you is turn IPv6 off at the devices themselves if you don't want noise on your network... You're not using IPv6.. So every packet put on the wire is just noise, whether you log it or not..
-
also check this: https://redmine.pfsense.org/issues/9837
-
@erbalo said in Disable IPV6 completely:
Is that correct?
For one third.
Uncheck - see my image above.
Doing so, this will place a firewall rule '100000003' that blocks all IPV6 traffic on all interfaces. This is what unchecking "Allow IPV6" does, not more, not less.
To see the firewall rule: take a look at /tmp/rules.debug
I do not understand what you mean with 2. There is nothing for you to execute.
- Even less.
Again.
Uncheck this one:
and hit the blue Save button at the bottom.
Problem solved.
edit : solved .... is relative.
IPv4 is still fading out - IPV6 is the future.
Accepting it, learning it is not some kind of luxury.
If you are selling hair dryers all your life, you might need any IPv6 knowledge.
If you maintain and administer Firewalls ... there is no choice.
-
If you have IPv6 service, why would you want to block it? What sort of log entries are you getting? Where are they from?
-
Problem solved,
- I have disabled all of the IP6 devices; only one I can't, because it is from the thermostat device, I have no access there.
- I have also created the IPV6 logs with rules as you advised, but it didn't work.
-
@erbalo said in Disable IPV6 completely:
I have also created the IPV6 logs with rules as you advised, but it didn't work.
As gone over already if you have pfsense to block all IPv6... This setting unchecked.
It creates a block rule that logs, and no rules you put in place would not log it... because the auto rule that creates is evaluated before any of your rules.
So you either need to have that checked and create your own rules that do not log... Or you have to edit the system files so the rule that creates doesn't log.. Which would be a horrible idea if you ask me, since now any time you update pfsense that will get put back and your ipv6 traffic would be logged.
I think prob the best thing that could happen is that like you have option to not log default deny rule, you should be able to not log the block IPv6 rule.. You could put in a feature request for that.
-
@johnpoz Allow IPv6 checked and not receiving any logs as long as now.
I also have another question about the auto rule, because I also have a problem with pfsense blocking IP addresses for Google Home services.
What i did:
- Whitelisted these IP addresses as Alias and placed on the top of the IOT Vlan.
- Whitelisted www.google.com and google.com on PFblocker.
- PFblockerNG-devel is installed and working also fine, blocking ads etc.
Should I maybe change the rule order?
My rule order is:
-
Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html
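
The ordering point made in this thread (the automatic "Block all IPv6" rule is evaluated before any user rule, and the first matching `quick` rule ends evaluation), as an added example that is not part of any post and is not pfSense code. The rule lines are a constructed sample in the style of /tmp/rules.debug: the first is the rule quoted in the thread with its closing quote added so it parses; the interface `em0`, the `17000000xx` trackers and the `USER_RULE` labels are hypothetical.

```python
import re

# Constructed sample; only the first rule's text comes from the thread.
SAMPLE_RULES = '''\
block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
block in quick on em0 inet6 all tracker 1700000001 label "USER_RULE: IPv6 no log"
pass in quick on em0 inet all tracker 1700000002 label "USER_RULE: allow LAN v4"
'''

# Covers only the small subset of pf rule syntax used in the sample above.
RULE_RE = re.compile(
    r'^(?P<action>block|pass)\s+(?P<dir>in|out)'
    r'(?P<log>\s+log)?(?P<quick>\s+quick)?'
    r'(?:\s+on\s+(?P<iface>\S+))?'
    r'(?:\s+(?P<af>inet6?))?\s+all'
    r'\s+tracker\s+(?P<tracker>\d+)\s+label\s+"(?P<label>[^"]*)"')

def parse_rules(text):
    """Return the rules in file order, which is the evaluation order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule['log'], rule['quick'] = bool(rule['log']), bool(rule['quick'])
            rules.append(rule)
    return rules

def matches(rule, pkt):
    # A rule without "on IFACE" or without an address family matches any.
    return (rule['dir'] == pkt['dir']
            and rule['iface'] in (None, pkt['iface'])
            and rule['af'] in (None, pkt['af']))

def decide(rules, pkt):
    """Last matching rule wins, unless a matching rule is 'quick'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule['quick']:
                break  # evaluation stops here; later rules are never seen
    return winner

if __name__ == '__main__':
    v6 = {'dir': 'in', 'iface': 'em0', 'af': 'inet6'}
    rules = parse_rules(SAMPLE_RULES)
    # "Allow IPv6" unchecked: the automatic rule is present and wins.
    # "Allow IPv6" checked: it is absent, so the user's no-log rule decides.
    for name, rs in (('unchecked', rules), ('checked', rules[1:])):
        w = decide(rs, v6)
        print(name, '-> tracker', w['tracker'], 'logged' if w['log'] else 'not logged')
```
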