    "kernel: cannot forward..." errors in system log

    • MikeV7896

      I run a RIPE Atlas probe on one of my networks, which is used to perform ping, traceroute, DNS lookups, and a variety of other diagnostic tests to a variety of hosts around the internet.

      I checked my pfSense logs today and came across this...

      The 2600:4040:... host is my RIPE Atlas Probe system.

      Sep 8 09:16:13	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
      Sep 8 09:16:21	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
      Sep 8 09:21:12	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
      Sep 8 09:21:20	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
      

      Doing a packet capture on WAN, I see this...

      09:21:12.091199 IP6 fe80::2a0:aaaa:bbbb:e1a0 > 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c: ICMP6, time exceeded in-transit for 2a00:74c0:a:b::20, length 104
      09:21:16.092752 IP6 fe80::2a0:aaaa:bbbb:e1a0 > 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c: ICMP6, time exceeded in-transit for 2a00:74c0:a:b::20, length 104
      09:21:20.093609 IP6 fe80::2a0:aaaa:bbbb:e1a0 > 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c: ICMP6, time exceeded in-transit for 2a00:74c0:a:b::20, length 104
      

      Any thoughts on why these Time Exceeded packets wouldn't be able to be routed back to the host? Or how to get this stuff out of my system log?

      The S in IOT stands for Security

      • kiokoman

        A client is attempting to send traffic from a link-local address to a remote destination. It gets dropped and logged because you can't do that.

        For example:

        Scheda LAN wireless Wi-Fi:
        
           Suffisso DNS specifico per connessione: kiokoman.home
           Indirizzo IPv6 . . . . . . . . . . . . . . . . . : 2001:470:26:5dc:xxxx:xxxx:xxxx:xxxx
           Indirizzo IPv6 locale rispetto al collegamento . : fe80::64ee:8085:95b:32fc%9
           Indirizzo IPv4. . . . . . . . . . . . : 192.168.10.22
           Subnet mask . . . . . . . . . . . . . : 255.255.255.0
           Gateway predefinito . . . . . . . . . : fe80::20c:29ff:fef6:cf61%9
                                                   192.168.10.254
        
        C:\Users\Amministratore>ping -6 -S fe80::64ee:8085:95b:32fc www.google.com
        
        Esecuzione di Ping www.google.com [2a00:1450:4001:81d::2004] da fe80::64ee:8085:95b:32fc con 32 byte di dati:
        Errore generale.
        Errore generale.
        Errore generale.
        Errore generale.
        
        Statistiche Ping per 2a00:1450:4001:81d::2004:
            Pacchetti: Trasmessi = 4, Ricevuti = 0,
            Persi = 4 (100% persi),
        
        C:\Users\Amministratore>ping -6 -S 2001:470:26:5dc:xxxx:xxxx:xxxx:xxxx www.google.com
        
        Esecuzione di Ping www.google.com [2a00:1450:4001:81d::2004] da 2001:470:26:5dc:xxxx:xxxx:xxxx:xxxx con 32 byte di dati:
        Risposta da 2a00:1450:4001:81d::2004: durata=38ms
        Risposta da 2a00:1450:4001:81d::2004: durata=38ms
        Risposta da 2a00:1450:4001:81d::2004: durata=39ms
        Risposta da 2a00:1450:4001:81d::2004: durata=37ms
        
        Statistiche Ping per 2a00:1450:4001:81d::2004:
            Pacchetti: Trasmessi = 4, Ricevuti = 4,
            Persi = 0 (0% persi),
        Tempo approssimativo percorsi andata/ritorno in millisecondi:
            Minimo = 37ms, Massimo =  39ms, Medio =  38ms
        
        C:\Users\Amministratore>ping -6 -S fe80::64ee:8085:95b:32fc fe80::20c:29ff:fef6:cf61
        
        Esecuzione di Ping fe80::20c:29ff:fef6:cf61 da fe80::64ee:8085:95b:32fc con 32 byte di dati:
        Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
        Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
        Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
        Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
        
        Statistiche Ping per fe80::20c:29ff:fef6:cf61:
            Pacchetti: Trasmessi = 4, Ricevuti = 4,
            Persi = 0 (0% persi),
        Tempo approssimativo percorsi andata/ritorno in millisecondi:
            Minimo = 1ms, Massimo =  1ms, Medio =  1ms
        

        As you can see:
        I can't ping from link-local to Google,
        I can ping from my IPv6 address to Google,
        I can ping from link-local to another link-local inside my network.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • MikeV7896

          Right... so that's coming to my pfSense box from the internet... and the link-local address in those packets isn't my ISP's router (at least not the default gateway). So how is it getting from wherever it's originating from to me, if it has a link-local address as the source?

          The S in IOT stands for Security

          • kiokoman

            It comes from your network.
            Check the MAC address to find out,
            if you check my example from before:

            http://www.sput.nl/internet/ipv6/ll-mac.html

            Link-local: fe80::20c:29ff:fef6:cf61
            MAC: 00:0C:29:F6:CF:61
            Manufacturer: VMware, Inc. ( https://macvendorlookup.com/ )

            vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                    description: LAN
                    options=8500b8.......
            ->      ether 00:0c:29:f6:cf:61
            

            In IPv6, it is not allowed to route link-local addresses (and no router will forward packets with such addresses as source or destination address).

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            • MikeV7896

              Well... in the packet capture, the MAC address of the Ethernet frame matches the MAC address of the default gateway from my ISP (which is not unusual when dealing with packets being routed to you). But the IPv6 address is definitely not the same, and it doesn't appear to be an EUI64 address, so I can't match it to a MAC address. I do realize that I masked part of the address that would have identified that fact.

              It's likely a misconfiguration on my ISP's part... they only just got IPv6 up and running about a week ago, and it may not even be completed yet (but I've figured out how to make it work with pfSense, not knowing whether their own routers even work with it).

              It's kind of annoying that this is logged in the general system log though... it'd be nice if it were in the routing log... but I assume since it's the kernel generating these messages, that's why it's in the system log.

              The S in IOT stands for Security
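
The two checks discussed in this thread, as an added example (not code from either poster or from pfSense): it parses a "cannot forward" kernel line, strips the interface index carried in the fe80:1:: form, and attempts the link-local to MAC recovery from kiokoman's post. The function names are hypothetical, the sample line is constructed from the log quoted above, and reading fe80:1:: as FreeBSD's KAME-style embedded scope is an assumption.

```python
import ipaddress
import re

# Constructed sample in the format of the kernel messages quoted in the thread.
SAMPLE_LOG = ("Sep 8 09:16:13\tkernel\t\tcannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, "
              "dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3")

LINE_RE = re.compile(r"cannot forward src (?P<src>[0-9a-fA-F:]+), dst (?P<dst>[0-9a-fA-F:]+), "
                     r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\S+), outif (?P<outif>\S+)")


def split_embedded_scope(addr):
    """Return (on-wire address, embedded interface index or None)."""
    # Assumption: the fe80:1:: form in the log is the KAME/FreeBSD in-kernel
    # notation, which stores the interface index in the second 16-bit word.
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        return ip, None
    raw = bytearray(ip.packed)
    scope = int.from_bytes(raw[2:4], "big")
    raw[2:4] = b"\x00\x00"
    return ipaddress.IPv6Address(bytes(raw)), scope or None


def eui64_to_mac(addr):
    """Recover the MAC from a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not EUI-64 (random, stable-privacy or manual interface ID)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the universal/local bit
    return ":".join(f"{b:02x}" for b in mac)


def explain(line):
    """Parse one 'cannot forward' line; None if the line is something else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, scope = split_embedded_scope(m["src"])
    dst, _ = split_embedded_scope(m["dst"])
    return {
        "src": str(src),
        "scope_index": scope,
        "icmpv6": m["nxt"] == "58",  # next header 58 is ICMPv6
        # Link-local addresses are valid only on their own link, so no forwarding.
        "unroutable": src.is_link_local or dst.is_link_local,
        "mac_from_eui64": eui64_to_mac(str(src)),
    }
```

`explain(SAMPLE_LOG)` yields the same source address the WAN capture shows (fe80::2a0:aaaa:bbbb:e1a0) with no MAC, since the masked interface ID has no ff:fe marker; `eui64_to_mac("fe80::20c:29ff:fef6:cf61")` reproduces the VMware MAC from kiokoman's example.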
