Netgate Discussion Forum

"kernel: cannot forward..." errors in system log

  • M
    MikeV7896
    last edited by MikeV7896 Sep 8, 2020, 1:43 PM Sep 8, 2020, 1:41 PM

    I run a RIPE Atlas probe on one of my networks, which is used to perform ping, traceroute, DNS lookups, and a variety of other diagnostic tests to a variety of hosts around the internet.

    I checked my pfSense logs today and came across this...

    The 2600:4040:... host is my RIPE Atlas Probe system.

    Sep 8 09:16:13	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
    Sep 8 09:16:21	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
    Sep 8 09:21:12	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
    Sep 8 09:21:20	kernel		cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
    

    Doing a packet capture on WAN, I see this...

    09:21:12.091199 IP6 fe80::2a0:aaaa:bbbb:e1a0 > 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c: ICMP6, time exceeded in-transit for 2a00:74c0:a:b::20, length 104
    09:21:16.092752 IP6 fe80::2a0:aaaa:bbbb:e1a0 > 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c: ICMP6, time exceeded in-transit for 2a00:74c0:a:b::20, length 104
    09:21:20.093609 IP6 fe80::2a0:aaaa:bbbb:e1a0 > 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c: ICMP6, time exceeded in-transit for 2a00:74c0:a:b::20, length 104
    

    Any thoughts on why these Time Exceeded packets wouldn't be able to be routed back to the host? Or how to get this stuff out of my system log?

    The S in IOT stands for Security

    • K
      kiokoman LAYER 8
      last edited by kiokoman Sep 8, 2020, 6:59 PM Sep 8, 2020, 6:41 PM

      A client is attempting to send traffic from a link-local address to a remote destination. It gets dropped and logged because you can't do that.

      For example:

      Scheda LAN wireless Wi-Fi:
      
         Suffisso DNS specifico per connessione: kiokoman.home
         Indirizzo IPv6 . . . . . . . . . . . . . . . . . : 2001:470:26:5dc:xxxx:xxxx:xxxx:xxxx
         Indirizzo IPv6 locale rispetto al collegamento . : fe80::64ee:8085:95b:32fc%9
         Indirizzo IPv4. . . . . . . . . . . . : 192.168.10.22
         Subnet mask . . . . . . . . . . . . . : 255.255.255.0
         Gateway predefinito . . . . . . . . . : fe80::20c:29ff:fef6:cf61%9
                                                 192.168.10.254
      
      C:\Users\Amministratore>ping -6 -S fe80::64ee:8085:95b:32fc www.google.com
      
      Esecuzione di Ping www.google.com [2a00:1450:4001:81d::2004] da fe80::64ee:8085:95b:32fc con 32 byte di dati:
      Errore generale.
      Errore generale.
      Errore generale.
      Errore generale.
      
      Statistiche Ping per 2a00:1450:4001:81d::2004:
          Pacchetti: Trasmessi = 4, Ricevuti = 0,
          Persi = 4 (100% persi),
      
      C:\Users\Amministratore>ping -6 -S 2001:470:26:5dc:xxxx:xxxx:xxxx:xxxx www.google.com
      
      Esecuzione di Ping www.google.com [2a00:1450:4001:81d::2004] da 2001:470:26:5dc:xxxx:xxxx:xxxx:xxxx con 32 byte di dati:
      Risposta da 2a00:1450:4001:81d::2004: durata=38ms
      Risposta da 2a00:1450:4001:81d::2004: durata=38ms
      Risposta da 2a00:1450:4001:81d::2004: durata=39ms
      Risposta da 2a00:1450:4001:81d::2004: durata=37ms
      
      Statistiche Ping per 2a00:1450:4001:81d::2004:
          Pacchetti: Trasmessi = 4, Ricevuti = 4,
          Persi = 0 (0% persi),
      Tempo approssimativo percorsi andata/ritorno in millisecondi:
          Minimo = 37ms, Massimo =  39ms, Medio =  38ms
      
      C:\Users\Amministratore>ping -6 -S fe80::64ee:8085:95b:32fc fe80::20c:29ff:fef6:cf61
      
      Esecuzione di Ping fe80::20c:29ff:fef6:cf61 da fe80::64ee:8085:95b:32fc con 32 byte di dati:
      Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
      Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
      Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
      Risposta da fe80::20c:29ff:fef6:cf61: durata=1ms
      
      Statistiche Ping per fe80::20c:29ff:fef6:cf61:
          Pacchetti: Trasmessi = 4, Ricevuti = 4,
          Persi = 0 (0% persi),
      Tempo approssimativo percorsi andata/ritorno in millisecondi:
          Minimo = 1ms, Massimo =  1ms, Medio =  1ms
      

      As you can see:
      I can't ping from link-local to Google,
      I can ping from my IPv6 address to Google,
      I can ping from link-local to another link-local inside my network.

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • M
        MikeV7896
        last edited by Sep 8, 2020, 7:33 PM

        Right... so that's coming to my pfSense box from the internet... and the link-local address in those packets isn't my ISP's router (at least not the default gateway). So how is it getting from wherever it's originating from to me, if it has a link-local address as the source?

        The S in IOT stands for Security

        • K
          kiokoman LAYER 8
          last edited by kiokoman Sep 8, 2020, 9:21 PM Sep 8, 2020, 9:15 PM

          It comes from your network.
          Check the MAC address to find out,
          if you check my example from before:

          http://www.sput.nl/internet/ipv6/ll-mac.html

          Link-local: fe80::20c:29ff:fef6:cf61
          Mac: 00:0C:29:F6:CF:61
          Manufacturer: VMware, Inc. ( https://macvendorlookup.com/ )

          vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                  description: LAN
                  options=8500b8.......
          ->      ether 00:0c:29:f6:cf:61
          

          In IPv6, it is not allowed to route link-local addresses (and no router will forward packets with such addresses as source or destination address).

          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
          Please do not use chat/PM to ask for help
          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
          Don't forget to Upvote with the 👍 button for any post you find to be helpful.
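
Added example (not part of the original posts, and not pfSense or Netgate code): a Python sketch that parses the `cannot forward` lines quoted in this thread, strips the zone index that shows up as the `1` in `fe80:1::` (assumed here to be the kernel's embedded interface scope, which would explain why the packet capture shows plain `fe80::`), and recovers a MAC address when the interface ID is modified EUI-64. The function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: line 1 follows the log format quoted in the thread; line 2
# reuses the EUI-64 link-local address from the reply above as a constructed case.
SAMPLE_LOG = """\
Sep 8 09:16:13 kernel cannot forward src fe80:1::2a0:aaaa:bbbb:e1a0, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
Sep 8 09:16:14 kernel cannot forward src fe80:1::20c:29ff:fef6:cf61, dst 2600:4040:aaaa:bbbb:ccc:dddd:fe32:204c, nxt 58, rcvif ix0, outif ix3
"""

LINE_RE = re.compile(r"cannot forward src (?P<src>\S+), dst (?P<dst>\S+), "
                     r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\S+), outif (?P<outif>\S+)")

def split_scope(text):
    """Return (address, zone), clearing a zone embedded in word 2 of a link-local address."""
    addr = ipaddress.IPv6Address(text)
    raw = bytearray(addr.packed)
    zone = int.from_bytes(raw[2:4], "big")
    if raw[0] == 0xFE and (raw[1] & 0xC0) == 0x80 and zone:  # inside fe80::/10
        raw[2:4] = b"\x00\x00"
        return ipaddress.IPv6Address(bytes(raw)), zone
    return addr, None

def eui64_mac(addr):
    """MAC address if the interface ID is modified EUI-64 (ff:fe in the middle), else None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the universal/local bit back
    return ":".join(f"{b:02x}" for b in mac)

def analyse(log):
    """One finding per 'cannot forward' line; all other log lines are ignored."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, zone = split_scope(m["src"])
        findings.append({
            "src": str(src), "zone": zone, "rcvif": m["rcvif"],
            "link_local_src": src.is_link_local,
            "global_dst": ipaddress.IPv6Address(m["dst"]).is_global,
            "icmpv6": m["nxt"] == "58",  # next header 58 is ICMPv6
            "mac": eui64_mac(src) if src.is_link_local else None,
        })
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A finding with `link_local_src` and `global_dst` both true is the case described in this thread; `mac` is `None` when the interface ID is not EUI-64, in which case the source MAC has to come from the Ethernet frame in a packet capture instead.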

          • M
            MikeV7896
            last edited by Sep 8, 2020, 11:20 PM

            Well... in the packet capture, the MAC address of the Ethernet frame matches the MAC address of the default gateway from my ISP (which is not unusual when dealing with packets being routed to you). But the IPv6 address is definitely not the same, and it doesn't appear to be an EUI64 address, so I can't match it to a MAC address. I do realize that I masked part of the address that would have identified that fact.

            It's likely a misconfiguration on my ISP's part... they only just got IPv6 up and running about a week ago, and it may not even be completed yet (but I've figured out how to make it work with pfSense, not knowing whether their own routers even work with it).

            It's kind of annoying that this is logged in the general system log though... it'd be nice if it were in the routing log... but I assume since it's the kernel generating these messages, that's why it's in the system log.

            The S in IOT stands for Security
