fe80::/16 not included in interface networks?

bmeeks · Sep 1, 2021, 12:49 PM

@johnpoz said in fe80::/16 not included in interface networks?:

Oh - 24 is what your public is, they are natting you -- DUH!!! ;) heheeeh

Sucks dude - guess someone be shopping for new isp today... That's what I would be doing..

Yeah on the NAT.

Likely "no" on shopping for a new ISP for now. My only other choice is a local wireless ISP operator.

But it's a small town, so I will drop by the office and see if the tech will accomodate me. I knew the former tech (he grew up two houses down from me and was friends with my kids), and he moved me off CGNAT when I originally ordered the service. But he has moved on to something else at a bank.

JKnott · Sep 1, 2021, 1:14 PM

@bmeeks said in fe80::/16 not included in interface networks?:

My firewall WAN IP is now a 100.64.x.x address

Yep, that's definitely CGNAT.

Do they also provide IPv6? Some ISPs provide IPv4 over IPv6.

bmeeks · Sep 1, 2021, 1:21 PM

@jknott said in fe80::/16 not included in interface networks?:

@bmeeks said in fe80::/16 not included in interface networks?:

My firewall WAN IP is now a 100.64.x.x address

Yep, that's definitely CGNAT.

Do they also provide IPv6? Some ISPs provide IPv4 over IPv6.

Nope, no IPv6 here yet. I have a Hurricane Electric setup, but I've had that tunnel out of service for the last year and a half. I have not gone to the trouble of working around the Netflix IPv6 issues caused by HE tunnels, so I just disabled the tunnel for a while during visits by my grandkids. Their iOS devices were trying to use IPv6 when I had it set up on my LAN and on the WAN via the HE tunnel. Took the expedient way out of that and just turned off IPv6. Really don't need it for now.

jimp · Sep 1, 2021, 1:27 PM

Back to the original question here:

fe80:: link-local addresses are NOT a part of "<interface> Net" because they shouldn't need to hit the firewall except for services on the firewall which must respond to requests from those addresses. pfSense also doesn't allow IPv4 link-local addresses for similar reasons, though IPv6 uses them more effectively.

Link-local traffic doesn't get routed so it shouldn't get a free pass through the firewall rules.

Services on the firewall which use IPv6 link-local traffic add their own rules to pass it internally.

Avahi is an add-on package, not a part of the base system, and does not create its own rules. This is partly for security reasons, and partly because nobody has submitted code to do so.

So there are a few ways around it:

Add your own rules narrow enough to only allow Avahi traffic on the interfaces you want (most secure)
Add your own rules to pass link-local traffic willy-nilly (not secure but maybe also not too harmful, but not a best practice)
Find someone who will add an optional feature to the Avahi package to add its own automatic firewall rules to pass in the traffic it wants to see.

bmeeks · Sep 1, 2021, 1:41 PM

@jimp said in fe80::/16 not included in interface networks?:

Back to the original question here:

fe80:: link-local addresses are NOT a part of "<interface> Net" because they shouldn't need to hit the firewall except for services on the firewall which must respond to requests from those addresses. pfSense also doesn't allow IPv4 link-local addresses for similar reasons, though IPv6 uses them more effectively.

Link-local traffic doesn't get routed so it shouldn't get a free pass through the firewall rules.

Services on the firewall which use IPv6 link-local traffic add their own rules to pass it internally.

Avahi is an add-on package, not a part of the base system, and does not create its own rules. This is partly for security reasons, and partly because nobody has submitted code to do so.

So there are a few ways around it:

Add your own rules narrow enough to only allow Avahi traffic on the interfaces you want (most secure)

Add your own rules to pass link-local traffic willy-nilly (not secure but maybe also not too harmful, but not a best practice)

Find someone who will add an optional feature to the Avahi package to add its own automatic firewall rules to pass in the traffic it wants to see.

The third option sounds best to me. Maybe as a checkbox in the package that defaults to "on". That way a really paranoid security admin can disable automatic rules and create their own.

And @jimp stated it best. It's not really a case of routing said traffic, but rather of allowing it into the interface so the avahi daemon, or any other service that wants it, can see it. Having the packages/services that need to see such traffic create their own rules sounds the most logical. The idea in my mind being to make it reasonably secure, but at the same time somewhat "works out of the box".

In the majority of consumer households, we would be talking about just a huge flat network with IoT and everything else on one Layer 2. More security conscious folks use pfSense and try to isolate IoT and similar things using VLANs or physically separate interfaces. But then you run into trouble trying to make some modern technology work because it expects a flat L2 network. Enter tools such as Avahi to help out. But depending on the skill level of the admin, there's a little under-the-hood magic required to get it working.

OffstageRoller · Sep 1, 2021, 6:26 PM

@bmeeks

The third option sounds good to me as well. That would work similar to the pfBlockerNG package where you select the interfaces, and it creates floating roles for those.

This is no longer a problem for me, since I saw the traffic blocked and created these rules. But I imagine for most users that enable avahi on pfSense, and don't disable support for IPv6, assume it "just works." Avahi will probably work fine for them since it will use/revert to IPv4, but they'll assume both IPv4 and IPv6 are both working, where IPv6 is getting rejected.

I think a little more hand holding for this package would be helpful. Might even be worth creating default rules for IPv4 as well to allow the "* net" to communicate to 224.0.0.0/3 over port 5353.

I can create a feature ticket in Redmine for the Avahi package and reference this thread if we think that would be best?

bmeeks · Sep 1, 2021, 6:29 PM

@offstageroller said in fe80::/16 not included in interface networks?:

@bmeeks
I think a little more hand holding for this package would be helpful. Might even be worth creating default rules for IPv4 as well to allow the "* net" to communicate to 224.0.0.0/3 over port 5353.

I can create a feature ticket in Redmine for the Avahi package and reference this thread if we think that would be best?

I think a Redmine Feature Request is a good idea. Perhaps someone will pick it up and submit the necessary change.

OffstageRoller · Sep 1, 2021, 7:52 PM

A ticket has been created!

https://redmine.pfsense.org/issues/12329

johnpoz · Sep 1, 2021, 8:14 PM

@offstageroller Your networks and destinations listed in that redmine are way off..

Source: fe80::/64 not going to work.. that would be only this network

fe80:0000:0000:0000:0000:0000:0000:0000/64

fe80:0000:0000:0000:0000:0000:0000:0000 - fe80:0000:0000:0000:ffff:ffff:ffff:ffff

What link local would fall into that? If goal is to allow any link-local the range would be fe80::/10

And your destination of 224.0.0.0/3 is not very good idea.. Why would you allow all of that space when mdns ipv4 is only ever going to go to 224.0.0.251.

No offense meant but is it possible your issues just stem from a lack of understanding of address space both in the ipv4 and ipv6 area? Where did you come up with 224.0.0.0/3? That includes a shit ton of actual unicast space..

OffstageRoller · Sep 1, 2021, 9:27 PM

@johnpoz

I originally used fe80::/16, which you told me was incorrect (which is true... it should be fe80::/10 like you mentioned). But then you said this:

An alias for any specific "net" using the space of /16 wouldn't be a specific net, it would be a huge chuck of the whole space FE80::/10, where did you come up with using /16 anyway?

The way I interpreted that, was that using /10 also wasn't ideal, and using a /64 would use less space (and would be closer to a * net). Both /64 and /10 both work, so I can update the Redmine ticket if you think /10 should be the correct default.

224.0.0.0/3 is the multicast address space. Originally I created individual rules for each specific address, but decided to "simplify" doing that and instead creating an alias that included the entire multicast address space. My alias is called MULTICAST_SUBNET, and includes the network of 224.0.0.0/3 which is technically correct right? I use more then just mDNS requests fall into that subnet. But you are 100% correct that I should update that ticket and make it 224.0.0.251, since that is unique to mDNS and is the only destination required for Avahi.

Something else related to this thread... some of my devices on some VLANS make requests for SSDP. They have an IPv4 destination of 239.255.255.250. However, IPv6 traffic is blocked by default unless this rule is created:

source: fe80::/10
destination: ff02::c
Port: 1900

Another example would be the same source and destination above, but for port 3702 which is WSDD (used by a Windows 10 device).

These are examples of traffic where I would assume (incorrectly based on your feedback) the * net source rule to cover when IPv6 is enabled on on a network.

And no offense taken. I'm far from an expert here. I've already solved this myself, although you may see the way I've done it is less then ideal. I created this post to hopefully help others.