Netgate Discussion Forum
    WAN block bogon IPv6 networks

    • gambit100

      I have "WAN block bogon IPv6 networks" entries in my pfSense firewall about 1/second. The bogon rule is selected only on the WAN interface and not on the LAN interface. I can suppress the log entries but I'm wondering why I'm getting them. I've seen similar discussions regarding DHCP but they seemed to indicate it was because the LAN bogon rule was enabled.

      So my question is: is a log entry like this 1/second normal, and could it be related to DHCP, possibly something I don't have configured correctly?

      Last 200 Firewall Log Entries. (Maximum 200)
      Mar 14 12:08:29 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
      Mar 14 12:08:29 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
      Mar 14 12:08:31 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:ff92:4419] Options
      Mar 14 12:08:31 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
      Mar 14 12:08:31 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
      Mar 14 12:08:32 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:ff92:4419] Options
      Mar 14 12:08:32 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
      Mar 14 12:08:33 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
      Mar 14 12:08:33 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:ff92:4419] Options
      Mar 14 12:08:37 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
      Mar 14 12:08:37 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
      Mar 14 12:08:40 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options

      Thanks

      • Gertjan @gambit100

        @gambit100

        Your upstream router, ISP, or fellow ISP clients 'can' send traffic that arrives at your gate == WAN interface. This happens (all the time). It's the so-called "Internet background noise". It's traffic coming into your WAN, so it's very likely that 'you' are not the origin of this traffic. As always, "it's the others".

        Solutions :
        Remove the bogons list ...
        Make the bogon rule not to log ....

        ( No, I'm not proposing you to go check your upstream router - or ISP clients or your ISP why they are doing this, but feel free ^^ )

        The traffic itself is pretty inoffensive : what is ff02::2

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • gambit100 @Gertjan

          @Gertjan Thanks for the. I suppressed the log entries so I can see other events if they come in. It's odd it's always from the same source, but not odd enough I was to ask my ISP.

          • Gertjan @gambit100

            @gambit100 said in WAN block bogon IPv6 networks:

            I was to ask my ISP

            Don't.
            Chances are great it will go like this :
            You (asking ISP) : I use this router now that permits me to see 'things' ...
            They : Use our equipment [ don't use unsupported equipment ! ]. You won't see a thing anymore ...

            • NightlyShark @Gertjan

              @Gertjan See here. It's IPv6 multicast. Do you by any chance have an ISP TV package?

              • Gertjan @NightlyShark

                @NightlyShark said in WAN block bogon IPv6 networks:

                See here.

                Yeah; nice example.

                @NightlyShark said in WAN block bogon IPv6 networks:

                Do you by any chance have an ISP TV package?

                @work : no - way. The ISP router has TV (probably ?) capabilities but not using it. Anyway, it's behind the pfSense WAN, so "I don't care".

                @home : yes - but same thing : I don't look at or log pfSense firewall's default 'block' mode packets. I've seen the "internet background noise" since the .... a very long time ;)
                I get DoSed ? Oh boy .. problem. I'll go work in the garden then. I have a good firewall - that's why we are here - so I can do other things.

                Strange packets 'toking' on my front door = WAN, that's like the doorbell of my front door of the house : it's annoying, so I shut down the bell, and friends drop by using the back door anyway.

                • NightlyShark @Gertjan

                  @Gertjan It is not unheard of to have an ISP sub-node (net cabinet on the sidewalk) get hacked and/or infected, and start to work as an attack node for a botnet or something. If you are not explicitly using IPv6 multicast, it is best to disable it globally by a floating rule, for both the in and out directions. The same thing applies for outgoing multicast (and service broadcast) packets.
                  (attached image: 7cfa9972-d6bf-43ca-942f-6d162f00e608-image.png)

                  • Gertjan @NightlyShark

                    @NightlyShark

                    Not saying the contrary.
                    But when is a list with stop rules better than the default non-logging "STOP here" WAN rule ?
                    Are some of your floating WAN rules logging ? That itself is already a risk : incoming, unwanted traffic generates CPU cycles. Throw a boatload of unwanted traffic (DoS) at your WAN, and the system starts to do some serious logging, which means disk activity (disk fills up : a major issue !!), serious processor activity ....

                    Bad traffic from a guy at the other side of the planet, or bad traffic coming from the cabinet in front of my house : it's all bad traffic and blocked.
                    Multi what ? 😊

                    Not part of the out-of-the-box experience, as I had to change some pfSense files, but my pfSense GUI is not listening on the WAN interface ( ! ). Neither the SSH daemon. Nor unbound. No NTP .... did I forget one ?
                    So, even if the firewall takes a break : no processes are listening on some port on the WAN interface ...
                    Easy to test drive : shut down pf and see what happens [ disclaimer here : don't do this at home if you have something to lose ]. So, if "they" still manage to get in now : they have earned it.

                    • NightlyShark @Gertjan

                      @Gertjan This is an outgoing rule (the one that logs), not incoming. The other rules have to do with the CoDel limiter and pfBlockerNG; none create logs.

                      • NightlyShark @Gertjan

                        @Gertjan Also, pfSense, unless configured otherwise, internally listens on all interfaces and all VIPs. It's the firewall that stops all incoming connections at WAN. pfSense even listens on 127.0.0.1 and ::1. If you manage to install stunnel and create one between an extra IP on the LAN interface and 127.0.0.1, you will be able to see it. You can also see it if you choose the option "Disable all packet filtering".

                        • Gertjan @NightlyShark

                          @NightlyShark
                          I know ^^
                          That's why I test with pf shut down, and "do things" with my system so nothing 'listens' anymore on the interface called "WAN".
                          Call it an extra safety net.

                          Maybe I'm paranoid after all ^^

                          • NightlyShark @Gertjan

                            @Gertjan said in WAN block bogon IPv6 networks:

                            @work : no - way. The ISP router has TV (probably ?) capabilities but not using it. Anyway, it's behind the pfSense WAN, so "I don't care".

                            @home : yes - but same thing : I don't look at or log pfSense firewall's default 'block' mode packets. I've seen the "internet background noise" since the .... a very long time ;)
                            I get DoSed ? Oh boy .. problem. I'll go work in the garden then. I have a good firewall - that's why we are here - so I can do other things.

                            Strange packets 'toking' on my front door = WAN, that's like the doorbell of my front door of the house : it's annoying, so I shut down the bell, and friends drop by using the back door anyway.

                            Make no misunderstanding, in order to be reasonably secure with any setup (no matter how good the software) it all boils down to configuration. (I don't mean this in an insulting way, just a piece of advice) you need to drop the "I have PfSense, b***h, so I don't care" attitude and closely examine your setup. The biggest mistakes in all fields and of all magnitudes in life are almost always made when someone overestimates a choice they made and gets complacent and when someone underestimates the dangers of a situation. PfSense is not an intelligent being that has studied human computer networking and is your slave and will do anything for you, kinda like that Black Mirror episode with the cookies. It's a machine that YOU have the responsibility to know how to control and monitor.

                            Anyway, the ISP CPE is not "behind PfSense WAN", it's "in front". Behind would mean you connected one of the ISP routers' LAN ports to your PfSense LAN...

                            • gambit100 @NightlyShark

                              @NightlyShark Thanks for the link to IPv6 multicast. So "ff02::1:2 all DHCP agents" is a multicast to DHCP agents, which still seems to point to IPv6 DHCP from my ISP to my network. As far as I know, I have no need for IPv6, so I may look into turning it off on my network, assuming it's currently enabled. I don't have an ISP TV package. I stream using a Roku on my LAN.

                              • NightlyShark @gambit100
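As an added example (not from this thread and not pfSense's own code), here is a small Python script that does for the log in the opening post what the reply above does by hand: it parses each "WAN block bogon IPv6 networks" line, resolves the destination against the well-known IPv6 multicast groups (ff02::1:2 is the DHCPv6 relay-agents-and-servers group, ff02::2 all-routers, ff02::1:ffXX:XXXX a solicited-node group), checks whether that solicited-node group is the one derived from the sender's own address, notes that the source is link-local (fe80::/10 is never forwarded by a router, so the sender sits on the same layer-2 segment as the WAN port), and computes the event rate. The sample input is the twelve lines quoted in the first post; the year, the regular expression for the pasted table layout, and the `summarize` / `classify_destination` function names are assumptions made for this example, and the log format may differ between pfSense versions.

```python
"""Classify pfSense 'block bogon IPv6' log lines by multicast destination."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Sample input: the twelve lines quoted in the opening post of the thread
# (same link-local source, three multicast destinations, eleven-second span).
SAMPLE_LOG = """\
Mar 14 12:08:29 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
Mar 14 12:08:29 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
Mar 14 12:08:31 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:ff92:4419] Options
Mar 14 12:08:31 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
Mar 14 12:08:31 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
Mar 14 12:08:32 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:ff92:4419] Options
Mar 14 12:08:32 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
Mar 14 12:08:33 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
Mar 14 12:08:33 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:ff92:4419] Options
Mar 14 12:08:37 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::2] Options
Mar 14 12:08:37 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
Mar 14 12:08:40 WAN block bogon IPv6 networks from WAN (11002) [fe80::2bc:60ff:fe92:4419] [ff02::1:2] Options
"""

# Assumed layout of the pasted "Last 200 Firewall Log Entries" table:
#   <Mon DD HH:MM:SS> <rule description> from <iface> (<tracker id>) [<src>] [<dst>] ...
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<rule>.+?) from (?P<iface>\S+) \((?P<tracker>\d+)\) "
    r"\[(?P<src>[^\]]+)\] \[(?P<dst>[^\]]+)\]"
)

# Well-known groups (RFC 4291 section 2.7.1, RFC 8415 section 7.1).
WELL_KNOWN_GROUPS = {
    "ff02::1": "all-nodes",
    "ff02::2": "all-routers",
    "ff02::16": "all MLDv2-capable routers",
    "ff02::1:2": "all DHCPv6 relay agents and servers",
    "ff05::1:3": "all DHCPv6 servers",
}
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")


def solicited_node_of(addr):
    """Solicited-node group of an address: ff02::1:ff00:0/104 plus its low 24 bits."""
    low24 = int(addr) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def classify_destination(dst, src):
    """Name the multicast group an IPv6 destination belongs to, relative to the source."""
    d = ipaddress.IPv6Address(dst)
    s = ipaddress.IPv6Address(src)
    if not d.is_multicast:
        return "unicast"
    if d in SOLICITED_NODE:
        if d == solicited_node_of(s):
            return "solicited-node group of the source's own address"
        return "solicited-node group"
    scope = d.packed[1] & 0x0F  # low nibble of the second byte is the multicast scope
    return WELL_KNOWN_GROUPS.get(str(d), f"other multicast (scope {scope})")


def parse_line(line, year):
    """Parse one pasted log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    both_v6 = src.version == 6 and dst.version == 6
    return {
        "ts": ts,
        "rule": m["rule"],
        "iface": m["iface"],
        "tracker": m["tracker"],
        "src": str(src),
        "src_link_local": src.is_link_local,
        "dst": str(dst),
        "dst_kind": classify_destination(m["dst"], m["src"]) if both_v6 else "not IPv6",
    }


def summarize(log_text, year):
    """Count events per destination group and per source, and compute the event rate."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    if not events:
        return {"total": 0}
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    return {
        "total": len(events),
        "by_destination": dict(Counter(e["dst_kind"] for e in events)),
        "by_source": dict(Counter(e["src"] for e in events)),
        # fe80::/10 is not forwarded by routers: a link-local source means the
        # sender is directly on the WAN's layer-2 segment, not somewhere upstream.
        "all_sources_link_local": all(e["src_link_local"] for e in events),
        "events_per_second": len(events) / span if span > 0 else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, year=2024).items():  # year assumed; not in the log
        print(f"{key}: {value}")
```

On the sample, five of the twelve lines go to the DHCPv6 group, four to all-routers and three to the solicited-node group of the sender's own address, all from one link-local source, at about 1.1 events per second over the eleven-second window. The pasted lines carry no protocol or port, so the script cannot tell a DHCPv6 Solicit from an MLD report for the same group; the point it does settle is that nothing with a fe80:: source can have come from further away than the adjacent link.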

                                @gambit100 I am naturally suspicious of appliances... I would consider putting the Roku in a separate VLAN (unless bandwidth becomes a consideration, i.e. 4K 120Hz HDR streaming or something, in which case you would need a Layer 3 switch for your VLANs). I have most of my network set up that way. It gives me the ability to have different rules for my LAN (where my physical servers and my PC are), my bridges (virtual interfaces that all my Proxmox VMs use to talk to each other and spin up MACVLAN docker containers, each with its own IP), my security equipment (NVR, doorbells, cameras), various WiFi subnets (guest with captive portal, trusted, admin), my living room TV subnet, my IoT devices... I can even use NordVPN for some subnets and my ISP for others that way. It also reduces inter-device noise a lot (imagine all those devices responding to each others' advertisements and broadcasts)... I don't know your whole network setup, but it is good practice to use separation of concerns whenever possible.

                                • NightlyShark @Gertjan

                                  @Gertjan Oh god... I replied to you before, while meaning to reply to the OP and never checked... facepalm

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.