Netgate Discussion Forum

Unknown DHCP ping

General pfSense Questions
36 Posts 6 Posters 1.1k Views
  • D
    deleted
    last edited by Apr 26, 2025, 5:23 AM

    Hi!

    I use neither IPv6 nor DHCP.

    However, every two minutes at intervals of 4-5 seconds I have two entries in the log that IPv6 actions are happening on ports 546 / 547.

    Source: [fe80::3eec:efff:fe34:3623]:546
    Target: [ff02::1:2]:547

    How does this happen and how can I stop it?

    P 1 Reply Last reply Apr 26, 2025, 5:40 AM Reply Quote 0
    • P
      patient0 @deleted
      last edited by Apr 26, 2025, 5:40 AM

      @deleted said in Unknown DHCP ping:

      How does this happen and how can I stop it?

      What you are seeing is a client doing DHCPv6 client things (technical term :) ).

      See Wikipedia: DHCPv6 under 'Example':

      "Client sends a solicit from [fe80::aabb:ccff:fedd:eeff]:546 to multicast address [ff02::1:2]:547"

      Check which of your clients got the link local address 'fe80::3eec:efff:fe34:3623' and disable DHCPv6 on that client.

      To see a list of IPv6 clients talking to your pfSense, check: pfSense docs: NDP Table

      J 1 Reply Last reply Apr 26, 2025, 12:33 PM Reply Quote 1
      • J
        johnpoz LAYER 8 Global Moderator @patient0
        last edited by johnpoz Apr 26, 2025, 12:36 PM Apr 26, 2025, 12:33 PM

        @patient0 said in Unknown DHCP ping:

        disable DHCPv6 on that client.

        Yup - if you're not going to be using IPv6 - it's best to stop it from sending noise if you ask me.

        If you cannot disable it on the noise maker itself, prob want to set pfsense not to log the noise. Noise in a log just makes it harder to see stuff that would be of interest in the log.

        In Windows - should be as easy as unchecking the IPv6 box on your NIC

        windows.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • D
          deleted
          last edited by Apr 28, 2025, 10:41 AM

          Thank you very much for your answer.

          I always switch off IPv6 by default.
          Therefore, I also suspected a setting in the Sense or in the server BIOS.

          I couldn't find anything in the BIOS, hence the question here.

          Then I'll start searching.
          Thanks again.

          Best,

          J G 2 Replies Last reply Apr 28, 2025, 10:54 AM Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @deleted
            last edited by Apr 28, 2025, 10:54 AM

            @deleted what is your client sending it - if you have that unchecked in Windows, it is not Windows.


            1 Reply Last reply Reply Quote 0
            • G
              Gertjan @deleted
              last edited by Apr 28, 2025, 12:17 PM

              @deleted said in Unknown DHCP ping:

              I couldn't find anything in the bios

              That's normal.
              A BIOS doesn't deal at all with IP settings - exception: network booting, something quite rare.
              A BIOS that uses / supports IPv6 ... Afaik, doesn't exist yet - haven't seen one.

              That said, every known OS out there uses IPv6 by default these days, and if that doesn't work, it will fall back "after some time" to IPv6. Ok of course to de-activate IPv6 all over the place.

              If you have a bunch of Microsoft** devices on your LAN, you might as well leave IPv6 activated, as they will use IPv6 to talk to each other. Just put an IPv6 block all on your pfSense LAN interface, and don't make it log.

              ** maybe all devices these days except for the Ali-very-cheap stuff.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • D
                deleted
                last edited by May 2, 2025, 4:36 AM

                I have switched off all the clients as far as possible to be able to narrow it down.
                That's why a NAS system and the associated servers were still partially off, but they all have BNC active.

                And I thought something was transmitting there to show its existence.
                But since I didn't find anything at that moment, I thought a setting on the Sense was doing this.

                But ok, I can only say thank you and find out in the next few days.
                Thanks again.

                J 1 Reply Last reply May 2, 2025, 5:06 AM Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator @deleted
                  last edited by May 2, 2025, 5:06 AM

                  @deleted it really shouldn't be hard to track down.

                  You should be able to look in your NDP table and find that link-local address fe80::3eec:efff:fe34:3623

                  This will give you the mac address, you should then be able to look in your ARP table for that mac, and know what IPv4 address the device has.

                  find.jpg

                  Another option would be packet capture (diag menu) and sniff for IPv6 going to [ff02::1:2]:547, this will then give you the mac address of the device sending it.


                  1 Reply Last reply Reply Quote 2
                  • D
                    deleted
                    last edited by 29 days ago

                    I just wanted to take care of my log entry and assign the IPv6 address in the NDP table.
                    However, it is not listed. However, log entries are available.

                    Where does this IP come from?

                    P 1 Reply Last reply 28 days ago Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by 29 days ago

                      The fe80 link-local address?

                      It's auto generated at the client based on the MAC address of the NIC.

                      1 Reply Last reply Reply Quote 0
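Added example (not part of any post in this thread): when a link-local address was built with the modified EUI-64 scheme (RFC 4291, Appendix A), the NIC's MAC address can be read back out of it, which gives a MAC to look up even when the address is missing from the NDP table. The function names are illustrative; the addresses are the ones quoted in this thread, and the code also handles the case where the interface identifier is not EUI-64 based.

```python
import ipaddress


def mac_from_link_local(addr):
    """Return the MAC embedded in a modified EUI-64 link-local address.

    Returns None when the interface identifier is not EUI-64 based
    (random or stable-privacy identifiers carry no MAC).
    """
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a %zone suffix
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not inside fe80::/10")
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    # EUI-64 inserts ff:fe between the two halves of the 48-bit MAC.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Flip the universal/local bit back to recover the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def eui64_link_local(mac):
    """Forward direction: the fe80:: address an EUI-64 host derives from mac."""
    b = bytes(int(octet, 16) for octet in mac.split(":"))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


if __name__ == "__main__":
    # Source address from the firewall log in the first post.
    print(mac_from_link_local("fe80::3eec:efff:fe34:3623"))
    # Link-local shown in the Raspberry Pi ifconfig output: not EUI-64.
    print(mac_from_link_local("fe80::257a:b357:6bd1:841c"))
    # What that Pi's MAC would produce if it did use EUI-64.
    print(eui64_link_local("b8:27:eb:38:d8:4d"))
```

The first three octets of a recovered MAC are the vendor prefix that MAC lookup sites expect. A `None` result means the address was not derived from the MAC, and a packet capture is then the way to get the MAC.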
                      • P
                        patient0 @deleted
                        last edited by 28 days ago

                        @deleted said in Unknown DHCP ping:

                        However, it is not listed. However, log entries are available.

                        Does the log entry mention what interface the source is on?

                        D 1 Reply Last reply 28 days ago Reply Quote 0
                        • D
                          deleted @patient0
                          last edited by 28 days ago

                          @patient0

                          Yes:
                          Source: [fe80::3eec:efff:fe34:3623]:546
                          Target: [ff02::1:2]:547

                          Always on the same NIC every 2 minutes.
                          It is also the only one of all where the entry is created.

                          P 1 Reply Last reply 28 days ago Reply Quote 0
                          • P
                            patient0 @deleted
                            last edited by 28 days ago

                            @deleted said in Unknown DHCP ping:

                            Yes:

                            Is it on WAN or LAN? And did you check to make sure it's not a pfSense interface itself (Status / Interfaces)?

                            D 1 Reply Last reply 28 days ago Reply Quote 0
                            • D
                              deleted @patient0
                              last edited by 28 days ago

                              @patient0

                              It is LAN.
                              Yes, I have checked it. The NICs are all present in the NDP table
                              and have different IPs. But not this one. I can't assign this IP anywhere.

                              In the meantime I have checked pretty much every point once to see if the IP can be found.

                              When I track this via diagnostics / packet recording, I get an info:

                              option-request DNS-server DNS-search-list
                              

                              I have the DNS server active and don't use any other servers.
                              I checked it immediately but couldn't find anything either.

                              P J 2 Replies Last reply 28 days ago Reply Quote 0
                              • P
                                Patch @deleted
                                last edited by 28 days ago

                                @deleted the pfsense package nmap may give you a hint on what it is.

                                1 Reply Last reply Reply Quote 0
                                • J
                                  johnpoz LAYER 8 Global Moderator @deleted
                                  last edited by johnpoz 27 days ago 27 days ago

                                  @deleted said in Unknown DHCP ping:

                                  option-request DNS-server DNS-search-list

                                  Huh? I showed you how to find the actual mac address of the device. Not sure what you're looking up, you cannot look up a link-local address to find the maker, like you can from a mac address.

                                  See in my example where it says cisco on that a4:9b:cd address..

                                  You can look them up on plenty of websites..

                                  https://maclookup.app/search/result?mac=a4:9b:cd

                                  If you're not seeing this link-local address in your NDP table, then sniff, ie do a packet capture.. It will show you the mac address.

                                  That traffic is a dhcpv6.. https://en.wikipedia.org/wiki/DHCPv6

                                  Once you know the mac address, you should be able to get a clue to what device is asking for dhcpv6.

                                  edit: here is a packet capture showing the mac, set your view options to full, set the port to 547

                                  packetcapturedhcpv6.jpg

                                  If I look up the mac of the sender, that b8:27:eb I see that is my raspberry pi

                                  https://maclookup.app/search/result?mac=b8:27:eb

                                  Those dns-server dns-search-list are options the dhcpv6 client is asking for.. See on the last line of sniff above you see the options, mine is also asking for sntp and ntp servers..

                                  edit2: Now to turn ipv6 off on my raspberry pi

                                  I set
                                  net.ipv6.conf.all.disable_ipv6 = 1

                                  in
                                  /etc/sysctl.conf

                                  I also set
                                  service procps reload

                                  in
                                  /etc/rc.local

                                  Then did a
                                  sysctl -p

                                  now if I look on my pi you will notice it no longer has a link-local IPv6 address even

                                  root@pihole:/home/pi# ifconfig
                                  eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                          inet 192.168.3.10  netmask 255.255.255.0  broadcast 192.168.3.255
                                          ether b8:27:eb:38:d8:4d  txqueuelen 1000  (Ethernet)
                                          RX packets 1910131  bytes 194224986 (185.2 MiB)
                                          RX errors 0  dropped 0  overruns 0  frame 0
                                          TX packets 1909435  bytes 257026039 (245.1 MiB)
                                          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                                  

                                  Which before it did, and notice in my sniff above that was the link-local sending the request for dhcpv6

                                  root@pihole:/home/pi# ifconfig
                                  eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                          inet 192.168.3.10  netmask 255.255.255.0  broadcast 192.168.3.255
                                          inet6 fe80::257a:b357:6bd1:841c  prefixlen 64  scopeid 0x20<link>
                                          ether b8:27:eb:38:d8:4d  txqueuelen 1000  (Ethernet)
                                          RX packets 1909789  bytes 194202989 (185.2 MiB)
                                          RX errors 0  dropped 0  overruns 0  frame 0
                                          TX packets 1909069  bytes 256976581 (245.0 MiB)
                                          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                                  


                                  1 Reply Last reply Reply Quote 1
                                  • D
                                    deleted
                                    last edited by deleted 24 days ago 24 days ago

                                    Hi @johnpoz, thanks for your detailed reply with all the info.

                                    I understand so far.
                                    I also looked there as you did on the screenshot.

                                    However, just as you read, I saw the “option-request DNS server ...” entry and thought it was an attack.

                                    However, I have now been able to find out the MAC and as suspected it is the pfsense itself.

                                    I double-checked everything directly in the BIOS of the server.
                                    No DHCP is running. Everything is static or off.

                                    I have also looked through every menu of the sense to see if I have overlooked anything.
                                    However, no option was found.

                                    However, you are right, I know the option "net.ipv6.conf.all.disable_ipv6" as well.
                                    Would it be a solution if I put the option in the advanced settings / system fine-tuning?

                                    Thanks again for the very detailed answer.
                                    (Unfortunately I don't have enough points and a thumbs up to give).

                                    J 1 Reply Last reply 24 days ago Reply Quote 2
                                    • J
                                      johnpoz LAYER 8 Global Moderator @deleted
                                      last edited by johnpoz 24 days ago 24 days ago

                                      @deleted I wouldn't try that with pfsense, it runs on FreeBSD - which is similar to Linux, but not exactly.. So it might be a bit different.

                                      Where exactly are you seeing that? I assumed it was in your firewall log? So it's pfsense asking for IPv6 via dhcp on its wan?? if so just set pfsense wan to not do IPv6 on its wan..

                                      wanipv6.jpg

                                      Pfsense shouldn't log that it's trying for dhcp - unless you unchecked the ipv6 box..

                                      ipv6log.jpg

                                      If you uncheck that box, then yeah it creates block rules for anything IPv6. But just setting none on your wan interface for ipv6 would stop it from asking for IPv6 via dhcpv6


                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        deleted
                                        last edited by 22 days ago

                                        This is the entry in the log:
                                        Screenshot_20250518_143021.png

                                        I have configured my interface exactly as shown in your picture.
                                        Except that it has a static IPv4.
                                        The Allow IPv6 field is deactivated.

                                        The settings were already set as they were, I didn't update anything.

                                        Or is it in FreeBSD?

                                        J 1 Reply Last reply 22 days ago Reply Quote 0
                                        • J
                                          johnpoz LAYER 8 Global Moderator @deleted
                                          last edited by johnpoz 22 days ago 22 days ago

                                          @deleted so it's not pfsense sending it.. Why would the firewall log outgoing traffic from pfsense?

                                          I have now been able to find out the MAC and as suspected it is the pfsense itself.

                                          The lan side interfaces should not be requesting IPv6 unless you had them set for dhcp for IPv6, the IPv6 setting on your lan side interfaces should be NONE as well.

                                          When you disable IPv6 it does create block rules - that could be blocking outbound? But an outbound block log normally shows direction arrow..

                                          outbound.jpg

                                          Please show us how you determined the mac address of this traffic and that it is pfsense itself. If the interface for IPv6 is set to none - it wouldn't be sending dhcpv6 requests.

                                          I do not disable IPv6 because I do use it for testing.. By default IPv6 is allowed - ie that check box is checked.. So I am not exactly sure the rules it creates when you uncheck it.. But it would seem odd that it would block outbound traffic and not log that it is outbound traffic like the above picture, where my outbound rule blocks rfc1918 going out my wan.

                                          But if an interface is set to none for IPv6 - it sure wouldn't be sending dhcpv6 requests.. I doubt its pfsense mac address sending that to be honest.. Unless you have the lan01 interface set to dhcpv6.. And even if you did I would think the block all ipv6 if set for outbound blocking it would log the direction, which from what you posted that is an inbound block.. So into the lan01 interface, not traffic leaving the interface into the lan01 network.

                                          edit: so I disabled IPv6 by unchecking the box, and it does create an outbound rule

                                          You can view the full ruleset
                                          https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

                                          Not all rules are shown in the gui, there are some hidden rules; to see them you have to use the above linked instructions.

                                          # Block all IPv6
                                          block in  quick inet6 all ridentifier 1000000003 label "Block all IPv6"
                                          block out  quick inet6 all ridentifier 1000000004 label "Block all IPv6"
                                          

                                          But as you see if the pfsense interface was sending it - it would show that it was in the outbound direction.

                                          I enabled dhcp for ipv6 on my test interface - and you can see pfsense with default logging on, logs that in the outbound direction, since your log does not show this - then the traffic was inbound into your lan01 interface - and not from pfsense itself

                                          blockipv6.jpg

                                          And you can also tell that was inbound because of the rule ID, 1000000003 vs the 4 one which is the outbound rule.


                                          1 Reply Last reply Reply Quote 2
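Added example (not part of any post in this thread): the direction check described in the last post, applied to raw filter log lines instead of the GUI view. The field order follows Netgate's documented raw filter log format and is an assumption to verify on your version; the two tracker IDs come from the "Block all IPv6" rules quoted above; the log lines, host name and interface names are constructed.

```python
import re

# Field order of a raw filterlog record for IPv6 + UDP (assumed from Netgate's
# "Raw Filter Log Format" documentation; check it against your version).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV6 = ["tclass", "flow", "hoplimit", "proto", "proto_id", "length",
        "src", "dst"]
UDP = ["sport", "dport", "datalen"]

# ridentifier values of the two hidden "Block all IPv6" rules quoted above.
BLOCK_ALL_IPV6 = {"1000000003": "in", "1000000004": "out"}
DHCPV6_SERVERS = "ff02::1:2"  # multicast group DHCPv6 clients solicit

# Constructed sample lines: inbound solicit, outbound solicit, IPv4 noise.
SAMPLE_LINES = [
    "May 18 14:30:21 fw filterlog[4242]: 4,,,1000000003,igb1,match,block,in,"
    "6,0x00,0x00000,1,UDP,17,66,fe80::3eec:efff:fe34:3623,ff02::1:2,546,547,66",
    "May 18 14:31:02 fw filterlog[4242]: 5,,,1000000004,igb2,match,block,out,"
    "6,0x00,0x00000,1,UDP,17,66,fe80::1:1,ff02::1:2,546,547,66",
    "May 18 14:31:05 fw filterlog[4242]: 9,,,1000000103,igb0,match,block,in,"
    "4,0x0,,64,4660,0,none,17,udp,78,198.51.100.7,203.0.113.5,5353,5353,58",
]


def parse_filterlog(line):
    """Return a dict for an IPv6/UDP filterlog record, else None."""
    m = re.search(r"filterlog(?:\[\d+\])?:\s*(.*)$", line)
    fields = (m.group(1) if m else line).strip().split(",")
    # Index 8 is the IP version, index 13 the protocol number (17 = UDP).
    if len(fields) < 20 or fields[8] != "6" or fields[13] != "17":
        return None
    return dict(zip(COMMON + IPV6 + UDP, fields))


def dhcpv6_solicit_origin(line):
    """Classify a blocked DHCPv6 solicit by the direction it was logged in."""
    rec = parse_filterlog(line)
    if not rec or rec["dport"] != "547" or rec["dst"] != DHCPV6_SERVERS:
        return None
    expected = BLOCK_ALL_IPV6.get(rec["tracker"])
    if expected and expected != rec["direction"]:
        raise ValueError("tracker and direction disagree: " + line)
    # "in" = arrived on the interface from the attached network;
    # "out" = was leaving the firewall through that interface.
    origin = "firewall itself" if rec["direction"] == "out" else "host on the segment"
    return {"iface": rec["iface"], "src": rec["src"],
            "direction": rec["direction"], "tracker": rec["tracker"],
            "origin": origin}


if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(dhcpv6_solicit_origin(entry))
```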
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.