Netgate Discussion Forum
    25.07: protocol "options" in default block all rule

    Category: IPv6

    • beerguzzle

      I upgraded my 1100 from 24.11 to 25.07 yesterday. Since then I have seen a ton of blocks on my OPT (wireless) interface of IPv6 traffic, see attached screenshot, with protocol "options"

      [Screenshot: firewall log, 2025-08-05 8:34 AM]

      This seems to be ICMP broadcast traffic -- I cannot find the addresses ending in 4497 and 69fa in the NDP table or anywhere else so I don't know the source.

      I went into the advanced area of the rule and turned on "allow packets with IP options to pass". That did not quell the block messages. Plus I don't want ICMP traffic to be tracking my devices anyway. I tried both "block" and "reject", no difference. The rule looks like:

      [Screenshot: the block rule, 2025-08-05 9:08 AM]

      What is going on here?

      Netgate 1100 and Netgate 2100, latest pfsense+ version

      • Gertjan @beerguzzle

        @beerguzzle

        Do you log the firewall rule?

        [Screenshot: rule "Log" checkbox]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs?

        • johnpoz, LAYER 8 Global Moderator @beerguzzle

          @beerguzzle ff02::16 is not ICMP; it is the multicast group "All MLDv2-capable routers".

          If you want to create a rule that allows that and doesn't log it, you would need to set options in the rule and then set it not to log.

          [Screenshot: pass rule with "Allow IP options" set and logging disabled]

          What is the order of rules on your OPT interface? Outbound is only available in the floating tab.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          • jimp, Rebel Alliance Developer Netgate

            https://redmine.pfsense.org/issues/16194

            Hover your mouse over the action icon and look at the details it shows you there.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • beerguzzle @jimp

              @jimp @johnpoz

              This rule is the last (bottom) rule for my OPT interface, a default "block anything not allowed above" rule. I have a similar rule for LAN that also fires this "options" blurb in 25.07. Hovering over the action shows:

              [Screenshot: rule action tooltip, 2025-08-05 1:22 PM]

              which looks similar (but not identical) to redmine 16194.

              I went into advanced options for the rule and turned on "Allow IP options", but nothing changed after the rules reloaded.

              I also searched the pfsense docs for MLD, not much came up. In head scratch mode. Is this a redmine 16194 style "feature"?

              • jimp, Rebel Alliance Developer Netgate

                If you can find the line that corresponds to those log messages in /var/log/filter.log, copy/paste it here. It may be a similar packet to the redmine issue but maybe not identical.

                Since I was able to reproduce the one I was seeing I got a packet capture of it to see what it was, but depending on what you are seeing that may not be viable.

                • beerguzzle @jimp

                  @jimp

                  Here it is:

                  Aug 5 13:49:59 cleo filterlog[66564]: 247,,,1649447902,mvneta0.4092,match,block,in,6,0x00,0x00000,1,Options,0,56,fe80::417:952d:77be:4497,ff02::16,HBH,PADN,RTALERT,0x0000,

                  which should match this from the GUI:

                  [Screenshot: matching firewall log entry, 2025-08-05 1:52 PM]

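What that filterlog line is actually recording, as an added example that is not code from the thread or from pfSense: the protocol column of a filterlog IPv6 entry shows the outermost next-header of the packet, and an MLDv2 report carries a Hop-by-Hop Options header (next header 0, shown as "Options") with the Router Alert option in front of the ICMPv6 payload, which is why the entry reads "Options" rather than icmp6 and why the trailing tokens are HBH,PADN,RTALERT. The block below parses the poster's line, flags the MLD-to-ff02::16 pattern, then builds a constructed MLDv2 report with the same layout and walks its header chain to show the 0 -> 58 chain and ICMPv6 type 143. Field order for the IPv6 part follows the pfSense filterlog documentation; the packet bytes are constructed here (checksum left zero), and the two group addresses are arbitrary. One related fact for the rule the poster is editing: in pf, allow-opts is a modifier for pass rules, so enabling "Allow IP options" on a block rule does not change what it blocks.

```python
"""Decode a pfSense filterlog IPv6 entry and the MLDv2 packet shape behind it.
Added example for the thread; not pfSense code."""
import ipaddress
import struct

# Filterlog fields common to every entry, then the IPv6-specific ones
# (order per the pfSense filterlog documentation).
COMMON_FIELDS = ("rulenr", "subrulenr", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipversion")
IPV6_FIELDS = ("class", "flowlabel", "hoplimit", "protoname", "protoid",
               "length", "src", "dst")

# The line posted in the thread.
LOG_LINE = ("Aug 5 13:49:59 cleo filterlog[66564]: 247,,,1649447902,mvneta0.4092,"
            "match,block,in,6,0x00,0x00000,1,Options,0,56,"
            "fe80::417:952d:77be:4497,ff02::16,HBH,PADN,RTALERT,0x0000,")

NEXTHDR_HBH, NEXTHDR_ICMPV6 = 0, 58
ICMP6_MLDV2_REPORT = 143
HBH_OPTION_NAMES = {1: "PADN", 5: "RTALERT"}


def parse_filterlog(line):
    """Split the CSV payload after 'filterlog[pid]: ' into named fields (IPv6 only)."""
    payload = line.split("filterlog[", 1)[1].split("]: ", 1)[1] if "filterlog[" in line else line
    fields = payload.split(",")
    entry = dict(zip(COMMON_FIELDS, fields[:9]))
    if entry["ipversion"] != "6":
        raise ValueError("only IPv6 entries are handled here")
    entry.update(zip(IPV6_FIELDS, fields[9:17]))
    # For protocol "Options" the remainder is the extension header/option walk.
    entry["extra"] = [f for f in fields[17:] if f]
    return entry


def is_mld_report(entry):
    """True for the noisy entry in the thread: Hop-by-Hop + Router Alert to ff02::16."""
    return (entry["protoname"] == "Options" and entry["dst"] == "ff02::16"
            and "RTALERT" in entry["extra"])


def build_mldv2_report(src, dst, groups):
    """Constructed IPv6 packet: HBH(Router Alert=MLD, PadN) + MLDv2 report with one
    MODE_IS_EXCLUDE record per group and no sources. Checksum is left zero."""
    # Hop-by-Hop: next header 58, ext len 0 (8 octets), Router Alert type 5 len 2
    # value 0 (= MLD), then PadN type 1 len 0 to fill the 8-octet unit.
    hbh = struct.pack("!BBBBHBB", NEXTHDR_ICMPV6, 0, 5, 2, 0, 1, 0)
    records = b"".join(struct.pack("!BBH", 2, 0, 0) + ipaddress.ip_address(g).packed
                       for g in groups)
    mld = struct.pack("!BBHHH", ICMP6_MLDV2_REPORT, 0, 0, 0, len(groups)) + records
    payload = hbh + mld
    ip6 = (struct.pack("!IHBB", 6 << 28, len(payload), NEXTHDR_HBH, 1)
           + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
    return ip6 + payload


def walk_ipv6(packet):
    """Follow the next-header chain through Hop-by-Hop headers, as a filter must.
    Returns (first next header, HBH option names in order, final protocol, icmp6 type)."""
    nh = first = packet[6]
    offset = 40
    options = []
    while nh == NEXTHDR_HBH:
        nxt, hlen = packet[offset], packet[offset + 1]
        body = packet[offset + 2: offset + 8 * (hlen + 1)]
        i = 0
        while i < len(body):
            typ = body[i]
            if typ == 0:                      # Pad1 has no length byte
                options.append("PAD1")
                i += 1
                continue
            options.append(HBH_OPTION_NAMES.get(typ, "OPT%d" % typ))
            i += 2 + body[i + 1]
        offset += 8 * (hlen + 1)
        nh = nxt
    icmp_type = packet[offset] if nh == NEXTHDR_ICMPV6 else None
    return first, options, nh, icmp_type


if __name__ == "__main__":
    e = parse_filterlog(LOG_LINE)
    print(e["action"], e["protoname"], e["src"], "->", e["dst"], e["extra"],
          "MLD report" if is_mld_report(e) else "other")
    pkt = build_mldv2_report("fe80::1", "ff02::16", ["ff02::fb", "ff02::1:ff00:1"])
    print("payload length", len(pkt) - 40, walk_ipv6(pkt))
```

Two records of 20 bytes plus the 8-byte Hop-by-Hop header and 8-byte MLDv2 header come to exactly the 56-byte length in the log, which is consistent with a host reporting membership in two groups; the walk shows the filter has to step past next-header 0 before it ever sees ICMPv6 type 143, so a rule written for icmp6 without allow-opts is not what the logged packet hits.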

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.