PfSense 2.0.1 - IPv6 disabled but passing IPv6 traffic on firewall



  • Hi,

    I am using pfsense 2.0.1. I did not enable IPv6. But for some days now I have been getting many IPv6 logs of traffic which passes my firewall.
    Can someone help me understand what traffic this is, why it can pass the firewall, and how to block it?

    Thank you.





  • Those are probably LAN to LAN or LAN to LAN IP of the firewall. You just don't want to see WAN in the IF column.



    But I did not enable IPv6 on pfsense - why should there be any IPv6 traffic initiated by pfsense !?
    I am unsure if this could be some kind of virus or trojan on a host on the LAN !?
    And on this pfsense there is only one LAN interface and three WAN interfaces - and on the LAN there is just another pfsense but no hosts.

    And I am not familiar with reading IPv6 addresses, so I don't know where this traffic comes from, i.e. which host initiates this traffic.

    This is my network:

    WAN1
    WAN2–-pfsense1---172.16.0.0/16-----pfsense2---172.17.0.0/16 (6 different VLANs)
    WAN3

    pfsense1 is doing LoadBalancing and NAT + freeradius2+openvpn
    pfsense2 is doing just routing with squid+squidguard+freeradius2

    Any suggestions ?


  • LAYER 8 Global Moderator

    "But I did not enable IPv6 on pfsense "

    You did not enable it on the firewall, but what did you enable on the lan interface?  Did you set an ipv6 address, does it have an ipv6 address?

    I would just look at ifconfig on your pfsense box, do you have ipv6 link local address there?

    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:50:56:00:00:02
            inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::250:56ff:fe00:2%em0 prefixlen 64 scopeid 0x1

    If so then sure you could see ipv6 traffic from other devices on the lan.



  • [2.0.1-RELEASE][admin@pfsense1.hpa]/root(1): ifconfig
    igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
            ether 00:26:2d:04:2f:36
            inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
            inet6 fe80::226:2dff:fe04:2f36%igb0 prefixlen 64 scopeid 0x1
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
            ether 00:26:2d:04:2f:37
            inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::226:2dff:fe04:2f37%igb1 prefixlen 64 scopeid 0x2
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
            ether 00:1b:21:a1:c9:64
            inet6 fe80::21b:21ff:fea1:c964%igb2 prefixlen 64 scopeid 0x3
            inet 192.168.3.20 netmask 0xffffff00 broadcast 192.168.3.255
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet 100baseTX <full-duplex>
            status: active
    igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
            ether 00:1b:21:a1:c9:65
            inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
            inet6 fe80::21b:21ff:fea1:c965%igb3 prefixlen 64 scopeid 0x4
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    pflog0: flags=100<PROMISC> metric 0 mtu 33200
    enc0: flags=0<> metric 0 mtu 1536
    ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::226:2dff:fe04:2f36%ovpns2 prefixlen 64 scopeid 0x9
            inet 10.0.32.1 --> 10.0.32.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 16133


    igb0-igb2 is my WAN, igb3 is my LAN.
    At the moment I am connected via openvpn.

    I am using pfsense 2.0.1 - I never added any IPv6 code from git or somewhere else. As far as I know this version of pfsense does not support IPv6 ?! Just tunneling IPv6 traffic through IPv4 - but this is disabled in the GUI.

    PS: If you need more information from commandline, please let me know what and the syntax to get it.

    Thanks in advance!


  • LAYER 8 Global Moderator

    Well there you go

    inet6 fe80::21b:21ff:fea1:c965%igb3 prefixlen 64 scopeid 0x4

    So yeah your lan interface can see ipv6 traffic.

    Just because pfsense does not have their gui with ipv6 stuff, doesn't mean the freebsd underneath it doesn't support ipv6.

    Guess I could fire up a copy of 2.01 or 2.02, but doesn't your lan interface gui have a place to set ipv6 address?




  • Just so that you know, anything that starts with fe80 is a link local (hardware IPv6) address. It is not supposed to be routable. From the wiki:

    Local addresses
    ::1/128 — The loopback address is a unicast localhost address. If an application in a host sends packets to this address, the IPv6 stack will loop these packets back on the same virtual interface (corresponding to 127.0.0.0/8 in IPv4).
    fe80::/10 — Addresses in the link-local prefix are only valid and unique on a single link. Within this prefix only one subnet is allocated (54 zero bits), yielding an effective format of fe80::/64. The least significant 64 bits are usually chosen as the interface hardware address constructed in modified EUI-64 format. A link-local address is required on every IPv6-enabled interface—in other words, applications may rely on the existence of a link-local address even when there is no IPv6 routing. These addresses are comparable to the auto-configuration addresses 169.254.0.0/16 of IPv4.
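
As an added example (not from the thread), the modified EUI-64 construction quoted above can be run in both directions: build the fe80:: address an interface forms from its MAC, and turn a fe80:: source seen in the firewall log back into the MAC of the LAN host that sent it, which is the identification question asked earlier in the thread. It assumes the interface identifier is EUI-64 based; randomised/privacy identifiers carry no hardware address and map to None, and the hostnames in the inventory are constructed for illustration.

```python
# Added example (not from the thread): map between a MAC address and the
# modified EUI-64 link-local address (fe80::/64) an interface derives from it,
# so a fe80:: source seen in the firewall log can be traced to a LAN host.
import ipaddress
import re
from typing import Optional

def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Build fe80::<modified EUI-64> from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = [int(b, 16) for b in re.split(r"[:\-]", mac.strip())]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the OUI from the device part, insert ff:fe in the middle, and
    # flip the universal/local bit (bit 1 of the first octet).
    iid = bytes([octets[0] ^ 0x02, octets[1], octets[2], 0xFF, 0xFE,
                 octets[3], octets[4], octets[5]])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC behind an EUI-64 link-local address.

    Returns None when the address is not link-local or its interface
    identifier is not EUI-64 based (e.g. fe80::1, or a privacy/random IID),
    since those carry no hardware address to recover.
    """
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop FreeBSD %scope
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = [iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]]
    return ":".join(f"{o:02x}" for o in octets)

# Constructed inventory: MACs taken from the ifconfig output quoted in the
# thread, hostnames assumed for illustration.
INVENTORY = {
    "00:1b:21:a1:c9:65": "pfsense1 igb3 (LAN)",
    "00:50:56:00:00:02": "moderator's em0 box",
}

def identify_host(log_addr: str, inventory=INVENTORY) -> str:
    """Name the host behind a logged fe80:: address, or explain why not."""
    mac = link_local_to_mac(log_addr)
    if mac is None:
        return f"{log_addr}: no EUI-64 interface identifier, cannot map to a MAC"
    return f"{log_addr}: MAC {mac} -> {inventory.get(mac, 'unknown host')}"
```

Checking the thread's own output with it: igb3's MAC 00:1b:21:a1:c9:65 yields exactly the fe80::21b:21ff:fea1:c965 the moderator pointed at, and ovpns2's fe80::226:2dff:fe04:2f36 resolves to igb0's MAC because the tunnel interface borrowed it.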


  • LAYER 8 Global Moderator

    ^ exactly..  If you don't want to see that sort of traffic then you should fully disable IPv6 on your lan machines.

    I personally don't like it being enabled unless I am going to actually do something with it on that box.  So if I'm not going to actually use ipv6 I disable it completely. Why run a protocol you're not using, I say!  On Windows it's pretty easy.

    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

    On Linux and the BSDs, depending on flavor, you have to do a bit of research ;)



  • Thank you johnpoz and podilarius,

    that helped me a lot. First, it is good to know that this is no virus or something else, and I agree with you: why should something be enabled if I do not need it? I do not need IPv6 on my LAN.

    Thank you for your help! :-)

