Netgate Discussion Forum
    8000::/1 from bogonsv6 blocks ipv6

    2.1 Snapshot Feedback and Problems - RETIRED
    qubit

      Last month, when I got IPv6 working, there was a system bogon update, and I noticed that all IPv6 packets coming in from the WAN suddenly were being blocked and I eventually couldn't renew my IPv6 address. The firewall reported that the pf rule, drop from <bogonsv6> to any, was blocking everything from my Comcast IPv6 gateway, which is a link local address (fe80::/10).

      A quick search through the bogonsv6 list (fullbogons-ipv6.txt) didn't show any link local addresses, but it turns out the last entry, 8000::/1, is the culprit. This network's range is 8000:0000:0000:0000:0000:0000:0000:0000 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, which blocks any link local addresses. Removing this line from /etc/bogonsv6 and reloading pf allows IPv6 again. Excluding this network in rc.update_bogons.sh should fix this.

      qubit

        This seems to work for me:

        diff --git a/etc/rc.update_bogons.sh b/etc/rc.update_bogons.sh
        index ae85b0b..77daa00 100755
        --- a/etc/rc.update_bogons.sh
        +++ b/etc/rc.update_bogons.sh
        @@ -119,7 +119,7 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS
         		if [ $BOGONS_V6_TABLE_COUNT -gt 0 ]; then
         			ENTRIES_V6=`pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}'`
         			if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V6:-0}+LINES_V6)) ]; then
        -				egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
        +				egrep -iv "^fc00::/7|^8000::/1" /tmp/bogonsv6 > /etc/bogonsv6
         				RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1`
         				echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
         			else
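        Review bot: the new exclusion at `egrep -iv "^fc00::/7|^8000::/1"` drops the entire upper half of the IPv6 address space from the bogonsv6 table, not only the fe80::/10 link-local range that the DHCPv6 gateway traffic comes from, so every reserved prefix that 8000::/1 was standing in for is no longer blocked on WAN. If the exclusion is kept at all, it should be a deliberate choice documented in a comment next to the pattern. The pattern is also unanchored on the right: `^8000::/1` would match a longer prefix such as `8000::/12` as well; `^8000::/1$` (and likewise `^fc00::/7$`) matches the intended line exactly.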
        @@ -127,7 +127,7 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS
         			fi
         		else
         			if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT+LINES_V6)) ]; then
        -				egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
        +				egrep -iv "^fc00::/7|^8000::/1" /tmp/bogonsv6 > /etc/bogonsv6
         				echo "Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off" | logger
         			else
         				echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
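        Review bot: the same egrep pattern is now copied verbatim into both branches (this one and the ENTRIES_MAX branch above), which is how the two will silently diverge the next time one of them is touched. Define it once near the top of the script, e.g. `BOGON_V6_EXCLUDE="^fc00::/7|^8000::/1"`, and use `egrep -iv "$BOGON_V6_EXCLUDE" /tmp/bogonsv6 > /etc/bogonsv6` in both places.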
        
        
        qubit

          Actually that is a bad idea because that entire range contains reserved space and splitting it up to take out fe80::/10 would be sloppy.

          From rules.debug:

          block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
          block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
          ...
          pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in WAN"
          pass in quick on $WAN proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in WAN"
          pass out quick on $WAN proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out WAN"

          In filter.inc the drop bogon rules are generated above the rule to allow DHCPv6 in. Since fe80::/10 is in 8000::/1, the bogon rule is matched first, so DHCPv6 traffic from fe80::/10 can never pass and IPv6 can't renew or bind if a user has updated the bogon rules.

          doktornotor
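Both failure conditions qubit describes, the 8000::/1 entry containing fe80::/10 and the bogon block rule being evaluated before the DHCPv6 pass rules, can be checked mechanically. The Python below is an added example, not code from this thread or from pfSense: it uses a constructed excerpt in the style of fullbogons-ipv6.txt, a constructed gateway address fe80::1, and a simplified model of the quoted rules.debug lines in which every rule is `quick` (first match wins, as in pf). It contrasts the diff's approach (dropping 8000::/1 from the table, which also stops covering the reserved space under it) with the ordering qubit's later post points at (DHCPv6 pass rules ahead of the bogon block).

```python
import ipaddress

# Constructed excerpt in the style of fullbogons-ipv6.txt; not the real list.
BOGONS_V6_LIST = [
    "::/8",
    "100::/64",
    "2001:db8::/32",
    "fc00::/7",
    "8000::/1",
]

# WAN rules in the order the thread quotes from rules.debug, reduced to
# (action, source, source port, destination port, label). All are 'quick'.
WAN_RULES = [
    ("block", "<bogonsv6>", None, None, "block bogon IPv6 networks from WAN"),
    ("pass", "fe80::/10", 546, 546, "allow dhcpv6 client in WAN"),
    ("pass", "any", 547, 546, "allow dhcpv6 client in WAN"),
]


def build_table(entries, exclude=()):
    """Mimic rc.update_bogons.sh: keep every prefix not listed in 'exclude'."""
    return [ipaddress.ip_network(e) for e in entries if e not in exclude]


def covering_prefixes(addr, table):
    """Return the table prefixes that contain addr (explains a bogon drop)."""
    a = ipaddress.ip_address(addr)
    return [str(n) for n in table if a in n]


def _src_matches(a, spec, table):
    if spec == "any":
        return True
    if spec == "<bogonsv6>":
        return any(a in n for n in table)
    return a in ipaddress.ip_network(spec)


def evaluate(src, sport, dport, rules, table):
    """Simulate pf 'quick' semantics: the first matching rule decides.

    pfSense closes the ruleset with a default deny, modelled by the fallthrough.
    """
    a = ipaddress.ip_address(src)
    for action, spec, r_sport, r_dport, label in rules:
        if not _src_matches(a, spec, table):
            continue
        if r_sport is not None and r_sport != sport:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action, label
    return "block", "default deny"


def dhcpv6_pass_before_bogons(rules):
    """Reorder so the DHCPv6 pass rules precede the bogon block rule."""
    dhcp = [r for r in rules if "dhcpv6" in r[4]]
    rest = [r for r in rules if "dhcpv6" not in r[4]]
    return dhcp + rest


if __name__ == "__main__":
    table = build_table(BOGONS_V6_LIST)
    gw = "fe80::1"  # constructed link-local address of the ISP gateway
    # Why the DHCPv6 reply (server port 547 -> client port 546) is dropped:
    print(covering_prefixes(gw, table))
    print(evaluate(gw, 547, 546, WAN_RULES, table))
    # The diff's fix: drop 8000::/1 from the table entirely.
    trimmed = build_table(BOGONS_V6_LIST, exclude={"8000::/1"})
    print(evaluate(gw, 547, 546, WAN_RULES, trimmed))
    print(covering_prefixes("e000::1", trimmed))  # reserved space now uncovered
    # The ordering fix: keep the table, evaluate DHCPv6 pass rules first.
    print(evaluate(gw, 547, 546, dhcpv6_pass_before_bogons(WAN_RULES), table))
```

The last two prints are the comparison that matters: with the table trimmed, a constructed reserved address such as e000::1 is no longer covered by any prefix, while with the rules reordered the full table stays in force and only the DHCPv6 exchange from the link-local gateway gets through.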

            This whole bogonsv6 idea seems to do more harm than good, starting from insane memory usage and ending with blocking legitimate traffic. How about dumping it altogether, huh?
