Disable IPv6



  • How would I go about completely disabling IPv6 on my network (LAN), as well as rejecting all IPv6 packets that are coming to the WAN?



  • I might be missing something but if you g to SYSTEM / ADVANCED / NETWORKING and disable IPv6 you should be OK. On the Lan/Wan interface you can also choose NONE for the IPv6 Configuration Type.



  • Yes, SYSTEM / ADVANCED / NETWORKING - Allow IPv6 - uncheck that and the firewall will have a rule that blocks all IPv6 on all interfaces before anything else.
    That stops pfSense seeing "random" Ipv6 stuff that clients on your network might be doing. Clients can still talk to each other directly on LAN using IPv6 (or whatever network stack they like - DecNET…) - pfSense does not and cannot stop layer2 traffic on your LAN switch.
    pfSense still internally has IPv6 "loaded" and the OS/network, pf... software is all ready and waiting to see, process and route IPv6 packets, it just that IPv6 never gets past that first block.


  • Rebel Alliance Global Moderator

    If you want to disable it on your lan, you would have to do it at the clients as mentioned.  What OSes are you running and can go over the different methods.  For windows its a simple reg key, you can create from a elevated prompt

    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

    Reboot, ipv6 disabled.  And your teredo, isatap, 6to4 interfaces should now be  gone as well.  To put it back how it was - just delete the key

    reg delete hklm\system\currentcontrolset\services\tcpip6\parameters\ /v DisabledComponents /f

    reboot.  This doesn't remove the ipv6 loopback - but it does keep from sending out any ipv6 on its interface.



  • Hi,
    I guess the true initial question asked by Heli0s was:
    "How completelly disable ipv6 on a pfsense box".

    In another post I found this answer:
    "You cannot.  It is built into the kernel that we build."

    Very well. Then the next step is:
    How do I add a kernel boot parameter ? Like "ipv6.disable=1" ?



  • bump Is there any way to completely disable ipv6 in pfsense? It's useless to me as my ISP won't let me route it and it's just another protocol I need to firewall off (ssh for example).

    Is there an equivalent to the Linux 'ipv6.disable' as mentioned above?


  • Rebel Alliance Global Moderator

    If you do not set wan to get a ipv6 address, and you don't setup ipv6 on any of your lan interfaces..  Why would you think you need to firewall off ssh for ipv6?

    Wan default is block any any.  Default rule on any interface you add it block, other than lan that is out of the box any any both ipv4 and ipv6 (remove that rule).. But since pfsense has no ipv6 address how would your client go anywhere?  If your worried about tunnel ipv6 over ipv4 a client might do then just make sure to uncheck the enable ipv6 tunnel option.  You can uncheck the ipv6 option in the same place which is in advanced, networking.



  • Maybe I'm wrong (first day with pfsense) but these look like both i4 and i6 services listening on the 'global' interface .  I'd really prefer to just turn them off but the i6 tics in System > Advanced > Networking don't really seem to do that. Is there another place to do this. What I have tic'd is in the attached pic

    PS: How can I verify the WAN rules at the CLI?  I can't get ipfw list to work : "ipfw: Context is mandatory: No such file or directory" I followed the link here: https://forum.pfsense.org/index.php?topic=65049.0  and ipfw_context -l just returns:
    "ipfw_context: Command not found."  Do I need to enable ipfw like this? https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

    tcp4      0      0 127.0.0.1.953          .                    LISTEN
    tcp4      0      0 *.53                  .                    LISTEN
    tcp6      0      0 *.53                  .                    LISTEN
    tcp4      0      0 *.22                  .                    LISTEN
    tcp6      0      0 *.22                  .                    LISTEN
    tcp6      0      0 *.80                  .                    LISTEN
    tcp4      0      0 *.80                  .                    LISTEN
    tcp6      0      0 *.443                  .                    LISTEN
    tcp4      0      0 *.443                  .                    LISTEN
    udp6      0      0 fe80::1%lo0.123        .                   
    udp6      0      0 ::1.123                .                   
    udp4      0      0 127.0.0.1.123          .                   
    udp4      0      0 10.10.4.2.123      .                   
    udp6      0      0 fe80::230:48ff:f.123  .                   
    udp6      0      0 fe80::230:48ff:f.123  .                   
    udp4      0      0 *.123                  .                   
    udp6      0      0 *.123                  .                   
    udp4      0      0 *.53                  .                   
    udp6      0      0 *.53                  .                   
    udp4      0      0 *.514                  .                   
    udp6      0      0 *.514                  .                   
    udp6      0      0 .                    .                   
    udp4      0      0 .                    .                   
    ip 4      0      0 .                    .                   
    ip64      0      0 .                    .



  • Rebel Alliance Global Moderator

    I really think you need to look up how ipv6 works with every OS.. It is compiled in the kernel, many things these days will not even work if you compile without it.  Just because something is listed as listening doesn't mean the firewall allows it even if possible.

    You might even see stuff being listed with something like netstat only show listening UDP6 or TCP6 even though it answers to IPv4..  Depending on the OS and how an application binds.  If you do not create any rules for allow ipv6 then pfsense is not going to do anything with pfsense that is for sure!!

    Also lookup what your link local address can actually do.  Those fe80 addresses.

    To view the full rule set
    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    If you really have your heart set on removing even the link local you would have to recompile without ipv6 support - pretty much sure that would be a bad idea.. BTW just because your isp doesn't support it yet doesn't mean you can not use it.  Grab a free tunnel from Hurricane Electric, you can get a /48 even..



  • Nah, I don't want to recompile the kernel. Disabling ipv6 is a simple boot parameter on Linux, just wondering if there was  an equivalent. Thanks for the help!



  • @Dave:

    Nah, I don't want to recompile the kernel. Disabling ipv6 is a simple boot parameter on Linux, just wondering if there was  an equivalent. Thanks for the help!

    I took it the other way :

    Grab a free tunnel from Hurricane Electric, you can get a /48 even..

    My ISP - the biggest in Europe - is still 'experimenting' with IPv6 so it doesn't exists for them.

    Thanks to pfSense and he.net I'm using IPv6 for years now, in parallel with IPv4.
    I guess it's a good thing, IPv4 will fade away in the future.


  • Rebel Alliance Global Moderator

    The ability to disable it in freebsd with such parameters removed back a few versions. Only way AFAIK to completely disable it it recompile..  Or you could go back to old version of freebsd pretty sure past 9 is when they started removing all the disable functionality without a recompile.

    Here is the thing ipv6 is coming, nothing you can do about that.. Its still a ways off to be sure before we start killing off ipv4.. Its better to embrace it to be honest.. Change is hard ;)  I disable it best you can on most of my windows machines, and even linux… Its still there in the kernel, just not really active.  I agree from a security point of view - if your not using it, it shouldn't be running.

    But I do use it on a few machines.. And even host up ntp to the pool on it. But moving forward you are going to find it harder and harder to rip out the compatibility with it completely..  See attached window machine with the disabledcomp set to 255 as per my reg key above.  not suppose to be bound to the interface..  And you can see it doesn't list link local.. But look at netstat - still showing ipv6 for tcp and udp bound ports..  Ipv6 is still there underneath..

    What I normally do on my windows machines is set to 32 vs 255 this turns off all the transition bs teredo, isatap, 6to4 and then I just unbind it from my interface.  This allows for quick click and can play with ipv6 when I want too.

    Its not just freebsd removing the ability to completely disable ipv6, all the other oses going this way too.




  • I'm curious to know the reason why you want to disable ipv6. It's not something for the future, it's here now. A lot of services on windows, android and ios are designed to use ipv6. Many websites prefer ipv6 and if your network supports ipv6, you will find a large amount of traffic is carried over it. A couple of years ago I was using sophos UTM (before I switched to pfsense) and in the weekly traffic reports, often well over 50% of the traffic was carried over ipv6.



  • @Gertjan:

    @Dave:

    Nah, I don't want to recompile the kernel. Disabling ipv6 is a simple boot parameter on Linux, just wondering if there was  an equivalent. Thanks for the help!

    I took it the other way :

    Grab a free tunnel from Hurricane Electric, you can get a /48 even..

    My ISP - the biggest in Europe - is still 'experimenting' with IPv6 so it doesn't exists for them.

    Thanks to pfSense and he.net I'm using IPv6 for years now, in parallel with IPv4.
    I guess it's a good thing, IPv4 will fade away in the future.

    I used an HE tunnel for several years before I was finally able to switch over to native ipv6 from my isp. It worked very well even when I originally installed it and it only improved over time as they added more access locations. HE is a great company.



  • Be default FreeBSD and pfSense do not enable IPv6 other than on the localhost (the lo0 interface) and they leave other network interfaces on IFDISABLED state effectively turning IPv6 off.

    So yes, if you don't enable IPv6 on any of the interfaces no IPv6 traffic will pass anywhere, it will be simply blocked as unwanted traffic by the default deny rules.



  • @bimmerdriver:

    I used an HE tunnel for several years before I was finally able to switch over to native ipv6 from my isp. It worked very well even when I originally installed it and it only improved over time as they added more access locations. HE is a great company.

    The issue I have with IPv6 and HE is that many content providers are now blocking the HE tunnels and there are devices that you just cannot disable IPv6 without jail-breaking.  Netflix and YouTube are two that are blocking IPv6 from HE.


  • Rebel Alliance Global Moderator

    "Netflix and YouTube are two that are blocking IPv6 from HE."

    There are also blocking a shitton of vpn providers netblocks as well.  And blocking non regional IPs from accessing their regional content.  What that has to do with the price of tea in china I don't have a clue.  ie no idea where you trying to go with such a statement..

    They see HE as just another way of circumvention of geographical restrictions - which is why they block them.  If HE would promise to only allow geographic same ipv5 to create a tunnel to their different pops in those regions.. They would remove the band I am sure.  But currently there is nothing stopping someone from say the EU or Asiapac regions from creating their tunnels to the HE pops in the US, etc.