Issues with the Ping tool



    On the "diag_ping.php" page, it lets you type an IP address to ping, including IPv6 addresses.  However, the textbox is too short for me to see the whole IPv6 address I am typing.  It would be nice if the textbox were wider.

    When I try to ping an IPv6 address from that page, the "Ping Output" textbox stays completely empty.  When I ping an IPv4 address, it works as expected.  I noticed that my LAN interface had no IPv6 address so I added one, but the output textbox still remained blank.  I think the traceroute tool had the same behavior.

    Likely related error in System Log:
    rtsold[99634]: <sendpacket>sendmsg on hn1: Operation not permitted</sendpacket>


  • LAYER 8 Global Moderator

    So while I see your point about the length of the host window, if you put in the fqdn works fine ;)

    what IPv6 do you have - you need to pick source interface that has IPv6 on it, etc.  You say you put an IPv6 on your lan - you can't just pull one out of thin air to expect it to work, etc.

    While I think the host text window could be longer – not having any issue with the output for ipv6 pings - see attached.




  • Our network doesn't use IPv6 but I am seeing an IPv6 address in my firewall log on the LAN interface.  So I'd like to find that device by pinging it while I unplug cables from our switch until I find it.

    The address in the log is fe80::2c73:4a96:cdea:5303
    I added a static IPv6 address to the LAN interface of fe80::2c73:4a96:cdea:5304.

    On the Ping page, I tried selecting Default, LAN, and LAN IPv6 Link-Local, but they all give no output.  Localhost gives output and says it has no replies, but I'm not sure which interface it's going out on.

    Am I doing something wrong?  Screenshots attached.

    Thanks for your help.



    ![firewall log.JPG](/public/imported_attachments/1/firewall log.JPG)
    ![firewall log.JPG_thumb](/public/imported_attachments/1/firewall log.JPG_thumb)


  • Banned

    @piz0t:

    Our network doesn't use IPv6

    Said who? Every decent OS today has IPv6 enabled and prefers it to IPv4. All that the "Disable IPv6" checkbox on pfSense does is blocking IPv6 traffic.

    @piz0t:

    So I'd like to find that device by pinging it while I unplug cables from our switch until I find it.

    Diagnostics - NDP table would a whole lot better tool to find out a device on LAN. Beyond that, you should stop pretending IPv6 does not exist.



  • I pushed a GPO to every computer to disable IPv6 using the registry entry described here:
    http://support.microsoft.com/kb/929852

    I want to leave IPv6 disabled until our ISP supports it, and then I'll set it up correctly.


  • LAYER 8 Global Moderator

    In line with dok here - out of the box pretty much every os will try and do something with ipv6.. It may not be good stuff, like windows for example out of the box has 3 different methods of getting ipv6 to work over ipv4 (teredo, isatap, 6to4). To me this is just nonsense, and causes issues if you ask me when people don't follow through or understand ipv6.  while sure linux has ipv6 out of the box it doesn't try and tunnel ipv6 over ipv4 out of the box that I have ever seen.

    So windows can cause lots of noise and traffic that can be confusing to someone that is not up to speed with ipv6, etc.

    To be honest I personally suggest if your not ready for ipv6 yet, disable it - atleast on your windows machine.  It has no real requirement as of yet - while homegroups uses it for some stuff.. Who and the F is using that that would be actually looking at logs or attempting to actually setup their network ;)  It doesn't actually use it for file transfers..  So might as well just turn that nonsense off as well.

    To disable ipv6 on windows is quite simple, from elevated prompt
    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
    reboot

    To put it back the way it came
    reg delete hklm\system\currentcontrolset\services\tcpip6\parameters\ /v DisabledComponents /f
    reboot

    So your trying to track down the source of noise - to disable the ipv6 on?  What your seeing in firewall log is broadcast for dhcpv6, as to what your pfsense has for its link local address those that start with fe80.. just look on interface page, or ifconfig.  As dok stated I think just disable ipv6 blocks on firewall, I don't think it turns off ipv6 support or link local addresses in the os (freebsd)

    How are you going to track it down if you can ping it?  Going to start unplugging stuff until it doesn't ping?  The suggestion for ndp table is much better idea..  On pfsense what do you see for ndp -a for that address your looking for?



  • LAYER 8 Global Moderator

    @piz0t:

    I pushed a GPO to every computer to disable IPv6 using the registry entry described here:
    http://support.microsoft.com/kb/929852

    I want to leave IPv6 disabled until our ISP supports it, and then I'll set it up correctly.

    So are you still seeing the hits in your pfsense log - if so then something didn't take the GPO I would guess.

    Even when your isp supports it, doesn't mean you have to jump on it right away.  I don't see it becoming a real requirement for quite some time, to be honest many of the isps that have it deployed like comcast I have find it not quite ready for prime time.  I like to play with it, the HE tunnel has been nothing but rock solid stable.



  • @johnpoz:

    To be honest I personally suggest if your not ready for ipv6 yet, disable it - atleast on your windows machine.

    I agree, so that's why I want to disable IPv6 completely until I'm ready to set it up right.

    @johnpoz:

    To disable ipv6 on windows is quite simple, from elevated prompt
    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
    reboot

    Yeah, that's the registry value in my GPO.  I'm sure it's working fine for all the Windows computers.  It works so well, that's why I'm using the firewall to identify the host because I can't ping from my workstation with IPv6 :)

    @johnpoz:

    How are you going to track it down if you can ping it?  Going to start unplugging stuff until it doesn't ping?

    Actually, that's exactly what I was planning to do :)

    @johnpoz:

    The suggestion for ndp table is much better idea..  On pfsense what do you see for ndp -a for that address your looking for?

    Thanks, I'll look into the NDP stuff.

    @johnpoz:

    So are you still seeing the hits in your pfsense log - if so then something didn't take the GPO I would guess.

    Yes, but I think the GPO is effective and this unknown host must not be on the Windows domain.  It's probably an iPhone, MacBook, or something unauthorized.

    @johnpoz:

    Even when your isp supports it, doesn't mean you have to jump on it right away.

    It's good to hear this from someone else.  I assumed people on this forum would laugh at me for disabling IPv6.



  • The NDP Table only has entries for the interfaces on the pfSense box.  The unknown IPv6 addresses aren't on that list.


  • LAYER 8 Global Moderator

    When you say phone - so you have your wlan and lan on same segment?  Why would you being seeing wireless phones on your lan?  So only known devices are suppose to be on your wifi?  if you have any sort of open or guest connection you can not control that they will ask for ipv6 from dhcpv6

    Security 101 states if your not using a protocol, don't run the protocol - if your not actually using iPv6 why would you have it enabled ;)



  • @johnpoz:

    When you say phone - so you have your wlan and lan on same segment?  Why would you being seeing wireless phones on your lan?  So only known devices are suppose to be on your wifi?  if you have any sort of open or guest connection you can not control that they will ask for ipv6 from dhcpv6

    Security 101 states if your not using a protocol, don't run the protocol - if your not actually using iPv6 why would you have it enabled ;)

    Yes, we have company-issued iPhones on the same subnet as our workstations and servers.  Yes, only known devices should be connecting to our wifi.  The wifi is secured with RADIUS and WPA2.

    I appreciate your help.  I think I can figure it out from here.  I mostly wanted to open this thread to suggest that the Ping tool be improved to give helpful error messages instead of no text at all, and to widen the textbox.


  • LAYER 8 Global Moderator

    Agreed they could do some tweaking on the tool, but that is going to be very low priority for sure ;)

    To be honest I don't think you can even turn off ipv6 on iphone for example - best thing would be prob just not log the requests so your log doesn't get filled up with noise ;)



  • http://en.wikipedia.org/wiki/Link-local_address

    fe80:::: shouldn't even be forwarded anywhere


  • LAYER 8 Global Moderator

    Who said it was being forwarded anywhere?


Log in to reply