Router Solicitation on WAN



  • Greetings,

    I am being told by an ISP that has multiple gateways for redundancy that my pfSense devices should be able to get the gateway IP from Router Advertisements after sending a Router Solicitation. I realize that this will work if I use SLAAC, but they are telling me it should work even if I set a static IP on my WAN interface. I have read through RFC 4861 and don't come away with a clear understanding that this should work router to router. I need to be able to set static IPs so I can setup high availability.

    I have allowed all ICMP from the subnet on the WAN for both IPv4 and IPv6 and the rules are below with IPs and subnets removed.

    pass in quick on ix0 reply-to (ix0 <<removed gateway="" ip="">) inet proto icmp from <removed subnet="" prefix="">/29 to <removed subnet="" prefix="">/29 keep state label "USER_RULE: Allow any ICMP from Gateways"

    pass in quick on ix0 inet6 proto ipv6-icmp from <removed subnet="" prefix="">/124 to <removed subnet="" prefix="">/124 keep state label "USER_RULE: Allow any ICMP from Gateways"

    I understand that this requires multicast. However, I do not see any rules to allow multicast. Do I need to add rules?

    Looking at a tcpdump of the wan interface I am not seeing any multicast packets nor do I see router advertisement/solicitation packets being blocked when I run a tcpdump of pflog0.

    Is my ISP correct?

    If so, is my setup just not working like it should or is this simply not implemented in pfSense yet?

    pfctl -sr

    scrub on ix0 all fragment reassemble
    scrub on bce3 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/
    " all
    anchor "ipsec/" all
    block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    block drop log quick inet proto tcp from any port = 0 to any
    block drop log quick inet proto udp from any port = 0 to any
    block drop log quick inet proto tcp from any to any port = 0
    block drop log quick inet proto udp from any to any port = 0
    block drop log quick inet6 proto tcp from any port = 0 to any
    block drop log quick inet6 proto udp from any port = 0 to any
    block drop log quick inet6 proto tcp from any to any port = 0
    block drop log quick inet6 proto udp from any to any port = 0
    block drop log quick from <snort2c>to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c>label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout>to (self) port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout>to (self) port = https label "webConfiguratorlockout"
    block drop in log quick from <virusprot>to any label "virusprot overload table"
    block drop in log quick on ix0 from <bogons>to any label "block bogon IPv4 networks from WAN"
    block drop in log quick on ix0 from <bogonsv6>to any label "block bogon IPv6 networks from WAN"
    block drop in log on ! ix0 inet6 from <removed interface="" subnet="" prefix="">/124 to any
    block drop in log on ix0 inet6 from fe80::92e2:baff:fe82:9178 to any
    block drop in log inet6 from <removed interface="" ip="">to any
    block drop in log on ! ix0 inet from <removed interface="" subnet="" prefix="">/29 to any
    block drop in log inet from <removed interface="" ip="">to any
    block drop in log quick on ix0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block drop in log quick on ix0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block drop in log quick on ix0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block drop in log quick on ix0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block drop in log quick on ix0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    block drop in log on ! bce3 inet from 192.168.1.0/24 to any
    block drop in log inet from 192.168.1.1 to any
    block drop in log on bce3 inet6 from fe80::1:1 to any
    pass in quick on bce3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on bce3 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on bce3 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass quick on bce3 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on bce3 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on bce3 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass quick on bce3 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (ix0 <removed gateway="" ip="">) inet from <removed interface="" ip="">to ! <removed interface="" subnet="" prefix="">/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on bce3 proto tcp from any to (bce3) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on bce3 proto tcp from any to (bce3) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on bce3 proto tcp from any to (bce3) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/
    " all
    pass in quick on ix0 reply-to (ix0 <removed gateway="" ip="">) inet from <removed source="" ip="">to any flags S/SA keep state label "USER_RULE: Allow access from Office network"
    pass in quick on ix0 reply-to (ix0 <removed gateway="" ip="">) inet proto icmp from <removed interface="" subnet="" prefix="">/29 to <removed interface="" subnet="" prefix="">/29 keep state label "USER_RULE: Allow any ICMP from Gateways"
    pass in quick on ix0 inet6 proto ipv6-icmp from <removed interface="" subnet="" prefix="">/124 to <removed interface="" subnet="" prefix="">/124 keep state label "USER_RULE: Allow any ICMP from Gateways"
    pass in quick on ix0 reply-to (ix0 <removed gateway="" ip="">) inet proto icmp all icmp-type echoreq keep state label "USER_RULE: Allow any ICMP Echo Requests from any"
    pass in quick on ix0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "USER_RULE: Allow any ICMP Echo Requests from any"
    pass in quick on bce3 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    anchor "tftp-proxy/*" all</removed></removed></removed></removed></removed></removed></removed></removed></removed></removed></removed></removed></removed></removed></removed></bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></removed></removed></removed></removed></removed>



  • @Rhongomiant:

    I am being told by an ISP that has multiple gateways for redundancy that my pfSense devices should be able to get the gateway IP from Router Advertisements after sending a Router Solicitation. I realize that this will work if I use SLAAC

    No, you use RA in combination with SLAAC, DHCPv6-server or Static IPv6 assignment. And your pfSense devices are on the LAN.
    Configure your LAN IPv6 as static first with another unique subnet value than WAN,  mask /64, not some other value there.


Log in to reply