IPV6 LAN Firewall Rules



  • New guy here.  Trying to understand how things should work.

    I've been seeing a lot of IPV6 blocks in my logs for the LAN.  I have allow IPV6 turned on and I have a firewall rule to allow IPV6 LAN Net to any.  I'm guessing that the LAN doesn't know where the IPV6 messages are coming from since there is no IPV6 DHCP server?  I changed my LAN rule for IPV6 to any to any, figuring my WAN should be blocking external IPV6.  This has stopped the IPV6 LAN errors in the logs.  Is this correct reasoning?

    Also, my LAN mostly consists of Windows machines and Apple devices, which appear to be making the IPV6 calls.  Should I turn on IPV6 DHCP for the LAN?

    Thanks


  • Rebel Alliance Global Moderator

    Can you post some of these blocks?  Most likely multicast or broadcast traffic.

    Here is a question for you: do you want to run ipv6 or not?  Do you have ipv6 connectivity?  If you're not ready to run it, I would just freaking disable it on the clients.  Windows sends out a bunch of noise anyway, why have them send out this noise on both ipv4 and ipv6 if you're not using ipv6 anyway?

    Apple is a bit more difficult to disable it on - but I don't really see much noise from iphones and ipads in my logs.



    I checked, they were either multicast or link-local messages.  I'm not ready to go to IPV6 yet.  Just trying to make sure I got pfSense set up right.  I'm definitely a newbie to this level of networking.  Trying to keep it simple for now and just work through how the firewall is configured and all the blocked messages.  Interesting, I've had over 500 IP4 messages blocked since this morning and to everyone things seem to be OK.

    Thanks for the advice I'll try turning off all the IPV6.


  • Rebel Alliance Global Moderator

    Blocked on your lan?  Yeah, those are most likely out of state.  Do you have phones and mobile devices via wifi?  Those tend to create lots of out of state packets.

    Yeah, a source from link-local is not going to match up to anything.  If you ever see things you have questions about - please post them up, I'm sure someone has the answer.  Which then makes it easier for the next guy, seeing examples with what it is, etc.

    If me - if you're not ready for ipv6 for prime time yet, just disable it on all the windows clients.  Simple reg add; you would be amazed at how much noise it removes.
    From an elevated prompt (the /f overwrites the value without prompting if it already exists):
    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255 /f
    reboot

    To put it back how it was, remove the reg value and reboot:
    reg delete hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /f

    This will also remove all that junk from ipconfig /all on windows - do you really need 3 different transition methods to get to ipv6 over ipv4?  Teredo, isatap and 6to4.  Then when you're ready you can set it up correctly - nice clean ipconfig /all without a bunch of noise.  I can get to ipv6 just fine and if wanted on pfsense I can allow any inbound ipv6 I want.  I do this for ntp, I run an ntp server in pool.ntp that is both ipv6 and ipv4.

    Windows works just fine with it disabled - there is NOTHING that requires ipv6 as of yet.  You're not using that crap homegroups, are you?  Got to love how it uses ipv6 but actually accesses the shares over ipv4.  Such nonsense.
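An added example, not from any post in this thread: the same DisabledComponents switch the reg add line above flips, done from PowerShell with a decoder so you can see exactly which pieces a given value turns off (LAN IPv6, 6to4, ISATAP, Teredo), plus the set, the rollback and a post-reboot check. The registry path is the one the post uses; the bit meanings are the ones Microsoft documents for Tcpip6\Parameters\DisabledComponents as I recall them, so treat that table as an assumption and confirm it against the current Microsoft article before relying on it. 255 (0xFF) is the value the post writes; the decoder shows why it is the "everything off" setting.

```powershell
#Requires -RunAsAdministrator
# Added example (not the thread's own commands): inspect, set and roll back the
# Tcpip6 DisabledComponents value that "reg add ... /d 255" writes.
# Bit meanings below are an assumption quoted from memory of Microsoft's
# documentation; verify against the current KB before trusting them.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

$Bits = [ordered]@{
    0x01 = 'Disable all IPv6 tunnel interfaces (6to4, ISATAP, Teredo, IP-HTTPS)'
    0x02 = 'Disable 6to4'
    0x04 = 'Disable ISATAP'
    0x08 = 'Disable Teredo'
    0x10 = 'Disable IPv6 on all non-tunnel interfaces (LAN, PPP)'
    0x20 = 'Prefer IPv4 over IPv6 in the prefix policy table'
}

function Get-Ipv6DisabledComponents {
    # A missing value is the Windows default: nothing disabled (0).
    $item = Get-ItemProperty -Path $RegPath -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # REG_DWORD comes back as a signed int32; mask so 0xFFFFFFFF does not throw.
    return [uint32]([int64]$item.DisabledComponents -band 0xFFFFFFFF)
}

function Show-Ipv6DisabledComponents {
    # Decode a bitmask into the individual things it switches off.
    param([uint32]$Value = (Get-Ipv6DisabledComponents))
    'DisabledComponents = 0x{0:X8} ({0})' -f $Value
    foreach ($bit in $Bits.Keys) {
        $mark = if (($Value -band $bit) -ne 0) { 'x' } else { ' ' }
        '  [{0}] 0x{1:X2}  {2}' -f $mark, $bit, $Bits[$bit]
    }
}

function Set-Ipv6DisabledComponents {
    # Equivalent of: reg add <path> /v DisabledComponents /t REG_DWORD /d 255 /f
    param([uint32]$Value = 0xFF)
    New-ItemProperty -Path $RegPath -Name DisabledComponents -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Warning 'DisabledComponents written; reboot for it to take effect.'
    Show-Ipv6DisabledComponents -Value $Value
}

function Reset-Ipv6DisabledComponents {
    # Equivalent of: reg delete <path> /v DisabledComponents /f
    Remove-ItemProperty -Path $RegPath -Name DisabledComponents -ErrorAction SilentlyContinue
    Write-Warning 'DisabledComponents removed; reboot to restore the IPv6 defaults.'
}

function Get-Ipv6Interfaces {
    # After the reboot this should list only loopback (or nothing) when 0xFF is in effect;
    # before it, you will see the LAN adapter plus the Teredo/ISATAP/6to4 tunnel interfaces.
    Get-NetIPInterface -AddressFamily IPv6 | Select-Object InterfaceAlias, ConnectionState
}

# Usage: look first, then pick one of the two state changes and reboot.
Show-Ipv6DisabledComponents
Get-Ipv6Interfaces
# Set-Ipv6DisabledComponents      # disable everything, as the post does with /d 255
# Reset-Ipv6DisabledComponents    # put it back the way it was
```

Run Show-Ipv6DisabledComponents and Get-Ipv6Interfaces once before the change and once after the reboot; the second run is the check that the noise really went away, rather than taking the quiet firewall log as the only evidence.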