Netgate Discussion Forum

    IPV6 LAN Firewall Rules

    Firewalling
    4 Posts 2 Posters 1.8k Views
    redpine:

      New guy here.  Trying to understand how things should work.

      I've been seeing a lot of IPV6 blocks in my logs for the LAN.  I have allow IPV6 turned on and I have a firewall rule to allow IPV6 LAN Net to any.  I'm guessing that the LAN doesn't know where the IPV6 messages are coming from since there is no IPV6 DHCP server?  I changed my LAN rule for IPV6 to any to any, figuring my WAN should be blocking external IPV6.  This has stopped the IPV6 LAN errors in the logs.  Is this correct reasoning?

      Also, my LAN mostly consists of Windows machines and Apple devices, which appear to be making the IPV6 calls.  Should I turn on IPV6 DHCP for the LAN?

      Thanks

      johnpoz (LAYER 8 Global Moderator):

        Can you post some of these blocks most likely multicast or broadcast traffic..

        Here is a question for you: do you want to run ipv6 or not?  Do you have ipv6 connectivity? If you're not ready to run it.. I would just freaking disable it on the clients..  Windows sends out a bunch of noise anyway, why have them send out this noise on both ipv4 and ipv6 if you're not using ipv6 anyway?

        Apple is a bit more difficult to disable it on - but I don't really see much noise from iphones and ipads in my logs.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        redpine:

          I checked; they were either multicast or link-local messages.  I'm not ready to go to IPV6 yet.    Just trying to make sure I got pfSense set up right.  I'm definitely a newbie to this level of networking.  Trying to keep it simple for now and just work through how the firewall is configured and all the blocked messages.  Interesting: I've had over 500 IP4 messages blocked since this morning and to everyone things seem to be ok.

          Thanks for the advice I'll try turning off all the IPV6.

          johnpoz (LAYER 8 Global Moderator):

            blocked on your lan?  Yeah those are most likely out of state.. Do you have phones and mobile devices via wifi.. Those tend to create lots of out of state packets..

            Yeah, a source from link local is not going to match up to anything..  If you ever see things you have questions about - please post it up, sure someone has the answer.. Which then makes it easier for the next guy seeing examples with what it is, etc.

            If me - if you're not ready for ipv6 for prime time yet.. Just disable it on all the windows clients.. Simple reg add, you would be amazed at how much noise it removes..
            From an elevated prompt:
            rem 0xFF (255) disables IPv6 on every interface, including the Teredo/ISATAP/6to4 tunnel adapters; /f overwrites an existing value without prompting
            reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f
            reboot

            To put it back the way it was, remove the reg key and reboot:
            reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /f

            This will also remove all that junk from ipconfig /all on windows - do you really need 3 different transition methods to get to ipv6 over ipv4?? Teredo, isatap and 6to4..  Then when your ready you can set it up correctly - nice clean ipconfig all without a bunch of noise.  Can get to ipv6 just fine and if wanted on pfsense can allow any inbound ipv6 I want.  I do this for ntp, I run a ntp server in pool.ntp that is both ipv6 and ipv4..

            Windows works just fine with it disabled - there is NOTHING that requires ipv6 as of yet.. You're not using that crap homegroups, are you.. Got to love how it uses ipv6 but actually accesses the shares over ipv4.. Such nonsense..

            [attached image: ipv6whenready.png]


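The advice in the thread comes down to two checks on the blocked entries: are the IPv6 blocks link-local or multicast traffic that a "LAN net" pass rule can never match (an interface with no IPv6 subnet has an empty "LAN net", and fe80::/10 sources are never inside a routed prefix anyway), and are the IPv4 blocks TCP packets with no SYN, i.e. out-of-state packets hitting the default deny. The script below is an added example, not code from the thread or from Netgate. It assumes the pfSense filterlog CSV field layout described in its docstring (field positions are my reading of that format, treat them as an assumption) and runs over constructed sample lines, not real captures.

```python
"""Classify blocked pfSense filterlog entries (added example, not from the thread).

Assumed filterlog CSV layout (syslog prefix up to "filterlog[pid]: " stripped):
  index 4 interface, 6 action, 7 direction, 8 IP version
  IPv4: 16 protocol text, 18 source, 19 destination, then src-port, dst-port,
        data-length, TCP flags
  IPv6: 12 protocol text, 15 source, 16 destination, then the same tail
"""
import ipaddress
from collections import Counter
from typing import Optional

# Constructed sample lines: four IPv6 blocks (MLD report, NDP router
# solicitation, DHCPv6 solicit, mDNS), two IPv4 TCP blocks without SYN, one
# NetBIOS broadcast. None of these are real captures.
SAMPLE_LOG = """\
9,,,1000000003,igb1,match,block,in,6,0x00,0x00000,1,Options,0,36,fe80::1c6e:5c2b:4b2e:8a6f,ff02::16,
9,,,1000000003,igb1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1c6e:5c2b:4b2e:8a6f,ff02::1,
9,,,1000000003,igb1,match,block,in,6,0x00,0x00000,255,udp,17,196,fe80::1c6e:5c2b:4b2e:8a6f,ff02::1:2,546,547,196
9,,,1000000003,igb1,match,block,in,6,0x00,0x00000,255,udp,17,86,fe80::9a0:4f7e:3c42:2a1b,ff02::fb,5353,5353,86
9,,,1000000003,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.50,142.250.80.46,52111,443,0,FA,1234567890,,501,,
9,,,1000000003,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.61,17.57.146.20,49301,5223,0,A,2222222222,,2048,,
9,,,1000000003,igb1,match,block,in,4,0x0,,128,0,0,DF,17,udp,78,192.168.1.50,192.168.1.255,137,137,58
"""


def parse_entry(line: str) -> dict:
    """Split one filterlog line into the fields the classification needs."""
    f = line.rstrip("\n").split(",")
    ipver = int(f[8])
    entry = {"iface": f[4], "action": f[6], "direction": f[7], "ipver": ipver}
    if ipver == 6:
        entry.update(proto=f[12], src=f[15], dst=f[16])
        tail = f[17:]
    else:
        entry.update(proto=f[16], src=f[18], dst=f[19])
        tail = f[20:]
    # Protocol-specific tail for TCP: src-port, dst-port, data-length, flags.
    entry["tcp_flags"] = tail[3] if entry["proto"] == "tcp" and len(tail) > 3 else None
    return entry


def classify_address(addr: str, lan_net: Optional[str] = None) -> str:
    """Bucket an address: multicast, link-local, broadcast, lan, private, global."""
    a = ipaddress.ip_address(addr)
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:  # fe80::/10 or 169.254/16
        return "link-local"
    if lan_net is not None:
        net = ipaddress.ip_network(lan_net, strict=False)
        if net.version == a.version:
            if a.version == 4 and a == net.broadcast_address:
                return "broadcast"
            if a in net:
                return "lan"
    if a.is_private:
        return "private"
    if a.is_global:
        return "global"
    return "other"


def matches_lan_net(src: str, lan_net: Optional[str]) -> bool:
    """Would a '<interface> net' source condition match this source?
    Only if the interface has a subnet of that family and src lies inside it;
    with no IPv6 subnet on LAN (lan_net=None) nothing IPv6 ever matches."""
    if lan_net is None:
        return False
    net = ipaddress.ip_network(lan_net, strict=False)
    a = ipaddress.ip_address(src)
    return a.version == net.version and a in net


def classify_block(e: dict, lan_v4: Optional[str], lan_v6: Optional[str]) -> str:
    lan = lan_v6 if e["ipver"] == 6 else lan_v4
    src_kind = classify_address(e["src"], lan)
    dst_kind = classify_address(e["dst"], lan)
    if e["ipver"] == 6 and (src_kind == "link-local" or dst_kind == "multicast"):
        return "ipv6 link-local/multicast (NDP, MLD, mDNS, DHCPv6)"
    if e["proto"] == "tcp" and e["tcp_flags"] and "S" not in e["tcp_flags"]:
        return "tcp out of state (no SYN, pf holds no state for it)"
    if dst_kind in ("broadcast", "multicast"):
        return "ipv4 broadcast/multicast"
    return "other"


def summarize(log_text: str, lan_v4: Optional[str], lan_v6: Optional[str]) -> Counter:
    """Count blocked entries per category; pass entries are ignored."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e["action"] == "block":
            counts[classify_block(e, lan_v4, lan_v6)] += 1
    return counts


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG, "192.168.1.0/24", None).most_common():
        print(f"{n:4d}  {category}")
```

To run it on a real box, feed it the part of each `/var/log/filter.log` line after `filterlog[...]: ` and set `lan_v4`/`lan_v6` to the LAN interface's configured subnets (`None` for IPv6 when, as in this thread, the LAN has no IPv6 address). Note that `matches_lan_net` returns False for a fe80:: source even when a real LAN prefix such as 2001:db8:1::/64 is supplied, which is why a "LAN net" rule never clears that traffic.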
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.