IPv6 incoming on WAN won't log (6to4)

  • all snaps last week or so. Not sure before as I didn't test.

    I have a 6to4 tunnel (provided by my ISP) on my WAN. I have rules to allow ICMP and set them to log. If I log into a remote box and have it ping my WAN using IPv6, the remote box reports the pings as successful. But the traffic never shows up in my firewall logs. Did the same and pinged my server behind this box, and those do not show up either.

    Traffic is also visible in the states.


  • Check which rule it's matching, 'pfctl -vvss' output with rule number matched to 'pfctl -vvsr'. The one you expect?

  • I can confirm this with my he.net tunnel. Packets from my ICMPv6 pass rule are not logged if I ping my local tunnel endpoint from external.
    Another thing I noticed, even if there are no rules at all and you enable "Log packets matched from the default block rules in the ruleset" the ping gets dropped and does not show up in the logs.

  • Rule looks OK and also gets hit if I ping:

    pass in log quick on gif0 reply-to (gif0 2001:*::1) inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "USER_RULE: Log ICMPv6"
      [ Evaluations: 153       Packets: 142       Bytes: 7952        States: 1     ]
      [ Inserted: pid 68896 State Creations: 3     ]

    But nothing shows up in tcpdump -nvvvettti pflog0

    Seems to be related to ICMP only.
    When I try to telnet my v6 IP, that gets blocked and logged correctly.

    Edit: does not seem to be limited to 6to4 though. Just tested with another machine, the ICMPv6 log rule on a normal dual stack host does not work either.
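    The check suggested in the reply above (take the rule number from `pfctl -vvss`, look it up in `pfctl -vvsr`, and confirm the rule that created the state actually carries `log`), as an added Python example that is not part of this thread. The pfctl output it parses is constructed in the shape of the real output and assumes the `@N` rule-number prefix that `pfctl -vvsr` prints (the paste above omits it); addresses are `2001:db8::` placeholders.

```python
import re

# Constructed sample in the shape of `pfctl -vvsr` output (not copied from the thread).
PFCTL_RULES = """\
@1 pass in log quick on gif0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "USER_RULE: Log ICMPv6"
  [ Evaluations: 153       Packets: 142       Bytes: 7952        States: 1     ]
  [ Inserted: uid 0 pid 68896 State Creations: 3     ]
@2 pass in quick on gif0 inet6 proto tcp from any to any port = 22 keep state label "USER_RULE: ssh no log"
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 68896 State Creations: 0     ]
"""

# Constructed sample in the shape of `pfctl -vvss` output: one ICMPv6 state created by rule 1.
PFCTL_STATES = """\
gif0 ipv6-icmp 2001:db8::1[128] <- 2001:db8:ffff::9
   age 00:00:04, expires in 00:00:06, 3:3 pkts, 168:168 bytes, rule 1
   id: 5b1a7f1200000001 creatorid: 1a2b3c4d
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTERS_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
STATE_RULE_RE = re.compile(r"\brule (\d+)\s*$")

def parse_rules(text):
    """Map rule number -> {text, label, log, packets, states} from `pfctl -vvsr` output."""
    rules, cur = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            cur, body = int(m.group(1)), m.group(2)
            label = re.search(r'label "([^"]*)"', body)
            # Look for the `log` keyword outside the label, so "Log ICMPv6" in a label does not count.
            keywords = re.sub(r'label "[^"]*"', "", body).split()
            rules[cur] = {"text": body, "label": label.group(1) if label else "",
                          "log": "log" in keywords, "packets": 0, "states": 0}
            continue
        c = COUNTERS_RE.search(line)
        if c and cur is not None:
            rules[cur]["packets"], rules[cur]["states"] = int(c.group(2)), int(c.group(4))
    return rules

def state_rule_numbers(text):
    """Rule numbers that created each state listed by `pfctl -vvss`."""
    return [int(m.group(1)) for m in map(STATE_RULE_RE.search, text.splitlines()) if m]

def check_logging(rules_text, states_text):
    """For each state, report whether the rule that created it carries `log` (so packets should hit pflog0)."""
    rules = parse_rules(rules_text)
    return [{"rule": n, "label": rules[n]["label"], "log": rules[n]["log"], "packets": rules[n]["packets"]}
            for n in state_rule_numbers(states_text) if n in rules]
```

    If the matched rule reports `log` as true and its packet counter is climbing while `tcpdump -nvvvettti pflog0` stays quiet, the filter is logging and the gap is downstream of pflog, which is what the rest of the thread concludes.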

  • It logs, just doesn't end up showing in the GUI.

  • Thanks cmb and NYOB, it works now.

  • You're welcome. I'm surprised this had never been reported before now. It's the same code as in 2.2.x. Been the same for quite some time.
