Netgate Discussion Forum
Default allow LAN IPv6 to any rule question

General pfSense Questions
5 Posts, 2 Posters, 2.9k Views
  • Tantamount (Mar 24, 2016, 9:25 PM)

    After the anti-lockout rule, I have two "Default allow" rules, one for IPv4 and one for IPv6, on the LAN interface.

    According to /tmp/rules.debug, the default allow for IPv6 only has one entry, for the /48 I have assigned to the LAN interface.

    However, the LAN interface on the pfSense router also has another inet6 address, the one that's auto-assigned based on the MAC address. These addresses start with fe80:: and have a /64 prefix. I believe these are called link-local addresses.

    The Neighbor Discovery Protocol uses these link-local addresses, and I'm seeing that the pfSense firewall is blocking this traffic.

    Shouldn't there also be an entry for this subnet as part of "Lan net"?

    • cmb (Mar 24, 2016, 10:02 PM)

      LAN net does not include link local by design. That's not a network that gets passed off-subnet. NDP is allowed via ICMPv6 types 135 and 136 separately.

      It's unlikely that what you're seeing is blocked NDP traffic. What exactly are you seeing?

      • Tantamount (Mar 25, 2016, 5:23 AM)

        Interface: LAN
        Source: [fe80::xxxxxxxxxxxx]:57164
        Dest: [ff02::c]:3702  UDP

        Blocked

        Port 3702 relates to discovery, no? WS-Discovery?

        Then there are these:
        Interface: LAN
        Source: [fe80::xxxxxxxxxxx]:62338
        Dest: [ff02::1:3]:5355  UDP

        Blocked

        Port 5355 is link-local multicast name resolution.

        What is the danger in allowing link-local traffic, especially when "lan net" is already allowed?

        Is there a way to specify "all traffic on interface" instead when creating firewall rules?

        • cmb (Mar 27, 2016, 3:04 AM)

          None of that is NDP traffic. WS-Discovery is Windows trying to find printers. Port 5355 is LLMNR. The firewall has nothing to do with either of those; it'd just ignore it if you were passing it.

          @Tantamount:

          What is the danger in allowing link-local traffic, especially when "lan net" is already allowed?

          No real danger, but no point in doing so either. You're not going to help anything by passing the traffic, so why do it?

          @Tantamount:

          Is there a way to specify "all traffic on interface" instead when creating firewall rules?

          That's what source "any" is for.

          • Tantamount (Apr 2, 2016, 2:35 AM)

            @cmb:

            No real danger, but no point in doing so either. You're not going to help anything by passing the traffic, so why do it?

            But that's exactly what "LAN net" is already doing. It allows all kinds of traffic in that pfSense doesn't need to see. Broadcast traffic is hitting the system right now.

            Is it unreasonable to see "LAN net" as synonymous with "local traffic"? LAN = Local Area Network. Why is link-local traffic not "local" enough?

            (lol, I just realized that every time we say "Lan Net", we're like those people who say "ATM Machine")

            If that argument isn't compelling enough, one reason to add link-local addresses to "LAN net" would be to stop the unnecessary flooding of the firewall logs. Everyone who uses IPv6 has to create additional rules to filter out this harmless broadcast traffic. Until we do, the Firewall Logs widget under Status -> Dashboard is worthless.

            @cmb:

            @Tantamount:

            Is there a way to specify "all traffic on interface" instead when creating firewall rules?

            @cmb:

            That's what source "any" is for.

            I think what I'm looking for is "all traffic on an interface that the interface is configured to listen for." I think "any" goes beyond this.

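As an added illustration of cmb's point that "LAN net" expands to the interface's routable prefix only (never fe80::/10) while NDP is passed by ICMPv6 type, and of the log-flooding complaint in the last post, here is a constructed pf ruleset fragment. It is not the forum's or pfSense's own generated /tmp/rules.debug; the interface name em1 and the documentation prefix 2001:db8:1::/48 are assumptions.

```pf
# Constructed example, not pfSense's generated rules.debug.
# Assumptions: LAN is em1 and carries 2001:db8:1::/48 (documentation prefix).
lan_if   = "em1"
lan_net6 = "2001:db8:1::/48"

# What "LAN net" covers: the routable prefix on the interface. fe80::/10 is
# deliberately absent, since link-local addresses are never forwarded off-link.
pass in quick on $lan_if inet6 from $lan_net6 to any keep state

# NDP is passed on its own: Neighbor Solicitation (135) and Neighbor
# Advertisement (136). Source is "any" because DAD probes come from ::,
# not from a link-local address.
pass in quick on $lan_if inet6 proto ipv6-icmp from any to any \
    icmp6-type { 135, 136 } keep state

# The harmless link-local multicast chatter from the log excerpts above:
# WS-Discovery (UDP 3702 to ff02::c) and LLMNR (UDP 5355 to ff02::1:3).
# Dropping it here *without* "log" stops it reaching the logged default deny,
# which is what keeps the Firewall Logs widget readable. In the pfSense GUI
# this is a Block rule on LAN with the "Log" checkbox unticked.
block in quick on $lan_if inet6 proto udp from fe80::/10 to ff02::c   port 3702
block in quick on $lan_if inet6 proto udp from fe80::/10 to ff02::1:3 port 5355

# Everything else on LAN still hits the logged default deny.
block in log quick on $lan_if inet6 all
```

Because these rules use "quick", order matters: the silent block rules must sit above the logged default deny, which in pfSense means simply adding them as ordinary LAN rules, since the default deny is evaluated after all user rules.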
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.