Bug #13392
Closed
Ipv6 firewall exposing all global addresses on lan.
Description
Hello.
I’ve just configured IPv6 provided by my ISP with the following settings:
Interfaces --> WAN --> DHCP6 Client Configuration --> DHCPv6 Prefix Delegation size="56"
Request only an IPv6 prefix - selected
Do not wait for a RA - selected
Interfaces --> LAN --> General Configuration --> IPv6 Configuration Type="Track Interface"
Interfaces --> LAN --> Track IPv6 Interface --> IPv6 Interface="WAN"
Interfaces --> LAN --> Track IPv6 Interface --> IPv6 Prefix ID="0" --> Save
Services --> DHCPv6 Server & RA --> Router Advertisements --> Router mode="Unmanaged"
(Note: I don’t get any IPv6 global address on my WAN interface, only link-local. This is how my ISP works, apparently.)
Everything works fine and I get global addresses for all my machines on the LAN interface. The problem is all ports on those machines are wide open to the internet and I can, for example, SSH into some of the VMs I have running on my homelab without even setting any firewall rules on the WAN interface.
I was told on the Netgate forum this is not normal behavior and that even global addresses should only be accessible if firewall rules are set on the WAN interface. The same is confirmed by the Netgate docs.
Can someone replicate the problem?
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Not a Bug
That can only be true if your WAN rules are passing in the traffic or pf is disabled. That does not happen automatically.
It's highly unlikely to be a bug but some other problem with your configuration -- you may have floating rules or some package at play or something else is wrong (e.g. firewall ruleset is not loading/reloading).
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.
Updated by João Oliveira almost 3 years ago
I know this is not a help forum. Pretty sure it’s a bug since I have no IPv6 rules set on WAN and the only floating rules I have are from pfBlockerNG.
Updated by João Oliveira almost 3 years ago
You're right. It was pfBlockerNG. Uninstalled and it's solved. Sorry for any inconvenience.
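
The condition named in the reply above (WAN or floating rules passing the traffic, or pf disabled) can be checked from the loaded ruleset. The following is an added example, not part of the original thread or of pfSense; the WAN interface name `igb0` and the sample ruleset are constructed assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a loaded pf ruleset.
# On the firewall (as root):
#   pfctl -si | pf_is_enabled && pfctl -sr | inbound_v6_pass_rules igb0
# "igb0" as the WAN interface name is an assumption; substitute your own.

# Succeeds only if `pfctl -si` output on stdin reports pf as enabled.
pf_is_enabled() {
    awk '$1 == "Status:" { ok = ($2 == "Enabled"); exit } END { exit !ok }'
}

# Prints every `pfctl -sr` rule on stdin that can pass inbound IPv6 on the
# interface named in $1. Floating rules may omit direction, interface or
# address family, so a missing field is treated as "matches".
inbound_v6_pass_rules() {
    awk -v wan="$1" '
    $1 != "pass" { next }
    {
        dir = "any"; ifname = "any"; af = "any"
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            else if ($i == "on") { i++; ifname = $i }
            else if ($i == "inet" || $i == "inet6") af = $i
            else if ($i == "proto" || $i == "from" || $i == "all") break
        }
        if (dir == "out" || af == "inet") next
        if (ifname != "any" && ifname != wan) next
        print
    }'
}

# Constructed sample ruleset (not taken from the reporter's system).
sample_rules() {
    cat <<'EOF'
block drop in log inet6 all label "Default deny rule IPv6"
pass out inet6 all flags S/SA keep state
pass in quick on igb1 inet6 from 2001:db8:0:1::/64 to any flags S/SA keep state
pass in quick on igb0 inet proto tcp from any to any port = https flags S/SA keep state
pass in quick on igb0 inet6 proto tcp from any to any port = ssh flags S/SA keep state
pass quick inet6 from <constructed_list_v6> to any flags S/SA keep state label "constructed floating rule"
EOF
}
```

Each printed rule is a candidate only: the script does not evaluate rule order, so an earlier `block ... quick` rule may still take precedence over it.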