Bug #3494 (closed): default deny/block bogons blocks some ipv6 multicast traffic

Added by qubit nano over 10 years ago. Updated over 9 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 02/27/2014
% Done: 0%
Affected Version: 2.1-IPv6

Description

With IPv6 enabled, my ISP's default gateway (Comcast) sends an ICMP6 packet (Multicast Listener Report) destined for ff02::1:ff00:1 every few seconds. Without bogons enabled the default deny ipv6 rule blocks and logs this, but this traffic can either be allowed or still dropped but not logged by a firewall rule. With bogons enabled, this traffic falls into the block ipv6 bogons rule as the source, fe80::/10, is in the bogon list. Because the bogonv6 rule is set to quick:

    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"

this traffic cannot be allowed or be set to not be logged by a user firewall rule. As a result the firewall log gets spammed a dozen times every minute. I should note that DHCP6 renewal works with bogons enabled since a recent snapshot.

Removing the quick flag should fix this, but I guess the real question is how to handle this type of traffic. From what I understand Comcast really wants pfsense to join this multicast group or is responding to something that pfsense requested. According to ifmcstat, pfsense generated the multicast address for the /128 received on the WAN, the WAN's link local address, and joined those groups as well as ff02::1. Would allowing the icmp6-types 130, 131 and 132 to the rules help? Is this breaking NDP on Comcast's side?

Actions #1

Updated by Chris Buechler over 10 years ago

  • Status changed from New to Rejected

That's working as it should; you can disable logging for the bogon blocking if you want to silence the logs. There is a feature request open elsewhere already to allow re-ordering the bogon and private networks rules, which would allow you to block and not log specific traffic before the bogons or block private rule.
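To make the mechanics behind both the report and the reply concrete, here is an added example (not part of this ticket and not pfSense code): a small Python model of pf's rule evaluation, where the last matching rule wins unless a matching rule carries quick, which stops evaluation on the spot. The ruleset order, the user pass rule for ICMPv6 types 130/131/132, the trimmed bogon table and the link-local source address fe80::1 are all constructed for the illustration; only the bogon rule label and the destination ff02::1:ff00:1 come from the ticket. It shows why a user rule placed after a quick bogon rule can never match the MLD report, and what the two remedies discussed above (unsetting quick, or a block-without-log rule ordered before the bogon rule) change.

```python
# Toy model of pf rule evaluation (added example, not pfSense's own code).
# pf walks the ruleset in order; the LAST matching rule decides, unless a
# matching rule has "quick", which ends evaluation immediately.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed excerpt of the <bogonsv6> table: just fe80::/10, the entry that
# matters for this report, plus one unrelated documentation prefix.
BOGONS_V6 = ["fe80::/10", "2001:db8::/32"]


@dataclass
class Rule:
    action: str          # "block" or "pass"
    quick: bool          # stop evaluating once this rule matches
    log: bool            # write a firewall log entry when this rule decides
    src: List[str]       # CIDR strings; an empty list means "from any"
    icmp6_types: Set[int]  # empty set means "any ICMPv6 type"
    label: str


@dataclass
class Packet:
    src: str             # IPv6 source address
    dst: str             # IPv6 destination address
    icmp6_type: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source-prefix and ICMPv6-type match only; enough for this report."""
    src = ipaddress.ip_address(pkt.src)
    if rule.src and not any(src in ipaddress.ip_network(c) for c in rule.src):
        return False
    if rule.icmp6_types and pkt.icmp6_type not in rule.icmp6_types:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, str]:
    """Return (action, logged, label) of the rule that decides the packet."""
    winner: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:   # quick short-circuits: later rules never run
                break
    if winner is None:       # pf's implicit default when nothing matches
        return ("pass", False, "implicit pass")
    return (winner.action, winner.log, winner.label)


def ruleset(bogon_quick: bool = True, bogon_log: bool = True,
            before_bogons: Optional[List[Rule]] = None) -> List[Rule]:
    """Constructed order: default deny, optional user rules, bogon block,
    then the user pass rule the reporter asks about (ICMPv6 130/131/132)."""
    rules = [Rule("block", False, True, [], set(), "Default deny rule IPv6")]
    rules += before_bogons or []
    rules.append(Rule("block", bogon_quick, bogon_log, BOGONS_V6, set(),
                      "block bogon IPv6 networks from WAN"))
    rules.append(Rule("pass", True, False, [], {130, 131, 132},
                      "USER: allow MLD from WAN"))
    return rules


# The packet from the report: an MLD report (ICMPv6 type 131) from the
# upstream router's link-local address to a solicited-node multicast group.
# The link-local source fe80::1 is a constructed stand-in.
MLD_REPORT = Packet("fe80::1", "ff02::1:ff00:1", 131)

# The reply's alternative: a user block rule, without log, ordered before
# the bogon rule (constructed; depends on the re-ordering feature request).
SILENCE_MLD = [Rule("block", True, False, ["fe80::/10"], {131},
                    "USER: drop MLD reports without logging")]

if __name__ == "__main__":
    print("bogon rule quick:          ", evaluate(ruleset(), MLD_REPORT))
    print("bogon rule without quick:  ", evaluate(ruleset(bogon_quick=False), MLD_REPORT))
    print("bogon logging disabled:    ", evaluate(ruleset(bogon_log=False), MLD_REPORT))
    print("block-no-log before bogons:", evaluate(ruleset(before_bogons=SILENCE_MLD), MLD_REPORT))
```

With the bogon rule quick, the MLD report is blocked and logged before the user pass rule is ever consulted; dropping quick lets the later pass rule win, disabling the bogon rule's log keeps the block but silences it (the reply's first suggestion), and a no-log block rule ordered ahead of the bogon rule does the same without touching the bogon rule itself.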

Actions #2

Updated by Chris Buechler over 9 years ago

  • Target version deleted (2.1.1)