Bug #3494: default deny/block bogons blocks some ipv6 multicast traffic
Status: closed
Description
With IPv6 enabled, my ISP's default gateway (Comcast) sends an ICMP6 packet (Multicast Listener Report) destined for ff02::1:ff00:1 every few seconds. Without bogons enabled the default deny ipv6 rule blocks and logs this, but this traffic can either be allowed or still dropped but not logged by a firewall rule. With bogons enabled, this traffic falls into the block ipv6 bogons rule as the source, fe80::/10, is in the bogon list. Because the bogonv6 rule is set to quick
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
this traffic cannot be allowed or be set to not be logged by a user firewall rule. As a result the firewall log gets spammed a dozen times every minute. I should note that DHCP6 renewal works with bogons enabled since a recent snapshot.
Removing the quick flag should fix this, but I guess the real question is how to handle this type of traffic. From what I understand Comcast really wants pfSense to join this multicast group or is responding to something that pfSense requested. According to ifmcstat, pfSense generated the multicast address for the /128 received on the WAN, the WAN's link local address, and joined those groups as well as ff02::1. Would allowing the icmp6-types 130, 131 and 132 to the rules help? Is this breaking NDP on Comcast's side?