
Bug #8791

Default IPv6 rules do not allow some devices to perform router or neighbor discovery

Added by Jim Pingle 9 months ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules/NAT
Target version:
Start date: 08/16/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

RFC 4861 states in section 4.1 that during neighbor discovery a device may use the "unspecified" address if it does not yet have an IPv6 address. pfSense does not currently include that source in the list of sources allowed in the default ICMPv6 internal rules.

      Source Address
                     An IP address assigned to the sending interface, or
                     the unspecified address if no address is assigned
                     to the sending interface.

Section 2.3 states that the "unspecified" address is all zeroes, which compresses to ::

   unspecified address
               - a reserved address value that indicates the lack of an
                 address (e.g., the address is unknown).  It is never
                 used as a destination address, but may be used as a
                 source address if the sender does not (yet) know its
                 own address (e.g., while verifying an address is unused
                 during stateless address autoconfiguration [ADDRCONF]).
                 The unspecified address has a value of 0:0:0:0:0:0:0:0.

So rather than an address on the interface subnet, or link-local, such devices may send from a source of :: to the multicast all-routers destination.

Should be easy to correct by adding one more rule to the list near source:src/etc/inc/filter.inc#L3309 with :: as the source instead of fe80::/10.

Associated revisions

Revision 75cf92ff (diff)
Added by Jim Pingle 9 months ago

Add default ICMPv6 rule for unspecified src per RFC4861. Fixes #8791

History

#1 Updated by Jim Pingle 9 months ago

  • Status changed from Assigned to New

#2 Updated by Jim Pingle 9 months ago

  • Status changed from New to In Progress

#3 Updated by Jim Pingle 9 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#4 Updated by Constantine Kormashev 9 months ago

Can see rules:

pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
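As an added illustration (not pfSense's code and not part of this issue), the following Python model shows what the five rules quoted in comment #4 change about which ICMPv6 packets the default ruleset accepts, and why the description's fix is narrowly scoped. It implements only the subset of pf syntax used by those lines (`pass in quick ... from SRC to DST icmp6-type TYPE keep state`), ignores interfaces, direction and state, and assumes a default deny at the end of the ruleset as pfSense's generated ruleset has. The "before" rules with `fe80::/10` as source are reconstructed from the description's statement that the existing internal rules use that source; they are not copied from `filter.inc`. The packets are constructed test cases.

```python
"""Tiny pf-style rule matcher illustrating bug #8791 (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp6_type: str        # pf's icmp6-type keyword, e.g. "routersol"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp6_type: str


# Constructed "before" state: the existing rules are assumed (per the issue
# description) to permit only link-local sources, fe80::/10.
RULES_BEFORE = """
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
"""

# The rules the fix adds, as quoted in comment #4: source is the unspecified
# address ::, destination stays limited to link-scope multicast ff02::/16.
RULES_ADDED = """
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse 'pass ... from SRC to DST icmp6-type TYPE ...' lines into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "pass":
            continue
        # ipaddress turns a bare "::" into the single-host network ::/128.
        src = ipaddress.IPv6Network(tok[tok.index("from") + 1])
        dst = ipaddress.IPv6Network(tok[tok.index("to") + 1])
        rules.append(Rule(src, dst, tok[tok.index("icmp6-type") + 1]))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching 'quick' pass rule wins; no match falls to the assumed default deny."""
    s = ipaddress.IPv6Address(pkt.src)
    d = ipaddress.IPv6Address(pkt.dst)
    for r in rules:
        if s in r.src and d in r.dst and pkt.icmp6_type == r.icmp6_type:
            return "pass"
    return "block"


def demo() -> dict:
    """Return {case: (verdict before fix, verdict after fix)} for constructed packets."""
    before = parse_rules(RULES_BEFORE)
    after = before + parse_rules(RULES_ADDED)
    cases = {
        # RFC 4861 section 4.1: Router Solicitation from a host with no address yet.
        "rs_unspecified": Packet("::", "ff02::2", "routersol"),
        # Duplicate address detection: NS from :: to a solicited-node multicast group.
        "dad_ns_unspecified": Packet("::", "ff02::1:ff00:1", "neighbrsol"),
        # Already permitted: RS from a link-local source.
        "rs_linklocal": Packet("fe80::1", "ff02::2", "routersol"),
        # :: toward a unicast destination is outside ff02::/16 and stays blocked.
        "ns_unspecified_unicast": Packet("::", "2001:db8::1", "neighbrsol"),
    }
    return {name: (evaluate(before, p), evaluate(after, p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (b, a) in demo().items():
        print(f"{name:24s} before={b:5s} after={a}")
```

The last case is the check worth keeping in mind when reviewing the change: the added rules open `::` only toward `ff02::/16`, so traffic with an unspecified source to any unicast destination still falls through to the default deny, and only the ICMPv6 types needed for router and neighbor discovery are listed.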

#5 Updated by Jim Pingle 9 months ago

  • Status changed from Feedback to Resolved

#6 Updated by Corey Boyle 7 months ago

This fixed IPv6 on my Android phone (Moto G4). Previously the Internet connection test would always fail after about 1 min, which would make it disconnect from the WiFi. After upgrading to 2.4.4, IPv6 works great.
