Bug #8791

closed

Default IPv6 rules do not allow some devices to perform router or neighbor discovery

Added by Jim Pingle almost 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date: 08/16/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

RFC 4861 states in section 4.1 that during neighbor discovery a device may use the "unspecified" address if it does not yet have an IPv6 address. pfSense does not currently include that source in the list of sources allowed in the default ICMPv6 internal rules.

      Source Address
                     An IP address assigned to the sending interface, or
                     the unspecified address if no address is assigned
                     to the sending interface.

Section 2.3 states that the "unspecified" address is all zeroes, which compresses to "::":

   unspecified address
               - a reserved address value that indicates the lack of an
                 address (e.g., the address is unknown).  It is never
                 used as a destination address, but may be used as a
                 source address if the sender does not (yet) know its
                 own address (e.g., while verifying an address is unused
                 during stateless address autoconfiguration [ADDRCONF]).
                 The unspecified address has a value of 0:0:0:0:0:0:0:0.

So rather than sending from an address on the interface subnet or a link-local address, such devices may send from a source of :: to the all-routers multicast destination.

This should be easy to correct by adding one more rule to the list near source:src/etc/inc/filter.inc#L3309, with :: as the source instead of fe80::/10.
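As an added illustration (not part of this bug report or the pfSense code), the check below parses pf rules of the shape pfSense generates and reports which of the ICMPv6 types RFC 4861 allows from an unspecified source (Router Solicitation, section 4.1; Neighbor Solicitation during DAD, section 4.3) have no rule passing them from :: to ff02::/16. The BEFORE_FIX ruleset is a constructed approximation of the link-local-only defaults, and pf macros and tables are not resolved.

```python
"""Audit a pf ruleset for the gap this bug describes: a host with no address
yet sends Router Solicitation and Neighbor Solicitation (DAD) from the
unspecified source ::, which a rule written for fe80::/10 never matches."""
import ipaddress
import re

# ICMPv6 types that RFC 4861 allows with an unspecified source: Router
# Solicitation (section 4.1) and Neighbor Solicitation during DAD (section 4.3).
REQUIRED_FROM_UNSPECIFIED = ("routersol", "neighbrsol")
UNSPECIFIED_NET = ipaddress.ip_network("::/128")
LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")

# Matches the pf rule shape pfSense generates for its internal ICMPv6 rules.
RULE_RE = re.compile(
    r"^pass\s+in\s+quick\s+inet6\s+proto\s+ipv6-icmp\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+icmp6-type\s+(?P<type>\S+)"
)


def covers(spec: str, net: ipaddress.IPv6Network) -> bool:
    """True if a pf address spec ('any', a host, or a CIDR) contains all of net."""
    if spec == "any":
        return True
    try:
        return net.subnet_of(ipaddress.ip_network(spec, strict=False))
    except ValueError:  # macros ($lan) and tables (<t>) are not resolved here
        return False


def missing_unspecified_rules(ruleset: str) -> set:
    """Return the required ICMPv6 types that no rule passes from :: to ff02::/16."""
    allowed = set()
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m and covers(m["src"], UNSPECIFIED_NET) and covers(m["dst"], LINK_LOCAL_MCAST):
            allowed.add(m["type"])
    return set(REQUIRED_FROM_UNSPECIFIED) - allowed


# Constructed sample of the pre-fix defaults, which only pass link-local sources.
BEFORE_FIX = """\
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
"""
# The same set plus the :: rules reported in comment #4 on this bug.
AFTER_FIX = BEFORE_FIX + """\
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
"""
```

Running `missing_unspecified_rules(BEFORE_FIX)` reports both types as missing, while the AFTER_FIX set reports none, because fe80::/10 does not contain :: and only the added rules do.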

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Status changed from Assigned to New
Actions #2

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to In Progress
Actions #3

Updated by Jim Pingle almost 4 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Constantine Kormashev almost 4 years ago

Can see rules:

pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state

Actions #5

Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Resolved
Actions #6

Updated by Corey Boyle over 3 years ago

This fixed IPv6 on my Android phone (Moto G4). Previously the Internet connection test would always fail after about 1 min, which would make it disconnect from the WiFi. After upgrading to 2.4.4, IPv6 works great.
