Bogon Rule (partly) blocking IPV6
When defining rules for Simple Service Discovery Protocol (SSDP), I discovered a serious bug. Luckily with “some form of” workaround possible.
I have a network divided in multiple subnets using a vlan per subnet. For each subnet there is a interface witch corresponding rules.
Since I am using firewall rules as strict as possible, I normally have the Bogon-rule active for each interface (WAN and LAN).
I observed following issue and expect the problem to be wider than that:
- SSDP owns the following address ranges
o IPV4: 188.8.131.52 (IPv4 site-local address)
o IPV6: [FF02::C] (IPv6 link-local)
o IPV6: [FF05::C] (IPv6 site-local)
o IPV6: [FF08::C] (IPv6 organization-local)
o IPV6: [FF0E::C] (IPv6 global)
- I defined a rule to block IPv6 global (Block UPnP discovery outside my network), with the intention to pass the rest.
- So IMHO IPV6: [FF05::C] (IPv6 site-local) should pass
- However I observed that the “block bogon IPV6-rule” blocks the other IPV6-local traffic, and that is IMHO not OK.
In attached document two pieces of firewall logs, the upper one with bogon-rule activated. And below that a piece where the bogon-rule is not active.
This problem relates at least to the actual pfSense version p2.4.4 release 3
#2 Updated by Louis van Breda about 1 year ago
At best I only partly agree with you. We can argue about if it is yes or no useful to check for bogon networks on a lan interface, but the fact that the firewall engine is:
- Is not handling IPV6-traffic as it should and / or
- Generates a message that it has stopped bogons
Is definitively not ok. What makes it very serious is, that I do not have any idea what the engine is doing wrong ! and what the consequences are ! But one thing is for sure that is that the core engine is doing something wrong ☹
#3 Updated by Jim Pingle about 1 year ago
Feel free to discuss the issue more in depth on the forum if you think there might be something else going on. We don't make a habit of opening unsolicited word document attachments, so we won't be looking at the text submitted that way.
Bogon lists are not for private interfaces, there is no room for debate there.