All,
I'm seeing tons of log spam in my firewall triggered by the IPv6 RFC4890 requirements (ICMP) rule. IPv6 is up and working on my LAN, and I receive a /56 delegation from my ISP.
This happens regardless of whether DHCPv6 & Router Advertisements are set manually or left on auto. IPv6 connectivity remains functional, but the log spam persists.
Not sure what's causing this. Anyone have any ideas? Thanks in advance!
Uncheck Firewall > Settings > Advanced > Logging > Default pass.
Quote from: Patrick M. Hausen on February 20, 2025, 10:20:35 PM: "Uncheck Firewall > Settings > Advanced > Logging > Default pass."
First place I checked. Everything under logging there is unchecked.
Try https://github.com/opnsense/src/issues/242#issuecomment-2679069936
Trying that now. I am also seeing the below in the log for the firewall. I don't have bogons blocked in the GUI either. Could this be part of my issues?
Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -t bogonsv6 -T flush' returned exit code '255', the output was 'pfctl: Table does not exist.'
So far it seems to no longer be blocking on the LAN and triggering those entries. I wonder if this will help my Android devices losing IPv6 connectivity after a while? I am still seeing the errors below though.
Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -t bogonsv6 -T flush' returned exit code '255', the output was 'pfctl: Table does not exist.'
I think that may be this one https://github.com/opnsense/core/commit/d1b427704770591da38c309242fa4e3523ef1ae8
Is it safe for me to upgrade to 25.1.2 in order to get the bogons fix or will that cause me to lose the kernel fix? Thank you for all the help!
Lock kernel from packages tab, then update (it will reboot but the kernel will stay), then unlock to make sure you get the next one. I expect this fix to land in 25.1.3.
Cheers,
Franco
Thank you! Looks like we are good to go! Issues resolved!
Thanks for testing, BTW. The plan is to ship this in the next and prepare a FreeBSD submission for it. Eventually someone will find this interesting for IPv6 deployments over there. ;)
Cheers,
Franco