OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Antaris on April 10, 2019, 04:16:01 pm

Title: How to disable IPv6
Post by: Antaris on April 10, 2019, 04:16:01 pm
Hi,

I just need to disable IPv6 in OPNsense. Totally and everywhere.
I disabled it in every place I could find, but I still see IPv6 logs in the firewall and IPv6 addresses on the interfaces.
Is there a guide to eradicate IPv6 for good if it can't be disabled?
Maybe at a lower level, in the BSD base?
Maybe in System >> Settings >> Tunables, set "net.inet6.ip6.redirect - Enable sending IPv6 redirects" to 0?
All other ideas are welcome...

Another idea: is there a way to prevent IPv6 events from showing up in the firewall logs?
Title: Re: How to disable IPv6
Post by: schnipp on April 10, 2019, 10:02:02 pm
It is not possible to prevent reception of IPv6 packets. The only solution is to filter and ignore such packets sent by your ISP.

- set IPv6 configuration to none on WAN interfaces
- filter IPv6 traffic in the firewall (Firewall -> Settings -> Advanced -> Allow IPv6)
Title: Re: How to disable IPv6
Post by: Antaris on April 10, 2019, 10:40:42 pm
I already do this, but it's all in the firewall live logs and distracts me from observing the important things. Maybe two switches, "IPv4" and "IPv6", would solve the problem...
Title: Re: How to disable IPv6
Post by: TeKK on April 11, 2019, 03:50:01 am
Try this:

Go to Floating Rules and create a rule with the following parameters:

Action: Block
Quick: Check "Apply the action immediately on match."
Interface: Select all interfaces to block all IPv6 traffic on the firewall.
Direction: any
TCP/IP Version: IPv6
Protocol: any
Source: any
Destination: any
Log: Uncheck "Log packets that are handled by this rule"
Description: BLOCK ALL IPv6

Save and apply. Move rule to top of the floating rules.

At this point you should have two Block IPv6 rules. The system rule "Block all IPv6 traffic" and the rule you just created which should be directly below the system rule.

Now go to Firewall -> Settings -> Advanced and enable "Allow IPv6". This will disable the system rule. Even though you are enabling IPv6 here, the rule you just created will block the traffic and not log it.

Now go back to the Floating Rules to verify that the rule you just created is now directly above every other rule. Now check your firewall logs to see if you still see IPv6 traffic in your logs. There shouldn't be any.

Test and let me know.

P.S: To check that the rule is working before setting it and leaving it, you can enable "Log packets that are handled by this rule" to verify the IPv6 traffic is falling on that rule.
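As an added example (my own code, not TeKK's and not anything shipped by OPNsense), here is a small shell check for the two conditions the post above relies on: once "Allow IPv6" is enabled, the first IPv6 rule in the loaded ruleset must be the user's block rule with "quick" set, and it must not log. It parses rule lines in the style of `pfctl -sr`; the sample rules below are constructed by me to resemble pf's rule syntax and are not a real dump from an OPNsense box.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: check whether the first IPv6 rule
# in a pf ruleset is a silent (non-logging) "block ... quick" rule, which is the state
# TeKK's floating rule is meant to produce once "Allow IPv6" is enabled.
# Live use on OPNsense/FreeBSD:
#   pfctl -sr | ipv6_block_is_silent && echo "IPv6 is blocked without logging"

# Constructed samples in "pfctl -sr" style (not real dumps from an OPNsense box).
# "Allow IPv6" unchecked: the logging system rule sits above the user's rule.
RULES_BEFORE='block drop log quick inet6 all label "Block all IPv6 traffic"
block drop quick inet6 all label "BLOCK ALL IPv6"
pass in quick on em1 inet from any to any flags S/SA keep state label "Default allow LAN"
'
# "Allow IPv6" checked: the system rule is gone and the user rule is the first IPv6 rule.
RULES_AFTER='block drop quick inet6 all label "BLOCK ALL IPv6"
pass in quick on em1 inet from any to any flags S/SA keep state label "Default allow LAN"
'

# first_inet6_rule: print the first rule line that applies to the inet6 address family.
first_inet6_rule() {
    awk '$0 ~ /(^| )inet6( |$)/ { print; exit }'
}

# ipv6_block_is_silent: exit 0 if the first inet6 rule blocks, carries "quick" and does
# not log; exit 1 otherwise (including when no inet6 rule is loaded at all).
ipv6_block_is_silent() {
    rule=$(first_inet6_rule)
    [ -n "$rule" ] || return 1
    case "$rule" in
        block*\ quick\ *) ;;          # must be a block rule with "quick"
        *) return 1 ;;
    esac
    case "$rule" in
        *\ log\ *) return 1 ;;        # a logging rule is what floods the live log
    esac
    return 0
}

printf '%s' "$RULES_BEFORE" | ipv6_block_is_silent && echo "before: silent" \
    || echo "before: first IPv6 rule logs or is not block/quick"
printf '%s' "$RULES_AFTER" | ipv6_block_is_silent && echo "after: silent" \
    || echo "after: first IPv6 rule logs or is not block/quick"
```

Run as-is it reports the "before" sample as noisy and the "after" sample as silent; on a live box replace the samples with the output of `pfctl -sr`.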
Title: Re: How to disable IPv6
Post by: packet loss on April 11, 2019, 03:52:55 am
I also disabled IPv6 from the webui but from the shell this is what it shows using the ifconfig command:

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether xx:xx:xx:xx:xx:xx
        hwaddr xx:xx:xx:xx:xx:xx
        inet6 fe80::64a3:27ff:fe0a:f59%em0 prefixlen 64 scopeid 0x1
        inet 71.205.237.101 netmask 0xffffff00 broadcast 71.205.237.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether xx:xx:xx:xx:xx:xx
        hwaddr xx:xx:xx:xx:xx:xx
        inet 10.200.200.1 netmask 0xffffff00 broadcast 10.200.200.255
        inet6 fe80::230:18ff:fec4:45c6%em1 prefixlen 64 scopeid 0x2
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog

Is this normal? I've never used IPv6 before so I don't know much about it.
Title: Re: How to disable IPv6
Post by: chemlud on April 11, 2019, 08:35:07 am
@TeKK

I have had this rule for years, but I'm not really sure it is enough. Imagine a client contacts a service on the sense (let's say Unbound) via IPv6. The two computers are on the same network, I know, and sometimes the firewall rules also interfere with contacting the sense (e.g. when blocking the GUI from some networks). But you can never know. There are deeply hidden rules and port openings inside which I never understood.

If Unbound (or whatever) can make deliberate contacts to the www (IPv4, IPv6 over IPv4, whatever) you have a channel uncontrolled by your firewall rules. If I turn off IPv6, it should be OFF. No /64 on the interfaces, no nothing. OFF OFF. End of story. There is simply no reason to have features like IPv6 (which are not widely tested for security and apparently hard to control) enabled on a firewall, even when they are DISABLED.
Title: Re: How to disable IPv6
Post by: 3kj2w on April 11, 2019, 08:46:54 am
The first step is to have a look at Sockets and see which service opens an IPv6 port to listen on;
then find that service's config and disable IPv6.
For this you need:
1) to tamper with the sources and disable / comment out the running services that open IPv6 ports.
2) a script that deletes the IPv6 addresses from the interfaces at filter/interface reload/restart.

A very basic script for your interfaces will look like this. First find your IPv6 interface addresses with:
Code:
/sbin/ifconfig | grep inet6

then delete an IPv6 address from an interface with, e.g.:
Code:
ifconfig lo0 inet6 ::1 delete

Code:
#!/bin/sh
# delete IPv6 from interfaces
ifconfig lo0 inet6 ::1 delete
ifconfig lo0 inet6 fe80::1 delete
# here you add your IPv6 interface addresses...
ifconfig em0 inet6 fe80::64a3:27ff:fe0a:f59 delete
ifconfig em1 inet6 fe80::230:18ff:fec4:45c6 delete
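As an added example (my own code, not 3kj2w's script and not anything shipped by OPNsense), here is a variant of the same idea that derives the delete commands from ifconfig output instead of hard-coding every address, so it does not need editing when a link-local address changes. It is fed a constructed, abbreviated ifconfig sample in the layout posted earlier in this thread and prints the commands rather than executing them; the optional `keep-lo` argument is my own addition for leaving the loopback addresses in place.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: derive "ifconfig ... inet6 ... delete"
# commands from ifconfig output instead of hard-coding every address.
# Live use on FreeBSD/OPNsense (review the printed commands first, then pipe them to sh):
#   ifconfig | ipv6_delete_cmds
#   ifconfig | ipv6_delete_cmds keep-lo | sh

# Constructed sample: abbreviated ifconfig output in the layout posted earlier in the thread.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::64a3:27ff:fe0a:f59%em0 prefixlen 64 scopeid 0x1
        inet 71.205.237.101 netmask 0xffffff00 broadcast 71.205.237.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.200.200.1 netmask 0xffffff00 broadcast 10.200.200.255
        inet6 fe80::230:18ff:fec4:45c6%em1 prefixlen 64 scopeid 0x2
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
'

# ipv6_delete_cmds [keep-lo]: read ifconfig output on stdin and print one delete command
# per inet6 address. Interface headers are the unindented "name:" lines; address lines are
# indented, so the current interface name is carried along in ifn. With "keep-lo" the
# loopback addresses (::1 and fe80::1%lo0) are left alone, since local services use them.
ipv6_delete_cmds() {
    awk -v keep_lo="$1" '
        /^[^ \t]+:/ { ifn = $1; sub(/:$/, "", ifn); next }
        $1 == "inet6" {
            if (keep_lo == "keep-lo" && ifn ~ /^lo[0-9]+$/) next
            # link-local addresses keep their %ifname scope suffix; ifconfig accepts it
            printf "ifconfig %s inet6 %s delete\n", ifn, $2
        }
    '
}

# count_ipv6_addrs [keep-lo]: number of addresses the commands above would remove.
count_ipv6_addrs() {
    ipv6_delete_cmds "$1" | grep -c '^ifconfig '
}

printf '%s' "$SAMPLE_IFCONFIG" | ipv6_delete_cmds
```

For the sample this prints four delete commands (one each for em0 and em1, two for lo0); with `keep-lo` only the two for em0 and em1 remain. Because the addresses are regenerated on interface reload, the generated commands have to be re-run at the same hook points 3kj2w mentions.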
Title: Re: How to disable IPv6
Post by: chemlud on April 11, 2019, 09:58:55 am
According to the sockets listed in the GUI, the ntpd and syslogd have IPv6...

Why would ntpd need something like this?
Title: Re: How to disable IPv6
Post by: 3kj2w on April 11, 2019, 10:11:38 am
You have to change the generated ntp config to listen only on IPv4.
Here is how to do it:

edit:
/usr/local/etc/inc/plugins.inc.d/ntpd.inc
change these lines:
Code:
$ntpcfg .= 'restrict default';           ->   $ntpcfg .= 'restrict -4 default';
...
$ntpcfg .= "interface ignore all\n";     ->   $ntpcfg .= "interface ignore wildcard\n";

Disable / comment out the lines with IPv6 references by adding # in front of them:
Code:
# $ntpcfg .= "\nrestrict -6 default";
# if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
# $ntpcfg .= ' kod limited';
# }
# if (empty($config['ntpd']['nomodify'])) { /*note: this one works backwards */
# $ntpcfg .= ' nomodify';
# }
# if (!empty($config['ntpd']['noquery'])) {
# $ntpcfg .= ' noquery';
# }
# if (empty($config['ntpd']['nopeer'])) { /*note: this one works backwards */
# $ntpcfg .= ' nopeer';
# }
# if (!empty($config['ntpd']['noserve'])) {
# $ntpcfg .= ' noserve';
# }
# if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
# $ntpcfg .= ' notrap';
# }

Save and restart; now NTP will not open a port on IPv6 any more.

To disable IPv6 from the system, edit in:
/usr/local/etc/inc/

system.inc
and the other .inc files

There you will find a lot of references to :: / IP6 / IPv6 default settings that you can toggle off/disable (1 -> 0).

Disable / comment out the lines that refer to IPv6 with #,
so your system will not generate IPv6 addresses for the interfaces or route IPv6.

good luck and have fun...  ;)
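As an added example (my own code, not 3kj2w's and not part of OPNsense), here is the check that goes with the two posts above: 3kj2w's first step is to look at which services hold IPv6 listening sockets, and after the ntpd.inc change you want to confirm ntpd no longer does. The functions parse output in the column layout of FreeBSD's `sockstat -l` (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS); the sample below is constructed by me and the PIDs in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: list the daemons that still hold
# IPv6 listening sockets, using the column layout of FreeBSD's "sockstat -l"
# (USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS).
# Live use on OPNsense/FreeBSD:
#   sockstat -l | ipv6_listeners
#   sockstat -l | has_ipv6_listener ntpd && echo "ntpd still listens on IPv6"

# Constructed sample (made-up PIDs): ntpd before the ntpd.inc change, plus syslogd and sshd.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       48123 20 udp6   *:123                 *:*
root     ntpd       48123 21 udp4   *:123                 *:*
root     syslogd    41234 6  udp6   *:514                 *:*
root     sshd       52345 4  tcp4   *:22                  *:*
'

# ipv6_listeners: print "COMMAND PROTO LOCAL_ADDRESS" for every socket whose protocol
# column ends in 6 (tcp6/udp6), skipping the header line.
ipv6_listeners() {
    awk 'NR > 1 && $5 ~ /6$/ { printf "%s %s %s\n", $2, $5, $6 }'
}

# has_ipv6_listener NAME: exit 0 if a process named NAME appears among the IPv6 listeners
# read on stdin, exit 1 otherwise.
has_ipv6_listener() {
    ipv6_listeners | awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

printf '%s' "$SAMPLE_SOCKSTAT" | ipv6_listeners
```

Run as-is it prints `ntpd udp6 *:123` and `syslogd udp6 *:514` for the sample. A clean result after the ntpd.inc change is simply no ntpd line; syslogd, which chemlud also spotted in the Sockets view, would still show up and needs its own configuration change.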
Title: Re: How to disable IPv6
Post by: TeKK on April 11, 2019, 12:16:31 pm
While I understand that disabling IPv6 should mean no IPv6 whatsoever on any interface, I was under the impression that OP's main goal was to not see the IPv6 traffic in his logs so he could better visualize his IPv4 traffic.

Also, if we don't start to utilize IPv6 and understand it then, we will always fall back to not wanting to use it. I have signed up with HE.net for a 6in4 tunnel and got a /64 and a /48 subnet of IPv6 addresses to play around with in my home lab. To me, it is a bit easier to manage IPv6 as you don't have to deal with matching FW rules to NAT rules and no port forwards. Everything is just straightforward. But some may say the opposite of this.
Title: Re: How to disable IPv6
Post by: packet loss on April 11, 2019, 06:24:30 pm
Quote
I need just to disable IPv6 in OPNsense. Totally and everywhere.
I think Antaris is very clear on what he wants.

Quote
Also, if we don't start to utilize IPv6 and understand it then, we will always fall back to not wanting to use it.
I honestly don't like this thought process relating to a firewall I need to maintain complete control over.

I also noticed ntpd was using IPv6 as well and don't see a means to disable this in the webui. I think it would be a little more appropriate to add a disable all related IPv6 functionality toggle button somewhere in the webui. This setting should then toggle off all other related IPv6 settings in the webui and actually disable IPv6 functionality.

Title: Re: How to disable IPv6
Post by: chemlud on April 11, 2019, 08:04:38 pm
In principle there should be a switch for IPv6

https://www.thomas-krenn.com/de/wiki/OPNsense_IPv6_deaktivieren

but... as we see...

NTP has a not-so-good reputation. At least for me. IPv6 neither:

https://forum.opnsense.org/index.php?topic=6269.msg27242#msg27242

(found by chance) ;-)

Title: Re: How to disable IPv6
Post by: Antaris on April 11, 2019, 10:23:09 pm
The solution from TeKK works well enough.
Thanks a lot.

P.S. My intention to eradicate IPv6 was because of the live log flooding.

This may be good to be pinned as a guide.
Title: Re: How to disable IPv6
Post by: Charles2019 on April 12, 2019, 12:15:25 am
Quote
I need just to disable IPv6 in OPNsense. Totally and everywhere.
I think Antaris is very clear on what he wants.

Quote
Also, if we don't start to utilize IPv6 and understand it then, we will always fall back to not wanting to use it.
I honestly don't like this thought process relating to a firewall I need to maintain complete control over.

I also noticed ntpd was using IPv6 as well and don't see a means to disable this in the webui. I think it would be a little more appropriate to add a disable all related IPv6 functionality toggle button somewhere in the webui. This setting should then toggle off all other related IPv6 settings in the webui and actually disable IPv6 functionality.

I agree that there should be one setting to turning off IPv6 completely.

When I go to Firewall -> Rules -> Floating and click to edit the IPv6 rule that disallows IPv6, it takes me to Firewall -> Settings -> Advanced, where there is an option to Allow IPv6 (or disallow it). I don't know how to control the logging, as I see the blocked IPv6 traffic, and it would be nice not to see it without having to modify core files.
Title: Re: How to disable IPv6
Post by: TeKK on April 12, 2019, 12:18:06 am
@Charles2019 see the fourth post above on how to accomplish this. You have to create a new floating rule.
Title: Re: How to disable IPv6
Post by: Charles2019 on April 13, 2019, 12:55:28 am
@Charles2019 see the fourth post above on how to accomplish this. You have to create a new floating rule.

Actually that doesn't work as it should either. 
When I added the rule myself as noted above, I got this: ipv6_01.png
But when I unchecked the box to allow IPv6 I got this: ipv6_02.png


Title: Re: How to disable IPv6
Post by: TeKK on April 13, 2019, 02:21:50 am

Actually that doesn't work as it should either. 
When I added the rule myself as noted above, I got this: ipv6_01.png
But when I unchecked the box to allow IPv6 I got this: ipv6_02.png

I don't think you did it correctly.

You need to enable "Allow IPv6". If you uncheck it then the system will place a firewall rule at the top that will log blocked traffic.

Once you enabled that make sure your floating rule looks like the following and make sure you choose all interfaces you want to block and hide traffic from the log.

(https://i.ibb.co/yFckVKB/Screenshot-from-2019-04-12-20-08-55.png) (https://ibb.co/tpT23nP)
Title: Re: How to disable IPv6
Post by: chemlud on May 15, 2019, 09:19:22 am
...another reason why I don't want IPv6 at all:

https://nvd.nist.gov/vuln/detail/CVE-2019-1804

Could we please have a kill switch for IPv6, totally and completely? Or an image without any IPv6?

Please, please?
Title: Re: How to disable IPv6
Post by: franco on May 15, 2019, 12:32:21 pm
There is only one real way to disable IPv6 which is not compiling it into the kernel, which breaks several ports.

Blocking it completely should suffice.


Cheers,
Franco