Messages

1

24.7 Production Series / Re: I'm a doofus and I broke my firewall...

« on: November 24, 2024, 02:37:08 am »

I had spotted the other thread, but when I checked the file I found:

Code: [Select]

# grep offloading /conf/config.xml
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
The natives were getting restless in the household, so I girded my loins and moved the `eastpect` file out of `/usr/local/etc/rc.d`.

That worked and the WebUI came up on reboot.

Oddly, when I checked the system config I noticed that all the "offload" boxes were UNchecked.

Moving the `eastpect` file back where it started and rebooting worked as I would have expected before this evolution.  WebUI, SSH, etc. working.

Checking those boxes didn't change anything in the `/conf/config.xml` file, so maybe that's controlled /set somewhere else these days?

At any rate, I'm back up and running and managed to remove Zenarmor (it didn't work since it's missing the database).

Thanks for the pointers, it got me moving (even if I had a flop-sweat moment moving files around).

2

24.7 Production Series / I'm a doofus and I broke my firewall...

« on: November 23, 2024, 11:48:35 pm »

Not sure if anyone can help, but I screwed up and thought I'd try Zenarmor.

Unfortunately, I didn't read far enough into the "gotchas" to discover that turning on checksum offloading is a "Bad Idea (tm)" with Zenarmor.

Now my firewall is stuck with no WebUI, no SSH and no Serial/TTY console (spamming the "drop mbuf that needs checksum offload" message).

I built a NomadBSD USB and can mount up the correct partition - but can't find where the config files live to either:

1) Turn checksum offload "Off"
-or-
2) Disable Zenarmor so the WebUI starts and I can change the checksum offload there

Can anyone point me in the right direction?

Or have I just blown up my firewall and need to re-image from bare metal?

3

24.7 Production Series / Re: Dashboard not showing correct WAN public IP address using PPPOE

« on: August 01, 2024, 06:37:51 pm »

Here's my config.

4

24.7 Production Series / Re: Dashboard not showing correct WAN public IP address using PPPOE

« on: August 01, 2024, 05:42:41 pm »

For me the widget is titled "Interfaces" and is one of the default widgets on the Lobby/Dashboard page.

I'm on 24.7_9 and can confirm that the widget only displays the link-local IPv6 addresses, though via command line I can see that public IPv6 addresses are assigned to devices, which is confirmed by https://ip6only.me.

5

24.1 Legacy Series / Custom rules via command line /editor?

« on: March 07, 2024, 05:29:16 pm »

This is a follow-on to a prior post:
https://forum.opnsense.org/index.php?topic=39145.0

It looks like in order to fully meet https://www.rfc-editor.org/rfc/rfc4890, I need to create specific rules for some ICMPv6 types versus the "wide open everything" rule I have at the moment.

Digging into the available OPNSense and FreeBSD IPFW /PF documentation, this should be possible if I create rules from the command line by editing pf.conf?  ipfw.conf?  ipfw?  pfctl?  Something else?

But where, what syntax (since OPN seems to mix IPFW and PF), how to ensure that it's accepted by the system, etc. is still pretty darn foggy to me.

If my current understanding is correct, somewhere in the file structure I should be able to create a new file /rule something like:

pass in log quick inet6 proto ipv6-icmp all icmp6-type 4 code 2 keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type 4 code 0

along with the other types /codes as listed in RFC4890

But how? And where?

Can anyone point me in the right direction so I don't self-inflict a breakage?

6

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 06, 2024, 08:27:45 pm »

Oddly, I just ran across a forum topic from 2019 that looked like it was going to help /maybe resolve the issue - but then the author got distracted and never tested /implemented the update code..

https://forum.opnsense.org/index.php?topic=14891.0

7

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 06, 2024, 06:28:50 pm »

Wow - yup.

Hadn't tried the "hover" reveal, but the list of ICMPv6 types is not at all complete per RFC 4890.

I've been searching and can't find where OPNSense defines ICMP /ICMPv6 Types or how to build PF rules where a type is not named (the "Undefined" numerics).

The only ICMPv6 types that I can see in-use are:

• Type 1 Destination Unreachable (unreach)
• Type 2 Packet Too Big (toobig)
• Type 128 Echo Request (echoreq)
• Type 129 Echo Reply (echorep)
• Type 133 Router Solicitation (routersol)
• Type 134 Router Advertisement (routeradv)
• Type 135 Neighbor Solicitation (neighborsol)
• Type 136 Neighbor Advertisement (neighboradv)

With a few more pre-defined in the "drop-down" but those look more like they are comingled with ICMPv4 from a strict "Human readable name" perspective.

I see an array in /usr/local/www/firewall_rules.php, but I'm not willing to edit that and I don't see any of the icmp6types showing up in the WebUI.

Anyone have a good link /doc where I can use the WebUI or command line (pfctl) to define types /codes, add them by number to a table, or otherwise build correct rules?

It feels like the WebUI is not robust /flexible enough (unless I've missed something) so I am likely stuck adding rules via command line...

If my read is correct, then the "Automatic" rules for ICMPv6 should encompass:

Transit through the Firewall:
Must Not Drop (§4.3.1):
  Type 1, Type 2, Type 3 Code 0, Type 4 Code 1, Type 4 Code 2, Type 128-129
Should Not Drop (§4.3.2):
  Type 3 Code 1, Type 4 Code 0, Type 144-147
Needs a rule (§4.3.4):
  Must Allow:
   Seamoby
    Type 150
   Undefined Error Messages:
    Type 5-99, 102-126
   Unallocated Informational Messages:
    Type 154-199
    Type 202-254

Not sure about these - maybe a "checkbox" somewhere to turn them on?
Should Drop barring defined need (§4.3.5):
Type 100-101, Type 127, Type 138-140, Type 200-201, Type 255

Local Traffic (LAN, WAN, Link Local, etc.):
Must Not Drop (§4.4.1):
Type 1, Type 2, Type 3 Code 0, Type 4 Code 1, Type 4 Code 2, Type 128-136, Type 141-143, Type 148, Type 149, Type 151-153
Should Not Drop (§4.4.2):
Type 3 Code 1, Type 4 Code 0
Needs a Rule (4.4.4):
  Must Allow:
   Type 137
  If Experimental:
   Type 139-140
  Undefined Error Messages:
   Type 5-99
   Type 102-126

Not sure about these - maybe a "checkbox" somewhere to turn them on?
Should Drop barring defined need (§4.4.5):
Type 100-101, 127
Type 154-199
Type 200-255

8

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 06, 2024, 01:54:43 pm »

The Automatically Generated Rules for ICMPv6 are present in my 24.1.2 system:


But for whatever reason, IPv6 does not work without the custom /manual ICMPv6 rule.

I've reverted to 24.1.1 and re-upgraded to 24.1.2 twice, with a "Factory Default" reset each time and on 24.1.2 IPv6 does not work until I put the ICMPv6 rule in place.

If there's further debug /troubleshooting data that would help isolate the issue, I'm game to track /search and post...

9

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 05, 2024, 11:58:42 pm »

It's the most basic and simple of rules:

Code: [Select]

pass in quick on igb1 inet6 proto ipv6-icmp all keep state (LAN)

Code: [Select]

pass in quick on igb0 inet6 proto ipv6-icmp all keep state (WAN)

or



I thought about trying to build out a duplicate of the RFC4890 "Automatic" rules, but once I read a bit more and realized that since, by design, ICMPv6 doesn't pose the same sort of Command and Control /data leakage risk that ICMPv4 does, I used a "blanket" rule.

If you know of any reason why that might be "bad", let me know and I'll build the duplicates...

10

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 05, 2024, 08:03:42 pm »

In order:

1 - At least for my deployment, I think I've solved the problem.
2 - Yes, it was happening across all platforms (Windows, Linux, MacOS, Android, Network /Switch gear, etc.)
3 - Yes, I restarted radvd and dhcpdv6 after each "Save /Apply".

I got frustrated last night and rolled back to v24.1.1.

As expected, IPv6 worked "normally".

I did find that (from the web console):
1 - The ISC DHCPv6 configuration did not need to have the range configured to function
2 - Router Advertisements was not enabled
3 - There was a set of "Automatically generated rules" that allowed ICMPv6 for LAN and WAN

So I went back to v24.1.2 (still no IPv6 connectivity) and made one change.

I created a rule for both LAN and WAN that allowed all ICMPv6.

Even though there are "Automatically generated rule"(s) that look identical to the ICMPv6 rules in place in v24.1.1 on both interfaces, once I created the Custom rule, IPv6 started working.

Disable the Custom ICMPv6 rule - IPv6 "breaks" again...

Maybe it's my hardware - maybe I'm just unlucky, but with all the great help and ideas /guidance /troubleshooting here at least it's now working...

11

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 04, 2024, 09:09:07 pm »

It's a pretty simplistic network:



I say the "Provided" gateway as in the LAN 2009:... which is from the Cox allocation.

The two fe80: IP's on the WAN side are "Unreachable".

Code: [Select]

C:\Windows\System32>ping 2001:579:4c:3700:2e0:67ff:fe1f:2529

Pinging 2001:579:4c:3700:2e0:67ff:fe1f:2529 with 32 bytes of data:
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms
Reply from 2001:579:4c:3700:2e0:67ff:fe1f:2529: time<1ms

Ping statistics for 2001:579:4c:3700:2e0:67ff:fe1f:2529:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Windows\System32>ping fe80::2e0:67ff:fe1f:2528

Pinging fe80::2e0:67ff:fe1f:2528 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for fe80::2e0:67ff:fe1f:2528:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\System32>ping fe80::2ef8:9bff:fe9d:b419

Pinging fe80::2ef8:9bff:fe9d:b419 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for fe80::2ef8:9bff:fe9d:b419:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\System32>

12

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 04, 2024, 04:52:42 pm »

Here is the DHCPDv6 stanza.

I did "turn on" Default Gateway during the troubleshooting (checkbox selected and the "ranodefault" no longer appears in conf/config.xml), but it did not make a difference.

Troubleshooting over the weekend:
1 - Set up an additional Microsoft Windows 11 system from scratch (same IPv6 problem)
2 - Completely reset the Network Interfaces and the Network Stack on the original Microsoft system (no change)
3 - Tested a MacOS system (same IPv6 problem) borrowed from a friend

All LAN systems can see /ping the "IPv6 Default Gateway" provided by my ISP (fe80::2ef8:9bff:fe9d:b419) and other LAN systems using both the Private and Public IPv6 addresses, but cannot reach any system on the Public Internet.

DHCPDv6

Code: [Select]

<dhcpdv6>
  <lan>
    <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
    <enable>1</enable>
    <range>
      <from>2001:579:4c:3700::</from>
      <to>2001:579:4c:3700:ffff:ffff:ffff:ffff</to>
    </range>
    <prefixrange>
      <from/>
      <to/>
      <prefixlength>64</prefixlength>
    </prefixrange>
    <dnsserver>fde4:b3e2:db9e:1000::11</dnsserver>
    <ntpserver>fde4:b3e2:db9e:1000::11</ntpserver>
    <numberoptions>
      <item/>
    </numberoptions>
    <ramode>assist</ramode>
    <rapriority>medium</rapriority>
    <ramininterval>200</ramininterval>
    <ramaxinterval>600</ramaxinterval>
    <radomainsearchlist/>
    <radnsserver/>
    <rasamednsasdhcp6>1</rasamednsasdhcp6>
  </lan>
</dhcpdv6>
Microsoft Windows IPv6 Route

Code: [Select]

C:\>route print -6
===========================================================================
Interface List
 22...f0 2f 74 d3 b8 d0 ......Realtek PCIe 2.5GbE Family Controller #2
 29...00 15 5d 58 33 d0 ......Hyper-V Virtual Ethernet Adapter #5
 15...f0 2f 74 d3 b8 52 ......Intel(R) I211 Gigabit Network Connection #2
 19...0a 00 27 00 00 13 ......VirtualBox Host-Only Ethernet Adapter
  5...00 ff 15 55 9b 77 ......TAP-Windows Adapter V9 for OpenVPN Connect
 25...........................OpenVPN Data Channel Offload
 30...b4 0e de f7 4d 41 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 36...00 15 5d 8f c9 29 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 15    281 2001:579:4c:3700::/64    On-link
 15    281 2001:579:4c:3700:5be9:bf0:9b9f:3923/128
                                    On-link
 15    281 2001:579:4c:3700:cc03:b286:53d8:a7fb/128
                                    On-link
 15    281 fde4:b3e2:db9e:1000::/64 On-link
 15    281 fde4:b3e2:db9e:1000:5555::6b1e/128
                                    On-link
 15    281 fde4:b3e2:db9e:1000:c08d:7634:5276:2feb/128
                                    On-link
 15    281 fde4:b3e2:db9e:1000:cc03:b286:53d8:a7fb/128
                                    On-link
 19    281 fe80::/64                On-link
 15    281 fe80::/64                On-link
 36   5256 fe80::/64                On-link
 19    281 fe80::6b4e:bc42:6225:64b2/128
                                    On-link
 36   5256 fe80::7ce3:8317:eb17:da67/128
                                    On-link
 15    281 fe80::e0be:a038:5030:f7f2/128
                                    On-link
  1    331 ff00::/8                 On-link
 19    281 ff00::/8                 On-link
 15    281 ff00::/8                 On-link
 36   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:579:4c:3700::/64      15  Ethernet 4
No       System    256  2001:579:4c:3700:5be9:bf0:9b9f:3923/128   15  Ethernet 4
No       System    256  2001:579:4c:3700:cc03:b286:53d8:a7fb/128   15  Ethernet 4
No       Manual    256  fde4:b3e2:db9e:1000::/64   15  Ethernet 4
No       System    256  fde4:b3e2:db9e:1000:5555::6b1e/128   15  Ethernet 4
No       System    256  fde4:b3e2:db9e:1000:c08d:7634:5276:2feb/128   15  Ethernet 4
No       System    256  fde4:b3e2:db9e:1000:cc03:b286:53d8:a7fb/128   15  Ethernet 4
No       System    256  fe80::/64                  29  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::/64                  19  Ethernet 3
No       System    256  fe80::/64                  25  OpenVPN Connect DCO Adapter
No       System    256  fe80::/64                   5  Local Area Connection
No       System    256  fe80::/64                  22  Ethernet 5
No       System    256  fe80::/64                  15  Ethernet 4
No       System    256  fe80::/64                  30  Bluetooth Network Connection
No       System    256  fe80::/64                  36  vEthernet (Default Switch)
No       System    256  fe80::42cc:5baf:e39e:6a0f/128   30  Bluetooth Network Connection
No       System    256  fe80::493c:96ef:b3b1:1fae/128   29  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::6b4e:bc42:6225:64b2/128   19  Ethernet 3
No       System    256  fe80::7ce3:8317:eb17:da67/128   36  vEthernet (Default Switch)
No       System    256  fe80::b847:d5ca:dbb3:ee08/128   22  Ethernet 5
No       System    256  fe80::d18b:9f01:61a2:2f2e/128    5  Local Area Connection
No       System    256  fe80::e0be:a038:5030:f7f2/128   15  Ethernet 4
No       System    256  fe80::ff59:d680:5693:b9e4/128   25  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                   29  vEthernet (Default Switch (Wi-Fi))
No       System    256  ff00::/8                   19  Ethernet 3
No       System    256  ff00::/8                   25  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    5  Local Area Connection
No       System    256  ff00::/8                   22  Ethernet 5
No       System    256  ff00::/8                   15  Ethernet 4
No       System    256  ff00::/8                   30  Bluetooth Network Connection
No       System    256  ff00::/8                   36  vEthernet (Default Switch)


C:\>C:\>ping 2001:4860:4860::8888

Pinging 2001:4860:4860::8888 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2001:4860:4860::8888:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

13

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 02, 2024, 07:52:18 pm »

Very relevant to the thread (in my opinion anyhow).

Something changed about how OPNsense is handling IPv6 between the 24.1.1 and the 24.1.2 releases and it's causing me issues.

I did check my IPv6 neighbors on Windows 11 and have the same "Unreachable" results that you have (different ranges of course).

I read through the most recent doc page on "Router Advertising" - nothing stands out as being "different", though just having to enable it is new in the 24.1.2 release (either it was "automagickal" in 24.1.1 or DHCPv6 was handling the RA part as well).

Hopefully wiser and more experienced folks here can help us provide enough data to troubleshoot and resolve...

14

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 01, 2024, 06:21:17 pm »

Just for grins - here's what a Microsoft Windows system sees.

Interface

Code: [Select]

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : lan.local.us
   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : F0-2F-74-D3-B8-52
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:579:4c:120:8bf1:529:2289:3504(Preferred)
   IPv6 Address. . . . . . . . . . . : fde4:b3e2:db9e:1a29::eb1e(Preferred)
   Lease Obtained. . . . . . . . . . : Friday, March 1, 2024 09:38:41
   Lease Expires . . . . . . . . . . : Saturday, March 2, 2024 09:38:40
   IPv6 Address. . . . . . . . . . . : fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:579:4c:120:7c17:d9fb:7c25:26cf(Preferred)
   Temporary IPv6 Address. . . . . . : fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e0be:a038:5030:f7f2%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.144.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, March 1, 2024 09:37:55
   Lease Expires . . . . . . . . . . : Saturday, March 2, 2024 09:37:55
   Default Gateway . . . . . . . . . : fe80::2e0:67ff:fe1f:2529%16
                                       192.168.144.1
   DHCP Server . . . . . . . . . . . : 192.168.144.11
   DHCPv6 IAID . . . . . . . . . . . : 703606644
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-D5-E4-3E-B4-0E-DE-F7-4D-3D
   DNS Servers . . . . . . . . . . . : fde4:b3e2:db9e:1a29::11
                                       192.168.144.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
Routes

Code: [Select]

C:\>route print -6
===========================================================================
Interface List
 22...f0 2f 74 d3 b8 d0 ......Realtek PCIe 2.5GbE Family Controller #2
 30...00 15 5d 58 33 d0 ......Hyper-V Virtual Ethernet Adapter #5
 16...f0 2f 74 d3 b8 52 ......Intel(R) I211 Gigabit Network Connection #2
 19...0a 00 27 00 00 13 ......VirtualBox Host-Only Ethernet Adapter
  7...00 ff 15 55 9b 77 ......TAP-Windows Adapter V9 for OpenVPN Connect
 26...........................OpenVPN Data Channel Offload
 32...b4 0e de f7 4d 41 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 24...00 15 5d 8f c9 29 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 16    281 2001:579:4c:120::/64     On-link
 16    281 2001:579:4c:120:7c17:d9fb:7c25:26cf/128
                                    On-link
 16    281 2001:579:4c:120:8bf1:529:2289:3504/128
                                    On-link
 16    281 fde4:b3e2:db9e:1a29::/64 On-link
 16    281 fde4:b3e2:db9e:1a29::eb1e/128
                                    On-link
 16    281 fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf/128
                                    On-link
 16    281 fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b/128
                                    On-link
 19    281 fe80::/64                On-link
 16    281 fe80::/64                On-link
 24   5256 fe80::/64                On-link
 19    281 fe80::6b4e:bc42:6225:64b2/128
                                    On-link
 24   5256 fe80::7061:9fd4:cd1f:fa4f/128
                                    On-link
 16    281 fe80::e0be:a038:5030:f7f2/128
                                    On-link
  1    331 ff00::/8                 On-link
 19    281 ff00::/8                 On-link
 16    281 ff00::/8                 On-link
 24   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:579:4c:120::/64       16  Ethernet 4
No       System    256  2001:579:4c:120:7c17:d9fb:7c25:26cf/128   16  Ethernet 4
No       System    256  2001:579:4c:120:8bf1:529:2289:3504/128   16  Ethernet 4
No       Manual    256  fde4:b3e2:db9e:1a29::/64   16  Ethernet 4
No       System    256  fde4:b3e2:db9e:1a29::eb1e/128   16  Ethernet 4
No       System    256  fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf/128   16  Ethernet 4
No       System    256  fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b/128   16  Ethernet 4
No       System    256  fe80::/64                  30  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::/64                  19  Ethernet 3
No       System    256  fe80::/64                  26  OpenVPN Connect DCO Adapter
No       System    256  fe80::/64                   7  Local Area Connection
No       System    256  fe80::/64                  22  Ethernet 5
No       System    256  fe80::/64                  16  Ethernet 4
No       System    256  fe80::/64                  32  Bluetooth Network Connection
No       System    256  fe80::/64                  24  vEthernet (Default Switch)
No       System    256  fe80::42cc:5baf:e39e:6a0f/128   32  Bluetooth Network Connection
No       System    256  fe80::493c:96ef:b3b1:1fae/128   30  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::6b4e:bc42:6225:64b2/128   19  Ethernet 3
No       System    256  fe80::7061:9fd4:cd1f:fa4f/128   24  vEthernet (Default Switch)
No       System    256  fe80::b847:d5ca:dbb3:ee08/128   22  Ethernet 5
No       System    256  fe80::d18b:9f01:61a2:2f2e/128    7  Local Area Connection
No       System    256  fe80::e0be:a038:5030:f7f2/128   16  Ethernet 4
No       System    256  fe80::ff59:d680:5693:b9e4/128   26  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                   30  vEthernet (Default Switch (Wi-Fi))
No       System    256  ff00::/8                   19  Ethernet 3
No       System    256  ff00::/8                   26  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    7  Local Area Connection
No       System    256  ff00::/8                   22  Ethernet 5
No       System    256  ff00::/8                   16  Ethernet 4
No       System    256  ff00::/8                   32  Bluetooth Network Connection
No       System    256  ff00::/8                   24  vEthernet (Default Switch)
ICMP Ping test to OPN RA Gateway

Code: [Select]

C:\>ping -6 fe80::2e0:67ff:fe1f:2529

Pinging fe80::2e0:67ff:fe1f:2529 with 32 bytes of data:
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms

Ping statistics for fe80::2e0:67ff:fe1f:2529:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
ICMP Ping to Public IPv6

Code: [Select]

C:\>ping -6 2001:4860:4860::8888

Pinging 2001:4860:4860::8888 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2001:4860:4860::8888:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

15

24.1 Legacy Series / Re: Weirdness with IPv6 and DHCPv6...

« on: March 01, 2024, 04:00:46 pm »

With "Router Advertisements" for "[LAN]" set to Assisted with "Advertise Default Gateway" selected, here is the data: (There is no change if RA is set to "Unmanaged" or "Stateless".)

OPN

Interfaces

Code: [Select]

# ifconfig igb1
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4e0072b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:e0:67:1f:25:29
        inet6 fe80::2e0:67ff:fe1f:2529%igb1 prefixlen 64 scopeid 0x2
        inet6 fde4:b3e2:db9e:1a29::1 prefixlen 64
        inet6 2001:579:4c:120:2e0:67ff:fe1f:2529 prefixlen 64
        inet 192.168.144.1 netmask 0xffffff00 broadcast 192.168.144.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# ifconfig igb0
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4e0072b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:e0:67:1f:25:28
        inet6 fe80::2e0:67ff:fe1f:2528%igb0 prefixlen 64 scopeid 0x1
        inet 98.187.162.137 netmask 0xffffffe0 broadcast 98.187.162.159
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Routes

Code: [Select]

# route -n6v show default
RTA_DST: inet6 ::; RTA_NETMASK: inet6 ::; RTA_IFP: link ; RTM_GET: Report Metrics: len 272, pid: 0, seq 1, errno 0, flags:<UP,GATEWAY,STATIC>
locks:  inits:
sockaddrs: <DST,NETMASK,IFP>
 :: :: link#0
   route to: ::
destination: ::
       mask: ::
    gateway: fe80::2ef8:9bff:fe9d:b419%igb0
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

locks:  inits:
sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
 :: fe80::2ef8:9bff:fe9d:b419%igb0 :: igb0:0.e0.67.1f.25.28 fe80::2e0:67ff:fe1f:2528%igb0
ICMP Ping test

Code: [Select]

# ping6 -c 6 2001:4860:4860::8888
PING6(56=40+8+8 bytes) 2001:579:4c:120:2e0:67ff:fe1f:2529 --> 2001:4860:4860::8888
16 bytes from 2001:4860:4860::8888, icmp_seq=0 hlim=59 time=21.475 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=1 hlim=59 time=21.968 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=2 hlim=59 time=22.530 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=3 hlim=59 time=22.799 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=4 hlim=59 time=21.856 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=5 hlim=59 time=21.361 ms

--- 2001:4860:4860::8888 ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.361/21.998/22.799/0.520 ms
DNS test

Code: [Select]

# dig -6 aaaa www.google.com @2001:4860:4860::8888

; <<>> DiG 9.18.24 <<>> -6 aaaa www.google.com @2001:4860:4860::8888
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13950
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::63
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::67
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::68
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::6a

;; Query time: 30 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888) (UDP)
;; WHEN: Fri Mar 01 08:12:56 CST 2024
;; MSG SIZE  rcvd: 155
LAN Host

Interface

Code: [Select]

$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.144.11  netmask 255.255.255.0  broadcast 192.168.144.255
        inet6 2001:579:4c:120:5555:9a73:b10d:e091  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::53bb:1ff4:f59c:40b3  prefixlen 64  scopeid 0x20<link>
        inet6 2001:579:4c:120:5da5:38c7:9eda:8988  prefixlen 64  scopeid 0x0<global>
        inet6 fde4:b3e2:db9e:1a29::11  prefixlen 64  scopeid 0x0<global>
        inet6 fde4:b3e2:db9e:1a29:bd3f:cf4f:9cfb:1838  prefixlen 64  scopeid 0x0<global>
        ether dc:a6:32:06:df:1a  txqueuelen 1000  (Ethernet)
        RX packets 710197  bytes 377753836 (360.2 MiB)
        RX errors 0  dropped 6  overruns 0  frame 0
        TX packets 472106  bytes 53403899 (50.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Routes

Code: [Select]

$ ip -6 route show
::1 dev lo proto kernel metric 30 pref medium
2001:579:4c:120:5555:9a73:b10d:e091 dev eth0 proto kernel metric 100 pref medium
2001:579:4c:120::/64 dev eth0 proto ra metric 100 pref medium
fde4:b3e2:db9e:1a29::/64 dev eth0 proto ra metric 100 pref medium
fde4:b3e2:db9e:5b10::1 dev lo proto static metric 30 pref medium
fde4:b3e2:db9e:5b10::1 dev lo proto kernel metric 256 pref medium
fde4:b3e2:db9e:5b10::2 dev lo proto kernel metric 30 pref medium
fde4:b3e2:db9e:5b10::2 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::2e0:67ff:fe1f:2529 dev eth0 proto ra metric 100 pref medium
ICMP Ping test to OPN [LAN] Interface

Code: [Select]

$ ping6 -c 6 fde4:b3e2:db9e:1a29::1
PING fde4:b3e2:db9e:1a29::1(fde4:b3e2:db9e:1a29::1) 56 data bytes
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=2 ttl=64 time=0.237 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=3 ttl=64 time=0.271 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=4 ttl=64 time=0.248 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=5 ttl=64 time=0.298 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=6 ttl=64 time=0.180 ms

--- fde4:b3e2:db9e:1a29::1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5112ms
rtt min/avg/max/mdev = 0.180/0.299/0.560/0.122 ms

$ ping6 -c 6 2001:579:4c:120:2e0:67ff:fe1f:2529
PING 2001:579:4c:120:2e0:67ff:fe1f:2529(2001:579:4c:120:2e0:67ff:fe1f:2529) 56 data bytes
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=1 ttl=64 time=0.610 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=3 ttl=64 time=0.255 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=4 ttl=64 time=0.271 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=5 ttl=64 time=0.253 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=6 ttl=64 time=0.178 ms



--- 2001:579:4c:120:2e0:67ff:fe1f:2529 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5098ms
rtt min/avg/max/mdev = 0.178/0.305/0.610/0.139 ms
ICMP Ping test to ISP Gateway

Code: [Select]

$ ping6 -c 6 fe80::2ef8:9bff:fe9d:b419
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
PING fe80::2ef8:9bff:fe9d:b419(fe80::2ef8:9bff:fe9d:b419) 56 data bytes

--- fe80::2ef8:9bff:fe9d:b419 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5116ms
ICMP Ping test to Advertised Gateway

Code: [Select]

$ ping6 -c 6 fe80::2e0:67ff:fe1f:2529
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
PING fe80::2e0:67ff:fe1f:2529(fe80::2e0:67ff:fe1f:2529) 56 data bytes

--- fe80::2e0:67ff:fe1f:2529 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5106ms
ICMP Ping test to Public IPv6

Code: [Select]

$ ping6 -c 6 2001:4860:4860::8888
ping6: connect: Network is unreachable
DNS test

Code: [Select]

$ dig -6 aaaa www.google.com @2001:4860:4860::8888
;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached
NAT Rules from OPN

Code: [Select]

# pfctl -s nat
no nat proto carp all
nat on igb0 inet from (igb1:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (lo0:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from 127.0.0.0/8 to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (igb1:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from (lo0:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from 127.0.0.0/8 to any -> (igb0:0) port 1024:65535
no rdr proto carp all
no rdr on igb1 proto tcp from any to (igb1) port = ssh
no rdr on igb1 proto tcp from any to (igb1) port = http
no rdr on igb1 proto tcp from any to (igb1) port = https
rdr on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS4> round-robin
rdr on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS6> round-robin
Firewall Rules from OPN

Code: [Select]

# pfctl -s rules
scrub in all fragment reassemble
block drop in log on ! igb1 inet6 from fde4:b3e2:db9e:1a29::/64 to any
block drop in log on ! igb1 inet6 from 2001:579:4c:120::/64 to any
block drop in log on igb1 inet6 from fe80::2e0:67ff:fe1f:2529 to any
block drop in log inet6 from fde4:b3e2:db9e:1a29::1 to any
block drop in log inet6 from 2001:579:4c:120:2e0:67ff:fe1f:2529 to any
block drop in log on igb0 inet6 from fe80::2e0:67ff:fe1f:2528 to any
block drop in log on ! igb1 inet from 192.168.144.0/24 to any
block drop in log inet from 192.168.144.1 to any
block drop in log on ! igb0 inet from 98.187.162.128/27 to any
block drop in log inet from 98.187.162.137 to any
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
pass log quick inet6 proto carp from any to ff02::12 keep state label "cf439d72ef4d245e8ad4a1405df1f665"
pass log quick inet proto carp from any to 224.0.0.18 keep state label "2ffa978d51f7b3fbc9000c2895106ee7"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = https label "6baefc2a9cf2536834c092a51134a45c"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "d2bd536587a9f5680c1f850b2d346839"
pass in log quick on igb1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "3420206ced96c01ef73fbc4ac9deb745"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "0fd202708c326aebbe44ab710b6d3652"
pass out log quick on igb1 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "83f6c28de8efae9b444094e4a5bf898c"
pass in log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "a6cd2cce1bc1d912f6258ef1f3fb07e1"
pass in log quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "f7e4334c3e7dc4ba900c5780b828d4a3"
pass out log quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "5ba1258fcaf073eff4060b40ff63044d"
block drop in log quick on igb0 inet from <bogons> to any label "b7cd97a164650b538506fb551a0369e7"
block drop in log quick on igb0 inet6 from <bogonsv6> to any label "f140a48ddade668b9d6f5259669a1d5c"
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 100.64.0.0/10 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet6 from fc00::/7 to any label "45afd72424c84d011c07957569151480"
pass in quick on lo0 all no state label "7535c94082e72e2207679aadb26afd92"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb1 proto tcp from any to (self) port = ssh flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = http flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = https flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass out log route-to (igb0 98.187.162.129) inet from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "25317b606bbeb8522d3dc66b350595a1"
pass out log route-to (igb0 fe80::2ef8:9bff:fe9d:b419) inet6 from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "91af02f708c71d296f2293a00f2ec1cc"
pass in quick on igb1 inet6 proto tcp from <PiHole_MAC> to any port = domain flags S/SA keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto tcp from <PiHole_MAC> to any port = domain-s flags S/SA keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto udp from <PiHole_MAC> to any port = domain keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto udp from <PiHole_MAC> to any port = domain-s keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet proto tcp from <PiHole_MAC> to any port = domain flags S/SA keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto tcp from <PiHole_MAC> to any port = domain-s flags S/SA keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto udp from <PiHole_MAC> to any port = domain keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto udp from <PiHole_MAC> to any port = domain-s keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain flags S/SA keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain-s flags S/SA keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain-s keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet proto tcp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain flags S/SA keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto tcp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain-s flags S/SA keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto udp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto udp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain-s keep state label "6dad948e502d0194a27c640890dff3d6"
block drop in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain-s label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain-s label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain-s label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain-s label "4a346edff76c061eec2c613d413af50b"
pass in quick on igb1 inet6 from (igb1:network) to any flags S/SA keep state label "8ebd079ac5051cde9aa14391041e0025"
pass in quick on igb1 inet6 from fe80::/10 to any flags S/SA keep state label "8ebd079ac5051cde9aa14391041e0025"
pass in quick on igb1 inet from (igb1:network) to any flags S/SA keep state label "2e0fe9f0e69a777054d36feee301301c"
Alias Table for "PiHole_MAC"

Code: [Select]

# pfctl -t PiHole_MAC -T show
   192.168.144.11
   2001:579:4c:120:5555:9a73:b10d:e091
   fde4:b3e2:db9e:1a29::11
   fe80::53bb:1ff4:f59c:40b3