Messages - Javier®

#1
25.1, 25.4 Production Series / Re: RFC 4890
June 10, 2025, 07:37:51 PM
Hello, I don't see 143 in the GUI, it's not available for selection. Only Multicast Listener Report 131.
I want to test if it works with my ISP. I get a 131 from my ISP every 2 minutes and I think the reason is that I don't have 143 open.

#2
25.1, 25.4 Production Series / Re: RFC 4890
June 09, 2025, 10:33:05 PM
I understand, would it be useful to allow 130 131 132 143 for MLDv2?
#3
25.1, 25.4 Production Series / Re: RFC 4890
June 09, 2025, 05:43:29 PM
130 131 132 143 (MLD version 2) are omitted; I think they're necessary. 1 2 128 should be after the Bogonsv6 block and private networks; 1 2 128 are not for local addresses.
#4
25.1, 25.4 Production Series / Re: RFC 4890
June 09, 2025, 05:11:47 PM
Hi, sorry for the delay in replying. The Opnsense rules in IPv6 are fine, they work as expected, without problems. Opnsense only uses 1 2 128 133 134 135 136, and I think that conforming more closely to RFC 4890 would be more practical and a little more secure.
#5
25.1, 25.4 Production Series / RFC 4890
June 08, 2025, 11:12:53 PM
Hi, would it be a good idea to change the automatically generated rules for RFC 4890?

# RFC 4890, section 4.4
pass quick inet6 proto icmp6 to { (self) ff02::/16 } icmp6-type \
   { 133 134 135 136 141 142 130 131 132 143 148 149 151 152 153 }

This is after martians.

# RFC 4890, section 4.3
pass quick inet6 proto icmp6 icmp6-type { 1 2 3 4 128 129 144 145 146 147 }

Is this a good idea?
#6
Hi, it's worth a try, I only have two interfaces and it looks like this. It works very well for me.


interface igc1 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix-interface igc1 {
    sla-id 177;
    sla-len 8;
    ifid 273312202386047166;
  };
  prefix-interface igc0 {
    sla-id 178;
    sla-len 8;
    ifid 273312202386047166;
  };
};


igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=4e0272b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether xx:xx:xx:xx:xx:xx
        inet 10.154.96.129 netmask 0xffffff80 broadcast 10.154.96.255
        inet6 fe80::2e0:4dff:fe02:cdb2%igc0 prefixlen 64 scopeid 0x1
        inet6 2a01:cc00:cf00:6eb2:3cb::be prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4e0272b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether xx:xx:xx:xx:xx:xx
        inet 94.107.56.16 netmask 0xfffffe00 broadcast 94.107.57.255
        inet6 fe80::2e0:4dff:fe02:cdb3%igc1 prefixlen 64 scopeid 0x2
        inet6 2a01:cc00:cf00:6eb1:3cb::be prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
#7
Hi, interface cxl0 is not configured in id-assoc pd 0.
#8
Hello, what static IP do you have on LAN and network mask?
#9
You're amazing Franco, thanks
#10
I don't see a live view log either.
#11
Hi, I have that problem too.
#12
It seems strange to me too, I have to add the rule explicitly.
They are allowed but type 130 is not.

From all to all: 1,2,135,136
Specific, from fe80::/10 to fe80::/10, ff02::/16: 128,133,134,135,136

The second rule is out: 128,129,133,134,135,136
#13
Hi everyone, the packet the firewall is blocking is an ICMP type 130 packet. This packet is sent every 125 seconds. It's from my ISP's Cisco.
Opnsense doesn't allow type 130 by default.

Cisco MLD
General Query (Type 130)
Sent to learn about listeners on the attached link
Sets the Multicast Address Field to zero
Sent every 125 seconds

https://www.cisco.com/c/dam/global/sk_sk/assets/expo2011/pdfs/IPv6_multicast_security_Stefan_Kollar.pdf
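The split argued for in post #5 (types 1 2 128 as transit traffic under RFC 4890 section 4.3, MLD 130-132 143 and ND 133-136 as link-local traffic under section 4.4) and the blocked MLD General Query in post #13 can both be checked against the RFC text with a small decision function. The Python below is an added example for this thread, not OPNsense's or pf's code: it encodes the type lists of sections 4.3.1 to 4.3.5 and 4.4.1, 4.4.2 and 4.4.5 (everything else is reported as local policy, sections 4.3.4 and 4.4.4), applies the hop-limit and link-local-source conditions that section 4.4.1 attaches to the ND, SEND, MLD and MRD groups, and renders the two pf rules from post #5 from the same tables so the type lists can be compared. The names Icmp6Pkt, classify, pf_rules and run_samples are chosen here, and the sample packets (including a General Query like the one the Cisco sends) are constructed, not captured from the poster's firewall.

```python
"""RFC 4890 ICMPv6 filtering decisions. Added example for this thread, not
OPNsense or pf code; Icmp6Pkt, classify and pf_rules are names chosen here."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PASS = "pass"      # must not / normally should not be dropped
    DROP = "drop"      # fails a 4.4.1 condition, or "drop unless a good case can be made"
    POLICY = "policy"  # left to local policy (4.3.4 / 4.4.4)


@dataclass(frozen=True)
class Icmp6Pkt:
    type: int
    code: int
    src: str
    dst: str
    hop_limit: int


# 4.3.1 / 4.4.1: error and connectivity messages; None means every code.
MUST_PASS = {1: None, 2: None, 3: {0}, 4: {1, 2}, 128: None, 129: None}
SHOULD_PASS = {3: {1}, 4: {0}}          # 4.3.2 / 4.4.2
MIPV6 = {144, 145, 146, 147}            # 4.3.2, Mobile IPv6, transit only
ND = {133, 134, 135, 136, 141, 142}     # 4.4.1: hop limit must be 255
SEND = {148, 149}                       # 4.4.1: hop limit must be 255
MLD = {130, 131, 132, 143}              # 4.4.1: source must be link-local
MRD = {151, 152, 153}                   # 4.4.1: link-local source, hop limit 1
LINK_LOCAL_ONLY = ND | SEND | MLD | MRD | {137}  # 4.3.3: never forwarded by a router
DROP_TRANSIT = {138, 139, 140, 100, 101, 200, 201, 127, 255}  # 4.3.5
DROP_LOCAL = {138, 100, 101, 200, 201, 127, 255}              # 4.4.5
LINK_LOCAL_NET = ipaddress.IPv6Network("fe80::/10")


def classify(pkt: Icmp6Pkt, transit: bool) -> tuple[Verdict, str]:
    """Return (verdict, RFC 4890 section). transit=True means the packet is
    forwarded through the firewall (4.3); False means it is addressed to the
    firewall or to a link-scope group on one of its links (4.4)."""
    sec = "4.3" if transit else "4.4"
    if pkt.type in MUST_PASS:
        codes = MUST_PASS[pkt.type]
        if codes is None or pkt.code in codes:
            return Verdict.PASS, sec + ".1"
    if pkt.type in SHOULD_PASS and pkt.code in SHOULD_PASS[pkt.type]:
        return Verdict.PASS, sec + ".2"
    if transit:
        if pkt.type in MIPV6:
            return Verdict.PASS, "4.3.2"
        if pkt.type in LINK_LOCAL_ONLY:
            return Verdict.DROP, "4.3.3"
        if pkt.type in DROP_TRANSIT:
            return Verdict.DROP, "4.3.5"
        return Verdict.POLICY, "4.3.4"
    # Local traffic: the type is not enough, the 4.4.1 link-layer condition
    # must hold too (this is what a pf rule keyed on the type cannot check).
    src_ll = ipaddress.IPv6Address(pkt.src) in LINK_LOCAL_NET
    if pkt.type in ND or pkt.type in SEND:
        ok = pkt.hop_limit == 255
    elif pkt.type in MLD:
        ok = src_ll
    elif pkt.type in MRD:
        ok = src_ll and pkt.hop_limit == 1
    elif pkt.type in DROP_LOCAL:
        return Verdict.DROP, "4.4.5"
    else:
        return Verdict.POLICY, "4.4.4"
    return (Verdict.PASS if ok else Verdict.DROP), "4.4.1"


def pf_rules() -> list[str]:
    """Render the same tables as the two pf rules proposed in the thread."""
    local = " ".join(str(t) for t in sorted(ND | SEND | MLD | MRD))
    transit = " ".join(str(t) for t in sorted(set(MUST_PASS) | set(SHOULD_PASS) | MIPV6))
    return [
        f"pass quick inet6 proto icmp6 to {{ (self) ff02::/16 }} icmp6-type {{ {local} }}",
        f"pass quick inet6 proto icmp6 icmp6-type {{ {transit} }}",
    ]


# Constructed sample traffic, not captured from the poster's firewall.
SAMPLES = {
    "MLD General Query from the ISP router": (Icmp6Pkt(130, 0, "fe80::1", "ff02::1", 1), False),
    "MLDv2 report with a global source": (Icmp6Pkt(143, 0, "2001:db8::5", "ff02::16", 1), False),
    "RA with hop limit 64 instead of 255": (Icmp6Pkt(134, 0, "fe80::1", "ff02::1", 64), False),
    "echo request forwarded by the firewall": (Icmp6Pkt(128, 0, "2001:db8::1", "2001:db8:1::10", 60), True),
    "neighbor solicitation in transit": (Icmp6Pkt(135, 0, "2001:db8::1", "2001:db8:1::10", 255), True),
}


def run_samples() -> dict[str, tuple[str, str]]:
    """Verdict and section for every sample, keyed by its description."""
    out = {}
    for name, (pkt, transit) in SAMPLES.items():
        verdict, section = classify(pkt, transit)
        out[name] = (verdict.value, section)
    return out


if __name__ == "__main__":
    for name, (verdict, section) in run_samples().items():
        print(f"{verdict:6} {section}  {name}")
    print("\n".join(pf_rules()))
```

Run stand-alone it prints a verdict per sample and then the two rules, which come out with exactly the type lists quoted in post #5: 130-136 141-143 148 149 151-153 for local traffic, 1-4 128 129 144-147 for transit. The General Query from a link-local source passes under 4.4.1, an MLDv2 report from a global source and an RA with hop limit 64 are dropped by the 4.4.1 conditions, and ND in transit is dropped under 4.3.3. The caveat for the pf side is that a pass rule can match on icmp6-type and addresses but not on the hop limit, so the `to { (self) ff02::/16 }` destination is the closest pf gets to "link-local configuration traffic"; the hop-limit 255 check on ND is left to the kernel's neighbor discovery input code.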
#14
I have managed to make the connection more or less stable, explicitly adding FF02:0:0:0:0:1:FF00::/104. Now I don't lose IPv6 over time.
Thank you for your work.

I think the problem is the NICs. I226-V version V2.17-0. I had to configure sysctl to be stable and fast.
hw.igc.max_interrupt_rate: 20000
hw.igc.enable_aim: 0
#15
In this screenshot, version 2 is requested but I do not receive anything.

root@firewall:~ # netstat -sp icmp6
icmp6:
        97 calls to icmp6_error
        0 errors not generated in response to an icmp6 message
        0 not generated because of rate limitation
        Output histogram:
                packet too big: 94
                router solicitation: 1
                router advertisement: 40
                neighbor solicitation: 10
                neighbor advertisement: 6
                MLDv2 listener report: 10
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        0 total packets dropped due to failed ND resolution
        Input histogram:
                unreach: 41
                time exceed: 1
                router solicitation: 1
                router advertisement: 7025
                neighbor solicitation: 6
                neighbor advertisement: 5
        Histogram of error messages to be generated:
                3 no route
                0 administratively prohibited
                0 beyond scope
                0 address unreachable
                0 port unreachable
                94 packet too big
                0 time exceed transit
                0 time exceed reassembly
                0 erroneous header field
                0 unrecognized next header
                0 unrecognized option
                0 redirect
                0 unknown
        0 message responses generated
        0 messages with too many ND options
        0 messages with bad ND options
        0 bad neighbor solicitation messages
        0 bad neighbor advertisement messages
        0 bad router solicitation messages
        0 bad router advertisement messages
        0 bad redirect messages
        0 default routers overflows
        0 prefix overflows
        0 neighbour entries overflows
        0 redirect overflows