Automatically generated ICMP rules for IPV6 not passing taffic

[rocketraman]

The Bogons list includes 8000::/1  I think that includes the FE80

So yes block bogons will block link local.

Oh, you're right! 8000::/1 includes everything 8000 and above! Ipv4 has conditioned me to never consider anything less than a /8 on the CIDR.

At least now I know I'm not crazy -- but this seems like a questionable decision on the bogon list. Does anyone know if this has been raised an issue anywhere else?

[rocketraman]

I finally decided that you cannot use the Block Bogons for ipv6 as it breaks the protocol.

What I did was create an alias to download the bogons list directly from http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Then I created an alias for exclusions for !fe80::/10, !ff00::/8, !::1, and since I use NAT64 also !64:ff9b::/96.  I also use ULA internally, so I have an exclusion for the ULA prefix I am using too.

Then I created a another alias for bogons with the exclusions.

Why are you excluding ::1?

[Patrick M. Hausen]

Coming in from any real interface? Why of course. It's not a valid source address on any wire.

[rocketraman]

Coming in from any real interface? Why of course. It's not a valid source address on any wire.

Exactly. In this context, excluding `::1` from the bogon list means allowing it i.e. not considering it a bogon. Hence my question.

[IsaacFL]

I finally decided that you cannot use the Block Bogons for ipv6 as it breaks the protocol.

What I did was create an alias to download the bogons list directly from http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Then I created an alias for exclusions for !fe80::/10, !ff00::/8, !::1, and since I use NAT64 also !64:ff9b::/96.  I also use ULA internally, so I have an exclusion for the ULA prefix I am using too.

Then I created a another alias for bogons with the exclusions.

Why are you excluding ::1?

I don’t remember but it must have been showing in firewall logs under my bogon block rule so I excluded it?

[IsaacFL]

Coming in from any real interface? Why of course. It's not a valid source address on any wire.

Exactly. In this context, excluding `::1` from the bogon list means allowing it i.e. not considering it a bogon. Hence my question.

The default deny rule would catch it, but I am questioning it myself now.

[IsaacFL]

The Bogons list includes 8000::/1  I think that includes the FE80

So yes block bogons will block link local.

Oh, you're right! 8000::/1 includes everything 8000 and above! Ipv4 has conditioned me to never consider anything less than a /8 on the CIDR.

At least now I know I'm not crazy -- but this seems like a questionable decision on the bogon list. Does anyone know if this has been raised an issue anywhere else?

I question it myself cause it since it is in the autogenerated rules you can’t override it.  I especially don’t understand the ULA prefix because they are technically allowed to be routed at least locally. Site level Multicast prefix maybe also, though opnsense doesn’t support that.

[Reiner030]

Hi,
I found this thread while I have similar problems to cleanup our firewall log files from wrongly blocked packets (preparing migration from pfSense to OPNsense business "OPNsense 23.4-amd64").

We are using

• Telekom Speedport router which tries to send only DHCP ICMP messages.
  Since interface is setup to DHCPv6 these packages should be accepted ?
• Fritz!Box Cable Router which checks for other meshed devices.
  Here I try to setup an accept/drop rule without logging.

Problem for both events is that these log lines:

Code: [Select]

WAN108_Uplink_VDSL_Telekom 2023-06-02T16:05:05 fe80::1 ff02::1 ip Block bogon IPv6 networks from WAN108_Uplink_VDSL_Telekom
WAN110_Uplink_Cable_KD 2023-06-02T16:04:04 [fe80::ca0e:14ff:fe6c:4bcc]:53805 [ff02::1]:53805 udp Block bogon IPv6 networks from WAN110_Uplink_Cable_KD
can only be deactivated by deactivating "Block bogon networks" additional to "Block private networks" on their interfaces.

• For 1st problem the "Block private networks" should already "override"/"whitelist" the private networks?
  Else it's same problem as in https://forum.opnsense.org/index.php?topic=23733.0
• For both problems it should be somehow possible to prepend autogenerated rules with own rules but there seems no option for this case implemented yet?

Is there some special place for this request? So far I can see this forum seems the best one for my verrsion.