Ipv6 not staying blocked

Started by MickeyRat, June 21, 2021, 07:32:24 PM

June 21, 2021, 07:32:24 PM Last Edit: June 21, 2021, 07:34:52 PM by MickeyRat
I have a few IPs I want to limit to my LAN only.  First I set up an alias called NoWAN to hold the IPs.  I've attached a pic of my rules.  These are the first rules in the list.  They block inbound and outbound ipv4 and ipv6 traffic from anywhere except a LAN address.  Now here's the weird part.  They work fine for both ipv4 and ipv6 when I'm first connected, but after 10 minutes or so ipv6 starts leaking.  Here's what I see on reboot or when I cycle the network connections:

ping www.google.com
ping: www.google.com: Temporary failure in name resolution


After 10 minutes or so I get:

ping www.google.com
PING www.google.com(yx-in-x68.1e100.net (2607:f8b0:4002:c08::68)) 56 data bytes
64 bytes from yx-in-x68.1e100.net (2607:f8b0:4002:c08::68): icmp_seq=1 ttl=106 time=16.2 ms
64 bytes from yx-in-x68.1e100.net (2607:f8b0:4002:c08::68): icmp_seq=2 ttl=106 time=16.5 ms


Note that those are ipv6 addresses.

I've tried making separate rules for ipv4 and ipv6 with the same result.  I'm not a networking expert and I don't know much about ipv6.  So, any help would be appreciated.

Enable logging for these rules and show us the LiveView. :)
And is ipv4 traffic also not getting blocked?
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

June 22, 2021, 01:44:54 PM #2 Last Edit: June 22, 2021, 01:50:34 PM by MickeyRat
Quote from: lfirewall1243 on June 22, 2021, 08:25:42 AM
Enable logging for these rules and show us the LiveView. :)
And is ipv4 traffic also not getting blocked?

Thank you for the reply.  I added a description (Deny WAN Access In and Deny WAN Access Out) to both rules and I turned on logging.  I've attached a pic of the liveview log, both the detail and the view as it's going by when it's blocked.  It was a bit tricky given the traffic, but I managed to get a detail view when ipv6 is getting out.

If I turn ipv6 off on the node, it times out and I do see the block on ipv4 in the liveview. 

I need to note that I saw something similar with nodes I set up to go through NordVPN.  Ipv6 was getting through even though I had blocking rules.  There were a lot of rules for that setup and I thought that I'd done something wrong so I disabled ipv6 at the nodes.  I never was satisfied with that solution.

I have another data point.  Thanks to @lfirewall1243 for pointing out that I should be looking at the log.  So I again put in separate rules for ipv6 and ipv4 to see what's getting triggered.  The result is the same whether the ipv6 rules are first or the ipv4 rules are first.  The log shows that the ipv6 rules never get triggered.

June 23, 2021, 11:40:51 AM #4 Last Edit: June 23, 2021, 11:43:19 AM by Greelan
ICMP is pretty important for IPv6 functionality and the automatic floating ICMP rule is probably letting the pings out (the logs suggest that).

BTW, "LAN address" just means the interface address on OPNsense. I think you really want "LAN net".  And your "no WAN out" rule won't do anything.
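As an added illustration that is not from the thread or from OPNsense's generated ruleset, this is how the intended policy reads in the pf syntax the GUI rules compile to; the interface name, prefixes and table contents are assumptions:

```pf
# Hand-written pf.conf fragment (illustration only). "igb1" as the LAN
# interface and the addresses in the table are constructed assumptions.
lan_if = "igb1"

# The NoWAN alias from the thread, as a pf table with sample members.
table <NoWAN> { 192.168.1.50, 192.168.1.51, 2001:db8:1::50 }

# Keep IPv6 working on the segment itself: neighbour discovery and router
# solicitation use link-local and multicast destinations that never leave
# the LAN, so they are passed before the block rules below.
pass in quick on $lan_if inet6 proto icmp6 from <NoWAN> to fe80::/10
pass in quick on $lan_if inet6 proto icmp6 from <NoWAN> to ff02::/16

# "LAN net" is ($lan_if:network), the whole prefix behind the interface.
# "LAN address" would be ($lan_if), only the router's own address, so a
# rule built on it almost never matches the traffic meant to be blocked.
#
# Hosts' outbound pings arrive *in* on the LAN interface, which is why a
# rule on LAN "out" sees nothing. "log" feeds the LiveView; "quick" stops
# evaluation so no later pass rule can let the packet through.
block in log quick on $lan_if inet  from <NoWAN> to ! ($lan_if:network)
block in log quick on $lan_if inet6 from <NoWAN> to ! ($lan_if:network)
```

In pf the first matching "quick" rule wins, so the block for both address families has to sit above any allow rule for ICMPv6; if that allow lives in a floating rule that is evaluated earlier, the block has to be placed at that level too, which is what a logged block line in the LiveView confirms.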

Quote from: Greelan on June 23, 2021, 11:40:51 AM
ICMP is pretty important for IPv6 functionality and the automatic floating ICMP rule is probably letting the pings out (the logs suggest that).

BTW, "LAN address" just means the interface address on OPNsense. I think you really want "LAN net".  And your "no WAN out" rule won't do anything.

Thank you for the reply.  I'd heard of ICMP, but I didn't know much about it.  So, I did a little reading and now I know a little more.  If I'm reading things correctly, ICMP might allow someone on the internet to see that the devices in the NoWAN alias exist and who my ISP is, but that's about all.

That also explains the ipv6 leak that allowed DNSLeakTest.com to see my ISP for my VPN group until I disabled ipv6 on the nodes.  It may not be possible, but I'll try to come up with a floating rule that will block this.

Thank you for the info on the LAN addresses.  I'll make that change.  I didn't see a problem with communication on the LAN, but that's probably because my switches were routing the traffic and it never went to the router.  Yeah, I never saw the out rule triggered.  I'll dump it.

Please educate me a little.  I believe the ICMP hypothesis is correct, but why don't I see this issue until it's been connected a while?