System Log Notice cannot forward src flood

Started by meelokun, October 02, 2023, 06:23:32 PM

Forgive me, as I'm a complete novice when it comes to this sort of thing, but I need assistance in figuring out why my system log is flooded with a level 7 kernel notice relating to traffic that is unable to be forwarded, clearly relating to IPv6 (which I know very little about).

My log has been flooded for so long, I've reached 51 GB worth of logs AND climbing!

The log message indicates that the system is unable to forward traffic from one interface (igc1) to another (igc0) and specifically mentions that it's having trouble with IPv6 traffic using both UDP (nxt 17) and a non-UDP (nxt 58) protocol.

I'm honestly not really sure where to start with troubleshooting on this one, but I will say that there has been strange network behavior with some of my TP-Link smart plugs (no longer accessible/toggleable in the Kasa app or Sense Home app).

Snippet of log:
2023-10-02T12:16:41-04:00 Notice kernel <7>cannot forward src fe80:2::3ff0:fb6b:56af:56d7, dst 2001:4860:4860::8888, nxt 17, rcvif igc1, outif igc0
2023-10-02T12:16:13-04:00 Notice kernel <7>cannot forward src fe80:2::3ff0:fb6b:56af:56d7, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
2023-10-02T12:16:05-04:00 Notice kernel <7>cannot forward src fe80:2::a4f2:2ccb:4b03:18b2, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
2023-10-02T12:15:57-04:00 Notice kernel <7>cannot forward src fe80:2::9ecc:6e40:bf07:3a9, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
2023-10-02T12:15:12-04:00 Notice kernel <7>cannot forward src fe80:2::3ff0:fb6b:56af:56d7, dst 2001:4860:4860::8888, nxt 17, rcvif igc1, outif igc0
2023-10-02T12:15:05-04:00 Notice kernel <7>cannot forward src fe80:2::a4f2:2ccb:4b03:18b2, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0


I wonder if an errant setting was enabled that might be causing this, but I'm not sure which.

Things to know: I have Verizon Fios. My igc0 interface is my WAN interface; igc1 is my LAN interface.
under Interfaces->WAN IPv6 configuration is set to DHCPv6
under Interfaces->LAN IPv6 configuration is set to Track Interface
under Interfaces->Settings IPv6 DHCP Prevent Release is enabled (recently enabled as of today, to see if this will help)

Running
Versions   OPNsense 23.7.5-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023

2001:4860:4860::8888 is Google DNS. It seems some devices in your LAN are trying to use Google DNS, but with a link-local source address (fe80::/10). That's impossible; these addresses are not routable. That's essentially what the error messages say.

You can use Interfaces: Diagnostics: NDP Table to identify the misbehaving devices.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

@meelokun did you ever get to the bottom of this? I am having the exact same issue. Dual stack IPv4+6, seeing lots of the same "cannot forward src..." errors. They're all link-local IPv6 addresses coming in on my OPNsense box's LAN interface and trying to go out the WAN interface. I can use the NDP lookup table to determine which devices are doing this, but it doesn't tell me why they're doing it.

I'm positive this is due to an IPv6 misconfiguration...somewhere. But not sure where to look next.

So only some devices do this? Do they have anything in common? This really doesn't look like something OPNsense could have an impact on (bug / misconfiguration).

I have seen this before in my network. In my case the culprits are Android devices.
They can't get an IPv6 address from SLAAC, so they get stupid and try to reach GUA addresses with their LLA sources.

Interesting about the Android devices. I only have one in the house and it only gets powered on every few weeks, so this wasn't that. I've turned off IPv6 on my LAN for the time being but I'll have to turn it back on and see if I can find any commonalities between the devices producing that issue.

Older topic, but how can I find the device that is still using fe80:...? I see only properly configured devices in my IPv6 leases list...

<7>cannot forward src fe80:1::d1f2:9d6a:4c2e:ef7, dst 2a03:2880:..., nxt 17, rcvif re0, outif re1

As I understand from here, it must be in my LAN (re0) and want to reach the WAN (re1), right?

Did you check the NDP table to identify the MAC address of the device? See my first comment back then.

Cheers
Maurice
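Maurice's advice in both of his replies (filter the "cannot forward" notices down to the link-local sources, then look them up in the NDP table to get a MAC address) can be scripted. The following is an added example written for this thread, not code from OPNsense or from any poster. It takes the kernel log lines quoted in the first post as input, and a constructed `ndp -an` style table whose MAC addresses are made up (one device is deliberately left out of the table to show the expired-entry case). Two details it relies on: FreeBSD prints link-local addresses in these kernel messages with the receiving interface's scope index embedded in the second hextet (hence `fe80:2::...` rather than `fe80::...`), which the script strips before matching against the NDP table, and next header 17 is UDP while 58 is ICMPv6.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines quoted in the first post of this thread (OPNsense 23.7 / FreeBSD 13.2).
LOG_LINES = """\
2023-10-02T12:16:41-04:00 Notice kernel <7>cannot forward src fe80:2::3ff0:fb6b:56af:56d7, dst 2001:4860:4860::8888, nxt 17, rcvif igc1, outif igc0
2023-10-02T12:16:13-04:00 Notice kernel <7>cannot forward src fe80:2::3ff0:fb6b:56af:56d7, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
2023-10-02T12:16:05-04:00 Notice kernel <7>cannot forward src fe80:2::a4f2:2ccb:4b03:18b2, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
2023-10-02T12:15:57-04:00 Notice kernel <7>cannot forward src fe80:2::9ecc:6e40:bf07:3a9, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
2023-10-02T12:15:12-04:00 Notice kernel <7>cannot forward src fe80:2::3ff0:fb6b:56af:56d7, dst 2001:4860:4860::8888, nxt 17, rcvif igc1, outif igc0
2023-10-02T12:15:05-04:00 Notice kernel <7>cannot forward src fe80:2::a4f2:2ccb:4b03:18b2, dst 2001:4860:4860::8888, nxt 58, rcvif igc1, outif igc0
"""

# Constructed `ndp -an` output (what Interfaces > Diagnostics > NDP Table shows).
# MAC addresses are made up. The 9ecc device has no entry on purpose: its
# neighbor cache entry has expired, which is what a lookup looks like in practice
# when the table is read long after the traffic was seen.
NDP_TABLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::3ff0:fb6b:56af:56d7%igc1       02:00:5e:aa:00:01  igc1  23h59m59s S R
fe80::a4f2:2ccb:4b03:18b2%igc1       02:00:5e:aa:00:02  igc1  10m12s    S R
2001:db8:1::a4f2:2ccb:4b03:18b2%igc1 02:00:5e:aa:00:02  igc1  10m12s    S R
"""

LOG_RE = re.compile(
    r"cannot forward src (?P<src>[^,\s]+), dst (?P<dst>[^,\s]+), "
    r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\S+), outif (?P<outif>\S+)"
)
NEXT_HEADER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
# Clears the second hextet, where FreeBSD embeds the scope (interface) index
# of a link-local address when printing it in kernel messages.
SCOPE_MASK = ~(0xFFFF << 96)


def canonical(addr: str) -> tuple[str, bool]:
    """Return (address without scope index or %zone suffix, is_link_local)."""
    ip = ipaddress.IPv6Address(addr.partition("%")[0])
    link_local = ip.is_link_local          # membership in fe80::/10
    if link_local:
        ip = ipaddress.IPv6Address(int(ip) & SCOPE_MASK)
    return str(ip), link_local


def parse_log(text: str) -> list[dict]:
    """Extract the fields of every 'cannot forward' notice; skip other lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, link_local = canonical(m["src"])
        records.append({
            "src": src,
            "src_is_link_local": link_local,
            "dst": canonical(m["dst"])[0],
            "proto": NEXT_HEADER.get(int(m["nxt"]), m["nxt"]),
            "rcvif": m["rcvif"],
            "outif": m["outif"],
        })
    return records


def parse_ndp(text: str) -> dict[tuple[str, str], str]:
    """Map (canonical IPv6 address, interface) -> MAC from `ndp -an` output."""
    table = {}
    for line in text.splitlines()[1:]:     # first line is the column header
        fields = line.split()
        if len(fields) < 3 or fields[1] == "(incomplete)":
            continue
        addr, _ = canonical(fields[0])
        table[(addr, fields[2])] = fields[1]
    return table


def attribute(records: list[dict], ndp: dict) -> dict:
    """Count drops per link-local source and interface, and attach the MAC if known."""
    hits = defaultdict(lambda: {"count": 0, "protos": set(), "mac": None})
    for r in records:
        if not r["src_is_link_local"]:
            continue                         # only unroutable sources are of interest
        key = (r["src"], r["rcvif"])
        hits[key]["count"] += 1
        hits[key]["protos"].add(r["proto"])
        hits[key]["mac"] = ndp.get(key)
    return dict(hits)


def report(log_text: str = LOG_LINES, ndp_text: str = NDP_TABLE) -> list[str]:
    """One line per offending device, busiest first."""
    hits = attribute(parse_log(log_text), parse_ndp(ndp_text))
    out = []
    for (src, iface), h in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        mac = h["mac"] or "no NDP entry (expired; re-check while the traffic is active)"
        out.append(f"{src} on {iface}: {h['count']} drops "
                   f"({', '.join(sorted(h['protos']))}) -> {mac}")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real box, feed it `clog /var/log/system.log` (or the exported system log) and the current `ndp -an` output instead of the embedded samples; the MAC's OUI then tells you the vendor, which is how to test the Android or smart-plug theories raised above.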