Home user configuration question for Comcast/Xfinity

Started by Sorjal, November 05, 2023, 12:35:36 AM

In setting up my WAN, I've found that it relies on IPv6 link-local for the gateway, and that gateway communicates from that link-local address, including link-local to the multicast address ff02::2. I'm just learning all of this, so I have guesses as to what is going on: that it's trying to check for new devices connected to it to assign them an IPv6 address. I would like to know if this is correct, what I should be doing about this traffic, and why the gateway itself never resolves to an IPv6 address and instead remains a link-local one. Recently, after trying a few things, I unchecked the normally checked "Block private networks" option after I manually added WAN rules to block the IPv4 address ranges it lists in the description. This probably isn't the right choice, but this is more for learning than, say, protecting a business's network, etc.

Checking the NDP table, I can find that address; its manufacturer is Cisco, and I even double-checked that its MAC address doesn't match that of the cable modem.

Now I recently checked the System>Log Files>General logs and I'm seeing:

Notice kernel <7>cannot forward src fe80:2::2c8:****:****:****, dst 2601:193:8200:939:****:****:****:****, nxt 58, rcvif igc1, outif igc0

which by address is the link-local address of the gateway as the source, with a destination that appears to be a combination of the IPv6 prefix and the last 4 parts of the WAN's DHCP-assigned IPv6 address.

My guess is that there is something I misconfigured somewhere, a setting that needs to be enabled or disabled, etc., and I was wondering what other users may have for their DHCPv6 settings, etc. for Comcast/Xfinity that is correct (or at least isn't generating errors). Currently my DHCPv6 client configuration just has a prefix delegation of 64 and "Use IPv4 connectivity" checked, with "Use VLAN priority" disabled.

I've been messing around with different settings and configurations as I've been getting random latency spikes and trying to figure out if there's something left on my end that could be causing it versus something on their side (which honestly seems more likely, as this has been ongoing for years, even before having a firewall system between the cable modem and my local LAN).

On the LAN side, I have it set up to allow manual changes with a range that involves :dddd: so that I can tell immediately if an IPv6 address used was assigned locally, and its DNS servers listed as ::1 and the LAN track IPv6 address, which is in that 2601:193:8200::/64 range and isn't the address in the error. This too is likely configured incorrectly, but again I'm messing around and trying to learn, and have it so any IPv6 DNS queries go to OPNsense instead of out to Comcast's DNS servers.

One thing I know I should probably do, but haven't yet, is to create rules to redirect DNS traffic to OPNsense, but first I also need to get DoH requests set up to be resolved locally, as Apple devices seem to love using that.

I've rambled a bunch here, but figured it's better to provide additional information that might not be needed than not provide enough.

Hardware-wise, OPNsense is currently running on a Protectli Vault VP4650 with way too much memory (in case I wanted to mess around with virtual machines next) and an NVMe SSD drive. Currently I have hyperthreading on in the BIOS, and OPNsense reports 8 cores (4 cores, 8 threads). It uses Intel's i225-V controller, and I updated the BIOS a few months ago to the latest they provide and haven't seen any newer versions since.

Any help with resolving this error and other configuration suggestions would be greatly appreciated. Thank you.
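Added example, not part of the post above: a small Python script that parses kernel "cannot forward" lines in the format quoted in the post and reports the scope of each address, the protocol behind the next-header number (58 is ICMPv6), and why the packet was refused. Link-local scope (fe80::/10, and multicast such as ff02::2) is only valid on the link it was received on, so the FreeBSD kernel under OPNsense will not route such a packet from one interface to another and logs it instead. The sample log lines are constructed, with the masked hex groups from the post replaced by placeholder values.

```python
import re
import ipaddress

# Constructed sample lines in the format of the post's kernel message; the
# masked hex groups from the post are replaced with placeholder values.
SAMPLE_LOG = """\
Notice kernel <7>cannot forward src fe80:2::2c8:1111:2222:3333, dst 2601:193:8200:939:aaaa:bbbb:cccc:dddd, nxt 58, rcvif igc1, outif igc0
Notice kernel <7>cannot forward src 2601:193:8200:939::1, dst fe80::1, nxt 17, rcvif igc0, outif igc1
"""
LINE_RE = re.compile(
    r"cannot forward src (?P<src>[0-9a-fA-F:]+), dst (?P<dst>[0-9a-fA-F:]+), "
    r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\S+), outif (?P<outif>\S+)"
)
NEXT_HEADER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}  # IPv6 next-header values

def scope(addr):
    """Classify an IPv6 address by scope (RFC 4291)."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        # Multicast scope is the low nibble of byte 1; ff02::2 (all-routers) is 2.
        return {1: "interface-local", 2: "link-local", 5: "site-local",
                0xE: "global"}.get(a.packed[1] & 0x0F, "other")
    # fe80::/10. FreeBSD kernel logs embed the interface/zone index in the
    # second hextet ("fe80:2::..."); that still parses as fe80::/10.
    return "link-local" if a.is_link_local else "global"

def explain(line):
    """Decode one 'cannot forward' line: scopes, protocol, path and reason."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_scope, dst_scope = scope(m["src"]), scope(m["dst"])
    reasons = []
    if src_scope == "link-local":
        reasons.append("source is link-local")
    if dst_scope == "link-local":
        reasons.append("destination is link-local")
    # Link-local scope is valid only on the link it was received on, so the
    # kernel refuses to route such packets from rcvif to outif and logs it.
    return {
        "src": m["src"], "dst": m["dst"],
        "src_scope": src_scope, "dst_scope": dst_scope,
        "proto": NEXT_HEADER.get(int(m["nxt"]), "proto " + m["nxt"]),
        "path": m["rcvif"] + " -> " + m["outif"],
        "reason": "; ".join(reasons) or "no link-local address involved",
    }

def explain_all(text):
    return [r for r in (explain(l) for l in text.splitlines()) if r]
```

Running explain_all over the post's own log excerpt shows the first line is an ICMPv6 packet with a link-local source that arrived on igc1 and was headed for igc0, which is exactly what the kernel refuses to forward.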