Live view filled with plenty of Deny ff02::16 icmp AND udp 3702

Started by XabiX, September 13, 2024, 08:58:02 AM

Hello Experts,

I don't understand why I am seeing this traffic and whether I should either allow it or put a non-verbose rule entry in place to stop it from filling the logs.

Besides, I was trying WS and I see UDP 3702 blocked too. My setup is IPv4, so I'm not sure if I need those too.

[code]ndp -a
Neighbor                             Linklayer Address  Netif Expire    1s 5s
2a01:e0a:3ba:cb90::2                 92:f5:ca:c9:f3:92 vtnet0 permanent R
fe80::90f5:caff:fec9:f392%vtnet0     92:f5:ca:c9:f3:92 vtnet0 permanent R
fe80::9c90:88ff:fe48:d45b%vtnet1     9e:90:88:48:d4:5b vtnet1 permanent R
fe80::449f:54ff:fe80:6bf1%vtnet2     46:9f:54:80:6b:f1 vtnet2 permanent R
fe80::bc00:eeff:fe5d:31e3%vtnet3     be:00:ee:5d:31:e3 vtnet3 permanent R
2a01:e0a:3ba:cb91::1                 da:dc:fd:fa:f7:7c vtnet4 permanent R
fe80::b9a8:d032:e210:1c2a%vtnet4     dc:00:b0:44:74:64 vtnet4 23h56m0s  S
fe80::d8dc:fdff:fefa:f77c%vtnet4     da:dc:fd:fa:f7:7c vtnet4 permanent R
2a01:e0a:3ba:cb91:61da:fc7d:3083:ed4f dc:00:b0:44:74:64 vtnet4 23h56m0s  S
fe80::8db:32ff:feb9:b45c%vtnet6      0a:db:32:b9:b4:5c vtnet6 permanent R[/code]

[code]pfctl -s rules | grep "from fe80::/10"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick on vtnet4 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "202cde82e72bc8757ce87db904864c07"
pass in quick on vtnet4 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "202cde82e72bc8757ce87db904864c07"
pass in quick on vtnet4 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "fcfc7f20b012cb13daa2953a063f4f4e"
pass in quick on vtnet4 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "a329a5ad6317f1c72757431e7a8232aa"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "4408d4bb3e3b231599822fa8f4546f8d"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "4408d4bb3e3b231599822fa8f4546f8d"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "3e5fbb29b91da43363e550aead699e16"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "43f521ff1b149fea894c4f31417849bb"
pass in quick on vtnet4 inet6 from fe80::/10 to ! (vtnet1:network) flags S/SA keep state allow-opts label "178c7c3c8c26cb8456b49510389dd6e3"[/code]

Any help is more than welcome.

Merci

You are seeing blocked IPv6 multicast traffic on WAN, probably by your ISP router or modem depending on what kind of device you have there. You can probably safely ignore it. Just disable logging for blocked packets.

Firewall > Settings > Advanced > Logging > Default block

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks Patrick!

My bad, I forgot that I have an internal interface which operates with IPv6: the media set-top box of my ISP for TV and services like replay/Netflix etc.

Therefore, if this is acceptable, should I allow this traffic just towards this LAN interface?

Is your comment also valid for the traffic towards udp 3702?

Merci

Quote from: XabiX on September 13, 2024, 03:23:50 PM
My bad, I forgot that I have an internal interface which operates with IPv6: the media set-top box of my ISP for TV and services like replay/Netflix etc.

Therefore, if this is acceptable, should I allow this traffic just towards this LAN interface?
Multicast traffic is not generally routed across interfaces. There's just "something" on your WAN that transmits this stuff in case something else might answer. As far as I know ff02::16 is not a predefined well-known multicast address like the "all routers" or "all hosts" ones.

If your services work, I would not permit anything in from WAN.

Quote from: XabiX on September 13, 2024, 03:23:50 PM
Is your comment also valid for the traffic towards udp 3702?
Yes.

Kind regards,
Patrick
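The two answers above rest on two facts: ff02::/16 is link-local-scope multicast, so a router never forwards it to another interface, and the quoted `pass in quick` rules only pass specific ICMPv6 types and DHCPv6 ports from fe80::/10, so an MLD report to ff02::16 or a WS-Discovery probe to UDP 3702 falls through to the default block. The following Python is an added example, not OPNsense code and not from any post in this thread. It models a constructed subset of the quoted rules in pf evaluation order (labels, the `to (self)` rules and the last vtnet4 rule are omitted), with the standard ICMPv6 type numbers (128, 133-136, and 143 for the MLDv2 listener report) and UDP ports (546, 547, 3702) assumed, and shows which packets the rules pass and which reach the default block.

```python
"""Toy pf-style matcher for the IPv6 link-local rules quoted in the thread.

Added example, not OPNsense code: it models only the pf semantics needed
here (inbound, 'quick' first-match, optional interface binding, ICMPv6 type
or UDP destination port) with a default-deny fallback.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 type numbers behind the pf names used in the post, plus the
# MLDv2 listener report (type 143, RFC 3810) that none of the rules pass.
ICMP6 = {"echoreq": 128, "routersol": 133, "routeradv": 134,
         "neighbrsol": 135, "neighbradv": 136, "mldv2report": 143}
# Standard UDP ports; 3702 is WS-Discovery (the "WS" traffic the OP mentions).
UDP_PORTS = {"dhcpv6-client": 546, "dhcpv6-server": 547, "ws-discovery": 3702}


@dataclass(frozen=True)
class Rule:
    proto: str                   # "ipv6-icmp" or "udp"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    match: int                   # ICMPv6 type or UDP destination port
    iface: Optional[str] = None  # None: rule applies on every interface


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    match: int


def _r(proto: str, dst: str, key: str, iface: Optional[str] = None) -> Rule:
    """Build a 'pass in quick ... from fe80::/10 to <dst>' rule like the ones quoted."""
    table = ICMP6 if proto == "ipv6-icmp" else UDP_PORTS
    return Rule(proto, "fe80::/10", dst, table[key], iface)


# Constructed subset of the thread's rules, in pf evaluation order.
RULES = [
    _r("ipv6-icmp", d, t)
    for t in ("echoreq", "routersol", "routeradv", "neighbrsol", "neighbradv")
    for d in ("fe80::/10", "ff02::/16")
] + [
    _r("udp", "fe80::/10", "dhcpv6-client", "vtnet4"),
    _r("udp", "ff02::/16", "dhcpv6-client", "vtnet4"),
    _r("udp", "ff02::/16", "dhcpv6-server", "vtnet4"),
    _r("udp", "fe80::/10", "dhcpv6-client", "vtnet0"),
    _r("udp", "ff02::/16", "dhcpv6-client", "vtnet0"),
    _r("udp", "ff02::/16", "dhcpv6-server", "vtnet0"),
]


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def first_match(pkt: Packet, rules=RULES) -> Optional[Rule]:
    """Return the first 'quick' rule that passes pkt, or None (default block)."""
    for r in rules:
        if r.iface not in (None, pkt.iface):
            continue  # rule is bound to another interface
        if (r.proto == pkt.proto and r.match == pkt.match
                and _in(pkt.src, r.src) and _in(pkt.dst, r.dst)):
            return r
    return None


def scope(addr: str) -> str:
    """Classify an IPv6 address; ff02::/16 is link-local scope, never forwarded by a router."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        scop = (int(a) >> 112) & 0xF  # 4-bit scope field of ff0s::/16
        return {1: "interface-local multicast", 2: "link-local multicast",
                5: "site-local multicast", 14: "global multicast"
                }.get(scop, f"multicast scope {scop}")
    if a.is_link_local:
        return "link-local unicast"
    if a.is_global:
        return "global unicast"
    return "other"


if __name__ == "__main__":
    # Constructed packets mirroring the blocked entries from the live view.
    for p in (Packet("vtnet0", "fe80::1", "ff02::16", "ipv6-icmp", ICMP6["mldv2report"]),
              Packet("vtnet0", "fe80::1", "ff02::c", "udp", UDP_PORTS["ws-discovery"]),
              Packet("vtnet4", "fe80::1", "ff02::1:2", "udp", UDP_PORTS["dhcpv6-server"])):
        rule = first_match(p)
        print(f"{p.dst:>10} ({scope(p.dst)}): "
              f"{'pass' if rule else 'default block'} on {p.iface}")
```

Run stand-alone, the first two packets report `default block` and only the DHCPv6 solicit on vtnet4 is passed, which is why the MLD and WS-Discovery entries keep showing up in the live view until logging on the default block rule is switched off.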

BTW I did remove "Log packets matched from the default block rules"

but I still see those messages. I assume this is because they are captured by my own deny-all IPv6 rule?

You do not need these block rules. OPNsense already has that builtin.

I use them when I need to know what is being blocked. I have kept the rules but removed all logging.

Merci

Is there a way to disable IPv6 on my interfaces outside of the POP? Before, I never saw these assigned; maybe this is linked to an improvement of the Interface Overview :)

I do have IPv6 Configuration Type set to None on those interfaces.