Solicited Nodes Multicast Group

Started by Javier®, February 20, 2025, 05:43:24 PM

February 20, 2025, 05:43:24 PM Last Edit: February 20, 2025, 05:55:36 PM by jr-acedo
Hello everyone, my ISP sends me an ICMP to ff02::1:f00:1, and I have created a firewall rule on WAN to allow it.
If I don't create the rule, my local network soon no longer has IPv6 internet access.

WAN --- allow --- ipv6-icmp ---- fe80::/10 ---->> ff02::1:ff00:0/104

As RFC 4291 section 2.7.1 states:

Solicited-node multicast addresses are computed as a function of a node's unicast and anycast addresses. A solicited-node multicast address is formed by taking the low-order 24 bits of an address (unicast or anycast) and appending those bits to the prefix FF02:0:0:0:0:1:FF00::/104.

** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **
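Worked example of the RFC 4291 section 2.7.1 computation quoted above, together with a small model of the WAN rule from the post (ipv6-icmp from fe80::/10 to ff02::1:ff00:0/104). This is example code added here, not code from the thread or from OPNsense; the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 4291 section 2.7.1: solicited-node prefix FF02:0:0:0:0:1:FF00::/104
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def solicited_node_address(addr: str) -> ipaddress.IPv6Address:
    """Derive the solicited-node multicast address of a unicast/anycast address.

    The low-order 24 bits of the address are appended to the /104 prefix,
    so the result is always inside ff02::1:ff00:0/104.
    """
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def is_solicited_node(dst: str) -> bool:
    """True if dst is a solicited-node group (falls inside ff02::1:ff00:0/104)."""
    return ipaddress.IPv6Address(dst) in SOLICITED_NODE_PREFIX


def wan_rule_matches(src: str, dst: str, proto: str) -> bool:
    """Model of the WAN rule in the post: allow ipv6-icmp from fe80::/10
    to ff02::1:ff00:0/104. Any other protocol, a non-link-local source or a
    destination outside the solicited-node range does not match."""
    return (
        proto == "ipv6-icmp"
        and ipaddress.IPv6Address(src) in LINK_LOCAL
        and ipaddress.IPv6Address(dst) in SOLICITED_NODE_PREFIX
    )


if __name__ == "__main__":
    # Constructed sample addresses (not from the thread).
    for a in ("fe80::1", "2001:db8::a1b:c2d3:e4f5"):
        print(a, "->", solicited_node_address(a))
    print(wan_rule_matches("fe80::1", "ff02::1:ff00:1", "ipv6-icmp"))
```

A neighbour solicitation for 2001:db8::a1b:c2d3:e4f5 therefore goes to ff02::1:ffd3:e4f5; only the last 24 bits of the target survive in the group address, which is why one /104 rule covers every host on the link.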


March 14, 2025, 02:51:51 PM #2 Last Edit: March 14, 2025, 02:58:46 PM by jr-acedo
I have managed to make the connection more or less stable, explicitly adding FF02:0:0:0:0:1:FF00::/104. Now I don't lose IPv6 over time.
Thank you for your work.

I think the problem is the NICs. I226-V version V2.17-0. I had to configure sysctl to be stable and fast.
hw.igc.max_interrupt_rate: 20000
hw.igc.enable_aim: 0
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

March 17, 2025, 03:32:53 PM #3 Last Edit: March 17, 2025, 04:09:53 PM by Javier®
Hi everyone, the packet the firewall is blocking is an ICMP type 130 packet. It is sent every 125 seconds, from my ISP's Cisco.
OPNsense doesn't allow type 130 by default.

Cisco MLD
General Query (Type 130)
Sent to learn about listeners on the attached link
Sets the Multicast Address Field to zero
Sent every 125 seconds

https://www.cisco.com/c/dam/global/sk_sk/assets/expo2011/pdfs/IPv6_multicast_security_Stefan_Kollar.pdf
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **
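To make the type 130 packet from the Cisco slide concrete, here is an added example (not code from the thread, from Cisco or from OPNsense) that builds and decodes an MLDv1 Multicast Listener Query as defined in RFC 2710, including the ICMPv6 pseudo-header checksum from RFC 4443. It assumes the 24-byte MLDv1 layout; MLDv2 (RFC 3810) queries are longer and only their common first 24 bytes are decoded here. Source and destination addresses are constructed sample values.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
MLD_QUERY = 130                        # Multicast Listener Query (RFC 2710)
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """ICMPv6 checksum (RFC 4443 2.3): ones-complement sum over the IPv6
    pseudo-header (src, dst, upper-layer length, zeros, next header 58)
    followed by the ICMPv6 message itself."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"                 # pad to a whole number of 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mld_query(src: str, dst: str, max_resp_delay_ms: int = 10000,
                    group: str = "::") -> bytes:
    """Build an MLDv1 query. A zero multicast address field ('::') makes it a
    General Query, which the slide describes as being sent to all listeners."""
    hdr = struct.pack("!BBHHH", MLD_QUERY, 0, 0, max_resp_delay_ms, 0)
    msg = hdr + ipaddress.IPv6Address(group).packed
    csum = icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_mld_query(src: str, dst: str, msg: bytes) -> dict:
    """Decode an ICMPv6 type 130 message and verify its checksum."""
    if len(msg) < 24:
        raise ValueError("MLD query must be at least 24 bytes")
    typ, code, csum, max_resp, _reserved = struct.unpack("!BBHHH", msg[:8])
    if typ != MLD_QUERY:
        raise ValueError(f"not an MLD query (ICMPv6 type {typ})")
    group = ipaddress.IPv6Address(msg[8:24])
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]   # checksum field is zero while summing
    return {
        "type": typ,
        "code": code,
        "max_response_delay_ms": max_resp,
        "group": str(group),
        "general_query": int(group) == 0,
        "sent_to_all_nodes": ipaddress.IPv6Address(dst) == ALL_NODES,
        "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum,
        "mld_version": 2 if len(msg) >= 28 else 1,  # MLDv2 appends more fields
    }


if __name__ == "__main__":
    # Constructed sample: a router's link-local address querying all nodes.
    q = build_mld_query("fe80::1", "ff02::1")
    print(q.hex())
    print(parse_mld_query("fe80::1", "ff02::1", q))
```

A general query from the ISP's router arrives with source fe80::/10, destination ff02::1 and a zeroed group field; the default rule sets listed later in the thread do not include type 130, so such a packet is only passed by a rule that names that type explicitly.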

I'm not sure I follow. Neighbor discovery packets are already allowed (via the second "Automatically generated rule") - a separate rule allowing the solicited-node destination should not be necessary. (Or am I missing a bug that affects this?)

The multicast listener query is interesting. Does your provider offer multicast services of some sort (e.g. streams or some such)?

March 17, 2025, 06:26:02 PM #5 Last Edit: March 17, 2025, 06:45:10 PM by Javier®
It seems strange to me too; I have to add the rule explicitly.
They are allowed, but type 130 is not.

From all to all 1,2,135,136
specific, from fe80::/10 to fe80::/10, ff02::/16 128,133,134,135,136

The second rule is out 128,129,133,134,135,136
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **