[SOLVED] OPNsense Blocking RFC4890 ICMPv6 Traffic on LAN

Started by waldenj, February 20, 2025, 09:44:43 PM

February 20, 2025, 09:44:43 PM Last Edit: February 28, 2025, 03:04:20 PM by waldenj Reason: Issue resolved! The fix works!
All,

I'm seeing tons of log spam in my firewall triggered by the IPv6 RFC4890 requirements (ICMP) rule. IPv6 is up and working on my LAN, and I receive a /56 delegation from my ISP.

This happens regardless of whether DHCPv6 & Router Advertisements are set manually or left on auto. IPv6 connectivity remains functional, but the log spam persists.

Not sure what's causing this. Anyone have any ideas? Thanks in advance!


Uncheck Firewall > Settings > Advanced > Logging > Default pass.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 20, 2025, 10:20:35 PM
Uncheck Firewall > Settings > Advanced > Logging > Default pass.

First place I checked. Everything under logging there is unchecked.



Trying that now. I am also seeing the entry below in the log for the firewall. I don't have bogon blocking set in the GUI either. Could this be part of my issues?

Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -t bogonsv6 -T flush' returned exit code '255', the output was 'pfctl: Table does not exist.'

So far it seems to no longer be blocking on the LAN and triggering those entries. I wonder if this will help my Android devices losing IPv6 connectivity after a while? I am still seeing the errors below though.

Error firewall /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -t bogonsv6 -T flush' returned exit code '255', the output was 'pfctl: Table does not exist.'


Is it safe for me to upgrade to 25.1.2 in order to get the bogons fix or will that cause me to lose the kernel fix? Thank you for all the help!

Lock kernel from packages tab, then update (it will reboot but the kernel will stay), then unlock to make sure you get the next one. I expect this fix to land in 25.1.3.


Cheers,
Franco

Thank you! Looks like we are good to go! Issues resolved!

Thanks for testing, BTW. The plan is to ship this in the next and prepare a FreeBSD submission for it. Eventually someone will find this interesting for IPv6 deployments over there.  ;)


Cheers,
Franco