Re: [pfSense] 2.2.6 and IPv6 RA
Op 22-1-2016 om 8:53 schreef Antonio Prado: > Hi, > > on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6 > not configured, pfSense starts advertising itself as IPv6 gateway on LAN > using its link-local address (fe80::/64). > > That's not the correct behavior I guess. > > Is it a bug? No, that sounds about right, it advertises itself as the gateway. You can safely run RA on the LAN even without a public prefix, this works fine in combination with static addressing as well. Some devices only allow you to set a static address, but not the gateway, they will pick it up from RA. I think you'll find that the RA has no options set for auto configuration. Cheers ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] 2.2.6 and IPv6 RA
On 1/22/16 11:02 AM, Seth Mos wrote: >> on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6 >> not configured, pfSense starts advertising itself as IPv6 gateway on LAN >> using its link-local address (fe80::/64). >> >> That's not the correct behavior I guess. >> >> Is it a bug? > > No, that sounds about right, it advertises itself as the gateway. well, let me disagree. when a router (pfSense) has RA disabled (as previously stated in my message), it simply should not per RFC 4861. in other words, nevertheless pfSense 2.2.6 has no IPv6 configured (i.e. no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw. let me know thank you -- antonio ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] 2.2.6 and IPv6 RA
On 1/22/16 12:39 PM, Seth Mos wrote: >> in other words, nevertheless pfSense 2.2.6 has no IPv6 configured (i.e. >> no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw. > > Is your LAN interface not configured for IPv6 with address fe80::1:1? It > should be, it's in the default config, unless you disable it. it's correctly auto-configured: inet6 fe80::a236:9fff:fe3a:ff5c%lagg1 prefixlen 64 scopeid 0xb but it should not advertise itself as a gw, simply because it's not a gw and therefore it has not be instructed to do so. thank you -- antonio ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] 2.2.6 and IPv6 RA
Op 22-1-2016 om 12:15 schreef Antonio Prado: > On 1/22/16 11:02 AM, Seth Mos wrote: >>> on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6 >>> not configured, pfSense starts advertising itself as IPv6 gateway on LAN >>> using its link-local address (fe80::/64). >>> >>> That's not the correct behavior I guess. >>> >>> Is it a bug? >> >> No, that sounds about right, it advertises itself as the gateway. > > well, let me disagree. > when a router (pfSense) has RA disabled (as previously stated in my > message), it simply should not per RFC 4861. > > in other words, nevertheless pfSense 2.2.6 has no IPv6 configured (i.e. > no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw. Is your LAN interface not configured for IPv6 with address fe80::1:1? It should be, it's in the default config, unless you disable it. Regards, Seth ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] pfblockerng
On 16-01-13 10:27 PM, Ugo Bellavance wrote: On 16-01-13 05:09 PM, Elijah Savage wrote: Can you give a few more details on this? "Finally, I think that this list, mentionned in the doc, should not be used: http://feeds.dshield.org/top10-2.txt. This one should: http://feeds.dshield.org/block.txt; The top10-2.txt file has last been updated in July 2015 according to my curl command and is not auto-documented. http://feeds.dshield.org/block.txt is updated frequently (as of now, its most recent generation is 5 minutes ago), it is auto-documented. Also, https://www.dshield.org/xml.html states "We offer one blocklist, and one blocklist only (http://www.dshield.org/block.txt)." Is anyone using pfblockerng with this list? Would someone want me to try to update the obsolete doc? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] 2.2.6 and IPv6 RA
On Fri, 2016-01-22 at 12:15 +0100, Antonio Prado wrote: > On 1/22/16 11:02 AM, Seth Mos wrote: > > > on a fresh installed box, IPv4 configured on 2 NICs (WAN and > > > LAN), IPv6 > > > not configured, pfSense starts advertising itself as IPv6 gateway > > > on LAN > > > using its link-local address (fe80::/64). > > > > > > That's not the correct behavior I guess. > > > > > > Is it a bug? > > > > No, that sounds about right, it advertises itself as the gateway. > > well, let me disagree. > when a router (pfSense) has RA disabled (as previously stated in my > message), it simply should not per RFC 4861. I've just skimmed through RFC 4861 and couldn't see this. I then grepped "disable" (three instances) and I think I found what you mean: Section 6.2.2: "The term "advertising interface" refers to any functioning and enabled interface that has at least one unicast IP address assigned to it and whose corresponding AdvSendAdvertisements flag is TRUE. A router MUST NOT send Router Advertisements out any interface that is not an advertising interface." That leads us to look into "AdvSendAdvertisements" and also wonder whether "at least one unicast IP address assigned" is IPv6 only or includes v4: Section 2.4: "address - an IP-layer identifier for an interface or a set of interfaces. " So that's clear! I started to follow up on AdvSendAdvertisements but it's also a bit random. The standard is a bit wooley. What is the fault you are actually trying to fix? Cheers Jon > in other words, nevertheless pfSense 2.2.6 has no IPv6 configured > (i.e. > no v6 address on interfaces, RA disabled), it advertises itself as > IPv6 gw. > > let me know > thank you > -- > antonio ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold