Have free IPv6 now, how to configure IPv6 & ipfilter firewall

Matthew Seaman matthew at FreeBSD.org
Sat Apr 1 17:06:15 UTC 2017


On 01/04/2017 16:11, Ernie Luzar wrote:
> Hello List;
> 
> Yesterday 3/31/2017 6pm, Time Warner enabled IPv6 on the cable system
> that I am connected to. You ask how do I know that? I use ipfilter
> firewall with default "block". There has to be a rule to allow anything
> in or out. The ipf.log started to fill up very quickly and rollover
> every 15 minutes. Inspection of the ipf.log showed this log record was
> the source of the flooding.
> 
> fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast

IPv6 addresses beginning feXX or ffXX are special.  In particular
addresses beginning fe80 are "link local" addresses.  These appear on
any IPv6 enabled interface, and they are only useful for communicating
with other devices on the same subnet -- similar in some ways to a MAC
address (and indeed, the last 4 digit groups -- 201:5cff:fe9d:1846 --
are derived from the MAC address of the interface.)

The address beginning with ff02 is another special.  This is a multicast
'All Nodes Address' -- which every IPv6 enabled machine should accept.
See RFC 4291 and
https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
for the gory details.

All you're seeing here is a notification that fe80::201:5cff:fe9d:1846
is a router on your local network.  It's completely harmless, and a
vital part of the autoconfiguration process.

> Then I did a ifconfig command on the interface facing the public internet
> 
>  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>      options=2008<VLAN_MTU,WOL_MAGIC>
>      ether 00:10:b5:7b:1d:6f
>      inet 74.141.88.57 netmask 0xfffffc00 broadcast 255.255.255.255
>      inet6 fe80::210:b5ff:fe7b:1d6f%rl0 prefixlen 64 scopeid 0x1
>      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>      media: Ethernet autoselect (100baseTX <full-duplex>)
>      status: active
> 
> To my surprise I have an IPv6 address for the first time ever. I have
> been a native IPv4 shop since FreeBSD 3.0. MY rc.conf file has this
> ifconfig_rl0="DHCP" statement.

You've only got a link local address here, which is not useful for
communicating with the IPv6 internet in general.

> My first thought was to stop the ipf.log file flooding by adding a rule
> to block icmpv6. This rule complained about unknown protocol.
> block in quick on rl0 proto icmpv6
> 
> My first question is how do I block the icmpv6 packet in ipfilter firewall?
> 
> My 2nd question; Does ipfilter firewall need some kind of configuration
>  change to make it IPv6 aware? If so what?

IMHO -- this is wrong-headed.  IPv6 is available to you, so embrace the
future and start using it.

> In my reading about IPv6, nowhere does it say that IPv4 & IPv6 CAN NOT
> exist together, is that true?

Sure, you can run dual stacked.  In fact, that's how everyone does it at
the moment since IPv6-only configurations still don't have anything like
complete coverage of the Internet.

> The handbook has this:
>  31.10.6. Router Advertisement and Host Auto Configuration
> 
>  This section will help you setup rtadvd(8) to advertise the IPv6
> default route.
> 
>  To enable rtadvd(8) you will need the following in your /etc/rc.conf:
>  rtadvd_enable="YES"
> 
>  It is important that you specify the interface on which to do IPv6
> router solicitation.
>  For example to tell rtadvd(8) to use fxp0:
>  rtadvd_interfaces="fxp0"
> 
>  Now we must create the configuration file, /etc/rtadvd.conf. Here is an
> example:
> 
>  fxp0:\
>      :addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:
> 
>  Replace fxp0 with the interface you are going to be using.
> 
>  Next, replace 2001:471:1f11:246:: with the prefix of your allocation.
> 
>  If you are dedicated a /64 subnet you will not need to change anything
> else.
>  Otherwise, you will need to change the prefixlen# to the correct value.
> 
> ******** End of Handbook text  *************************************
> 
> Now since I have free native IPv6, I think I only need to add these two
> statement to my rc.conf to achieve total IPv6 auto-configuration
> 
> rtadvd_enable="YES"
> rtadvd_interfaces="rl0,xl0"
> 
> rl0 = interface facing the public internet
> xl0 = interface facing the private lan
> 
> Am I doing this correctly?

Hmmm.... not entirely, and "it depends."  Running rtadvd on rl0 makes no
sense -- you don't want to hand out addresses to your service provider
upstream, but rather receive addresses from them.  That's most easily
done by adding:

ifconfig_rl0_ipv6="-no_radr accept_rtadv"

or the equivalent:

ipv6_cpe_wanif="rl0"

Obviously, you'll need to adjust your firewall rules to allow the
necessary packets through.

Now, configuring IPv6 for your private lan depends on how your service
provider has set things up.  The big difference is that unlike IPv4, NAT
is not necessary to conserve limited IP space resources.  Every IPv6
enabled device gets its own directly routable address or, indeed as many
IPv6 addresses as it cares to use.  This means that either your service
provider has to allocate a routable IPv6 network block to you, or your
router will need to act as a bridge for IPv6 traffic, so your private
LAN devices can talk to your providers' systems.  You need to check with
your provider about how they intend for people to configure IPv6 things.

Certainly if you get a network allocated to you, and possibly even if
you don't then, yes, you should run rtadvd on the internal interface of
your router:

rtadvd_enable="YES"
rtadvd_interfaces="xl0"

You may need to specify the IPv6 prefix for the interface, if your
rtadvd doesn't get one automatically:

ipv6_prefix_xl0="2001:db8::"   # This is just an example. Substitute
                               # the network address from your provider.

That's generally all you need to do to get started: rtadvd has pretty
good defaults and you can frequently run it successfully without needing
to create a rtadvd.conf file.

If you don't get your own routed network, then one way rtadvd on your
router could work is to relay the config it picks up from your provider
to the hosts on your private LAN.  I don't actually know if this works
in practice, never having tried it, but I think it might based on what
I'm reading in the manuals.

> About jails, I can create a jail that uses an IPv6 address. Is there a
> way to auto-configure that jail's IPv6 address?

Yeah -- this is a bit tricky.  All of the autoconfig methods tend to be
keyed on the interface MAC address, hence you only get one address per
interface from them, which isn't helpful for adding aliases dedicated to
jails.  However, if your service provider will route an IPv6 network for
you, you would get at least a /64 network and you can assign any IPv6
addresses from within that block for use in your private LAN.  This
gives you about 2^62 possible addresses to use, which is way bigger than
the entire IPv4 Internet...

Otherwise, if they are just handing out individual addresses, then you
can pretty much pick an address at random from their range and be almost
certain that no-one else is using it.  I've a script here that will help
doing that:

http://www.infracaninophile.co.uk/articles/hotchpotch/#rand-aaaa.pl

	Cheers,

	Matthew
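The following is an added worked example, not part of the thread above and not code from either poster. It decodes the two addresses Matthew explains: it derives the modified EUI-64 link-local address from the rl0 MAC shown in the ifconfig output (00:10:b5:7b:1d:6f should yield fe80::210:b5ff:fe7b:1d6f), reverses the derivation for the router's address from the ipf.log line, and parses that log line as quoted (without the timestamp and interface fields ipmon normally prefixes; that layout is an assumption) to judge whether the router advertisement looks like ordinary neighbor discovery. The assessment goes slightly beyond the thread: it applies the RFC 4861 rule that a host must discard router advertisements whose source is not link-local, which is the check a defender would want before deciding a flood of such log lines is benign.

```python
"""Decode the IPv6 addresses and the ipmon log line from the thread (added example)."""
import ipaddress
import re
from typing import Dict, Optional

# Constructed copies of the values quoted in the thread.
ROUTER_RA_LOG = "fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast"
RL0_MAC = "00:10:b5:7b:1d:6f"
RL0_LINK_LOCAL = "fe80::210:b5ff:fe7b:1d6f"

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # RFC 4291 link-local scope
ALL_NODES = ipaddress.IPv6Address("ff02::1")         # link-local all-nodes multicast


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Build the modified EUI-64 link-local address (RFC 4291 Appendix A):
    flip the universal/local bit of the first octet, insert ff:fe in the
    middle of the MAC, and prefix the result with fe80::/64."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def mac_from_link_local(addr: str) -> Optional[str]:
    """Reverse of eui64_link_local; returns None when the interface
    identifier is not EUI-64 derived (e.g. a privacy or random address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


# Matches the line as quoted in the mail; a real ipmon line carries a
# timestamp and interface name before the source address (assumed stripped).
LOG_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"(?P<type>[a-z]+)/(?P<code>\d+) (?P<dir>IN|OUT)"
)


def parse_ipmon(line: str) -> Dict[str, str]:
    """Split an ipmon record into its fields; raises on an unexpected layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ipmon line: {line!r}")
    return m.groupdict()


def assess_router_advert(rec: Dict[str, str]) -> str:
    """Return 'expected' for a router advertisement that looks like normal
    neighbor discovery, otherwise a short reason worth a second look.
    RFC 4861 section 6.1.2 requires hosts to discard RAs whose source
    address is not link-local, so such a source is the real anomaly."""
    if rec["proto"] != "icmpv6" or rec["type"] != "routeradvert":
        return "not a router advertisement"
    src = ipaddress.IPv6Address(rec["src"])
    dst = ipaddress.IPv6Address(rec["dst"])
    if src not in LINK_LOCAL:
        return "RA from non-link-local source; hosts must discard it, worth investigating"
    # RAs go to all-nodes multicast, or unicast to a host that sent a solicitation.
    if dst != ALL_NODES and dst not in LINK_LOCAL:
        return "RA to unexpected destination"
    return "expected"


if __name__ == "__main__":
    print(RL0_MAC, "->", eui64_link_local(RL0_MAC))
    rec = parse_ipmon(ROUTER_RA_LOG)
    print("router MAC:", mac_from_link_local(rec["src"]))
    print("assessment:", assess_router_advert(rec))
```

Run against the thread's own values, the derived address matches the inet6 line in the ifconfig output, and the logged advertisement comes from a link-local source to ff02::1, which is exactly the "expected" case Matthew describes; the same function would instead flag an advertisement arriving with a global source address.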
