Pfsense detecting ip6 addresses on ip4 only internal network

So, I am getting an ip6 address blocked internally on my ip4 only network. I am not sure what is trying to use ip6, but something is being blocked on the LAN side trying to get through the firewall. At least I think it is ip6.

The IP source - [fe80::f692:bfff:fea3:312f]

Destination - [ff02::1]:10001

Since I have no ip6 DHCP running, it must be a device that has assigned its own ip6 address. I know nothing about the new ip6 stuff, so I have no clue how to get an idea what device it is. Any thoughts since I have all ip6 stuff disabled on pfsense?

That fe80 address is a link local device attempting to do neighbor discovery (the ff02 address is a multicast address for this purpose). The MAC address of the originating device is f6-92-bf-a3-32-2f (which is assigned to Ubiquiti), so it looks like a router or switch on your network is trying to find the IP6 addresses of other devices on the network. Find the device with that MAC and you’ve got your culprit.


Nice! Thanks. I tried googling a few things to figure it out and got nothing. I figured I was missing some sort of understanding of what I was looking at. I will start looking at MAC addresses and see about finding a way to kill it.

How did you figure out the originating MAC address?

For non-DHCP in IP6, it is usually embedded in the link-local IP address itself. Luckily, your device used that algorithm, so I just plucked out the bytes surrounding the FF-FE pair and there it was… The pattern is easy to recognize once you know it’s there.

Here’s the first article that ddg showed me, not sure how well they describe things, but if you scan the pictures you’ll see grossly what I did.
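The extraction described in the post above, as an added example that is not part of the original thread: a Python function that takes an address as it appears in a firewall log, checks the interface identifier for the FF-FE marker, and rebuilds the MAC. Modified EUI-64 also inverts the universal/local bit of the first byte, which the code undoes; the function name and the zone-id handling are assumptions of this example.

```python
import ipaddress


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, or None.

    Accepts log-style input such as "[fe80::1%em0]:10001" (brackets, zone id
    and port are stripped). Raises ValueError if the address is not IPv6.
    """
    host = addr.strip()
    if host.startswith("["):
        host = host[1:host.index("]")]      # drop brackets and any :port suffix
    host = host.split("%", 1)[0]            # drop zone id (interface name)

    ip = ipaddress.IPv6Address(host)
    iid = ip.packed[8:]                     # lower 64 bits: interface identifier

    # EUI-64 inserts ff:fe between the OUI and the device-specific half.
    # Privacy, stable-random and manually assigned addresses lack the marker,
    # so no MAC can be recovered from them.
    if iid[3:5] != b"\xff\xfe":
        return None

    first = iid[0] ^ 0x02                   # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    # Source address from the blocked-traffic entry quoted in this thread.
    src = "[fe80::f692:bfff:fea3:312f]"
    print(src, "->", mac_from_eui64(src))
    # Constructed sample: a link-local address that is not EUI-64 derived.
    print("fe80::1 ->", mac_from_eui64("fe80::1"))
```

A `None` result means the device did not derive its address from its MAC, so it has to be identified from the firewall's NDP table or the switch's MAC table instead.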

Thank you. I also found some online sites that extract MAC from an IPV6 address. Very useful in tracking down devices flooding the network with various IPV6 packets. Ubiquiti devices seem to be the worst offenders and I have yet to find a way to turn off their IPV6 noise.

Seems to be coming from my 10G Unifi switch. Not sure how or why it is trying to broadcast like it is. It has an IP4 address and communicates over that. Very strange. I can not find a setting in the controller or the switch specific settings in the controller to limit this. Maybe I am overlooking something.