# Filter/block IPv6 packets



## unkle (Sep 8, 2012)

Hello,

I'd like to block all IPv6-traffic coming from a specific IP on my LAN.

I have a PC on my LAN that causes my DSL-modem to reset from time to time. Battling this issue for weeks I'm thinking that it might be due to IPv6-packages.

My ISP swapped my modem two times and has now sent me a third, newer model, but this also resets when connecting the PC (Raspberry Pi) to the network after a while.

Route is: RPi -> switch -> internal-nic -> external-nic -> DSL-modem.
In/External-nic is on the FreeBSD-box.

I'm thinking that I can make my FreeBSD server (which acts as router/gateway/firewall) filter the packets that are causing the reset on the modem.
But how?

In my /etc/rc.conf I've put:

```
ipv6_enable="NO"
```
I've also done

```
sysctl net.inet6.ip6.forwarding=0
```
but it does not seem to do the trick. I'm guessing that PF still lets the packets pass through (?).

In pf.conf I've tried with this to deny ALL traffic but the RPi still connects to the internet:

```
block out quick on $External from $RPi to any
block out quick on $External from $RPiWifi to any
block in quick on $External from $RPi to any
block in quick on $External from $RPiWifi to any
```
(warning: I'm -not- familiar with fw-rules and I have a hard time understanding them, so please excuse my poor skills on this)

My reasoning for the rules is that I want to know which lines work and don't work, and when confirmed I'll later be able to specify that only IPv6-traffic is to be blocked.

(If you are wondering why I don't just disable IPv6 on the Raspberry, it's because I've already tried, and failed. And also, when trying out new distros/images it seems to be the default that IPv6 is enabled and so it would be "easier" to just block that traffic once and for all outside the RPi).

Software:
FreeBSD 8.2-Stable

Hardware:
Source of problems - Raspberry Pi
DSL Modem 1 - Zyxel p2602R-d1a
DSL Modem 2 - Zyxel p2601hn-f1
(another strange thing is that all modems are configured (by the ISP) as bridges but I guess they still react to some specific kinds of packets).


----------



## kpa (Sep 8, 2012)

If you have disabled IPv6 routing there's no way the IPv6 traffic could get through your router. My guess is that the Raspberry Pi is using some kind of tunneling protocol, Teredo or similar, that uses IPv4 UDP transport for IPv6 connectivity. I have a hard time believing though that the tunneled IPv6 could cause the modem to reset just like that.

Edit: Check if the modem has a setting that says something like "UDP flood prevention", turn it off if there is such a setting and it's on.


----------



## unkle (Sep 8, 2012)

```
pfctl -sa -vvvv
```
Gives me this:

```
Interface Stats for xl1               IPv4             IPv6
  Bytes In                        26380566                0
  Bytes Out                      694245407                0
  Packets In
    Passed                          377431                0
    Blocked                           9322                0
  Packets Out
    Passed                          644525                0
    Blocked                             38                0
```
xl1 = External interface
So I guess you are right about no IPv6 traffic getting through.

Is there a way to filter this "tunneling" traffic somehow?

I am really confused on this. I've tried to do some packet-sniffing with tcpdump but I'm not able to interpret the results properly. It is quite frustrating because my internet is crippled 2-3 times an hour when the Raspberry is connected. Streaming content is also a "no go".


----------
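On the filtering question above, an added example that is not part of the thread: a pf.conf fragment that blocks native IPv6 and the two common IPv6-over-IPv4 tunnels (IP protocol 41 and Teredo, UDP port 3544) on the internal interface, where the Pi's packets arrive with their original source address. `$Internal`, the interface name `xl0` and the addresses are assumptions; `$RPi` and `$RPiWifi` are the macro names from the first post.

```pf
# Added example, not from the thread. Placeholder values: adjust to your LAN.
Internal = "xl0"            # assumed LAN-facing NIC (the thread only names xl1 = external)
RPi      = "192.168.1.50"   # constructed IPv4 address of the Raspberry Pi
RPiWifi  = "192.168.1.51"   # constructed IPv4 address of its Wi-Fi adapter

# Filter inbound on the internal interface: this is where the Pi's packets
# enter the router, with their own source address and before any NAT.

# Native IPv6 from the LAN. The IPv4 macros above cannot match an IPv6
# source, so this rule covers every host behind $Internal.
block in log quick on $Internal inet6 all

# 6in4 / 6to4: IPv6 carried directly inside IPv4 as IP protocol 41.
block in log quick on $Internal inet proto 41 \
    from { $RPi, $RPiWifi } to any

# Teredo: IPv6 carried inside IPv4 UDP. Blocking the server port (3544)
# stops the client from completing its setup with a Teredo server.
block in log quick on $Internal inet proto udp \
    from { $RPi, $RPiWifi } to any port 3544
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. With pflog enabled, `tcpdump -n -e -ttt -i pflog0` shows which of the three rules the Pi's traffic actually hits.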

