Disable / prevent wifi clients from passing ipv6

I have a purely IPv4 network; all my LAN-based devices have IPv6 disabled.
However, every time an Android phone or iPad is connected to my Wi-Fi,
I get flooded with IPv6 port 5353 traffic.

How can I prevent the Wi-Fi from passing this traffic?

In order to assist you, can you provide a more detailed description of this traffic?

Do you mean this? https://www.speedguide.net/port.php?port=5353

My firewall log fills up with this traffic from devices on the Wi-Fi:

VLAN_GUEST Block all IPv6 (1000000003) [fe80::1c57:6d67:7399:6ff4]:5353 [ff02::fb]:5353 UDP

OpenWrt is on my access points, and I want to prevent this traffic from even getting onto the LAN/VLAN segments.

Are you running mDNS, Bonjour or some other auto discovery for Apple devices?

This is coming from Android phones.

FYI - to be clear, it appears your device is indeed blocking this traffic. If you believe that's not the case, feel free to elaborate more.

Are you asking to install blockers on the Androids, or is there just some confusion regarding the log message?

That is my pfSense firewall that is blocking the traffic on the VLAN interface.
I want to block it on the OpenWrt access points, so it doesn't get from the Wi-Fi to the LAN/VLAN network in the first place.

I don't think you easily can, because Wi-Fi/LAN traffic is "Layer 2", which is beneath the level of firewalls like iptables.

If IPv6 is disabled, the traffic shouldn't even be looked at.

Client devices don't care if you have disabled IPv6 on your router and access points. They will always create link-local IPs and send traffic to the network. Block them on the access point firewall if they are such an issue.


Isn't that what I asked? i.e. how to do it.
My access points are TP-Link devices with OpenWrt.
Different Wi-Fi SSIDs are bridged to VLANs.

I want to stop these devices from sending this traffic to the VLANs.

And that's what @trendy has written. Even if you filter on layer 2 on the access points, clients will still send this traffic.
Either you filter on the client, which will not be possible on Android, or you drop the traffic on the access point. But why do you even care whether it is IPv4 or IPv6, when traffic to port 5353 will be sent anyway?
And besides some historic lab setup, why do people want to avoid IPv6 at all?
For a few years now we (as in humankind) have reached the point where IPv6 is finally there (as in deployed by many ISPs), and we have come to the point where we might even finally deprecate IPv4 once and for all, which is a great achievement. IPv4 was just an experiment which slipped out of the lab and could not be changed, and IPv6 is for the most part pretty well designed and solves a lot of issues we face with IPv4.
Back to topic: if you really want to drop that traffic, just look up the nftables wiki for what you need, enable the firewall on the access point and configure it. But ignoring IPv6, and even preventing clients from using it, is just pointless in my opinion...

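The "drop it on the access point" route from the post above, written out as an added example that is not from this thread or from the OpenWrt project. Because the SSIDs are bridged straight onto VLANs, the frames never pass through the `inet`/`ip6` tables that fw4 manages; they are switched inside the bridge, so the rule has to live in the nftables `bridge` family and hook the bridge `forward` path. Assumed, not stated in the thread: an OpenWrt AP with the `kmod-nft-bridge` package installed, wireless ports named `wlan0`/`wlan1` (newer builds use names like `phy0-ap0`) that are members of the same bridge as the VLAN uplink, and that fw4 reloads leave a foreign table alone. The second rule, a minimal RA guard on client ports, is an optional extra and goes beyond the mDNS question.

```shell
#!/bin/sh
# Added example (not from the thread): bridge-family nftables ruleset that drops
# IPv6 mDNS (destination ff02::fb, UDP 5353) arriving on Wi-Fi client ports before
# the access point bridges it onto the LAN/VLAN.
# Assumptions: OpenWrt AP with kmod-nft-bridge; client-facing wireless ports named
# wlan0/wlan1 (adjust WIFI_PORTS); a bridge forward hook is available.
#
# Usage:  sh mdns6-block.sh render    # print the ruleset for review
#         sh mdns6-block.sh apply     # load it (needs root and the nft binary)

WIFI_PORTS="${WIFI_PORTS:-wlan0 wlan1}"   # assumed client-facing port names

# Turn "wlan0 wlan1" into the nft anonymous set literal { "wlan0", "wlan1" }
nft_ifname_set() {
    set -- $1
    _set=""
    for _p in "$@"; do
        _set="${_set:+$_set, }\"$_p\""
    done
    printf '{ %s }' "$_set"
}

# Emit the ruleset. It lives in its own table so it does not collide with the
# 'inet fw4' table that OpenWrt's firewall manages (assumption: fw4 reloads only
# touch its own table). The create/flush prelude makes re-applying idempotent.
render_ruleset() {
    _ports=$(nft_ifname_set "$WIFI_PORTS")
    cat <<EOF
# The bridge 'forward' hook sees frames switched between ports of the same
# bridge; inet/ip6 family rules never see that traffic, which is why the usual
# firewall zones on the AP cannot stop it.
table bridge mdns6block {}
flush table bridge mdns6block
table bridge mdns6block {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # mDNS from a client port to the all-mDNS multicast group: drop it.
        iifname $_ports ether type ip6 ip6 daddr ff02::fb udp dport 5353 counter drop
        # Optional minimal "RA guard": clients have no business advertising routes.
        iifname $_ports ether type ip6 icmpv6 type nd-router-advert counter drop
    }
}
EOF
}

# Number of drop rules in the rendered ruleset (handy for a self-check).
count_drop_rules() {
    render_ruleset | grep -c ' counter drop$'
}

case "${1:-}" in
    render) render_ruleset ;;
    apply)  render_ruleset | nft -f - && nft list table bridge mdns6block ;;
esac
```

After `apply`, the `counter` on each rule shows whether frames are actually being matched (`nft list table bridge mdns6block`); if the mDNS counter stays at zero while pfSense keeps logging hits, the port names in `WIFI_PORTS` are wrong for that build. Note what this does and does not buy you: the phone still emits the packets, they just never leave the AP towards the wired side, which is the outcome the original poster asked for, and the pfSense rule that was already dropping them is unaffected. To survive a reboot, run the script from `/etc/rc.local` or an init script.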

Because many are afraid of v6.
If you look at the management of v4 and v6 you will see many differences:
SLAAC, stateless, stateful, PD, RA, ND, ULA, GUA, second address, temp address ... etc.
Now, Android does not use DHCP, only SLAAC or PD, which is out of the normal mindset.
You have NULL control over v6 addresses,
and you will never be able to filter things based on addresses.
The only way to have at least minimal security is to put Androids on a guest VLAN, and nothing more.
OpenWRT is far away from the ability to stop rogue v6 RAs at bridge level (at least in the GUI); you need decent managed switches to protect the rest of the network from rogue RAs or similar things.

It is a nightmare.

Don't get me wrong, I am using v6 every day in my job; I love the bigger address space in private segments, you have "virgin" addresses, no need to always use 192.168, 169.254, 172.16 and similar.
But from the concept of security, network security, it is a real mess.
How many times have home users forgotten that there is v6 and simply not set up a proper v6 firewall, for example guest->lan?
Or how hard is it to allow one single Android from guest to access a NAS on the LAN while the others are stopped?
And home users will give up this fight.

Again, I am using v6 every day, with managed switches, and OWRT + other vendors.
But ... again, maybe I am wrong?


Well said. Pretty crazy. It reminds me of UPnP, another 2000s standard that held great promise along the same line of thinking as RA, the port puncturing. I'm thinking the software environment of the Y2K era (which is probably where beta IPv6 and UPnP, etc. incubated in the late 1990s from late-80s/early-90s writings) promoted this mindset among higher-level programmers as standard acceptable practice.

My access points are connected to Netgear managed switches, so I could block it there. How do I do that?

You may consult netgear for that.

I'll disagree that security in IPv4 is any different than in IPv6.

OpenWrt by default includes both v4 and v6 in the zone.

And that is absolutely fine for the majority of the population.
An IPv6 SLAAC address, being based on the interface MAC address, is in most cases static enough.

Which is quite a weak security method, as addresses can be spoofed. So you'd have to have an advanced setup with a managed switch running DHCP snooping, RA guard, etc. to protect from such threats, which goes way beyond the home environment.

Same applies for rogue dhcp servers in IPv4. What is your point?


I'll try to address your points as well as I can, but I'm on mobile...

Yes, they can't use DHCPv6, but this is not that much of an issue, because these mobile devices are not better than shitty IoT. If you need predictable addresses in a corporate environment you can use a VPN...

But that's ok. If you can't trust devices, they are put in an untrusted network.

Regarding unwanted RAs: this needs to be filtered on a switch and not on access points, so I don't see the issue here.


My whole point was that home users are already skilled enough to, somehow, understand v4. Even my grandmother knows that OWRT is on 1.1 by default and will have a DHCP server.
So far, so good.
Human-readable addresses are easy for a firewall; DHCP leases at least give you some kind of control, no, not full control, but at least you have something to set :slight_smile:
Managed switches are good in v4 settings, filtering rogue DHCP / ARP etc.

And now v6 is here, and a HOME user needs to learn at least 10 new technologies to be able to control v6, minimally.
It is something which you give up on, as a HOME user.
No, I don't say that v4 is better than v6 :slight_smile:
Simply, you have double management, and all your knowledge about v4 will be useless with v6.
For everyday HOME users, it is simply too much.
v4 is a mature technology; you can find many examples of how to "fix" things.
v6 is not even implemented as it should be in Android or IoT.
Even managed switches do not have a full stack comparable to v4 to catch rogue devices.

So, to close this off-topic ...
I can understand why HOME users have a fear of v6.

We have a different definition of the home user, hence there is no point in discussing it further. Also, my grandmother doesn't know the IP address of her router, even though she has learnt to use Facebook and Skype. You are picturing quite advanced users, who may be many in your circle of tech-savvy friends, but the vast majority of home users don't care about their IP, nor do they need to access the NAS from the guest network, as they have neither.

Home users know neither v4 nor v6. They want to enter the Wi-Fi password on their phone and start browsing.
