Dear FreeBSD Community Members,
I am encountering an anomaly in filtering ICMPv6 Time Exceeded packets using PF and have been unable to resolve it after days of troubleshooting. I hereby submit detailed data for assistance.
### Environment
- **System Version**: FreeBSD 14.2-RELEASE
- **Network Topology**:
  - WAN Interface (vtnet1): ffff:ffff:ffff:c00:be24:11ff:fec8:2995
  - LAN Interface (vtnet0) downstream host: ffff:ffff:ffff:c80::ed01
### Issue
PF rules fail to block ICMPv6 "Time Exceeded" (code `timex`) packets as expected. Packet captures show persistent Time Exceeded packets from both the WAN interface's own address and the LAN downstream host.
### Configuration
**Relevant PF Rules** (via `pfctl -s rules`):
```bash
scrub on vtnet0 inet all max-mss 1452 fragment reassemble
scrub on vtnet0 inet6 all max-mss 1432 fragment reassemble
scrub on vtnet1 inet all max-mss 1452 fragment reassemble
scrub on vtnet1 inet6 all max-mss 1432 fragment reassemble
scrub in all fragment reassemble
block drop in on ! vtnet0 inet6 from ffff:ffff:ffff:c80::/64 to any
block drop in on vtnet0 inet6 from fe80::be24:11ff:feb5:34c2 to any
block drop in inet6 from ffff:ffff:ffff:c80::1 to any
block drop in on ! vtnet1 inet6 from ffff:ffff:ffff:c00::/64 to any
block drop in on vtnet1 inet6 from fe80::be24:11ff:fec8:2995 to any
block drop in inet6 from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any
block drop in on ! vtnet0 inet from 10.0.1.0/24 to any
block drop in inet from 10.0.1.1 to any
block drop in on ! vtnet1 inet from 10.0.0.0/24 to any
block drop in inet from 10.0.0.3 to any
block drop in inet all label "8164f82fd0b4f3b0e0c494228a454c17"
block drop in inet6 all label "8164f82fd0b4f3b0e0c494228a454c17"
pass in quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "626492ff45a8ab017e64d2633e4353a0"
pass in quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "626492ff45a8ab017e64d2633e4353a0"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "626492ff45a8ab017e64d2633e4353a0"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "626492ff45a8ab017e64d2633e4353a0"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "059d951a570d95d8eb0ebe73a815298d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "059d951a570d95d8eb0ebe73a815298d"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "3f20ec4acb4b7b181533fd1c2fc06be8"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "01e29ebb8358a6aba43a844d1ca0fde4"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "01e29ebb8358a6aba43a844d1ca0fde4"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "01e29ebb8358a6aba43a844d1ca0fde4"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "01e29ebb8358a6aba43a844d1ca0fde4"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "01e29ebb8358a6aba43a844d1ca0fde4"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "e002663fbbf99ff36821cb39b887010f"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "e002663fbbf99ff36821cb39b887010f"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "e002663fbbf99ff36821cb39b887010f"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "e002663fbbf99ff36821cb39b887010f"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "e002663fbbf99ff36821cb39b887010f"
block drop in quick inet proto tcp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet proto udp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet6 proto tcp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet6 proto udp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet proto tcp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick inet proto udp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick inet6 proto tcp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick inet6 proto udp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick proto tcp from <sshlockout> to (self) port = ssh label "e4ddd6926820aea1dd5627b7f4af97e7"
block drop in quick proto tcp from <sshlockout> to (self) port = http label "e01434ee628f9054e449c7dc4ae58447"
block drop in quick from <virusprot> to any label "ee12eb4ed372a1de1d91c2c2264a6c6d"
pass in quick on vtnet0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "1df7b65b293bf138df10f236a7889eee"
pass in quick on vtnet0 proto udp from any port = bootpc to (self) port = bootps keep state label "385edc3329288e020aa9bbe9f9914de5"
pass out quick on vtnet0 proto udp from (self) port = bootps to any port = bootpc keep state label "58ca7742b2c97951641023f18e2dd59d"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "93a3ec8d3bffcef3c5aba95049fbce9e"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "93a3ec8d3bffcef3c5aba95049fbce9e"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "30777d55b45b20e9adcc20cb2f3933b3"
pass in quick on vtnet0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "0aeb6bb1a5993a31eeecab028bfe1877"
pass in quick on vtnet0 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "a0f6f000d6307aa53aed01860159cd21"
pass out quick on vtnet0 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "c36df141fbb3aafac8e43d2108af569b"
pass in quick on vtnet1 inet6 proto udp from any to fe80::/10 port = dhcpv6-client keep state label "53acc87a4aa9df50dfb50501555f51f2"
pass out quick on vtnet1 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-server keep state label "f8b4dd066ea6064b85b94f0cae8f2fba"
pass out quick on vtnet1 inet6 proto udp from fe80::/10 port = dhcpv6-client to ff02::/16 port = dhcpv6-server keep state label "f8b4dd066ea6064b85b94f0cae8f2fba"
pass out all flags S/SA keep state allow-opts label "fcc89aee950e474ad952872fb6c678aa"
pass in quick on vtnet0 proto tcp from any to (self) port = ssh flags S/SA keep state label "36d299b849ebe9b05a0f6345a51a906b"
pass in quick on vtnet0 proto tcp from any to (self) port = http flags S/SA keep state label "fef898ed65e45e8c227a870f82b2b68d"
pass out route-to (vtnet1 10.0.0.1) inet from (vtnet1) to ! (vtnet1:network) flags S/SA keep state allow-opts label "da1a7bddd05216fcc8839f084af527e3"
pass out route-to (vtnet1 fe80::d810:3fff:fe54:f853) inet6 from (vtnet1) to ! (vtnet1:network) flags S/SA keep state allow-opts label "357b1d3f657309c37f99bebd6221cf2f"
block drop log quick on vtnet0 inet6 proto ipv6-icmp from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any icmp6-type timex label "bf0651143a049649aac2b9e17d98432e"
block drop log quick on vtnet1 inet6 proto ipv6-icmp from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any icmp6-type timex label "bf0651143a049649aac2b9e17d98432e"
block drop log quick on vtnet0 inet6 proto ipv6-icmp from ffff:ffff:ffff:c80::ed01 to any icmp6-type timex label "1dbd8027ee33d2bdc6c34ea1c778e65a"
block drop log quick on vtnet1 inet6 proto ipv6-icmp from ffff:ffff:ffff:c80::ed01 to any icmp6-type timex label "1dbd8027ee33d2bdc6c34ea1c778e65a"
pass in quick on vtnet1 reply-to (vtnet1 10.0.0.1) inet all flags S/SA keep state label "005917ee3c40de5b8c34240d5d3ddd53"
pass in log quick on vtnet1 reply-to (vtnet1 fe80::d810:3fff:fe54:f853) inet6 all flags S/SA keep state label "db09466eb3b2e76202bc79ee27df9ce6"
pass in quick on vtnet0 inet all flags S/SA keep state label "b7d1f980ddf1e13937003c60a3d4a577"
pass in log quick on vtnet0 inet6 all flags S/SA keep state label "be8eb7fbca3e01bd3889d1057ad851f6"
anchor "iperf" all
```
### Diagnostics
**Packet Capture** (via `tcpdump -i vtnet1 "icmp6 and [...]"`):
```bash
root@OPNsense:~ # tcpdump -i vtnet1 "icmp6 and (host ffff:ffff:ffff:c00:be24:11ff:fec8:2995 or host ffff:ffff:ffff:c80::ed01)"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:54:35.325648 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:36.910490 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:36.977762 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:37.972877 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:38.000617 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:38.970676 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:38.995217 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:39.952570 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:39.992829 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:40.395997 IP6 fe80::d810:3fff:fe54:f853 > ffff:ffff:ffff:c00:be24:11ff:fec8:2995: ICMP6, neighbor solicitation, who has ffff:ffff:ffff:c00:be24:11ff:fec8:2995, length 32
19:54:40.952720 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:40.991098 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:41.954732 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:41.990499 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:42.953133 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:42.992638 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:43.944446 IP6 ffff:ffff:ffff:c00:be24:11ff:fec8:2995 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
19:54:43.992624 IP6 ffff:ffff:ffff:c80::ed01 > [ ... ]: ICMP6, time exceeded in-transit for ffff:ffff:ffff:cf1::52d, length 72
18 packets captured
3566 packets received by filter
0 packets dropped by kernel
```
**Rule Counters**:
```bash
block drop log quick on vtnet0 inet6 proto ipv6-icmp from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any icmp6-type timex label "bf0651143a049649aac2b9e17d98432e"
[ Evaluations: 117 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 23826 State Creations: 0 ]
block drop log quick on vtnet1 inet6 proto ipv6-icmp from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any icmp6-type timex label "bf0651143a049649aac2b9e17d98432e"
[ Evaluations: 35 Packets: 1 Bytes: 112 States: 0 ] # Only 1 packet blocked
[ Inserted: uid 0 pid 23826 State Creations: 0 ]
block drop log quick on vtnet0 inet6 proto ipv6-icmp from ffff:ffff:ffff:c80::ed01 to any icmp6-type timex label "1dbd8027ee33d2bdc6c34ea1c778e65a"
[ Evaluations: 31 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 23826 State Creations: 0 ]
block drop log quick on vtnet1 inet6 proto ipv6-icmp from ffff:ffff:ffff:c80::ed01 to any icmp6-type timex label "1dbd8027ee33d2bdc6c34ea1c778e65a"
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 23826 State Creations: 0 ]
other rules show zero matches
```
### Troubleshooting Completed
- Verified rule load order.
- Issue persists even when blocking all interfaces/directions for Time Exceeded packets.
### Reproduction
Consistently observed for:
1. Firewall-generated ICMPv6 Time Exceeded packets.
2. Packets from LAN downstream host (`ffff:ffff:ffff:c80::ed01`).
### Assistance Requested
1. Are there known limitations in PF for handling ICMPv6 Time Exceeded packets?
2. Does the rule syntax require adjustments?
3. Are there kernel-level parameters needed to enforce this filtering?
Full diagnostics and ruleset are inline above.
Thank you for your time and expertise!
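The following script is an added example of mine, not code from the post or from FreeBSD or OPNsense. It parses the `pfctl -vsr` rule/counter format shown in the post (a rule line, then an `[ Evaluations: ... ]` line and an `[ Inserted: ... ]` line) and reports the two things worth checking first when a block rule shows evaluations but no matches. The relevant PF behaviour it encodes: for ICMPv6 error messages (`unreach`, `toobig`, `timex`, `paramprob`) PF first looks up the state of the packet quoted inside the error; a copy that belongs to an existing state is passed by the state table and the ruleset is not walked for it, so a `block ... icmp6-type timex` rule only ever sees copies with no matching state. The sample input reuses four counter lines from the post; the counters on the appended `pass ... keep state` rule are constructed.

```python
"""Triage `pfctl -vsr` counters to explain block rules that never match."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Counter line pfctl prints after each rule in verbose mode.
COUNTER_RE = re.compile(
    r"^\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]$"
)
RULE_START = ("pass", "block", "match", "scrub", "anchor", "nat", "rdr", "binat")
# ICMPv6 error message types (RFC 4443 types 1 to 4) by their pf.conf names.
ICMP6_ERROR_TYPES = {"unreach", "toobig", "timex", "paramprob"}
STATEFUL_MARKERS = ("keep state", "modulate state", "synproxy state")


@dataclass
class Rule:
    text: str
    evaluations: int = 0
    packets: int = 0
    nbytes: int = 0
    states: int = 0

    @property
    def action(self) -> str:
        return self.text.split()[0]

    @property
    def icmp6_type(self) -> Optional[str]:
        m = re.search(r"\bicmp6-type\s+(\S+)", self.text)
        return m.group(1) if m else None

    @property
    def stateful(self) -> bool:
        return self.action == "pass" and any(k in self.text for k in STATEFUL_MARKERS)


def parse_rules(output: str) -> List[Rule]:
    """Parse `pfctl -vsr` output (also -vvsr, which prefixes rules with "@N")."""
    rules: List[Rule] = []
    for raw in output.splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop hand-written annotations
        line = re.sub(r"^@\d+\s+", "", line)   # strip -vv rule numbers
        if not line or line.startswith("[ Inserted"):
            continue
        m = COUNTER_RE.match(line)
        if m:
            if not rules:
                raise ValueError("counter line before any rule: " + line)
            r = rules[-1]
            r.evaluations, r.packets, r.nbytes, r.states = (int(x) for x in m.groups())
        elif line.startswith(RULE_START):
            rules.append(Rule(text=line))
        else:
            raise ValueError("unrecognised line: " + line)
    return rules


def triage(rules: List[Rule]) -> List[str]:
    """Return one finding per suspicious block rule, in ruleset order."""
    has_stateful_pass = any(r.stateful for r in rules)
    findings: List[str] = []
    for i, r in enumerate(rules):
        if r.action != "block" or r.evaluations == 0:
            continue
        if r.packets == 0:
            findings.append(f"rule {i}: evaluated {r.evaluations} times, matched 0 packets")
        if r.icmp6_type in ICMP6_ERROR_TYPES and has_stateful_pass:
            findings.append(
                f"rule {i}: icmp6-type {r.icmp6_type} is an ICMPv6 error message; copies "
                "that quote a packet of an existing state are passed by the state table "
                "before the ruleset is walked, so only stateless copies reach this rule"
            )
    return findings


# Sample input: four lines taken from the post's counter output, plus one
# stateful pass rule from its ruleset with constructed counters.
SAMPLE = """\
block drop log quick on vtnet0 inet6 proto ipv6-icmp from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any icmp6-type timex label "bf0651143a049649aac2b9e17d98432e"
  [ Evaluations: 117       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 23826 State Creations: 0     ]
block drop log quick on vtnet1 inet6 proto ipv6-icmp from ffff:ffff:ffff:c00:be24:11ff:fec8:2995 to any icmp6-type timex label "bf0651143a049649aac2b9e17d98432e"
  [ Evaluations: 35        Packets: 1         Bytes: 112         States: 0     ] # Only 1 packet blocked
  [ Inserted: uid 0 pid 23826 State Creations: 0     ]
pass in log quick on vtnet1 reply-to (vtnet1 fe80::d810:3fff:fe54:f853) inet6 all flags S/SA keep state label "db09466eb3b2e76202bc79ee27df9ce6"
  [ Evaluations: 40        Packets: 2980      Bytes: 310112      States: 12    ]
  [ Inserted: uid 0 pid 23826 State Creations: 31    ]
"""

if __name__ == "__main__":
    for finding in triage(parse_rules(SAMPLE)):
        print(finding)
```

Run it against live output with `pfctl -vsr | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`. A `timex` block rule whose Evaluations column climbs while Packets stays at zero is consistent with the state table handling the traffic; the one packet counted on the vtnet1 rule is what you would expect for a copy whose original flow no longer had a state.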