Video Screencast Help

Firewall blocks IPV6 traffic

Created: 19 Jun 2012 | 3 comments

Hi everyboody,

endpoint protection firewall blocks an IPV6 traffic and I am not sure if this is traffic which needs to be blocked or which I can safely allow:

Direction: incoming
Protocol: UDP
Remote Host: FE80:0:0:0:943A:C7BF:A417:1F96
Remote Port: 61940
Local Host: FF02:0:0:0:0:0:0:C
Local Port: 1900

I have the same occurences several times and I suspect this is local traffic within our network. Unfortunately I am not well versed with IPV6 addresses. Maybe somebody could enlighten me?


Comments 3 CommentsJump to latest comment

greg12's picture

AFAIK, FF02:0:0:0:0:0:0:C is a pre-defined multicast address for IPv6 DHCP servers. The FE80... address is probably a link-local IPv6 client address (see here).

I assume your clients are configured to get their IPv6 addresses automatically from DHCP. The traffic you see is their (failing) attempt to accomplish this.

The data you have posted arguably stem from a DHCP server.

If you have a traditional IPv4 infrastructure with IPv4 DHCP, the blocked traffic shouldn't bother you.

Check the traffic log at the SEP client (View Logs > Network Threat Protection > View Logs > Traffic Log). You'll see the rule which is the cause of this behavior. Probably it's not a IPv6 blocking rule (you are using SEP 12.1) but something like "Block all other IP traffic".


omg1010's picture

Hi Mark,

my infrastructure in principle is a D-Link Router which acts as DHCP server (IPv4 only). On my server (server 2008) I can see a service DHCP Client being started but I suppose that is not the one causing this behavior.

The applicable rule is: "block UPNP discovery" ...


Jason1222's picture

Greg's guess is probably the closest you will get to an accurate answer.

IPv6 traffic is blocked by default.

Lest's break it down a little more:

Remote Host: FE80:0:0:0:943A:C7BF:A417:1F96

This is the equivalent to an APIPA address. An address that is automatically assigned to a machine, by itself from a failure to acquire an address from a DHCP server and not having one statically assigned.  The IPv4 equivalent would be 169.254.x.x  Thus allowing for all clients on a local subnet to be able to continue to communicate with each other if failure of a DHCP server were to occur.

Local Host: FF02:0:0:0:0:0:0:C is the default broadcast address for SSDP (Simple Service Discovery Protocol).  It's IPv4 equivalent is:

SSDP uses UDP traffic, so this is normal logs and it is also normal to see it blocked.

* * * * * * *

Do you have Windows 7/Vista or Linux/Mac boxes that have IPv6 capabilities?

Basically, one or more (depending on the log files and different Remote Host IPs) is just sending a regular packet every now and again (UDP).  It is asking for anyone using IPv6 traffic on the segment, to reply and say: "Hey, I'm here and these are the services I am running and the ports they are using".  Like, DHCP, Wins, DNS, NTP, IIS, Apache, etc.

* * * * * * * *

Now, back to the original question.  Safe and to allow?

Well, from the machine blocking the requests, open a command prompt (elevated) and:

PING -a FE80:0:0:0:943A:C7BF:A417:1F96

The machine should return it's registerd name.

If you know and trust it, you could safely disregard these messages.  IPv6 is not completely pass through (yet), so you should consider the possibility of disabling this rule might allow external traffic (that you don't want) into your network.

Hope that helps.