https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29689#M88714 <HTML><HEAD></HEAD><BODY><P>sorted by adding ::ffff:0:0:0/96 to the Security Policies (Stealth one) for IN and OUT.</P><P>NO more packets from mapped ipv6 nat46 addresses out <BR />Also, look at the default gaia clish config of:</P><P>set ipv6 inbound-route-filter ospf3 instance default accept-all-ipv6</P><P>- that is very much the root cause of the packets for kernel ipv6 nat floods.</P><P>@TAC - should you want or have a time for t-shooting that please let me know. I'm happy to be ipv6 lab rabit if y</P></BODY></HTML> Sat, 02 Feb 2019 09:21:40 GMT Jerry 2019-02-02T09:21:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29685#M88710 <HTML><HEAD></HEAD><BODY><P>Hi Mates, got something unusual to you (at least I think it is unique but might be wrong). I cannot get a rid of the logs (stealth-wise) of following entries and R80.20 report them all the time in logs as dropped due to the "missing OS route".</P><P>What do you think? It is just misconcept of ipv6 route vs. nat64/46 or I'm just getting paranoid at some point?</P><P></P><P>Sorry if the entire ipv6 isn't your strongest point Im afraid I live with ipv6 with CP for a while now and each of my customer's plus myself privately uses ipv6 as "dual-stack" all the time so my ipv6 issues are either sporadic and serious or I'm sorting them out myself on-the-fly <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Thanks for all the hints in advance. Here is the log record (should you need anyth. else - ask):</P><P></P><P>ps. bond1 is "internal-lan-interface" not WAN facing one.</P><P></P><P><EM>Time: 2019-02-01T10:48:11Z</EM><BR /><EM>Interface Direction: inbound</EM><BR /><EM>Interface Name: bond1</EM><BR /><EM>Id: 01020301-e6bf-c920-5c54-23eb02ff0000</EM><BR /><EM>Id Generated By Indexer:true</EM><BR /><EM>First: true</EM><BR /><EM>Sequencenum: 4</EM><BR /><EM>Source: ::ffff:0.0.0.3</EM><BR /><EM>Destination: ::ffff:0.0.2.161</EM><BR /><EM>Destination Port: 3</EM><BR /><EM>IP Protocol: 6</EM><BR /><EM>Message Information: <STRONG>Missing OS route</STRONG></EM><BR /><EM>Action: Drop</EM><BR /><EM>Type: Log</EM><BR /><EM>Policy Name: bla-bla-bla</EM><BR /><EM>Policy Management: cp</EM><BR /><EM>Db Tag: {52FA5790-CA72-A24C-A4A7-315A6C4DDFD4}</EM><BR /><EM>Policy Date: 2019-02-01T10:42:14Z</EM><BR /><EM>Blade: Firewall</EM><BR /><EM>Origin: cp</EM><BR /><EM>Service: TCP/3</EM><BR /><EM>Product Family: Access</EM><BR /><EM>Interface: bond1</EM><BR /><EM>Description: TCP/3 Traffic Dropped from ::ffff:0.0.0.3 to ::ffff:0.0.2.161</EM></P><P></P><P><EM><IMG __jive_id="78086" alt="no clue where this is coming from but also ... what to do with that crap :( " class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/78086_tempsnip.png" /></EM></P></BODY></HTML> Fri, 01 Feb 2019 10:59:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29685#M88710 Jerry 2019-02-01T10:59:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29686#M88711 <HTML><HEAD></HEAD><BODY><P>Hi Jerry,&nbsp;</P><P></P><P>I'll be honest, IPv6 on Check Point is not my strongest point at the minute, this is something I intend to lab very shortly. However are the necessary routes present within Gaia for the destination host/network?</P><P></P><P>Might also be worth checking the Linux level routing table to see if the routes are present there. I believe you should be able to execute the "route" command from expert to see this.</P><P></P><P>Failing that I would suggest raising a TAC case to get this looked at.&nbsp;</P><P></P><P>Regards</P><P>Mark</P></BODY></HTML> Fri, 01 Feb 2019 20:03:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29686#M88711 Mark_Mitchell 2019-02-01T20:03:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29687#M88712 <HTML><HEAD></HEAD><BODY><P>Thanks Mark. Indeed it is one of the options. I do appreciate your reply.</P><P></P><P>Let's see what I can do about TAC SR/. In the meantime I'll try to find out whether the routes towards that 'unknown' subnets are actually possible to handle by blackholing to my honeypot or simply re-route somewhere.</P><P>Although I do believe that there is something wrong on the ipv6 stack with <A href="https://community.checkpoint.com/t5/tag/gaiaipv6/tg-p"></A>‌ and I think I found something interesting out there which may clarify me being paranoid. Also in terms of the routing itself I do use ipv6 only internally on that gw hence my frustration with regards to the traffic passers (ipv6 packets out of the blue) which aren't anywhere configured on my net. That's why it is so wired as I do not use any of those IPs anywhere within the infrastructure.</P><P>Maybe now I have managed to clarify that at least a little here.</P><P></P><P>Cheers again and hope to see from you soon <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>J.</P></BODY></HTML> Sat, 02 Feb 2019 07:51:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29687#M88712 Jerry 2019-02-02T07:51:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29688#M88713 <HTML><HEAD></HEAD><BODY><P>I think I found the problem <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;</P><P></P><P>have a look:&nbsp;<A href="https://en.wikipedia.org/wiki/Reserved_IP_addresses">https://en.wikipedia.org/wiki/Reserved_IP_addresses</A></P><P></P><P>I believe one of my SGs is taking the mapped ipv6 multicast from mapped ipv4 address hence that traffic <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;mapping with new R80.20 nat64/nat46 does not yet mattured though <IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/emoticons/silly.png" />&nbsp;</P></BODY></HTML> Sat, 02 Feb 2019 08:55:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29688#M88713 Jerry 2019-02-02T08:55:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29689#M88714 <HTML><HEAD></HEAD><BODY><P>sorted by adding ::ffff:0:0:0/96 to the Security Policies (Stealth one) for IN and OUT.</P><P>NO more packets from mapped ipv6 nat46 addresses out <BR />Also, look at the default gaia clish config of:</P><P>set ipv6 inbound-route-filter ospf3 instance default accept-all-ipv6</P><P>- that is very much the root cause of the packets for kernel ipv6 nat floods.</P><P>@TAC - should you want or have a time for t-shooting that please let me know. I'm happy to be ipv6 lab rabit if y</P></BODY></HTML> Sat, 02 Feb 2019 09:21:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29689#M88714 Jerry 2019-02-02T09:21:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29690#M88715 <HTML><HEAD></HEAD><BODY><P>Hi Jerry,</P><P></P><P>Really glad you managed to find the solution to your problem, and thanks for sharing your solution.&nbsp;</P><P></P><P>Definitely something I am going to lab.</P><P></P><P>Regards</P><P>Mark</P></BODY></HTML> Sat, 02 Feb 2019 10:20:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ipv6-missing-os-route-RFx/m-p/29690#M88715 Mark_Mitchell 2019-02-02T10:20:47Z