@louis2 said in Firewalling MAC addresses:
can have multiple addresses in favor of multiple functions / applications. So this all together makes it impossible to filter on IP-address.
While yes, clients can have multiple IPv6 addresses - they don't have to.
If applicable/needed, my servers are accessible from the internet via IPv6.
Why? Do you have clients that only have IPv6? While again using IPv6, are you behind IPv4 NAT and can only provide access that is not NATted via IPv6?
So if IPv6 is available it will use IPv6.
Which is another good reason that if you're not up to speed on all the differences and changes that IPv6 brings, to just not use it..
b) Multiple and changing global addresses (fixed, temporarily, changing all the time for security reasons)
Again they do not have to. My NTP server is served to the public via the NTP pool; its IPv6 only has the 1 address I gave it - and it doesn't change.. It doesn't use temp IPv6 addresses, because I told it not to, etc..
If you are not ready to embrace all the changes that come with IPv6 - don't use it, or yeah, you're going to have to ramp up and learn how to handle the differences. MAC addresses are not the solution to firewalling IPv6 and, as stated, pfSense does not have any real support for using MAC addresses in filtering other than captive portal, or limits by doing static ARP, etc. If you need to or feel you need/want to use MAC filtering in your network - then you're prob better off using something else as your firewall that supports it. pfSense has limited MAC abilities from a firewall point of view, and I don't think they are going to be adding any new abilities in that area like next week ;)
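The post's point is that a host's IPv6 addresses only keep changing if it is generating RFC 4941 temporary ("privacy") addresses, and that an admin can turn that off so a server keeps one stable global address that a firewall rule can match. The following shell script is an added example, not code from the thread or from pfSense: it audits a Linux host's `ip -6 addr show` output for temporary addresses and prints the `use_tempaddr` sysctls that disable them. The interface name, prefix and addresses in the embedded sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host for RFC 4941
# temporary IPv6 addresses, the mechanism that makes a client's global
# address change over time. Input is the text of `ip -6 addr show`;
# a constructed sample is embedded so the script runs offline.

# Constructed sample: one stable SLAAC address, one temporary address,
# one link-local address on a hypothetical interface eth0.
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:0:5c3a:91ff:fe12:aa01/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Print "iface address/prefixlen" for every address flagged "temporary".
# The interface name is taken from the preceding "N: ifname:" header line.
list_temp_addrs() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / { split($2, a, ":"); iface = a[1]; next }
        $1 == "inet6" && / temporary / { print iface, $2 }
    '
}

# Number of temporary addresses; 0 means the host only has stable addresses.
count_temp_addrs() {
    list_temp_addrs "$1" | wc -l | tr -d ' '
}

# Linux sysctls that stop the kernel from generating temporary addresses.
# They are printed rather than applied so the script stays a read-only audit.
temp_addr_sysctls() {
    printf '%s\n' \
        'net.ipv6.conf.all.use_tempaddr=0' \
        'net.ipv6.conf.default.use_tempaddr=0'
}

main() {
    n=$(count_temp_addrs "$1")
    echo "temporary IPv6 addresses found: $n"
    list_temp_addrs "$1"
    if [ "$n" -gt 0 ]; then
        echo "to pin the host to its stable address, set:"
        temp_addr_sysctls
    fi
}

# Runs against the constructed sample; on a live host use: main "$(ip -6 addr show)"
main "$SAMPLE_IP6"
```

On a real host the sysctls above only affect Linux; other operating systems expose the same RFC 4941 switch under different names, and the stable address still has to be assigned statically or via EUI-64/SLAAC so it survives a reboot.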