Secure Wireless Hotspot rule with IPv6
-
How to configure a secure wireless hotspot [1] with IPv6?
With IPv4 a simple rule "allow 443 not RFC1918" was easy, but how to handle this with IPv6?
Rule1 Block all 2001::/56 (my local subnet)
Rule2 Allow all 2001::/16
I start with IPv6 right now and there are more questions than answers at the moment :)
[1] https://docs.netgate.com/pfsense/en/latest/wireless/byod.html?highlight=hotspot
-
@slu simpler solution would just be not to enable IPv6 on your hotspot network, that is for sure..
If your first rule blocked all access to your whole delegated prefix, i.e. that /56 - then how would you ask pfsense via its gua for dns, or ntp, etc.. And 2001::/16 wouldn't be correct anyway.. That overlaps teredo space..
Google AAAA for example is 2607:f8b0:4009:814::2004
Where did you come up with 2001::/16?? I take it your 2001::/56 is an obfuscation of your actual prefix
But in general yes, allow what you want to access via your gua address space for services to pfsense. Then block your prefix for anything else, which would prevent access to any of your other local networks.
As to the last one - you could just allow any versus trying to scope all of public IPv6 space..
-
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
@slu simpler solution would just be not to enable IPv6 on your hotspot network, that is for sure..
Well, that was for years now, but some guests need IPv6 connections.
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
Where did you come up with 2001::/16
I read that in the Netgate docs:
https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html#special-ipv6-subnets
But after your post I see my ISP starts with other IPv6 addresses than 2001, so that must be wrong.
My internal IPv6 networks must be fc00::/7 and the second address some of my ISP's /56 assigned networks.
But what is 2001::/16 for then?
-
@slu said in Secure Wireless Hotspot rule with IPv6:
some guests need IPv6 connections.
No they don't ;) What resource do they need to get to that is only IPv6?
haha - they should update that.. That for sure isn't correct.. If you wanted to create a cidr that included all IPv6 gua space it would be 2000::/3
-
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
No they don't ;) What resource do they need to get to that is only IPv6?
All new internet access here is IPv6 only; in this case you can not connect to any home service from my hotspot network...
-
@slu you're saying you get no IPv4 address, not even a rfc1918 or cgnat range 100.64/10.. I find that a very odd deployment for a normal ISP, i.e. is your isp cellular? For that to work your isp would have to be doing like the phone companies do and translate all your IPv6 traffic to IPv4.. Since a vast majority of the internet is not on IPv6 yet..
If you want to provide IPv6 - you were on the right track, just that 2001::/16 is not correct.. And you would want to allow whatever traffic you might want to the pfsense IPv6 address, dns, ntp, etc.. Then block your local prefix, then either use any for the "internet" for ipv6 or use the 2000::/3 cidr.. They wouldn't be able to get to a shit ton of stuff if you only allowed 2001::/16
-
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
@slu you're saying you get no IPv4 address, not even a rfc1918 or cgnat range 100.64/10.. I find that a very odd deployment for a normal ISP, i.e. is your isp cellular?
I checked this, it must be some rfc1918 or cgnat address because I can access IPv4 services in the internet.
-
@slu said in Secure Wireless Hotspot rule with IPv6:
because I can access IPv4 services in the internet.
They could be doing 464XLAT like the phone companies do.. My phone gets no IPv4 address, not even rfc1918 or cgnat space.. It makes sense with stuff like phones - there are billions of them on the planet.. Even using all of rfc1918 space would not provide for enough address space.. So they would have to overlap and use the same IPs in different regions, etc.. How many phones are on t-mobile for example ;)
But that would seem odd for your typical local isp to do such a thing.. It would be simpler for them to just use cgnat to provide IPv4 if they do not have enough public IPv4 to use.. And then sure assign you a ipv6 prefix
Look on your pfsense wan - you're saying it has no ipv4 address?
As to your clients.. There are no major player services on the planet that you can not get to via IPv4.. So are you talking that they can get to their home plex server or something that is on some other isp that doesn't provide IPv4, so they need to get to their home network from your network via IPv6? That would make sense - but why should you care if they can do that from your hotspot?
Sure if they said hey I can not get to amazon or facebook, or their bank or medical page, etc. But that they can not talk to some service that is only on IPv6.. This is not going to be a major player.. Sure they might not be able to vpn to their home network if their isp doesn't give them ipv4..
-
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
@slu you're saying you get no IPv4 address, not even a rfc1918 or cgnat
The ipv4 is CGNAT and I have a new "ipv6 problem":
my ISP changes the ipv6 subnet prefix /56 with every new dial in.
How do I add a firewall rule with a changing /56 subnet without cutting out
my complete ISP subnet/destinations?
-
@slu said in Secure Wireless Hotspot rule with IPv6:
my ISP changes the ipv6 subnet prefix /56 with every new dial in.
No you don't say ;) It is so unlike an ISP to have some shit IPv6 deployment.. hahahaah
Did you try setting pfsense not to release the prefix?
You can use the variables lan net, lan address. So vs using a cidr, just create specific blocks to your other networks: lan net, opt net, optX net, etc..
So my "simple" solution is looking better isn't it - why exactly do these clients need IPv6 again? They can't get to their home hosted plex servers or something that only have IPv6 for unsolicited inbound traffic.. What major resource on the internet can they not get to exactly with IPv4?
If working with your isp ipv6 deployment methods is painful - you could always just setup a HE tunnel, free /48 that never changes.. And you can setup the PTRs on it as well.. Highly doubt your isp lets you do that with the prefixes they give you that change any time the wind blows..
-
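As an added illustration of the rule order johnpoz describes (allow DNS and NTP to the firewall's own address, block the delegated prefix so the other local networks are unreachable, then allow the rest of GUA space) and of why 2001::/16 is the wrong "internet" destination, here is a small first-match rule evaluator. It is example code written for this thread, not anything from pfSense; the delegated /56, hotspot /64 and firewall address are constructed placeholders from the RFC 3849 documentation range, and the delegated prefix is passed in as a parameter, which is the effect of using "lan net"-style aliases when the ISP hands out a different /56 on every dial-in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known IPv6 ranges mentioned in the thread.
GUA = ipaddress.ip_network("2000::/3")       # all global unicast space
ULA = ipaddress.ip_network("fc00::/7")       # unique local addresses
TEREDO = ipaddress.ip_network("2001::/32")   # Teredo, which sits inside 2001::/16
GOOGLE_AAAA = ipaddress.ip_address("2607:f8b0:4009:814::2004")  # quoted in the thread

# Constructed sample values (RFC 3849 documentation prefix), not a real allocation:
# the ISP-delegated /56, the hotspot /64 carved out of it, and pfSense's address on it.
DELEGATED_PREFIX = ipaddress.ip_network("2001:db8:abcd:100::/56")
HOTSPOT_NET = ipaddress.ip_network("2001:db8:abcd:1ff::/64")
FIREWALL_HOTSPOT_ADDR = ipaddress.ip_address("2001:db8:abcd:1ff::1")


@dataclass
class Rule:
    action: str                           # "pass" or "block"
    proto: str                            # "any", "udp" or "tcp"
    dst: Optional[ipaddress.IPv6Network]  # None means any destination
    dport: Optional[int]                  # None means any port
    label: str


def build_hotspot_rules(delegated, fw_addr):
    """Hotspot ruleset in the order described in the thread; first match wins,
    like pfSense interface rules.  The delegated prefix is a parameter rather
    than a hard-coded CIDR, so a rebuilt ruleset follows a changed /56."""
    fw_host = ipaddress.ip_network(f"{fw_addr}/128")
    return [
        Rule("pass", "udp", fw_host, 53, "DNS to firewall"),
        Rule("pass", "udp", fw_host, 123, "NTP to firewall"),
        Rule("block", "any", delegated, None, "block delegated prefix (other local nets)"),
        Rule("block", "any", ULA, None, "block ULA"),
        Rule("pass", "any", GUA, None, "allow internet GUA"),
    ]


def evaluate(rules, dst, proto="tcp", dport=443):
    """Return (action, label) of the first matching rule, or the implicit default deny."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst is not None and addr not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.label
    return "block", "implicit default deny"


def covers_all_gua(candidate):
    """Does a candidate 'internet' CIDR contain the whole GUA range 2000::/3?"""
    return ipaddress.ip_network(candidate).supernet_of(GUA)


if __name__ == "__main__":
    rules = build_hotspot_rules(DELEGATED_PREFIX, FIREWALL_HOTSPOT_ADDR)
    for dst, proto, port in [
        (str(GOOGLE_AAAA), "tcp", 443),            # public website
        (str(FIREWALL_HOTSPOT_ADDR), "udp", 53),   # DNS to pfSense: allowed
        (str(FIREWALL_HOTSPOT_ADDR), "tcp", 443),  # pfSense web GUI: blocked
        ("2001:db8:abcd:120::10", "tcp", 22),      # host on another local /64: blocked
        ("fd00::1", "tcp", 80),                    # ULA host: blocked
    ]:
        print(f"{dst:>28} {proto}/{port}: {evaluate(rules, dst, proto, port)}")
    print("2001::/16 covers all GUA:", covers_all_gua("2001::/16"))
    print("2001::/16 contains Google AAAA:", GOOGLE_AAAA in ipaddress.ip_network("2001::/16"))
    print("2001::/16 overlaps Teredo:", TEREDO.subnet_of(ipaddress.ip_network("2001::/16")))
```

Running it shows the Google address passing only under the 2000::/3 rule, the firewall reachable for DNS and NTP but not its web GUI, and every host inside the delegated /56 or ULA space blocked; swapping in a different prefix for `DELEGATED_PREFIX` keeps those results without editing any rule.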
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
No you don't say ;)
Yes we have two locations, one with static /56 (no problem) and one with dynamic /56...
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
It is so unlike an ISP to have some shit IPv6 deployment..
You said it, this makes the good IPv6 technology look wrongly bad...
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
Did you try setting pfsense not to release the prefix?
Didn't know that, thanks for the hint!
I'll try...
-
Something related to the captive portal is missing in this thread:
See here: Captive Portal
Currently, Captive Portal does not support IPv6.
IPv6 over Wifi, protected using whatever AP method you use, works just fine.
But when you activate a "captive portal" on a pfSense interface, you have only IPv4 to worry about.
-
@Gertjan
thanks for the hint, I didn't see that.
-
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
haha - they should update that.. That for sure isn't correct.. If you wanted to create a cidr that included all IPv6 gua space it would be 2000::/3
How can we trigger this change in the docs?
-
@slu said in Secure Wireless Hotspot rule with IPv6:
How can we trigger this change in the docs?
You could put in a redmine..
-
@johnpoz said in Secure Wireless Hotspot rule with IPv6:
You could put in a redmine..
https://redmine.pfsense.org/issues/14948
Hope I did it right.