Network separation with a dynamic IPv6-PD

gadean · Jan 13, 2024, 8:02 PM

Hey there,
i'm currently trying to setup IPv6 to get it finally up and running in my network.

First of all a few infos:
Version: 2.7.2-RELEASE
"Do not allow PD/Address release": checked
My IPv6 Prefix changes when i'm rebooting or restart the modem
Yes, my ISP sucks
No, i can't change that

I've 9 networks but for simplicity lets say 3 - it's rinse and repeat for the other network/VLAN.

001_LAN
005_GUEST
170_MGMT

For IPv4 it's easy to create a "internet only" rule:
create an RFC1918 alias
create an inverted firewall rule with the alias
done
login-to-view

But with IPv6 and a changing Prefix, that doesn't work.
The only idea i came up with is creating a "block"-rule for each network and then at the end an "allow"-rule
login-to-view

Downsides:

if i add a new network i've to add a "block"-rule to each network but that doesn't concern me, since i'm not planning on adding another network.
Multiple "block"-rules per network - i don't really care about that

Question:
Does the "... subnets" contain both the GUA and ULA (if configured)?
Would that work or am i missing something?
I should add ICMPv6 rules, right? Since IPv6 loves ICMP :D

Regards,
gadean

Bob.Dig · Jan 13, 2024, 9:23 PM

@gadean said in Network separation with a dynamic IPv6-PD:

Does the "... subnets" contain both the GUA and ULA (if configured)?

Yes

Would that work or am i missing something?

This is the way

I should add ICMPv6 rules, right? Since IPv6 loves ICMP :D

You don't have to.

LARunnerJ · Jan 19, 2024, 5:27 AM

I have two rules to keep segregation between VLANs. I'm not sure if this is what you're trying to do.

login-to-view

The first works for IPv6. For whatever reason, I cannot add it as a part of my private network alias (used for the IPv4 traffic) and have it work. Not a big deal for me. I get a /56 from my ISP.

Joel

gadean · Jan 23, 2024, 9:30 AM

Oh the famous ::0/56 from https://redmine.pfsense.org/issues/6626 - didn't knew it works now :D

The problem with aliases was already discussed in the issue

IonutIT · Jan 23, 2024, 9:32 AM

@gadean

The ::0/56 rule only works if it's set as is (not as an alias) and only in the specific VLAN firewall, it will not work in the Floating section of the firewall. It's definitely a hacky workaround but it does work.

gadean · Jan 29, 2024, 11:01 AM

@Bob-Dig said in Network separation with a dynamic IPv6-PD:

@gadean said in Network separation with a dynamic IPv6-PD:

Does the "... subnets" contain both the GUA and ULA (if configured)?

Yes

Looks like that is not the case.
I've also tried adding a virtual ip (single address/network) to the interface and rebooted, but the ... subnets table contains only my ipv4 and GUA address

Even though the documentation says that it should be included:

Interface Subnets
An entry in this list is present for each interface on the firewall. These macros specify the subnet for that interface exactly, including any IP alias VIP subnets that differ from the defined interface subnet.

Bob.Dig · Jan 29, 2024, 11:12 AM

@gadean said in Network separation with a dynamic IPv6-PD:

Looks like that is not the case.

Right. You need a patch, see here. Too bad it is not included in the auto-patches.

gadean · Jan 29, 2024, 11:14 AM

@Bob-Dig You are the best!
Thanks for the info, i really appreciate it