IPv6 Firewall rules for external internet access only
-
I am trying to ensure that devices in my environment are able to utilize Global Unicast Addresses for internet access, but I am running into a brick wall when it comes to cross-VLAN protections.
I receive a /60 block from the ISP and utilize SLAAC to distribute a /64 to each VLAN. Addresses are working perfectly, my clients are getting auto-configured. The /60 block I am receiving from the ISP, however, is not static. It should be, but over the past year while testing various things, it has shown to not be stable. Before anyone comments on it, I am not sending release notices and I am using a static DUID-EN.
Now for the firewall rule part of things:
I operate a whitelist-only network, so my rules explicitly allow traffic with a default reject/deny. For all of my IPv4 traffic I am able to utilize a firewall rule that allows traffic from the local subnet on that interface to any non-RFC1918 address on selected ports to ensure outbound internet access is available, without opening up any traffic east-west between VLANs. This is possible because of local IPv4 behind NAT. I cannot seem to come up with an equivalent protection in a GUA IPv6 environment.
That rule looks like:
IPv4-only allow from lan_subnets to NOT RFC1918
If I create a "similar" IPv6 rule like so:
IPv6-only allow from lan_subnets to NOT wan_subnets
then my firewall will allow traffic to anything not in the /60 prefix allocated to the WAN. However, that means it also allows traffic to any other VLAN using ULA addresses, etc. Absolutely not the intended behavior.
If I instead create an IP alias that contains the /60 prefix I received from the ISP as well as the entire RFC4193 ULA space, then as soon as my ISP prefix changes, and clients update their address, traffic now falls outside of the alias and all east-west traffic opens up without notice. Absolutely unacceptable.
There must be some way to handle this, both for the obvious compliance/audit constraints on certain networks but also basic network security. I just seem to be missing something here. Any help would be appreciated.
-
@Destari You can create an interface group, containing all the interfaces with IPv6. Now you have that interface group's subnet-alias. That will be updated with a prefix change and can be used in any rule.
But prefix changes don't work well in pfSense in general, which is a different topic.
-
@Bob-Dig That looks like it worked! Is there a limitation I should be aware of with how quickly those rules will update? I just don't want to leave an open hole in my firewall whenever my ISP drops the ball.
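The three rule designs discussed in this thread can be modelled to see exactly where each one leaks. The following is an added example, not code from the thread or from pfSense: it treats each design as "allow from lan_subnets to NOT alias" and only varies what the alias contains. The interface group alias is modelled as Bob-Dig describes it, rebuilt from the interfaces' current subnets after a prefix change; the hand-written alias is left stale, as in the scenario from the question. All prefixes, the two-VLAN layout and the destination hosts are constructed from the 2001:db8::/32 documentation range and are not the poster's real addresses.

```python
"""Model of the IPv6 egress rule designs from the thread (constructed example)."""
from ipaddress import IPv6Address, IPv6Network

ULA = IPv6Network("fc00::/7")         # RFC 4193 unique local addresses
LINK_LOCAL = IPv6Network("fe80::/10")

# Constructed ISP delegations: the /60 the firewall had when the alias was
# written, and the /60 it received after an unannounced renumbering.
OLD_DELEGATION = "2001:db8:abcd::/60"
NEW_DELEGATION = "2001:db8:beef::/60"


def vlan_subnets(delegation: str) -> list[IPv6Network]:
    """SLAAC hands one /64 per VLAN out of the delegated /60 (two VLANs here)."""
    return list(IPv6Network(delegation).subnets(new_prefix=64))[1:3]


def wan_subnets_alias(current_delegation: str) -> list[IPv6Network]:
    """First attempt in the question: 'NOT wan_subnets', i.e. only the ISP /60."""
    return [IPv6Network(current_delegation)]


def static_alias(delegation: str) -> list[IPv6Network]:
    """Second attempt: hand-maintained alias of the ISP /60 plus the ULA space."""
    return [IPv6Network(delegation), ULA, LINK_LOCAL]


def interface_group_alias(current_delegation: str) -> list[IPv6Network]:
    """Reply's design: the interface group's subnet alias, which the firewall
    rebuilds from the interfaces' *current* addresses, plus ULA and link-local."""
    return vlan_subnets(current_delegation) + [ULA, LINK_LOCAL]


def egress_allowed(dst: str, local_alias: list[IPv6Network]) -> bool:
    """'allow from lan_subnets to NOT local_alias': pass unless dst is local."""
    addr = IPv6Address(dst)
    return not any(addr in net for net in local_alias)


# Constructed destinations as seen after the ISP renumbered to NEW_DELEGATION.
TARGETS = {
    "internet": "2001:db8:9999::53",      # outside both delegations
    "ula_vlan": "fd12:3456:789a:1::1",    # another VLAN's ULA address
    "gua_vlan_new": "2001:db8:beef:2::1", # another VLAN's GUA after renumber
    "gua_vlan_old": "2001:db8:abcd:2::1", # that host's pre-renumber GUA
}


def compare_after_renumber() -> dict[str, dict[str, bool]]:
    """Verdict of each rule design for every target, True meaning 'passed'."""
    designs = {
        "wan_subnets_only": wan_subnets_alias(NEW_DELEGATION),
        "static_alias": static_alias(OLD_DELEGATION),         # nobody edited it
        "interface_group": interface_group_alias(NEW_DELEGATION),
    }
    return {
        name: {label: egress_allowed(dst, alias) for label, dst in TARGETS.items()}
        for name, alias in designs.items()
    }


if __name__ == "__main__":
    for design, verdicts in compare_after_renumber().items():
        leaks = [k for k, passed in verdicts.items() if passed and k != "internet"]
        print(f"{design:18s} {verdicts}  east-west leaks: {leaks or 'none'}")
```

Running it shows the two failure modes from the question side by side: "wan_subnets_only" passes the ULA destination, and the stale "static_alias" passes the neighbouring VLAN's new GUA the moment the prefix changes, while the interface-group model blocks both and still passes the internet host. The old GUA passing under "interface_group" is harmless, since that prefix is no longer routed to any local interface.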