Can FQDN resolve to the active IPV6 address?
-
I'm trying to create a firewall rule to block IPV6 traffic from an iOS device that's being routed through my VPN. An alias defined with an FQDN for the device works for routing its IPV4 traffic, but not for its IPV6 traffic. Every time the device connects to the network it gets a new IPV6 address (the IPV4 address stays the same unless I renew the lease.)
I'm happy to set static IPs to get around this problem, but while I can set a static IPV4 address it seems that iOS doesn't allow configuration of a static IPV6 address. Usually there are 2-4 IPV6 addresses in the list, but they can't be edited. Even in Static mode the last IPV6 address in the list changes each time the device connects, and that seems to be the active address (the other addresses generally stay constant, but don't work in the firewall rules.)
Is there any way to get an FQDN to resolve to the active IPV6 address?
-
Those changing addresses are called privacy addresses. They change regularly. On my computer, I get a new one every day and they last for a week. However, there should also be a consistent MAC address based address. However, that one is not normally used for outgoing connections. One of the privacy addresses will be and will change regularly. I doubt there will be a FQDN for those addresses. On my own network, the DNS points to the MAC based addresses, not privacy.
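The reply above distinguishes the stable, MAC-derived address from the privacy addresses a client actually uses for outgoing connections. The following is an added example, not code from the thread or from pfSense: it derives both kinds of address for a constructed /64 prefix and MAC, and shows why an exact-address (host/FQDN alias) match misses the privacy address while a prefix match on the client's own segment catches it. The stable address follows RFC 4291 modified EUI-64; the temporary address is modelled as a random interface identifier with the u/l bit cleared, which is the property of RFC 4941 privacy addresses the example relies on. All prefix and MAC values are constructed.

```python
"""
Added example (not from the thread): stable vs. privacy IPv6 addresses and why
only a prefix match, not a host/FQDN alias, reliably selects a privacy-address client.
"""
import ipaddress
import secrets

SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5600::/64")  # constructed
SAMPLE_MAC = "00:11:22:33:44:55"                                   # constructed
UL_BIT = 1 << 57  # universal/local bit of a 64-bit modified EUI-64 IID


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = raw[:3] + b"\xff\xfe" + raw[3:]          # insert FF:FE in the middle
    return int.from_bytes(eui, "big") ^ UL_BIT      # invert the u/l bit


def stable_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The consistent, MAC-derived address a DNS record can safely point at."""
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_iid(mac))


def temporary_address(prefix: ipaddress.IPv6Network,
                      randbits=secrets.randbits) -> ipaddress.IPv6Address:
    """A privacy address: same prefix, random IID, regenerated by the client over time."""
    iid = randbits(64) & ~UL_BIT                    # random IIDs carry u/l = 0
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def looks_eui64(addr: ipaddress.IPv6Address) -> bool:
    """Heuristic: the IID carries the FF:FE marker and u/l = 1, i.e. it is MAC-derived."""
    iid = addr.packed[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)


def host_alias_matches(addr: ipaddress.IPv6Address, alias_addrs) -> bool:
    """Exact-address match, which is all a host/FQDN alias can do."""
    return addr in set(alias_addrs)


def prefix_matches(addr: ipaddress.IPv6Address, prefix: ipaddress.IPv6Network) -> bool:
    """Network match: selects the client's whole /64, e.g. a dedicated VLAN's prefix."""
    return addr in prefix


def demo(prefix=SAMPLE_PREFIX, mac=SAMPLE_MAC) -> dict:
    """Compare what a host alias and a prefix rule see for one client."""
    stable = stable_address(prefix, mac)
    temp = temporary_address(prefix)
    return {
        "stable": str(stable),
        "temporary": str(temp),
        "temporary_is_eui64": looks_eui64(temp),
        "alias_catches_temporary": host_alias_matches(temp, [stable]),
        "prefix_catches_temporary": prefix_matches(temp, prefix),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it twice and the temporary address differs each time while the stable one does not; the alias result stays False and the prefix result stays True, which is the reason the later replies steer towards a separate segment (own prefix) for the devices to be policy-routed.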
-
I'm trying to create a firewall rule to block IPV6 traffic from an iOS device that's being routed through my VPN. An alias defined with an FQDN for the device works for routing its IPV4 traffic, but not for its IPV6 traffic. Every time the device connects to the network it gets a new IPV6 address (the IPV4 address stays the same unless I renew the lease.)
I'm happy to set static IPs to get around this problem, but while I can set a static IPV4 address it seems that iOS doesn't allow configuration of a static IPV6 address. Usually there are 2-4 IPV6 addresses in the list, but they can't be edited. Even in Static mode the last IPV6 address in the list changes each time the device connects, and that seems to be the active address (the other addresses generally stay constant, but don't work in the firewall rules.)
Is there any way to get an FQDN to resolve to the active IPV6 address?
The phone reads the router advertised subnet prefix in an icmp packet, and generates random addresses that are not currently in use for its outgoing connections. These addresses change regularly, and are not predictable.
pfSense somehow "knows" which device those addresses belong to, because it knows the associated MAC address, and that one (presumably) stays the same. But I don't think that you can make a firewall rule on that one.
I don't know how you can accomplish what you need with IPv6. Maybe with MAC-based VLANs, but I don't think pfSense supports those.
-
Thanks for the replies. Pretty much confirms what I thought.
pfSense knows the MAC addresses of all the devices connected to my network. Sure would be nice if it supported firewall rules based on LAN MAC addresses. Seems like it wouldn't be hard to implement. Is there some security reason not to support it?
-
Thanks for the replies. Pretty much confirms what I thought.
pfSense knows the MAC addresses of all the devices connected to my network. Sure would be nice if it supported firewall rules based on LAN MAC addresses. Seems like it wouldn't be hard to implement. Is there some security reason not to support it?
Read me first to see what has been said already ;)
-
you could just turn off ipv6 on your network ;)
Or you could put your ios device on a different segment so you can route the traffic that way. Dynamic vlans are the perfect sort of solution for this when you want to use the same ssid, etc.
Privacy IPs yeah going to make a lot of firewalling stuff more difficult..
-
Thanks for the replies. Pretty much confirms what I thought.
pfSense knows the MAC addresses of all the devices connected to my network. Sure would be nice if it supported firewall rules based on LAN MAC addresses. Seems like it wouldn't be hard to implement. Is there some security reason not to support it?
You said that iPhone was coming through a VPN. That means its MAC will not be available. MAC addresses are on the local network only. They do not pass through routers, most VPNs etc..
-
I don't think the device is coming in a vpn, sounds to me like he is trying to route specific traffic out a vpn.. i.e. a client vpn setup on pfsense. In such a case pfsense would know the mac of the device behind it on one of its locally connected networks.
-
johnpz is correct. I'm trying to route iOS devices to the VPN.
I haven't dug into VLANs yet, but if I understand the recommendation it sounds like I could put all devices that use the VPN on a separate segment and route based on that. I'll check it out.
Meanwhile, yeah – I turned off IPV6.
-
Yup if you want specific devices to use vpn be it ipv4 or ipv6 if you put them on their own network then really easy to force all their traffic or all their ipv6 or ipv4 traffic out a vpn..
If you're going to want to play with vlans you will want/need a vlan capable switch and a vlan capable AP.. After that its easy peasy lemon squeezy.. Both such devices are very reasonably priced these days even on a home budget..
With IPv4 it's not an issue, just doing simple policy routing.. But with ipv6 and the temp addresses for outgoing connections that clients use it gets to be more difficult to be sure. So unless you can turn those off on a client and set them up to only use a specific ipv6 address it is very difficult to know what ipv6 address is a specific client.
-
If you're going to want to play with vlans you will want/need a vlan capable switch and a vlan capable AP.. After that its easy peasy lemon squeezy.. Both such devices are very reasonably priced these days even on a home budget..
Yeah, just before reading your post my quick study of VLAN revealed that I'll need new hardware. Reasonable prices on an individual basis, but to be able to route any device to the VPN or not, I'll have to replace five GB switches and 2 APs, one of which is 802.11/ac. Probably looking at about $400-$500, less what I can get for the old stuff on eBay. Any recommendations on models?
Also, my switches are cascaded (daisy-chained). I think I'd have to set it up so the ports used for cascading aren't defined as VLAN ports so a downstream switch can have ports on two different VLANs and they would pass through on upstream non-VLAN ports to the router. In other words, only ports connected to devices would be assigned to a VLAN, not the interconnecting ports. Would that work?
All that said, given the cost its probably best to disable IPV6 until iOS allows configuration of static IPV6 addresses. OSX does, so maybe there's hope. Maybe iOS 11 will have it.
[EDIT] I just realized that a managed wireless AP might do the trick because the iOS devices are wireless only. Can the managed AP enter the LAN through one of the unmanaged switches and still have its respective VLANs respected? What about rest of the devices that connect to the unmanaged switches? Would they just be on the regular LAN?
-
What switches do you have and what AP?
You can connect a dumb switch to a vlan switch where all ports on the dumb switch are on a specific vlan you set on the smart switch.. And while a dumb switch can carry vlan tags quite often.. That is a borked setup.. Understand how you're connected and why and what devices are where and we can determine if you can still get by with leveraging your dumb switches..
If they are all just downstream from say a core switch then replace the core with smart and you can still use all your dumb - just limited to all devices on the dumb would have to be on the same vlan. But each dumb could be on a different vlan.
Also how many nics does pfsense have? You can just do physical networking vs vlans for wired devices. And if you can connect an AP that does vlans directly to a pfsense port you could still do vlans.
Running vlans over a dumb switch can work - but its BORKED setup.. And not secure, etc. etc.. And depending on the dumb switch it could strip the tags, etc. But again you most likely would not have to replace all your switches just the 1 between your AP and pfsense if you can not connect your AP directly to pfsense.
All of that said switches that can do vlans are not all that expensive.. Nor are AP that can do vlans..
Best case cost.
5 x 8 port smart = 5 x $30 = $150
2 x AP (both AC) = 2 x $80 = $180
So brand new equipment you're looking at 330 roughly..
The unifi ac lite model is $80
And you can pick up 8 port gig switches, tp-link, netgear, etc. for 30 bucks..
If you draw up your network and what hardware you're working with for port density, AP (maybe they run 3rd party firmware like dd-wrt that does vlans) we can figure out how to get you started with vlans on the cheap!!!
Depending on your layout maybe you only need 1 switch and can get by with 1 AP to provide you the guest and other wifi networks you want, etc.
-
Doh! I thought I needed a managed switch to get VLAN capability, and that was going to run $55-$65 per switch. When you mentioned $30 I found some "unmanaged" switches that have fully configurable VLAN support, like the TP-Link TL-SG108E for $33. Thanks.
My setup is detailed below. I think the big problem is that I have three switches cascaded downstream from my main switch (the one on the pfSense LAN NIC). Even if I replace all three dumb switches with smart switches, all the devices on those switches would have to be on the same VLAN unless I cascade them on non-VLAN ports. Can I do that? Will the non-VLAN ports pass VLAN tags? I suspect you would call this configuration "borked", but I don't see any other way to be able to configure any downstream devices to use any VLAN.
That said, I think most – if not all – of the downstream devices don't have IPV6 capability, so I can route them to the VPN (or not) based on their host names or configure static IPV4 addresses for them. The only real issue is dealing with the iOS devices coming through the main AP. Those need to be on VLANs so I can route their IPV6 traffic properly.
I think I can do this with a single AP (or maybe two if I want to route guests through the VPN, which is doubtful). Would it be totally borked to have a couple of VLANs defined in the AP and have all the hardwired devices on the non-VLAN network? After all, doesn't the AP have to connect to the main switch on a non-VLAN port?
Here's my setup:

OFFICE (work at home, so it's a business office)
Running pfSense on a Zotac ZBOX C1327 with two NICs (not expandable)
ZBOX NIC rel0 ----> Comcast Business DPC3939 modem/router in bridged mode (75mbps/15mbps, native IPV6.)
ZBOX NIC rel1 ----> Dumb switch #1 (NetGear GS108)

Dumb Switch #1 ----> ZBOX NIC rel1
----> Dumb switch #2 in office (NetGear GS308)
----> Dumb switch #3 in upstairs entertainment center (NetGear GS108)
----> AP - Secure 802.11ac/b/g/n primary wi-fi network (Apple Time Capsule, bridged)
----> 2 printers
----> 2 SDRs (software defined radios)

Dumb Switch #2 ----> Dumb switch #1
----> Dumb switch #4 in basement equipment closet (old Linksys 10/100 switch, not currently used)
----> SDR

Time Capsule ----> Dumb switch #1
----> Desktop PC
----> MacBook Pro

ENTERTAINMENT CENTER
Dumb switch #3 ----> Dumb switch #1 in office
----> Dumb switch #5 in basement entertainment center (Netgear GS108)
----> Dish Hopper
----> Apple TV
----> DVD Player
----> Serial-to-Ethernet converter for audio system control

BASEMENT ENTERTAINMENT CENTER
Dumb switch #5 ----> Dumb switch #3
----> Dumb switch #6 on utility panel (NetGear GS105)
----> Dish Joey
----> TV
----> PS 4
----> AV receiver
----> DVD Player
----> Apple Time Capsule (older model, runs unsecured Guest network)

UTILITY PANEL
Dumb switch #6 ----> Dumb switch #5
----> Electricity usage monitor
----> Interface/storage for electricity monitor
----> Vonage telephone interface

BASEMENT EQUIPMENT CLOSET
Dumb switch #4 ----> Dumb switch #1
-
"TP-Link TL-SG108E"
One thing on that switch, there has been tons of talk here about the tp-link cheap switches. And while they do support vlans.. You can not remove vlan 1 from any port.. For a home/smb setup not a deal breaker.. But its pretty shitty to be honest.. I have one in my av cab..
"Even if I replace all three dumb switches with smart switches, all the devices on those switches would have to be on the same VLAN unless I cascade them on non-VLAN ports. "
No.. that is not how it works.. If you have 3 smart switches daisy chained then any port on any switch in that chain could be on any vlan you want.. So you have a nice breakdown here of your devices. Which devices there do you want on different networks/vlans?
If you state what vlan/network you want on your devices then we can figure out how many smart switches you need..
"doesn't the AP have to connect to the main switch on a non-VLAN port?"
Again no that is not how it works.. The port you connect to your AP (that is going to do vlans) would be a trunk port, ie it would carry tags of all the different vlans you want to use on your wifi networks..
If you're going to connect your AP to your switch1, and all the devices downstream can be on the same network, or at least all devices on the downstream switches can be on the same, then you only need 1 smart switch..
So you have this.. See attached.
-
I think I get it. I happened to read up on access ports and trunk ports before you posted but didn't realize the AP would connect via a trunk port and the switches would be cascaded on trunk ports. That makes sense.
I'm not clear on what happens to the underlying LAN subnet when you use a VLAN. If a smart switch is connected to the firewall NIC via a trunk, must all the switch ports be assigned to a VLAN or designated as a trunk, or can a port be neither – i.e., on the underlying LAN subnet? In other words, once you enable/define VLAN ports is the underlying LAN subnet directly accessible?
Suppose I had a dumb switch connected to the NIC and a smart switch connected via a trunk port to the dumb switch. Would the dumb switch be able to pass the trunk info? If so, then the other ports on the dumb switch would be on the underlying LAN subnet, right?
One reason I'm asking about this is to determine how to connect to the pfSense web interface in a VLAN environment (especially when defining the VLANs.) I saw a recommendation not to use the same LAN for VLANs that's used to connect to pfSense. I only have one LAN NIC, so that's not possible. I've also seen instructions to enable WAN access to the firewall when defining VLANs to keep from getting locked out. Not sure I like that idea. So I'm wondering if I can connect to pfSense on the underlying LAN subnet by using a switch port that's not defined as a VLAN or trunk port.
-
"dumb" switches usually (at least my dumb switches work that way) don't touch the 802.1q tags: dumb switches ignore them and pass them on. so yes: you can feed a trunk port into a dumb switch, and split the packets to the correct vlan with a "smart" switch connected to the dumb switch.
-
"Suppose I had a dumb switch connected to the NIC and a smart switch connected via a trunk port to the dumb switch. "
And what vlan on that trunk would be the native untagged vlan? You would not configure it that way. The port you connect a dumb switch to would be just access and be in a specific vlan on the smart switch and any traffic sent out its port would be untagged..
What you would do in your setup is lan would be untagged the native network on the physical interface.. Then any other networks you create would be vlans that sit on top of the physical lan interface and their traffic would be tagged.
So are you going to mark your stuff on what should be in what? And we can draw it up - which makes it easier to understand.
-
I think I get it. I happened to read up on access ports and trunk ports before you posted but didn't realize the AP would connect via a trunk port and the switches would be cascaded on trunk ports. That makes sense.
I'm not clear on what happens to the underlying LAN subnet when you use a VLAN. If a smart switch is connected to the firewall NIC via a trunk, must all the switch ports be assigned to a VLAN or designated as a trunk, or can a port be neither – i.e., on the underlying LAN subnet? In other words, once you enable/define VLAN ports is the underlying LAN subnet directly accessible?
Suppose I had a dumb switch connected to the NIC and a smart switch connected via a trunk port to the dumb switch. Would the dumb switch be able to pass the trunk info? If so, then the other ports on the dumb switch would be on the underlying LAN subnet, right?
One reason I'm asking about this is to determine how to connect to the pfSense web interface in a VLAN environment (especially when defining the VLANs.) I saw a recommendation not to use the same LAN for VLANs that's used to connect to pfSense. I only have one LAN NIC, so that's not possible. I've also seen instructions to enable WAN access to the firewall when defining VLANs to keep from getting locked out. Not sure I like that idea. So I'm wondering if I can connect to pfSense on the underlying LAN subnet by using a switch port that's not defined as a VLAN or trunk port.
What happens is VLAN tags are applied to frames that are on a VLAN. However, the VLAN traffic is mixed in with the native LAN traffic. Only devices that are configured for the VLAN will receive those frames. Dumb switches are generally capable of passing VLAN frames. In pfSense, you can configure VLANs on an interface and then use it as you would any other interface.
-
"Dumb switches are generally capable of passing VLAN frames."
True but they do not honor them or understand them.. So to them all traffic is no different than its default traffic… So you lose your separation of layer 2 traffic and broadcast and multicast that should be in a vlan now get sent to all ports on the switch.. Its not a good edit to do this, pretty much ever!!! Maybe if your smart switch died and you had a dumb switch you could use, until the new smart switch gets delivered.. Other than that - no I would never suggest anyone ever do such a thing..
And just because they are generally capable of not stripping the tags, this is not for sure and it could be possible they just do not pass on the tags or strip them completely... Let's go over it again - its a bad idea to think its ok to send tagged traffic over a dumb switch. ;)
-
And just because they are generally capable of not stripping the tags, this is not for sure and it could be possible they just do not pass on the tags or strip them completely… Let's go over it again - its a bad idea to think its ok to send tagged traffic over a dumb switch. ;)
Actually, since switches are not supposed to touch the frame they're passing, they shouldn't even notice it's a VLAN frame. It's just another valid frame. Where the issue may arise is if the frame is larger than the standard maximum Ethernet frame size, due to the extra 4 bytes the tags use. However, I don't know how common that situation is. Of course, only 802.3 frames have a maximum size. Ethernet II frames have no such restriction. IP is normally carried on Ethernet II frames.
One situation where you often have VLANs to the user is with VoIP. With VoIP phones, you can usually connect a computer to the phone, which in turn connects to the switch. An unmanaged switch will work, though CoS will not be available. You just need to have the VoIP PBX provide its own VLAN tagging and the phones configured to use the VLAN. Regardless, managed switches should be used in all but the smallest networks.
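The last several replies argue about what an 802.1Q tag is, what a dumb switch does with it versus an access or trunk port, and the 4-byte frame-size difference. The following is an added example, not code from the thread, pfSense, or any switch vendor: a minimal tag builder/parser plus a simplified model of port egress behaviour. It shows that a dumb port forwards the tagged frame unchanged (so every VLAN's traffic reaches every port and the layer-2 separation is only nominal), that an access port drops frames of other VLANs and strips the tag for its own, that a trunk keeps tags for non-native VLANs, and that a 1500-byte payload fits the 1518-byte limit untagged but needs the 1522-byte tag-aware limit once tagged. MACs and payloads are constructed sample values.

```python
"""
Added example (not from the thread): 802.1Q tag build/parse and a simplified
model of dumb, access and trunk port egress, plus the frame-size check.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag
ETHERTYPE_IPV6 = 0x86DD
MAX_UNTAGGED = 1518      # 802.3 maximum frame size, FCS included
MAX_TAGGED = 1522        # same limit with a 4-byte 802.1Q tag (802.3ac)


def _mac(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC address")
    return raw


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame without FCS; with vlan_id set, a tag is inserted after the source MAC."""
    if vlan_id is not None and not 0 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    hdr = _mac(dst) + _mac(src)
    if vlan_id is not None:
        tci = (pcp << 13) | vlan_id            # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, optional VLAN fields, the real EtherType and payload length."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": vlan_id, "pcp": pcp, "ethertype": ethertype,
            "payload_len": len(frame) - offset}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag (bytes 12..15) if one is present."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vlan_id"] is not None else frame


def egress(frame: bytes, mode: str, port_vlan=None, allowed=frozenset(), native=1):
    """What a port sends out for a given frame (simplified 802.1Q egress model).
    dumb   - forwards everything unchanged; the tag rides along unused, so frames of
             every VLAN reach every port and broadcast/multicast is no longer contained.
    access - only frames of port_vlan leave, and they leave untagged.
    trunk  - the native VLAN leaves untagged; other allowed VLANs keep their tag.
    """
    info = parse_frame(frame)
    vid = native if info["vlan_id"] is None else info["vlan_id"]
    if mode == "dumb":
        return frame
    if mode == "access":
        return strip_tag(frame) if vid == port_vlan else None
    if mode == "trunk":
        if vid == native:
            return strip_tag(frame)
        return frame if vid in allowed else None
    raise ValueError(f"unknown port mode {mode!r}")


def fits_on_wire(frame: bytes, tag_aware: bool) -> bool:
    """Add the 4-byte FCS and compare with the limit a tag-aware or legacy device applies."""
    return len(frame) + 4 <= (MAX_TAGGED if tag_aware else MAX_UNTAGGED)


# Constructed sample frames: a 100-byte IPv6 packet stub on VLAN 20, and the same frame untagged.
SAMPLE_TAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                            ETHERTYPE_IPV6, b"\x60" + bytes(99), vlan_id=20, pcp=3)
SAMPLE_UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                              ETHERTYPE_IPV6, b"\x60" + bytes(99))

if __name__ == "__main__":
    print(parse_frame(SAMPLE_TAGGED))
    print("dumb   :", egress(SAMPLE_TAGGED, "dumb") == SAMPLE_TAGGED)
    print("access :", egress(SAMPLE_TAGGED, "access", port_vlan=10))
    print("trunk  :", egress(SAMPLE_TAGGED, "trunk", allowed={10, 20}) == SAMPLE_TAGGED)
```

The untagged-frame path through `egress` is the "native VLAN" behaviour the pfSense reply describes: the physical LAN stays untagged and each additional network rides on top of it with a tag.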