How to create IPv6 firewall rules?
-
Hi,
I'm trying to get my feet wet with IPv6 as my ISP has native support now. I configured it on two interfaces, so far so good. But I struggle to create firewall rules. I just don't know how. E.g. in IPv4 I had an alias like
internal_nets = 10.0.0.0/8, 192.168.0.0/16
So I could allow external traffic with a rule “allow !internal_nets”. But in IPv6 the addresses are dynamic. A new address every other day or so (domestic connection).
- How to create an alias for the internal nets (IPv6)?
- How to create firewall rules if I don't know the address of the hosts?
Very basic questions, but I couldn't find anything relevant in the pfSense documentation. A nudge in the right direction would be much appreciated.
2.4.5-RELEASE-p1
-
@zjgn I don't think it is possible yet.
Somewhat workarounds are to make the IPv6-address live longer like so:
@JKnott said in DDNS IPv6 Cloudflare:
Also, there's a setting you want to ensure is selected. It's "Do not allow PD/Address release" on the WAN page. If that's not selected, the address might change. I found all it took was to disconnect/reconnect the WAN Ethernet cable.
Or to get an IPv6 tunnel from HE, with their addresses not changing at all.
But still, you have to watch closely for Temporary IPv6 Addresses, SLAAC and such, it is a pain in the a...
-
@Bob-Dig said in How to create IPv6 firewall rules?:
But still, you have to watch closely for Temporary IPv6 Addresses,
It's nice to be quoted.
As for the temporary addresses, they're normally used only for outgoing connections, so you generally don't need to create rules for them. However, if you want to allow incoming connections, you use the consistent address, often MAC based, and create the rules for it.
-
@JKnott said in How to create IPv6 firewall rules?:
It's nice to be quoted.
You deserved it.
@JKnott said in How to create IPv6 firewall rules?:
As for the temporary addresses, they're normally used only for outgoing connections, so you generally don't need to create rules for them.
Unless you want to block connections from that host.
In the end, I created multiple interfaces to get back control, one of them has no IPv6 at all. If your gear supports vlans, you can go with that, but mine didn't.
-
One last thing, you can define Static Mappings within the DHCPv6 Server & RA to set hostnames, like with ipv4, so at least incoming firewall rules will then work just fine using aliases containing these hostnames, even with a dynamic IPv6-prefix on that interface.
-
@Bob-Dig said in How to create IPv6 firewall rules?:
@zjgn I don't think it is possible yet.
?? I'm very surprised that this isn't possible in pfsense. I assume many people use it on domestic connections with changing IPs. But apparently not many people bothered setting up IPv6, though.
Somewhat workarounds are to make the IPv6-address live longer like so:
@JKnott said in DDNS IPv6 Cloudflare:
Also, there's a setting you want to ensure is selected. It's "Do not allow PD/Address release" on the WAN page. If that's not selected, the address might change. I found all it took was to disconnect/reconnect the WAN Ethernet cable.
I tried that. Didn't work. After a reboot the address changed. And even if it worked for a while, I don't want my firewall rules to get outdated after a while, out of my control. That's not a robust design.
Or to get an IPv6 tunnel from HE, with their addresses not changing at all.
Getting an IPv4 to IPv6 tunnel on a native IPv6 connection seems like a crutch. I just checked, my ISP only offers static IPs on business connections, not on domestic ones.
But still, you have to watch closely for Temporary IPv6 Addresses, SLAAC and such, it is a pain in the a...
So far (with IPv4) I use DHCP and registered the host names in DNS. Then the aliases and rules are based on the host name. I don't know how to do that with IPv6 and SLAAC. As far as I found out so far, SLAAC addresses don't register in DNS, so one has to use DHCPv6 to create rules based on the hostname. But this doesn't work with Android devices. This IPv6 stuff looks very messy still (or it's my lack of understanding, or a mix of both).
-
@Bob-Dig said in How to create IPv6 firewall rules?:
One last thing, you can use Static Mappings with the DHCPv6 Server & RA to create firewall rules for hostnames, like with ipv4, so at least incoming firewall rules will work just fine using aliases, even with dynamic IPv6-address-prefixes on that interface.
I'll look into that. Thanks.
But does this help creating a default outbound rule? Basically most of my VLANs have a rule stating “allow all outgoing traffic to the internet but not other vlans” (as mentioned in the OP). For that I use an alias “internal_nets”.
I fail to see how static mappings would help creating such a rule. Is there another approach creating such a rule? I need to allow outgoing traffic somehow.
-
@zjgn Have you tried something like that (for every vlan, probably a lot of work)?
Also, I am guessing here, had no demand for that myself and haven't tested it.
-
And if you want to go to the extreme, you could deploy private IPv6-addresses and then use NPt, which works flawlessly.
(Edit: But not with a dynamic prefix.)
-
@Bob-Dig said in How to create IPv6 firewall rules?:
@zjgn Have you tried something like that (for every vlan, probably a lot of work)?
I just tried, and a test rule seems to work. That would be very verbose, though. But it's a solution after all.
The big question is if the NET-based rules are automatically updated when the prefix changes? Otherwise the rules invalidate themselves after a short while.
If this works, I could at least get outgoing traffic flowing. That doesn't solve creating rules for individual hosts, though. But it's a step forward, thanks.
-
@Bob-Dig said in How to create IPv6 firewall rules?:
And if you want to go to the extreme, you could deploy private IPv6-addresses and then use NPt, which works flawlessly.
NPt is basically NAT, right? If so: Nope. Just no.
That's why I started looking into IPv6 in the first place. I want to get rid of NAT.
Regarding extreme: I just want a simple IPv6 config for my home network. A few vlans, voip/sip, web server dmz, guest vlan, etc. Nothing fancy. Basic standard stuff, I suppose. But apparently it's not so simple to implement in pfsense.
Thanks for the quick responses so far.
-
You understand that pfSense creates its own aliases for any network it's attached to, be it IPv4 or IPv6.. Just the name of that network, ie LAN Net, or VLAN Net, etc. etc..
So you can just use those in your rules..
-
@johnpoz Thanks for confirming.
-
@Bob-Dig said in How to create IPv6 firewall rules?:
Unless you want to block connections from that host.
Then you'd have to block every address for the prefix. While you know the consistent address, the privacy addresses can be anywhere with the 18.4 billion, billion addresses a /64 provides. The only way around this would be to filter on MAC addresses, which pfSense doesn't do.
In the end, I created multiple interfaces to get back control, one of them has no IPv6 at all. If your gear supports vlans, you can go with that, but mine didn't.
What is it you're trying to do?
-
@johnpoz said in How to create IPv6 firewall rules?:
So you can just use those in your rules..
But you can't use these in an alias and stack them, right?
-
@JKnott said in How to create IPv6 firewall rules?:
@Bob-Dig said in How to create IPv6 firewall rules?:
Unless you want to block connections from that host.
Then you'd have to block every address for the prefix. While you know the consistent address, the privacy addresses can be anywhere with the 18.4 billion, billion addresses a /64 provides. The only way around this would be to filter on MAC addresses, which pfSense doesn't do.
Or you can disable privacy extensions on that host. My Ubuntu servers don't use it in the beginning.
In the end, I created multiple interfaces to get back control, one of them has no IPv6 at all. If your gear supports vlans, you can go with that, but mine didn't.
What is it you're trying to do?
Getting back control is what I did. Some has to do with using the vpn-clients and defeat any leaks.
-
@Bob-Dig said in How to create IPv6 firewall rules?:
But you can't use these in an alias and stack them, right?
No AFAIK you can not stack them... Or join them into a parent alias sort of thing..
Just create distinct rules would be one option... The whole nonsense that is dynamic space is the only reason this is an issue.. Or you could just create the rules with whatever blocks of space you wanted. I have a /48 from HE, so my IPv6 address space never changes.. Had that same space for like 10+ years now..
-
@johnpoz said in How to create IPv6 firewall rules?:
@Bob-Dig said in How to create IPv6 firewall rules?:
But you can't use these in an alias and stack them, right?
No AFAIK you can not stack them... Or join them into a parent alias sort of thing..
That's unfortunate. It would make for much cleaner rules and be quicker to implement if there are many VLANs.
-
@zjgn I am just thinking about that: if the VLANs are more like DMZs, you could create one block rule for every VLAN (source = *, destination = vlan(x)) and then deploy those rules on all the vlans by using Interface Groups or floating rules. It should have no impact if the connection is on the same VLAN anyway.
Just some, maybe wrong, thoughts.
-
I have been trying out a lot with dynamic IPv6 and my conclusion was not to use IPv6 for internal communication for now (only for Internet communication), and only use IPv6 for one WAN of my Dual-WAN setup; there are just too many open topics regarding dynamic IPv6 in pfSense. I am currently mainly waiting for https://redmine.pfsense.org/issues/4881 and https://redmine.pfsense.org/issues/6880. Maybe also https://redmine.pfsense.org/issues/9536 and https://redmine.pfsense.org/issues/6626.
To prevent communication between my VLANs, I have basically done what @Bob-Dig suggested above, i.e. with block rules using "xxx net", as combined IPv4+IPv6 rules, so it blocks at least both.
My target scenario is going to be to use ULAs and (dynamic) NPt to be able to use fail-over between the WANs, but it also makes internal communication easier because the prefix stays static. In my opinion, NPt should not be directly compared with NAT in IPv4, because it works very very differently as the whole prefix is just translated 1:1 so you can still communicate directly without any port mapping or keeping any state. For incoming traffic the destination prefix is just mapped to the internal one and for outgoing traffic the source prefix is just mapped to the public one, but the host part, ports etc. stay the same.
For "DMZ stuff" and also for IPSec VPN from my iPhone, I have separate public IPv4 addresses and an IPv6 prefix independently of my ISPs from a dedicated "static IP provider", connected via OpenVPN, because this is crappy anyway with dynamic addresses.
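The 1:1 prefix translation described in the post above, as an added worked example (not pfSense's NPt implementation): only the prefix bits are swapped, the interface identifier and ports pass through untouched, no per-flow state is needed, and a change of the delegated prefix only replaces the mapping. The ULA and public prefixes and the host address are constructed sample values.

```python
"""Worked model of IPv6 NPt (RFC 6296-style prefix translation).

Added example, not pfSense's implementation: it shows the property described
in the post, that only the prefix bits are swapped 1:1 while the interface
identifier and the transport ports pass through unchanged, so no per-flow
state is needed and a prefix change only alters the mapping. The ULA and
public prefixes are constructed sample values.
"""
import ipaddress


class NptMapping:
    """One internal<->external prefix pair of equal length."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("NPt needs prefixes of equal length")
        # Mask selecting the host (interface identifier) bits that NPt keeps.
        self.host_mask = (1 << (128 - self.internal.prefixlen)) - 1

    def _swap(self, addr: str, src: ipaddress.IPv6Network,
              dst: ipaddress.IPv6Network) -> str:
        ip = ipaddress.IPv6Address(addr)
        if ip not in src:
            raise ValueError(f"{ip} is not within {src}")
        host_bits = int(ip) & self.host_mask
        return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))

    def outbound(self, internal_addr: str) -> str:
        """Source rewrite for traffic leaving the site."""
        return self._swap(internal_addr, self.internal, self.external)

    def inbound(self, external_addr: str) -> str:
        """Destination rewrite for traffic entering the site."""
        return self._swap(external_addr, self.external, self.internal)

    def rewrite(self, pkt: dict, direction: str) -> dict:
        """Rewrite the one address NPt touches; ports and the far end stay as-is."""
        out = dict(pkt)
        if direction == "out":
            out["src"] = self.outbound(pkt["src"])
        elif direction == "in":
            out["dst"] = self.inbound(pkt["dst"])
        else:
            raise ValueError("direction must be 'in' or 'out'")
        return out

    def with_new_external(self, external: str) -> "NptMapping":
        """A prefix change is just a new mapping; internal addressing is untouched."""
        return NptMapping(str(self.internal), external)


# Constructed sample: an internal ULA /56 and the delegated /56 assumed to map to it.
SITE = NptMapping("fd12:3456:789a::/56", "2001:db8:abcd:100::/56")


def demo() -> dict:
    """Send one packet out, answer it from the far end, and check the round trip."""
    host = "fd12:3456:789a:7::1"  # constructed host in internal VLAN 7
    pkt = {"src": host, "dst": "2001:db8:ffff::53", "sport": 51234, "dport": 443}
    out = SITE.rewrite(pkt, "out")
    reply = {"src": out["dst"], "dst": out["src"],
             "sport": out["dport"], "dport": out["sport"]}
    back = SITE.rewrite(reply, "in")
    return {"external": out["src"], "round_trip": back["dst"], "sport": out["sport"]}


if __name__ == "__main__":
    print(demo())
```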
-
Thanks for your input. Those bug reports confirm that IPv6 in pfSense isn't really usable as of now (at least on domestic connections), which is a great shame.
Those bug reports are many years old. So there doesn't really seem to be much interest in getting IPv6 to work for a wider audience.
-
@zjgn I've heard, it is in the works, but no ETA.
-
If the ISP is not respecting the Do not allow PD/Address release setting, how is that pfSense's fault?
Re. that 9536 problem. It mentions passing other blocks to another router. I have done that here, so it does work.
I use that setting and my prefix is solid. Prior to that setting being available, my prefix changed easily too.
-
@JKnott "Do not allow PD/Address release" is nothing the ISP can respect because it doesn't even notice. This setting just means that pfSense does not send a release: "dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent" There is no such thing as "prevent release" in DHCPv6, the DHCP server may assign new prefixes/addresses basically whenever it (or its administrator) likes, see https://tools.ietf.org/html/rfc3315#section-19. So even without reconnecting you might get new IP addresses/prefixes, although ISPs usually don't do that.
As the name DHCP Dynamic Host Configuration Protocol already says, it's dynamic. That means you have to be able to react to these changes, otherwise you should not use DHCP to assign/get IP addresses/prefixes. Therefore all settings that cannot deal with this like the issues I mentioned above are not suitable for use with DHCP. If you do it and configure your dynamic prefix statically there, it will break sooner or later, even if the "Do not allow PD/Address release" workaround works for some time.
-
Well, that setting definitely works for me. When I first started using pfSense, that option was not available and my prefix frequently changed, for something as little as disconnecting/reconnecting the WAN cable. Then, when it was added, my prefix became solid. I can disconnect/reconnect that cable all I want, reboot, etc. and I still keep my prefix. The one and only occasion when it didn't work was when I had that problem with my ISP, about 1.5 years ago, where they weren't providing a valid prefix. Here's a packet capture from when I had that problem. It clearly shows an error and when they fixed that, IPv6 worked again and my prefix has been steady since then.
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
Message type: Reply (7)
Transaction ID: 0x18a8e9
Client Identifier
Option: Client Identifier (1)
Length: 14
Value: 0001000123eb5e12001617a7f2d3
DUID: 0001000123eb5e12001617a7f2d3
DUID Type: link-layer address plus time (1)
Hardware type: Ethernet (1)
DUID Time: Feb 4, 2019 15:33:22.000000000 EST
Link-layer address: 00:16:17:a7:f2:d3
Server Identifier
Option: Server Identifier (2)
Length: 14
Value: 00010001159bb6e50021285fd2b7
DUID: 00010001159bb6e50021285fd2b7
DUID Type: link-layer address plus time (1)
Hardware type: Ethernet (1)
DUID Time: Jun 27, 2011 17:47:17.000000000 EDT
Link-layer address: 00:21:28:5f:d2:b7
Identity Association for Prefix Delegation
Option: Identity Association for Prefix Delegation (25)
Length: 72
Value: 000000000000000000000000000d003800064e6f20707265...
IAID: 00000000
T1: 0
T2: 0
Status code
Option: Status code (13)
Length: 56
Value: 00064e6f2070726566697820617661696c61626c65206f6e...
Status Code: NoPrefixAvail (6)
Status Message: No prefix available on Link
'CMTS89.WLFDLE-BNDL1-GRP3'
DNS recursive name server
Option: DNS recursive name server (23)
Length: 32
Value: 2607f7980018001000000640712552042607f79800180010...
1 DNS server address: 2607:f798:18:10:0:640:7125:5204
2 DNS server address: 2607:f798:18:10:0:640:7125:5198
One of the reasons for the DUID is to keep the prefix associated with a device, such as a firewall running pfSense.
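The NoPrefixAvail status inside the IA_PD option of the capture above is what the client has to tell apart from an actual delegated prefix. As an added example, not pfSense's or dhcp6c's code, here is a small decoder for the IA_PD option of a DHCPv6 Reply, run on two constructed sample messages (one refused with NoPrefixAvail, one with a delegated /56); the option numbers are the RFC 8415 values.

```python
"""Decode the IA_PD part of a DHCPv6 Reply: delegated prefix or status code.

Added example, not pfSense's or dhcp6c's code. Option codes follow RFC 8415
(IA_PD 25, IAPREFIX 26, Status Code 13; status 6 = NoPrefixAvail). Both sample
messages below are constructed here, not the capture from the post.
"""
import struct
import ipaddress

MSG_REPLY = 7
OPT_STATUS_CODE, OPT_IA_PD, OPT_IAPREFIX = 13, 25, 26
STATUS_NAMES = {0: "Success", 6: "NoPrefixAvail"}


def iter_options(data: bytes):
    """Yield (code, value) for each option TLV; reject truncated encodings."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option length exceeds message")
        yield code, data[off:off + length]
        off += length


def parse_ia_pd(value: bytes) -> dict:
    """IAID/T1/T2 header followed by IAPREFIX and/or Status Code sub-options."""
    if len(value) < 12:
        raise ValueError("IA_PD too short")
    iaid, t1, t2 = struct.unpack_from("!III", value, 0)
    ia = {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": [], "status": None}
    for code, sub in iter_options(value[12:]):
        if code == OPT_IAPREFIX and len(sub) >= 25:
            preferred, valid, plen = struct.unpack_from("!IIB", sub, 0)
            net = ipaddress.IPv6Network((int.from_bytes(sub[9:25], "big"), plen),
                                        strict=False)
            ia["prefixes"].append({"prefix": str(net), "preferred": preferred,
                                   "valid": valid})
        elif code == OPT_STATUS_CODE and len(sub) >= 2:
            status = struct.unpack_from("!H", sub, 0)[0]
            ia["status"] = (STATUS_NAMES.get(status, str(status)),
                            sub[2:].decode("utf-8", "replace"))
    return ia


def parse_reply(msg: bytes) -> dict:
    """Return the transaction id and every IA_PD found in a Reply message."""
    if len(msg) < 4 or msg[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 Reply")
    reply = {"txid": msg[1:4].hex(), "ia_pd": []}
    for code, value in iter_options(msg[4:]):
        if code == OPT_IA_PD:
            reply["ia_pd"].append(parse_ia_pd(value))
    return reply


def _opt(code: int, value: bytes) -> bytes:
    return struct.pack("!HH", code, len(value)) + value


def sample_no_prefix() -> bytes:
    """Constructed Reply: the server answers the IA_PD with NoPrefixAvail."""
    text = b"No prefix available on Link 'example-cmts'"
    ia = struct.pack("!III", 0, 0, 0) + _opt(OPT_STATUS_CODE, struct.pack("!H", 6) + text)
    return bytes([MSG_REPLY]) + bytes.fromhex("000001") + _opt(OPT_IA_PD, ia)


def sample_delegated() -> bytes:
    """Constructed Reply: a /56 delegated with preferred 3600 s, valid 7200 s."""
    prefix = ipaddress.IPv6Address("2001:db8:abcd:100::").packed
    iaprefix = struct.pack("!IIB", 3600, 7200, 56) + prefix
    ia = struct.pack("!III", 0, 1800, 2880) + _opt(OPT_IAPREFIX, iaprefix)
    return bytes([MSG_REPLY]) + bytes.fromhex("000002") + _opt(OPT_IA_PD, ia)
```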
-
@JKnott, yes I understand that, it definitely improves the situation in some cases, specifically in these cases where the ISP under normal circumstances only assigns new prefixes after the client explicitly sent a release. So for these ISPs you will only get new IP addresses very rarely if you never send a release (which is what this setting does), e.g. when their DHCP server crashes or when they are reorganizing their address space. But you are more or less just lucky when your ISPs implementation behaves like that. Many ISPs (like mine, too) just assign new IP addresses with each reconnection for whatever reason (implementation reasons, save resources, keep static IP addresses as a USP for the more expensive business tariffs, ...) and in my understanding this is perfectly fine from DHCP perspective.
-
And for privacy reasons, I even like dynamic IPs (and prefixes) in general.
-
Oh yes, that's definitely a good point!
-
That conflicts with RFC 8415, which includes:
"If the client wishes to obtain a distinctly new address or prefix and
deprecate the existing one, the client sends a Release message to the
server for the IAs using the original IAID. The client then creates
a new IAID, to be used in future messages to obtain leases for the
new IA."
That seems to say that a device is supposed to specifically release the association and the setting simply tells pfsense to not release the address, etc..
What's the point of having a permanent identifier, if the ISP ignores it?
-
@Bob-Dig said in How to create IPv6 firewall rules?:
And for privacy reasons, I even like dynamic IPs (and prefixes) in general.
Well, if you turn off that setting, then pfSense gets amnesia.
-
@JKnott Implications only work in one direction. This only describes what to do when the client from its side wants a distinctly new address/prefix so when the server behaves like the one of your ISP. This says nothing about other situations where the address/prefix may change as well.
The IAID is the ID of "a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses or delegated prefixes.", so to distinguish different sets of DHCP parameters, e.g for different interfaces "A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface. Each such IA must be associated with exactly one interface.".
The point of having a permanent identifier is that the DHCP server can use it to distinguish the IAs even if the client restarts (e.g. not to switch the IP addresses of the interfaces), but it doesn't imply that it isn't allowed to changes prefixes or any other information within the IA if it or its administrator likes.
For "Assignment of Prefixes for IA_PD" what we are talking here about, https://tools.ietf.org/html/rfc8415#section-13.3 is relevant, which basically says that's not covered at all by RFC8415 ("The mechanism through which the server selects prefix(es) for delegation is not specified in this document.") so basically "do as you like", as examples "static assignment based on subscription to an ISP, dynamic assignment from a pool of available prefixes" and as one example it refers to https://tools.ietf.org/html/rfc3162 (RADIUS, which is probably often used on ISP side for logins) and it gives even the RADIUS server much freedom, e.g. it says "This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint."
-
We got into this discussion because @zjgn said:
"Thanks for your input. Those bug reports confirm that IPv6 in pfSense isn't really usable as of now (at least on domestic connections), which is a great shame."
To which I replied:
"If the ISP is not respecting the Do not allow PD/Address release setting, how is that pfSense's fault?"
If that setting works with some ISPs, but not others, is the problem with pfSense, as @zjgn implies? Or the ISP, as I suggest? It seems to me this wouldn't affect only pfSense, but any firewall/router that uses DHCPv6-PD, so @zjgn shouldn't be blaming pfSense for something beyond its control.
-
@JKnott The "Do not allow PD/Address" is not even relevant in this discussion. When you are getting your IP prefix via DHCP, that means you get it dynamically. If you copy this dynamic prefix into a static configuration, you are doing it wrong. Period. If you have a dynamic prefix, all settings you want to use have to support that. If you have a static prefix, configure it statically and do not get it via DHCP!
Settings in pfSense that do not support dynamic prefixes (some even do already, like e.g. the IP configurations for LANs that have the "track interface" option) are just not usable in this scenario. You may call it a bug or you might call it just missing features, but it's pfSense's task to support dynamic prefixes ideally for all settings. It can be done and as it was mentioned before, they are working on it, it's just work that has to be done, and as pfSense has many features compared to other routers (e.g. not many routers support Multi-WAN at all), it's much work. Therefore I cannot follow your conclusion "It seems to me this wouldn't affect only pfSense, but any firewall/router that uses DHCPv6-PD, so @zjgn shouldn't be blaming pfSense for something beyond it's control.".
"Do not allow PD/Address" is just a workaround that works in some situations, but it is not a static prefix/address. Period.
-
@HG said in How to create IPv6 firewall rules?:
The "Do not allow PD/Address" is not even relevant in this discussion. When you are getting your IP prefix via DHCP, that means you get it dynamically. If you copy this dynamic prefix into a static configuration, you are doing it wrong. Period. If you have a dynamic prefix, all settings you want to use have to support that. If you have a static prefix, configure it statically and do not get it via DHCP!
Who's copying an address into a static config? I am using DHCPv6-PD. Always have. When I use that setting, my prefix does not change. Is that not the purpose of it? According to my understanding, if that setting is not enabled, pfSense will tell my ISP to release my prefix and that's exactly what was happening before it was available. A loose comparison would be DHCPv4 static mappings. DHCP is still being used, but the address doesn't change. Even without that, DHCP addresses don't normally change, unless the lease has expired and the address is no longer available. With my ISP, my IPv4 address is virtually static. It only changes when I change hardware. Other than that, there was one occasion several years ago, when they renumbered the network, which forced an address change on everyone. By comparison, without that setting, my prefix would change if I did nothing more than disconnect/reconnect the WAN cable, which made it even worse than plain DHCP on IPv4.
-
You both have valid reasons.
I for myself think that the first thing that should be made possible in pfSense is the integration of NPt for dynamic prefixes, should be rather easy to implement by now.
What I can't tell is, if it would solve all the problems with the lack of fine control over IPv6 we now have over IPv4...
Privacy extensions maybe could be implemented at the router level and not the host level? That potentially would help for example.
Or better, the firewall just knows all the hosts with all their addresses, however this is possible.
This fine control is probably the reason why we are using (and loving) pfSense in the first place.
-
@Bob-Dig said in How to create IPv6 firewall rules?:
Privacy extensions maybe could be implemented at the router level and not the host level?
????
Privacy extensions are host addresses. They have to be on the host.
-
@JKnott said in How to create IPv6 firewall rules?:
@Bob-Dig said in How to create IPv6 firewall rules?:
Privacy extensions maybe could be implemented at the router level and not the host level?
????
Privacy extensions are host addresses. They have to be on the host.
See it in the context of the problems we got now in pfSense. But first you have to see the problems.
-
I believe the relevant part of the original question is:
"How to create firewall rules if I don't know the address of the hosts?"
@zjgn was trying to solve a problem that doesn't exist, due to his unfamiliarity with IPv6 and privacy addresses. I pointed out that he only had to worry about the consistent address, which is often based on the MAC address, but could also be a random number. This is the address that's used for incoming connections and for which the rules have to be written. The privacy addresses are normally used for outgoing connections, which are blocked for incoming connections by default. As mentioned, if privacy addresses are a problem, they can be disabled. Then you mentioned using NPt, for some reason, and the discussion moved into how that didn't work because the prefix was changing, etc.. Does that sum it up? The next question is why the prefix is changing. I maintain it shouldn't, when Do not allow PD/Address release is set, though I know some ISPs will change the prefix anyway. This reminds me of when some ISPs would frequently change the IPv4 address, when there was no need to. In short, they were just being nasty.
-
@JKnott said in How to create IPv6 firewall rules?:
@Bob-Dig
"How to create firewall rules if I don't know the address of the hosts?"
No, the problem we are facing is that pfSense doesn't know all the addresses of a host and therefore we can't create granular firewall rules, especially for outgoing connections, like we could for IPv4.
-
@Bob-Dig said in How to create IPv6 firewall rules?:
No, the problem we are facing is that pfSense doesn't know all the addresses of a host and therefore we can't create granular firewall rules, especially for outgoing connections, like we could for IPv4.
Well, given that privacy addresses come and go by design, there's no way around that, short of filtering on the MAC address, which pfSense doesn't do.