Blocking access to internal nets

  • I'm trying to wrap my head around IPv6 and how all of this works, and it's probably a bad thing, but I'm implementing it at home and clueless about it.  To give you an idea of what I have going on….

    I have 6 internal segments that are on different VLAN's...  So, for example:

    Workstations: vlan110 -
    Servers: vlan111 -
    WirelessInternal: vlan112 -
    Visitor: vlan113 -

    Then I have my Comcast WAN address/interface.  In the WAN setup, I have it set to a /60 and all my network gateways are pretty much getting IPv6 addresses.  Similar to the above example, this is what I have...

    WAN: 2001:558:6033
    Servers: 2601:248:4b00
    WirelessInternal: 2601:248:4b01:4821
    Visitor: 2601:248:4b01:9786:

    My goal is to prevent the Visitor subnet from accessing the internal networks for IPv4 and IPv6.  With IPv4, it's easy as I just have a rule set up in the firewall to deny all to dst  It looks like this:

    IPV4* * * * * none Block Internal Networks

    Now since IPv6 doesn't have non-routable address space...from what I know...  I was wondering how I can block IPv6 traffic on the visitor network to internal IPv6 address space.  I have a feeling that if I block 2601:* bad things will happen.  I'm sure it's an easy fix, but it's something that is kind of important to get right.  :)

    Thank you in advance!

  • LAYER 8 Global Moderator

    well just block access to the /64 you're using on your other network segments..

    your different network segments' track should be set to different prefix out of your /60 which gives you 16 /64s to work with.

  • @johnpoz:

    well just block access to the /64 you're using on your other network segments..

    your different network segments' track should be set to different prefix out of your /60 which gives you 16 /64s to work with.

    Thank you for the response.  So, if I understand this correctly, I look up the IPv6 address for the gateways…to where I can put all of it into an alias and add that to the firewall block?  So, for example...


    and add all of the other ones?


  • If you're requesting a /60 from Comcast… they should give you something like...


    for you to use on your various internal networks.

    In pfSense, on the interfaces for your various internal networks, you'll select Track Interface for your IPv6 setting, then select WAN and a prefix ID. If you select prefix ID 5, your address block for that interface would be 2601:aaaa:bbbb:ccc5::/64

    A /60 gets you 16 prefix IDs (0-F), giving you up to 16 internal networks that can each have a /64.

    What you then do is create IPv4/IPv6 rules on the visitor network blocking access to Workstations Network, Servers network, etc. Don't worry about the addresses, as there's a good likelihood that they'll change over time. Select the pre-defined options and let pfSense do the work for you.

  • I'm having this same issue. My IPv6 addresses are assigned over DHCPv6, however, meaning it can technically change at any time. Thus I don't want to create rules or aliases containing the current network addresses. I'd also like to avoid having to create multiple rules at the top of every interface page blocking access to every other interface's network, and I don't see a way to block them all in one rule since I can't select "NOT <multiple networks>" in the destination for a rule or add dynamically assigned networks to an alias.

    I used to do this the same way the OP does, with an alias pointing to 10/8, 172.16/12, 192.168/16. Now I have no idea how to keep track.

  • LAYER 8 Netgate

    Tell Comcast to assign IPv6 properly.

    Cox has been pretty good about honoring the DUID and giving the same /56 every time despite a couple gear changes and a few IPv4 reassigned addresses.

    My experience helping people with Comcast has not been so steady.

    This is ultimately not between you and pfSense, but between you and your ISP.

    You might get some joy using LAN net, SERVERS net, WIRELESSINTERNAL net, etc in your firewall rules.

  • Given making my ISP act differently is not practically feasible, it would seem using the "net" options is the way to go. However, these cannot be combined in aliases, as far as I know.

    On IPv4, I have an alias called "private" which covers 10/8, 172.16/12, and 192.168/16, and I can add outbound rules allowing port 80 and 443 to "NOT private".
    Great. One rule allows outbound traffic, and I can add additional rules for any internal pinholes. Great.

    With IPv6, I don't see a way to do this. I'd apparently need a setup like the following for each interface:
    1. A couple of pinhole rules for internal servers I want to be accessible cross-interface
    2. General blocking rules for traffic to the "net" of every other internal interface
    3. An allow rule generally allowing port 80 and 443 to anywhere, which includes any interface I forgot to block, or moved around or whatnot

    This is not a pretty solution.

  • LAYER 8 Netgate

    Get a prettier ISP.

  • This is why customization exists. We don't ask people whose hardware doesn't do hardware TCP segmentation to "get a better NIC". We don't ask people whose ISPs require a certain MAC address (presumably from their shitty provided router) to get one that doesn't require that, and we don't ask people who wish to communicate with a weird IPSec router that insists on acting as the initiator to get a less weird router at the remote site. pfSense will work with and around all of those restrictions, and plenty of others.

    Your insistence that this particular issue must be resolved at the ISP level is really not helpful, and I don't understand what makes this case stand out as one that couldn't be handled by pfSense. After all, there's nothing about DHCP that allows you to expect your lease to remain valid outside of your given lease time. The whole point is that it's not static.

  • I ended up writing a script that regularly polls the IPv6 IPs and masks of every interface that has a private IPv4 address. I output that along with my previous list of RFC1918 addresses and put it all in a file for pfSense to read. If the file changes, I trigger an alias update via PHP. Seems to work quite well :)
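    The prefix-ID arithmetic from the earlier reply (a /60 delegation split into 16 /64s, prefix ID 5 giving 2601:aaaa:bbbb:ccc5::/64) and the "regenerate the alias file whenever the delegated prefix changes" approach from the post above, as an added example. This is not the poster's script and not pfSense code; the delegated prefix, the interface-to-prefix-ID mapping and the sample addresses are all constructed for the example.

```python
# Added example, not from the thread or from pfSense. Derives the internal
# /64s from a delegated /60 plus pfSense "prefix ID"s, merges them with the
# RFC1918 ranges, and renders one alias table that can be regenerated each
# time the delegation changes. Every address below is constructed.
import ipaddress
from typing import Dict, Iterable, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The ranges the IPv4 "private" alias in the thread already carries.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that "Track Interface" with this prefix ID yields.

    The prefix ID selects one /64 inside the delegation: a /60 holds 16 of
    them (IDs 0-F), a /56 holds 256, and so on. For 2601:aaaa:bbbb:ccc0::/60
    and ID 5 the result is 2601:aaaa:bbbb:ccc5::/64.
    """
    pd = ipaddress.ip_network(delegated, strict=False)  # tolerate host bits in the input
    count = 2 ** (64 - pd.prefixlen)  # number of /64s inside the delegation
    if not 0 <= prefix_id < count:
        raise ValueError(f"prefix ID {prefix_id:x} out of range for /{pd.prefixlen} ({count} /64s)")
    # Each /64 is 2**64 addresses wide, so the ID is an offset in /64 units.
    return ipaddress.IPv6Network((int(pd.network_address) + prefix_id * 2**64, 64))


def internal_networks(delegated: str, prefix_ids: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Map each tracking interface to its current /64 (constructed mapping in the test)."""
    return {name: subnet_for_prefix_id(delegated, pid) for name, pid in prefix_ids.items()}


def render_alias_table(nets: Iterable[Network]) -> str:
    """One CIDR per line, deduplicated and stably sorted, as an alias table file expects."""
    ordered = sorted(set(nets), key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return "\n".join(str(n) for n in ordered) + "\n"


def build_alias_file(delegated: str, prefix_ids: Dict[str, int]) -> str:
    """RFC1918 plus the /64 of every internal interface, in one table."""
    return render_alias_table(RFC1918 + list(internal_networks(delegated, prefix_ids).values()))


def refresh(delegated: str, prefix_ids: Dict[str, int], previous: str) -> Tuple[str, bool]:
    """Regenerate the table and report whether it changed, i.e. whether the
    alias needs reloading. Called from a periodic job after re-reading the
    delegation the WAN currently holds."""
    current = build_alias_file(delegated, prefix_ids)
    return current, current != previous


def is_blocked(dst: str, alias_text: str) -> bool:
    """Would a packet from the visitor network to dst match the alias?

    Shows why blocking the whole 2601::/16 would be wrong: only the /64s
    actually in the table match, other addresses under 2601: do not.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(line) for line in alias_text.split())


if __name__ == "__main__":
    # Constructed: a /60 from the ISP and the prefix IDs of the non-visitor interfaces.
    ids = {"Workstations": 0x0, "Servers": 0x1, "WirelessInternal": 0x2}
    table, changed = refresh("2601:aaaa:bbbb:ccc0::/60", ids, previous="")
    print(table, "changed:", changed)
    # After a re-delegation the table changes, which is the trigger to reload the alias.
    table2, changed2 = refresh("2601:aaaa:bbbb:ddd0::/60", ids, previous=table)
    print("re-delegation detected:", changed2)
```

    The visitor interface's own /64 is deliberately left out of the mapping so a block rule on that interface with the alias as destination does not cut visitors off from their own gateway. On pfSense the rendered text would be written to a file for a URL Table alias to pick up, or loaded straight into the pf table (this is a general pfctl command, not something the thread shows); either way the point of `refresh` is that nothing in the rule set carries a hard-coded prefix.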

  • LAYER 8 Netgate

    Nobody would dream of getting an IPv4 /19 routed for use on internal networks that the ISP could just change on a whim any time they felt like it.

    Until the ISPs get a clue, people will come to the conclusion, like you, that it is STILL better to just use IPv4 and NAT.

  • Does any of you have any sort of feedback from your ISP on why they keep doing that? I hope it's not the usual ignorance of "it's safer for the client". It really boggles my mind because the IPv6 address space is so large that you could assign a personal /48 to every single person who has ever lived on earth, that's a hell of a lot of /48s.

  • My most recent reply was that my ISP is still rolling out the IPv6 infrastructure, so they'll be changing things from time to time. Also, non-static DHCP is just how they do things, because static IPs are for business connections, and those cost like 10x the price for the same speed.  :-\

  • LAYER 8 Netgate

    So until they get their crap together get a /48 from and use a tunnel. They manage to statically assign /48s to people all over the world - free - and manage to stay in business.

  • What sort of bandwidth do you get on those?

  • LAYER 8 Netgate

    Works fine. I never thought about it. I am native now and not really in a position to test it.

    What I get won't matter to you. It's what you get that will matter.

    Try it and see. It's free.