    IPv6 firewall, multiple subnets

robero

We have 170 VLANs and subnets on our intranet. An increasing number of users need us to open access from the internet to the intranet, so we are running out of IPv4 addresses and maintaining NAT is becoming very time consuming. We therefore have to move our intranet to IPv6 in order to get rid of NAT and get more public addresses.

How do you configure the firewall for IPv6? As a basic rule we need to block all traffic between all VLANs and from the internet, and give everyone on our intranet access to the internet. The rest of the rules are exceptions to this.
In the IPv4 world it was just two lines in floating rules:
- allow traffic from RFC1918 to everywhere except RFC1918
- block the rest.

How do you separate the intranet from the internet in the IPv6 world? What rules should I use? Can I refer to prefixes?
We have DHCPv6 working and static IPv6 address space from our ISP; our backup internet connection has a dynamic IPv6 prefix and DHCPv6.

The only way I have found that this might work is to make floating rules that block traffic from everywhere to each VLAN. However, that would mean 170 lines on our firewall, quite a hassle to maintain.

I have not found any discussion on this forum or elsewhere about this. I would really appreciate it if someone could point me in the right direction. I feel I am missing something essential. This should not be this difficult, right? I have experience with IPv6 at home, but this is the first IPv6 production deployment for me.

Derelict (LAYER 8, Netgate)

        You would do it exactly like you do with IPv4, but using IPv6.

        In IPv6 you generally will have a routed prefix. You would use that instead of RFC1918.

        Example:

        You are routed this prefix:

        2001:db8:4b56::/48

        You assign:

        VLAN100: 2001:db8:4b56:64::/64
        VLAN101: 2001:db8:4b56:65::/64
        VLAN102: 2001:db8:4b56:66::/64
        VLAN103: 2001:db8:4b56:67::/64

        On VLAN 100-103 you would:
        Pass anything to any local assets they need, like DNS servers
        Reject anything to This Firewall
        Reject anything to 2001:db8:4b56::/48 (and possibly more if you are using any ULA addresses locally, etc.)
        Pass anything to any

It can be beneficial to use an alias for the block destination. You could add 2001:db8:4b56::/48, fc00::/7, etc. to it.

        Yes, there is added responsibility to identify local addresses that need protection without the perceived convenience of just blocking RFC1918. But this responsibility is no different than having routed, public subnets in IPv4.

        If you are careful in your planning, such as setting all VLANs to use the same DNS server addresses, you might even be able to get away with defining an interface group and using one set of rules for them all.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

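The following is an added example, not code from either post or from pfSense: it models Derelict's four-rule set in Python and evaluates it first-match (the way pfSense interface rules are processed), so you can see why the order matters and why one "Local_v6" alias replaces the 170 per-VLAN block rules. Only the /48 and the four /64s come from the reply; the DNS server address, the firewall holding ::1 in each VLAN, and the client and destination addresses are assumptions made up for this example.

```python
"""Model of a pfSense-style per-VLAN IPv6 rule set, evaluated first-match.

Only the routed /48 and the four VLAN /64s follow the forum reply; every other
address here is constructed for this example.
"""
import ipaddress

# The routed prefix plus the ULA range make up the "Local_v6" alias used as the
# reject destination. This is what replaces the RFC1918 alias of the IPv4 rules.
ROUTED_PREFIX = ipaddress.ip_network("2001:db8:4b56::/48")
LOCAL_V6_ALIAS = [ROUTED_PREFIX, ipaddress.ip_network("fc00::/7")]

# Per-VLAN /64s carved from the /48, using the VLAN ID (in hex) as subnet ID:
# VLAN100 -> 2001:db8:4b56:64::/64, VLAN101 -> ...:65::/64, and so on.
VLAN_NETS = {
    vid: ipaddress.ip_network(f"2001:db8:4b56:{vid:x}::/64")
    for vid in (100, 101, 102, 103)
}

# Assumptions for the example: one DNS server in a services VLAN, and the
# firewall holding ::1 on every VLAN (what pfSense calls "This Firewall").
DNS_SERVERS = {ipaddress.ip_address("2001:db8:4b56:1::53")}
THIS_FIREWALL = {net[1] for net in VLAN_NETS.values()}


def vlan_rules():
    """Ordered rule set applied to every user VLAN (or to an interface group of them).

    Each entry is (action, destination matcher, rule name). The DNS pass must
    sit above the alias reject, because the DNS server lives inside the /48.
    """
    return [
        ("pass",   lambda d: d in DNS_SERVERS,                    "local DNS"),
        ("reject", lambda d: d in THIS_FIREWALL,                  "This Firewall"),
        ("reject", lambda d: any(d in n for n in LOCAL_V6_ALIAS), "Local_v6 alias"),
        ("pass",   lambda d: True,                                "any (Internet)"),
    ]


def evaluate(src: str, dst: str):
    """Return (action, rule name) for the first rule matching dst.

    Nothing falls through here because the last rule is pass-any, but pf's
    implicit default deny is kept for completeness.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != 6 or d.version != 6:
        raise ValueError("this rule set is IPv6 only")
    for action, matches, name in vlan_rules():
        if matches(d):
            return action, name
    return "block", "default deny"


def uncovered_vlans():
    """VLAN IDs whose /64 is not inside the alias; each would need its own rule.

    With every VLAN carved from the routed /48 this is empty, which is the
    whole point of blocking on the prefix instead of on 170 separate subnets.
    """
    return sorted(
        vid for vid, net in VLAN_NETS.items()
        if not any(net.subnet_of(a) for a in LOCAL_V6_ALIAS)
    )


if __name__ == "__main__":
    client = "2001:db8:4b56:64::10"          # a host on VLAN100 (constructed)
    for dst in (
        "2001:db8:4b56:1::53",               # local DNS server (assumed)
        "2001:db8:4b56:65::20",              # a host on VLAN101 (constructed)
        "2001:db8:4b56:64::1",               # the firewall's own VLAN100 address
        "fd12::1",                           # a ULA address
        "2001:db8:ffff::1",                  # outside the /48, stands in for the Internet
    ):
        print(f"{client} -> {dst}: {evaluate(client, dst)}")
    print("VLANs needing their own reject rule:", uncovered_vlans())
```

Two practical points the model makes visible: the pass-to-DNS rule only works because it is ordered above the alias reject, and uncovered_vlans() is the check to run whenever a VLAN is numbered from somewhere other than the routed /48 (for instance a prefix handed out by the backup WAN), since such a subnet silently falls outside the alias and would be reachable from every other VLAN.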
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.