IPv6 firewall, multiple subnets
  • We have 170 VLANs and subnets on our intranet. An increasing number of users need us to open access from the internet to the intranet, so we are running out of IPv4 addresses and maintaining NAT is becoming very time consuming. We therefore have to move our intranet to IPv6 in order to get rid of NAT and get more public addresses.

    How do you configure a firewall for IPv6? As a basic rule we need to block all traffic between all VLANs and from the internet, and give everyone on our intranet access to the internet. The rest of the rules are exceptions to this.
    In the IPv4 world it was just two lines in floating rules:
    - allow traffic from RFC1918 to everywhere except RFC1918
    - block the rest.

    How do you separate the intranet from the internet in the IPv6 world? What rules should I use? Can I refer to prefixes?
    We have DHCPv6 working and a static IPv6 address space from our ISP; our backup internet connection has a dynamic IPv6 prefix and DHCPv6.

    The only way I have found that might work is to make floating rules that block traffic from everywhere to each VLAN. However, that would mean 170 lines on our firewall, quite a hassle to maintain.

    I have not found a discussion on this forum or elsewhere about this. I would really appreciate it if someone could point me in the right direction. I feel I am missing something essential. This should not be this difficult, right? I have experience with IPv6 at home, but this is my first IPv6 production setup.


  • Netgate

    You would do it exactly like you do with IPv4, but using IPv6.

    In IPv6 you generally will have a routed prefix. You would use that instead of RFC1918.

    Example:

    You are routed this prefix:

    2001:db8:4b56::/48

    You assign:

    VLAN100: 2001:db8:4b56:64::/64
    VLAN101: 2001:db8:4b56:65::/64
    VLAN102: 2001:db8:4b56:66::/64
    VLAN103: 2001:db8:4b56:67::/64

    On VLAN 100-103 you would:
    - Pass anything to any local assets they need, like DNS servers
    - Reject anything to This Firewall
    - Reject anything to 2001:db8:4b56::/48 (and possibly more if you are using any ULA addresses locally, etc.)
    - Pass anything to any

    It can be beneficial to use an alias for the block destination. You could add 2001:db8:4b56::/48, fc00::/7, etc. to it.

    Yes, there is added responsibility to identify local addresses that need protection without the perceived convenience of just blocking RFC1918. But this responsibility is no different than having routed, public subnets in IPv4.

    If you are careful in your planning, such as setting all VLANs to use the same DNS server addresses, you might even be able to get away with defining an interface group and using one set of rules for them all.
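The rule set described in the reply above, modelled as an added Python example (this is not Netgate's code and not how pfSense stores rules; it only reproduces the first-match evaluation order of interface rules). The routed /48, the VLAN numbering (VLAN100 gets subnet ID 0x64) and the fc00::/7 alias member come from the post; the DNS server and firewall interface addresses are assumptions. It also checks the scaling point from the question: the same four rules isolate 170 VLANs without a per-VLAN line, and it shows why the DNS pass rule has to come before the alias reject.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Prefixes from the post (2001:db8::/32 is the IPv6 documentation range).
ROUTED_PREFIX = ip_network("2001:db8:4b56::/48")
ULA = ip_network("fc00::/7")
# The "block destination" alias the reply suggests: routed prefix plus ULA space.
LOCAL_NETS = [ROUTED_PREFIX, ULA]

# Hypothetical local assets; these addresses are assumptions, not from the post.
DNS_SERVERS = {ip_address("2001:db8:4b56:1::53"), ip_address("2001:db8:4b56:1::54")}
# Hypothetical addresses the firewall holds on two VLAN interfaces ("This Firewall").
FIREWALL_ADDRS = {ip_address("2001:db8:4b56:64::1"), ip_address("2001:db8:4b56:65::1")}

Rule = namedtuple("Rule", ["action", "description", "matches"])


def in_any(addr, nets):
    """True if addr falls inside any network of the alias."""
    return any(addr in net for net in nets)


# One rule set, in the order the reply gives it, applied on every VLAN interface.
# pfSense evaluates interface rules top-down and the first match wins.
VLAN_RULES = [
    Rule("pass",   "local assets the VLANs need (DNS servers)", lambda d: d in DNS_SERVERS),
    Rule("reject", "This Firewall",                             lambda d: d in FIREWALL_ADDRS),
    Rule("reject", "LocalNets alias (routed /48 + ULA)",        lambda d: in_any(d, LOCAL_NETS)),
    Rule("pass",   "any (the Internet)",                        lambda d: True),
]

# Same rules with the alias reject moved above the DNS pass: an ordering mistake
# that silently cuts the VLANs off from their resolvers.
MISORDERED_RULES = [VLAN_RULES[2], VLAN_RULES[0], VLAN_RULES[1], VLAN_RULES[3]]


def evaluate(rules, dst):
    """Return the action of the first matching rule, or the implicit default deny."""
    d = ip_address(dst)
    for rule in rules:
        if rule.matches(d):
            return rule.action
    return "block"


def vlan_policy(dst):
    """Decision for traffic entering the firewall from any VLAN, bound for dst."""
    return evaluate(VLAN_RULES, dst)


def wan_policy(dst):
    """Traffic arriving from the Internet: no WAN rules, so the implicit default deny applies."""
    return evaluate([], dst)


def vlan_prefix(vlan_id):
    """VLAN n -> 2001:db8:4b56:<n in hex>::/64, the scheme in the post (VLAN100 -> :64::/64)."""
    return ip_network(f"2001:db8:4b56:{vlan_id:x}::/64")


def all_vlans_isolated(first=100, count=170):
    """Check that the single four-line rule set keeps each of `count` VLANs from reaching the others."""
    hosts = [str(vlan_prefix(v)[0x10]) for v in range(first, first + count)]  # ::10 in every VLAN
    for src_host in hosts:
        for dst_host in hosts:
            if src_host != dst_host and vlan_policy(dst_host) != "reject":
                return False
    return True


if __name__ == "__main__":
    for dst in ("2001:db8:4b56:65::10", "2001:db8:4b56:1::53", "2001:db8:4b56:64::1",
                "fd12:3456::1", "2001:db8:ffff::1"):
        print(f"VLAN -> {dst:24} {vlan_policy(dst)}")
    print("170 VLANs isolated by one rule set:", all_vlans_isolated())
    print("DNS reachable with misordered rules:", evaluate(MISORDERED_RULES, "2001:db8:4b56:1::53"))
```

Because nothing in the rule set depends on the source VLAN, the same rules can be attached to an interface group as the reply suggests, and adding VLAN 271 is a matter of carving another /64 out of the routed /48, not of adding a firewall line.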