Netgate Discussion Forum

FW-rules related to a specific "IPv6-device"

Firewalling (25 posts, 5 posters)
    louis2, last edited Jun 29, 2020, 6:30 PM

    John, Derelict,

    Yep, if you do it the way you describe, yes, you are right, however ....

    As described above,

    • at the gateway of the "other" VLANs you should define rules related to what is allowed to leave the VLAN
    • at the gateway of the VLAN "to protect" you should describe what is allowed to enter the VLAN

    That is more secure and .... it even costs fewer rules, because if you have to add a rule at the GW of each other VLAN that it is not allowed to go to the protected VLAN:

    • it will cost you n rules
    • you can forget to add a rule at one of the VLANs
    • and perhaps each VLAN is managed by/under the responsibility of its own department manager, which does not match

    So what I did is the following

    Assume we have only three VLANs

    • PCLAN, which should be capable of accessing the NAS in the GreenZone
    • We have the GreenZone, which should only be accessible from the PCLAN
    • We have the RedZone, which should under no circumstances be allowed to reach the NAS / GreenZone

    So now what I did

    • PCLAN
      Rule-1: PASS destination GreenZone

    • Floating Rules
      Rule-1: BLOCK, Interface "GreenZone", Direction out, Address IPV4+IPV6, TCP+UDP
      Rule-2: PASS, QUICK, Interface "GreenZone", Direction out, Address IPV4+IPV6 ,TCP+UDP, Source PCLAN

    • RedZone (or any other (V)LAN)
      Nothing OR
      Rule-1: PASS Destination GreenZone OR
      Rule-1: BLOCK Destination GreenZone

    So with the rule given under PCLAN I give permission to go to the NAS.
    With Floating Rule-1, I block traffic out of any (V)LAN.
    With Floating Rule-2 I make an exception for the PCLAN.

    The rules related to any other interface, e.g. RedZone, do not matter. Whatever is there, systems in that VLAN will never have access to my NAS.

    That is how I do it at the moment. The only point is that the floating rules having an interface set should be at the interface tab and not on the Floating tab (and it would be handy if the rule direction would be presented in the GUI).

    Can you support me?

    Louis

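To see why the post above says the RedZone tab "does not matter", here is a small model of pf-style rule evaluation applied to the three-VLAN policy it describes. This is an added illustration, not code from the post or from pfSense: it models last-match-wins ordering with `quick` short-circuiting, floating rules evaluated before interface-tab rules, interface-tab rules matching only the inbound direction on their own interface, and a default deny. It assumes no state tracking (so a first packet is checked on its ingress interface and again on its egress interface) and uses network names in place of address ranges; the rule names and the `verdict`/`ruleset` helpers are mine.

```python
"""Model of pf-style rule ordering for the PCLAN / GreenZone / RedZone policy.

Added illustration, not the post's or pfSense's code. Assumptions (mine):
no state tracking, interface-tab rules are inbound-only on their interface,
floating rules come first, default deny when nothing matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "pass" or "block"
    interface: Optional[str] = None   # None = any interface
    direction: str = "in"             # "in" or "out" relative to the interface
    src_net: Optional[str] = None     # None = any source network
    dst_net: Optional[str] = None     # None = any destination network
    quick: bool = False               # stop evaluating once this rule matches


@dataclass(frozen=True)
class Packet:
    src_net: str        # network the source address belongs to
    dst_net: str        # network the destination address belongs to
    ifname: str         # interface the packet is being evaluated on
    direction: str      # "in" or "out" on that interface


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.interface is None or rule.interface == pkt.ifname)
        and rule.direction == pkt.direction
        and (rule.src_net is None or rule.src_net == pkt.src_net)
        and (rule.dst_net is None or rule.dst_net == pkt.dst_net)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ordered ruleset: the last matching rule wins, unless a
    matching rule is marked quick. Returns (action, deciding rule name)."""
    decision = ("block", "default deny")
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = (rule.action, rule.name)
            if rule.quick:
                break
    return decision


def verdict(rules: List[Rule], src_net: str, dst_net: str,
            in_if: str, out_if: str) -> Tuple[str, str]:
    """First-packet verdict for a flow entering on in_if and leaving on out_if:
    it must pass the ingress check and then the egress check."""
    ingress = evaluate(rules, Packet(src_net, dst_net, in_if, "in"))
    if ingress[0] != "pass":
        return ingress
    return evaluate(rules, Packet(src_net, dst_net, out_if, "out"))


# The two floating rules from the post, in the order given there.
FLOATING = [
    Rule("Floating-1 BLOCK out on GreenZone", "block", "GreenZone", "out"),
    Rule("Floating-2 PASS QUICK out on GreenZone from PCLAN", "pass",
         "GreenZone", "out", src_net="PCLAN", quick=True),
]
# PCLAN interface tab: Rule-1 PASS destination GreenZone.
PCLAN_TAB = [Rule("PCLAN-1 PASS to GreenZone", "pass", "PCLAN", "in",
                  dst_net="GreenZone")]
# The three RedZone-tab variants the post lists: nothing, a pass, or a block.
REDZONE_VARIANTS: Dict[str, List[Rule]] = {
    "nothing": [],
    "pass": [Rule("RedZone-1 PASS to GreenZone", "pass", "RedZone", "in",
                  dst_net="GreenZone")],
    "block": [Rule("RedZone-1 BLOCK to GreenZone", "block", "RedZone", "in",
                   dst_net="GreenZone")],
}


def ruleset(redzone_variant: str) -> List[Rule]:
    """Floating rules are evaluated first, then the interface tabs."""
    return FLOATING + PCLAN_TAB + REDZONE_VARIANTS[redzone_variant]


def redzone_outcomes() -> Dict[str, str]:
    """RedZone -> GreenZone verdict for each RedZone-tab variant."""
    return {v: verdict(ruleset(v), "RedZone", "GreenZone", "RedZone", "GreenZone")[0]
            for v in REDZONE_VARIANTS}


if __name__ == "__main__":
    print("PCLAN -> NAS:", verdict(ruleset("nothing"), "PCLAN", "GreenZone",
                                   "PCLAN", "GreenZone"))
    for variant, action in redzone_outcomes().items():
        print(f"RedZone -> NAS with RedZone tab '{variant}': {action}")
```

Under these assumptions the PCLAN flow is decided by Floating-2 on the GreenZone egress, while every RedZone variant ends in a block: the "pass" variant gets through its own tab but is then caught by Floating-1 on the way out of GreenZone. What the model leaves out is pf's state table; if states are allowed to float across interfaces, a state created by the PCLAN or RedZone ingress pass would be matched before the GreenZone egress rules are consulted, so the actual pfSense result also depends on the state policy in use.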
      louis2 @Bob.Dig, last edited Jul 5, 2020, 6:50 PM

      @Bob-Dig

      In line with my own perception, and the more after this thread and also the thread you were referring to (How to create IPv6 firewall rules?), I am more than ever convinced that it is simply impossible to create device-specific IPv6 rules based on IP address.

      So IMHO no other option than MAC filtering (I know, not supported in pfSense).

      Louis

        louis2 @Derelict, last edited Jul 5, 2020, 6:53 PM

        @Derelict

        In line with my original perception and the more after reading the responses in this thread
        and also reading the thread “How to create IPv6 firewall rules?”,

        I am more than ever convinced that it is simply impossible to create device-specific IPv6 rules based on IPv6 address.

        The only option I see is using the device's MAC address. It's level 2, I know.

        I also know MAC and IP can both be spoofed, but nevertheless, having the option to "allow" or "block" a specific device is very worthwhile having.

        Also note that it is not a good idea to force a specific IPv6 address in a / all specific computers, if even possible(!). And apart from that, the changing addresses are helping privacy a bit.

        So my conclusion cannot be different than that we have to push in the direction of MAC-based rules!!

        Louis

          louis2 @johnpoz, last edited Jul 5, 2020, 6:56 PM

          @johnpoz

          In line with my original perception and the more after reading the responses in this thread
          and also reading the thread “How to create IPv6 firewall rules?”,

          I am more than ever convinced that it is simply impossible to create device-specific IPv6 rules based on IPv6 address.

          The only option I see is using the device's MAC address. It's level 2, I know.

          I also know MAC and IP can both be spoofed, but nevertheless, having the option to "allow" or "block" a specific device is very worthwhile having.

          Also note that it is not a good idea to force a specific IPv6 address in a / all specific computers, if even possible(!). And apart from that, the changing addresses are helping privacy a bit.

          So my conclusion cannot be different than that we have to push in the direction of MAC-based rules!!

          Louis
          PS this is a copy of my post to @Derelict (since you are the two most relevant people around here ☺ )

            louis2, last edited Jul 5, 2020, 8:12 PM

            Note that I found another discussion on this subject a couple of years ago

            https://forum.netgate.com/topic/103460/firewalling-mac-addresses

            Whatever! Given IPv6 with its "changing IPs", we simply need! MAC filtering to be able to filter traffic from or towards specific devices in our own subnet.

            • to allow something for that device (as origin or destination)
            • or to block something

            Just the same things you can do with an IPv4 address

            Louis

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.