Netgate Discussion Forum

    Blocking InterVLAN with IPv6

    • BarronC

      We are beginning to implement IPv6. At my business we have 4 VLANs; at home I have 2. I have rules to block VLAN25 from getting to VLAN1, see screenshot. RFC1918 is an alias for that network space.

      What is the proper and clean way to do this for IPv6?

      Do I need to make a rule blocking every interface's network from Vlan25?

      Thanks

      c9d342c9-5773-4bd3-8afb-5779a7ad4bd2-image.png

      • johnpoz LAYER 8 Global Moderator @BarronC

        Your rules wouldn't allow vlan25guest to go to any ipv6 currently..

        But if you don't want vlan25 to go to ipv6 that is local, then sure create the same sort of alias for your IPv6 local networks. Or create rules using your different vlan net via IPv6.

        If you don't want other vlans to talk to vlan25 on ipv6.. Then you would put those rules on their interfaces. Or you could get all fancy and do it via floating rules.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Bob.Dig LAYER 8

          Don't roll out IPv6. Especially with a dynamic prefix it would be really hard to secure it, and you were right to do it for every other interface.

          • JKnott @Bob.Dig

            @bob-dig

            That's just plain dumb. There is no reason for not using IPv6. As for the prefix changing, how often does that happen? Also, you can use the network name in filters, without actually specifying addresses. If I had pfsense up & running at the moment¹, I could give some examples.

            1. The computer I had been running pfsense on died recently. Its replacement is currently on a slow boat from China. It should be here in a week or two.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • Bob.Dig LAYER 8 @JKnott

              @jknott You can't have RFC1918 with IPv6 because there is no NATing. You can't do NPt on pfSense with a dynamic prefix.
              In the end, it is easier to not roll out IPv6 everywhere, is my answer to this. But sure, it is only my opinion and maybe OP has static IPv6. The rules in the picture given don't look too good at first sight anyhow.

              Hope you get your new machine in a timely fashion. 🏃

              • BarronC

                @johnpoz said in Blocking InterVLAN with IPv6:

                Your rules wouldn't allow vlan25guest to go to any ipv6 currently..

                Yes, thanks. I had not enabled IPv6 on the lan at home yet.

                Can you please give your input on the changed rules below? I have one more, an OpenVPN issue. Should I assign an interface to that and block it also?

                Thanks

                bfa7118e-b7af-44b5-8dd7-a37f56b72c85-image.png

                • johnpoz LAYER 8 Global Moderator @BarronC

                  Well, 1 thing that jumps out at me is you're rejecting access to LAN address and OPT address.. But what about WAN?

                  If you don't want this vlan talking to any interface on pfsense other than what you allowed, then just use the "This Firewall" built-in alias.

                  • JKnott @Bob.Dig

                    @bob-dig

                    I've said this before, not running IPv6 is head in sand stupidity. The longer this happens, the longer we'll be stuck with IPv4 and hacks like NAT, STUN, etc..

                    IIRC, it's possible to specify a LAN by name, instead of address. Will that not work for this? It appears the OP is already doing that with IPv4, with network names such as VLAN25GUEST. As far as I can see in his first post, the only reference to NAT is the RFC1918 alias. He created a rule !RFC1918, to block access to other networks. The way I did that for IPv6 was I specified my entire /56 prefix, to block anything that wasn't already allowed.

                    If I had pfsense available, I could post the rules I created for a similar situation.

                    As for changing prefixes, how often does that happen? After the option for not releasing the prefix was added to pfsense, my prefix hasn't changed and even survived changing NICs, which would cause my IPv4 address to change. I do know some ISPs don't follow the best practices to provide persistent prefixes. Is that the case here? If not, the prefix is unlikely to change. Mine has been rock solid, though I don't expect it to survive the complete replacement of the firewall/router hardware.

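                    The two rule-design points made above, johnpoz's "reject to LAN address and OPT address leaves WAN open, use the This Firewall alias" and JKnott's "block the whole /56 and refer to networks by name rather than literal address", can be checked in a small model. The following is an added example written for this page, not code from the thread or from pfSense. It imitates pfSense's top-down, first-match evaluation of the rules on the guest VLAN interface for a few constructed destinations. The delegated /56, the subnet id each interface tracks, the WAN address and the initial allow rule for the guest interface's own address (DNS/DHCPv6) are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed sample values: which /64 of the delegated /56 each interface tracks.
SUBNET_IDS = {"LAN": 0x00, "OPT1": 0x10, "VLAN25GUEST": 0x25}


@dataclass
class Site:
    pd: IPv6Network      # ISP-delegated prefix (the whole /56)
    nets: dict           # interface name -> tracked /64 (what "LAN net" resolves to)
    fw: dict             # interface name -> firewall's own address (what "LAN address" resolves to)


def derive_site(delegated: str, wan_address: str) -> Site:
    """Model 'track interface': each VLAN's /64 and the firewall's ::1 on it are
    derived from the delegated prefix, so they move when the prefix changes.
    The WAN address is a separate GUA from the ISP and is NOT inside the /56."""
    pd = IPv6Network(delegated)
    if pd.prefixlen != 56:
        raise ValueError("example assumes a /56 delegation")
    subnets = list(pd.subnets(new_prefix=64))
    nets = {name: subnets[sid] for name, sid in SUBNET_IDS.items()}
    fw = {name: net[1] for name, net in nets.items()}   # ::1 on each local /64
    fw["WAN"] = IPv6Address(wan_address)
    return Site(pd, nets, fw)


@dataclass
class Rule:
    action: str          # "pass" or "reject"
    dst: object          # list of IPv6Network to match, or the string "any"
    label: str


def host(addr: IPv6Address) -> IPv6Network:
    """Single-address match, like picking 'LAN address' in the rule editor."""
    return IPv6Network(f"{addr}/128")


def evaluate(rules: list, dst: str) -> str:
    """Interface rules are processed top-down, first match wins; anything that
    matches no rule falls to the implicit default deny."""
    d = IPv6Address(dst)
    for r in rules:
        if r.dst == "any" or any(d in n for n in r.dst):
            return r.action
    return "reject"


def rules_per_interface_addresses(site: Site) -> list:
    """Rejecting 'LAN address' and 'OPT1 address' plus the other local nets,
    then allowing everything else out. Nothing here names the WAN address."""
    return [
        Rule("pass", [host(site.fw["VLAN25GUEST"])], "guest DNS/DHCPv6 to its own gateway"),
        Rule("reject", [host(site.fw["LAN"])], "reject to LAN address"),
        Rule("reject", [host(site.fw["OPT1"])], "reject to OPT1 address"),
        Rule("reject", [site.nets["LAN"], site.nets["OPT1"]], "reject to LAN net, OPT1 net"),
        Rule("pass", "any", "guest to internet"),
    ]


def rules_this_firewall_and_prefix(site: Site) -> list:
    """'This Firewall' (every address the box holds, WAN included) plus a block
    of the whole delegated /56, both ahead of the pass-any."""
    return [
        Rule("pass", [host(site.fw["VLAN25GUEST"])], "guest DNS/DHCPv6 to its own gateway"),
        Rule("reject", [host(a) for a in site.fw.values()], "reject to This Firewall"),
        Rule("reject", [site.pd], "reject to the delegated /56 (all local nets)"),
        Rule("pass", "any", "guest to internet"),
    ]


def compare(site: Site, probes: dict) -> dict:
    """{probe name: (result under per-address rules, result under This Firewall + /56 rules)}"""
    a = rules_per_interface_addresses(site)
    b = rules_this_firewall_and_prefix(site)
    return {name: (evaluate(a, dst), evaluate(b, dst)) for name, dst in probes.items()}


def renumber_check(old_delegation: str, new_delegation: str, wan: str) -> tuple:
    """Rules built from the OLD prefix (literal addresses) vs. rules re-derived from
    the NEW one (what 'LAN net' / 'This Firewall' do for you), applied to a host
    on the new LAN /64. Returns (stale_result, fresh_result)."""
    old, new = derive_site(old_delegation, wan), derive_site(new_delegation, wan)
    new_lan_host = str(new.nets["LAN"][0x50])
    stale = evaluate(rules_this_firewall_and_prefix(old), new_lan_host)
    fresh = evaluate(rules_this_firewall_and_prefix(new), new_lan_host)
    return stale, fresh


if __name__ == "__main__":
    site = derive_site("2001:db8:abcd:100::/56", "2001:db8:ffff::2")   # constructed values
    probes = {
        "LAN host": "2001:db8:abcd:100::50",
        "firewall WAN address": str(site.fw["WAN"]),
        "Internet host": "2001:db8:9999::1",
    }
    for name, (per_if, this_fw) in compare(site, probes).items():
        print(f"{name:22} per-address rules: {per_if:6}  This Firewall + /56: {this_fw}")
    print("after renumbering (stale, re-derived):",
          renumber_check("2001:db8:abcd:100::/56", "2001:db8:1234:200::/56", "2001:db8:ffff::2"))
```

                    Under the per-address rule set the firewall's WAN address is still reachable from the guest VLAN because no rule names it; the This Firewall alias closes that without listing interfaces one by one. `renumber_check` shows the other point: rules that were materialised from the old prefix stop matching once the delegation changes, while rules expressed against the current networks keep working.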
                    • Bob.Dig LAYER 8 @JKnott

                      @jknott Because of NAT, IPv4 could and eventually will live forever.

                      I now have a setup with a dynamic prefix and another router in front of pfSense, so "Do not allow PD/Address release" isn't helping anymore.
                      I get a new IP and a new /56 every 24 hours and I even like that.

                      Although to get this to work I had to do some tweaking. But I would say that on one of seven days it is still not working as expected... grrr.

                      And I rolled out that IPv6 prefix only on one interface, most don't have IPv6. And for my servers I use the HE tunnel, I got with the help of those fine people in this thread. 😊

                      • JKnott @Bob.Dig

                        @bob-dig said in Blocking InterVLAN with IPv6:

                        Because of NAT, IPv4 could and eventually will live for ever.

                        And that is the problem. IPv4 hasn't been adequate for many years, as there are nowhere near enough addresses to go around. There have been several threads here about someone stuck behind CGN, unable to set up a VPN. Just this past Saturday, one of my friends was having issues because of NAT. A group of us connect with Jitsi for a video chat (we used to meet in a restaurant prior to the pandemic) every week. At first, we were using a publicly available server, but he then set up our own. Occasionally, someone had a problem connecting, and it appears the problem is due to NAT & STUN. Neither of those is necessary with IPv6. The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.

                        • johnpoz LAYER 8 Global Moderator @JKnott

                          @jknott said in Blocking InterVLAN with IPv6:

                          The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.

                          Yup and this 1 guy is holding it up... JFC dude the world is waiting for you to get IPv6 running on your local network already..

                          Amazon is waiting for you to give them the green light so they can finally move to it, same with twitter.. Shoot, of the top 1 million sites, 28% or so are IPv6.. All the others have been waiting for you to give them the go! ;)

                          I think my ISP is waiting on you as well - since they don't provide it.. Nor do they have it even on their road map.. So make sure you call them when you're done so they can get started..

                          In what year do you think this graph will hit even 50%?

                          graph.png

                          The world is waiting on you dude - would you hurry up already ;)

                          I think once you give the green light this graph is just going to shoot to the moon.. Just like gamestop stock prices ;)

                          graph2.png
