Netgate Discussion Forum

Blocking InterVLAN with IPv6

11 Posts 4 Posters 1.6k Views
  • B
    BarronC
    last edited by Jan 31, 2021, 5:54 PM

    We are beginning to implement IPv6. At my business we have 4 VLANs; at home I have 2. I have rules to block Vlan25 from getting to Vlan1, see screenshot. RFC1918 is an alias for that network space.

    What is the proper and clean way to do this for IPv6?

    Do I need to make a rule blocking every interface's network from Vlan25?

    Thanks

    c9d342c9-5773-4bd3-8afb-5779a7ad4bd2-image.png

    • J
      johnpoz LAYER 8 Global Moderator @BarronC
      last edited by Jan 31, 2021, 6:46 PM

      Your rules wouldn't allow vlan25guest to go to any ipv6 currently..

      But if you don't want vlan25 to go to ipv6 that is local, then sure create the same sort of alias for your IPv6 local networks. Or create rules using your different vlan net via IPv6.

      If you don't want other vlans to talk to vlan25 on ipv6.. Then you would put those rules on their interfaces. Or you could get all fancy and do it via floating rules.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • B
        Bob.Dig LAYER 8
        last edited by Bob.Dig Jan 31, 2021, 7:08 PM

        Don't roll out IPv6. Especially with a dynamic prefix it would be really hard to secure it and you were right to do it for every other interface.

        • J
          JKnott @Bob.Dig
          last edited by Jan 31, 2021, 8:54 PM

          @bob-dig

          That's just plain dumb. There is no reason for not using IPv6. As for the prefix changing, how often does that happen? Also, you can use the network name in filters, without actually specifying addresses. If I had pfsense up & running at the moment¹, I could give some examples.

          1. The computer I had been running pfsense on died recently. Its replacement is currently on a slow boat from China. It should be here in a week or two.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • B
            Bob.Dig LAYER 8 @JKnott
            last edited by Bob.Dig Jan 31, 2021, 9:06 PM

            @jknott You can't have RFC1918 with IPv6 because there is no NATing. You can't do NPt on pfSense with a dynamic prefix.
            In the end, it is easier to not roll out IPv6 everywhere is my answer to this. But sure, it is only my opinion and maybe OP has static IPv6. The rules in the picture given don't look too good at first sight anyhow.

            Hope you get your new machine in a timely fashion. 🏃

            • B
              BarronC
              last edited by Feb 1, 2021, 2:23 AM

              @johnpoz said in Blocking InterVLAN with IPv6:

              Your rules wouldn't allow vlan25guest to go to any ipv6 currently..

              Yes, thanks. I had not enabled IPv6 on the lan at home yet.

              Can you please give your input on the changed rules below? I have one more, an OpenVPN issue. Should I assign an interface to that and block it also?

              Thanks

              bfa7118e-b7af-44b5-8dd7-a37f56b72c85-image.png

              • J
                johnpoz LAYER 8 Global Moderator @BarronC
                last edited by johnpoz Feb 1, 2021, 2:26 AM

                Well, 1 thing that jumps out at me is you're rejecting access to LAN address and OPT address.. But what about WAN?

                If you don't want this vlan talking to any interface on pfsense, other than what you allowed. Then just use the "this firewall" built in alias.


                • J
                  JKnott @Bob.Dig
                  last edited by Feb 1, 2021, 2:43 AM

                  @bob-dig

                  I've said this before, not running IPv6 is head in sand stupidity. The longer this happens, the longer we'll be stuck with IPv4 and hacks like NAT, STUN, etc..

                  IIRC, it's possible to specify a LAN by name, instead of address. Will that not work for this? It appears the OP is already doing that with IPv4, with network names such as VLAN25GUEST. As far as I can see in his first post, the only reference to NAT is the RFC1918 alias. He created a rule !RFC1918, to block access to other networks. The way I did that for IPv6 was I specified my entire /56 prefix, to block anything that wasn't already allowed.

                  If I had pfsense available, I could post the rules I created for a similar situation.

                  As for changing prefixes, how often does that happen? After the option for not releasing the prefix was added to pfsense, my prefix hasn't changed and even survived changing NICs, which would cause my IPv4 address to change. I do know some ISPs don't follow the best practices to provide persistent prefixes. Is that the case here? If not, the prefix is unlikely to change. Mine has been rock solid, though I don't expect it to survive the complete replacement of the firewall/router hardware.


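The thread circles three ways of keeping a guest VLAN away from the other VLANs once IPv6 is in play: johnpoz's alias of the local IPv6 networks (or the per-interface "net" macros), his later point that rejecting only "LAN address" and "OPT address" leaves the firewall's WAN address reachable unless the built-in "This Firewall" alias is used, and JKnott's trick of passing everything except the whole delegated /56. The following is an added example, not code from the thread or from pfSense: a small first-match rule simulator in Python that models those rule sets as data and evaluates sample destinations against them. All addresses, interface names and the /56 are constructed from documentation ranges, and the `Rule`/`evaluate` helpers are an assumption about how to model per-interface pfSense rules, not pfSense's own code.

```python
# Added example (not from the thread or from pfSense): a minimal first-match
# simulator for the rules on one interface tab, used to show why an IPv4-only
# "!RFC1918" pass rule default-denies all IPv6, why a blanket IPv6 pass reopens
# inter-VLAN access, and how a local-prefix alias or "This Firewall" closes it.
from dataclasses import dataclass
import ipaddress


def nets(*cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed topology: the firewall's own address on each interface (assumed values).
IFACE_ADDR = {
    "lan":    ("192.168.1.1",  "2001:db8:abcd:1::1"),
    "vlan25": ("192.168.25.1", "2001:db8:abcd:25::1"),
    "wan":    ("203.0.113.5",  "2001:db8:ffff::2"),
}
DELEGATED_PREFIX = "2001:db8:abcd::/56"   # assumed /56 handed out by the ISP

# Aliases modelled as network lists.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LOCAL_V6 = nets("2001:db8:abcd:1::/64", "2001:db8:abcd:25::/64")   # the per-VLAN /64s
PREFIX56 = nets(DELEGATED_PREFIX)
THIS_FIREWALL = nets(*(a for pair in IFACE_ADDR.values() for a in pair))  # /32 and /128 hosts


@dataclass
class Rule:
    action: str            # "pass" or "block"
    af: str                # "inet", "inet6" or "any"
    dst: list = None       # destination alias; None means any destination
    negate: bool = False   # models the "!" (invert) checkbox on the destination


def matches(rule, dst_ip):
    family = "inet" if dst_ip.version == 4 else "inet6"
    if rule.af not in ("any", family):
        return False
    if rule.dst is None:
        return True
    in_alias = any(dst_ip in net for net in rule.dst)
    return in_alias != rule.negate


def evaluate(rules, dst):
    """First matching rule wins, as on a pfSense interface tab; traffic that
    matches nothing is dropped by the implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, dst_ip):
            return rule.action
    return "block"


def ipv4_only_rules():
    # What the first screenshot amounts to: a single IPv4 pass to !RFC1918.
    return [Rule("pass", "inet", RFC1918, negate=True)]


def naive_ipv6_rules():
    # Adding "pass inet6 to any" as the IPv6 twin reopens every local /64.
    return ipv4_only_rules() + [Rule("pass", "inet6", None)]


def alias_rules():
    # johnpoz's approach: block This Firewall and an alias of local IPv6 nets first.
    return [
        Rule("block", "any", THIS_FIREWALL),
        Rule("pass", "inet", RFC1918, negate=True),
        Rule("block", "inet6", LOCAL_V6),
        Rule("pass", "inet6", None),
    ]


def prefix_rules():
    # JKnott's approach: pass IPv6 only to destinations outside the whole /56.
    return [
        Rule("block", "any", THIS_FIREWALL),
        Rule("pass", "inet", RFC1918, negate=True),
        Rule("pass", "inet6", PREFIX56, negate=True),
    ]


def report(rules):
    # Constructed probe destinations as seen from a host on VLAN25.
    probes = {
        "v4_internet": "198.51.100.10",
        "v4_lan_host": "192.168.1.50",
        "v6_internet": "2001:db8:1234::10",
        "v6_lan_host": "2001:db8:abcd:1::50",
        "v6_fw_wan_addr": "2001:db8:ffff::2",
    }
    return {name: evaluate(rules, ip) for name, ip in probes.items()}


if __name__ == "__main__":
    for label, rs in (("ipv4-only", ipv4_only_rules()), ("naive-v6", naive_ipv6_rules()),
                      ("alias", alias_rules()), ("prefix", prefix_rules())):
        print(label, report(rs))
```

Running it shows the three outcomes the posters describe: the IPv4-only set blocks every IPv6 destination (nothing passes, so default deny wins), the naive set lets VLAN25 reach a LAN host over IPv6 and the firewall's own WAN address, and both the alias set and the /56 set pass IPv6 internet traffic while blocking the other VLAN and every firewall address. The caveat from the thread applies to the alias variant: a hard-coded alias goes stale when the delegated prefix changes, whereas pfSense's "LAN net"/"VLAN25 net" macros track the interface's current prefix.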
                  • B
                    Bob.Dig LAYER 8 @JKnott
                    last edited by Bob.Dig Feb 1, 2021, 8:39 AM

                    @jknott Because of NAT, IPv4 could and eventually will live for ever.

                    I now have a setup with a dynamic prefix and another router in front of pfSense, so "Do not allow PD/Address release" isn't helping anymore.
                    I get a new IP and a new /56 every 24 hours and I even like that.

                    Although to get this to work I had to do some tweaking. But I would say that on one of seven days it is still not working as expected... grrr.

                    And I rolled out that IPv6 prefix only on one interface, most don't have IPv6. And for my servers I use the HE tunnel, I got with the help of those fine people in this thread. 😊

                    • J
                      JKnott @Bob.Dig
                      last edited by Feb 1, 2021, 11:51 AM

                      @bob-dig said in Blocking InterVLAN with IPv6:

                      Because of NAT, IPv4 could and eventually will live for ever.

                      And that is the problem. IPv4 hasn't been adequate for many years as there are nowhere near enough addresses to go around. There have been several threads here about someone stuck behind CGN, unable to set up a VPN. Just this past Saturday, one of my friends was having issues because of NAT. A group of us connect with Jitsi for a video chat (we used to meet in a restaurant prior to the pandemic) every week. At first, we were using a publicly available server, but he then set up our own. Occasionally, someone has a problem connecting and it appears the problem is due to NAT & STUN. Neither of those are necessary with IPv6. The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.


                      • J
                        johnpoz LAYER 8 Global Moderator @JKnott
                        last edited by johnpoz Feb 2, 2021, 6:03 AM

                        @jknott said in Blocking InterVLAN with IPv6:

                        The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.

                        Yup and this 1 guy is holding it up... JFC dude the world is waiting for you to get IPv6 running on your local network already..

                        Amazon is waiting for you to give them the green light so they can finally move to it, same with twitter.. Shoot, off the top like 1 million sites, 28% or so are ipv6.. All the others been waiting for you to give them the go! ;)

                        I think my ISP is waiting on you as well - since they don't provide it.. Nor do they have it even on their road map.. So make sure you call them when you're done so they can get started..

                        In what year do you think this graph will hit even 50%?

                        graph.png

                        The world is waiting on you dude - would you hurry up already ;)

                        I think once you give the green light this graph is just going to shoot to the moon.. Just like gamestop stock prices ;)

                        graph2.png


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.