Blocking InterVLAN with IPv6
-
We are beginning to implement IPv6. At my business we have 4 VLANs; at home I have 2. I have rules to block Vlan25 from getting to Vlan1, see screenshot. RFC1918 is an alias for that network space.
What is the proper and clean way to do this for IPv6?
Do I need to make a rule blocking every interface's network from Vlan25?
Thanks
-
Your rules wouldn't allow vlan25guest to go to any ipv6 currently..
But if you don't want vlan25 to go to ipv6 that is local, then sure create the same sort of alias for your IPv6 local networks. Or create rules using your different vlan net via IPv6.
If you don't want other vlans to talk to vlan25 on ipv6.. Then you would put those rules on their interfaces. Or you could get all fancy and do it via floating rules.
-
Don't roll out IPv6. Especially with a dynamic prefix it would be really hard to secure it, and you were right to do it for every other interface.
-
That's just plain dumb. There is no reason for not using IPv6. As for the prefix changing, how often does that happen? Also, you can use the network name in filters, without actually specifying addresses. If I had pfsense up & running at the moment¹, I could give some examples.
¹ The computer I had been running pfsense on died recently. Its replacement is currently on a slow boat from China. It should be here in a week or two.
-
@jknott You can't have an RFC1918 with IPv6 because of no NATing. You can't do NPt on pfSense with a dynamic prefix.
In the end, it is easier to not roll out IPv6 everywhere is my answer to this. But sure, it is only my opinion and maybe OP has static IPv6. The rules in the picture given don't look too good at first sight anyhow. Hope you get your new machine in a timely fashion.
-
@johnpoz said in Blocking InterVLAN with IPv6:
Your rules wouldn't allow vlan25guest to go to any ipv6 currently..
Yes, thanks. I had not enabled IPv6 on the lan at home yet.
Can you please give your input on the changed rules below? I have one more, an OpenVPN issue. Should I assign an interface to that and block it also?
Thanks
-
Well 1 thing that jumps out at me is you're rejecting access to lan address and opt address.. But what about wan?
If you don't want this vlan talking to any interface on pfsense, other than what you allowed. Then just use the "this firewall" built in alias.
-
I've said this before, not running IPv6 is head in sand stupidity. The longer this happens, the longer we'll be stuck with IPv4 and hacks like NAT, STUN, etc..
IIRC, it's possible to specify a LAN by name, instead of address. Will that not work for this? It appears the OP is already doing that with IPv4, with network names such as VLAN25GUEST. As far as I can see in his first post, the only reference to NAT is the RFC1918 alias. He created a rule !RFC1918, to block access to other networks. The way I did that for IPv6 was I specified my entire /56 prefix, to block anything that wasn't already allowed.
If I had pfsense available, I could post the rules I created for a similar situation.
As for changing prefixes, how often does that happen? After the option for not releasing the prefix was added to pfsense, my prefix hasn't changed and even survived changing NICs, which would cause my IPv4 address to change. I do know some ISPs don't follow the best practices to provide persistent prefixes. Is that the case here? If not, the prefix is unlikely to change. Mine has been rock solid, though I don't expect it to survive the complete replacement of the firewall/router hardware.
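To make the rule logic from the replies above concrete (johnpoz's "build the same sort of alias for your IPv6 local networks" plus the built-in "this firewall" alias, and jknott's "specify the entire /56 prefix" approach), here is an added example that is not code from any poster or from pfSense: a small first-match evaluator for a guest-VLAN rule set, written in Python with the standard `ipaddress` module. The delegated prefix `2001:db8:1234::/56`, the interface addresses in the `ThisFirewall` alias and the helper names are all constructed for illustration; the rule ordering mirrors the thread's advice (reject traffic to the firewall itself first, then pass only to non-local destinations, default deny for everything else).

```python
"""Constructed first-match evaluator for a guest-VLAN rule set, IPv4 and IPv6.

All prefixes and addresses below are hypothetical (documentation ranges),
chosen to illustrate the thread's advice, not copied from any real setup.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical ISP-delegated prefix; with a dynamic prefix this is the one
# value that changes, so the IPv6 "local" alias is rebuilt from it.
DELEGATED_PREFIX = "2001:db8:1234::/56"


def local_v6_alias(delegated_prefix: str) -> list[str]:
    """IPv6 counterpart of the RFC1918 alias: the delegated prefix plus
    ULA (fc00::/7) and link-local (fe80::/10), which are local regardless
    of what the ISP hands out."""
    return [delegated_prefix, "fc00::/7", "fe80::/10"]


ALIASES: dict[str, list[str]] = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "LocalNets6": local_v6_alias(DELEGATED_PREFIX),
    # Stand-in for pfSense's built-in "This Firewall" alias: every address
    # the firewall itself holds (hypothetical values).
    "ThisFirewall": [
        "192.168.1.1", "192.168.25.1",
        "2001:db8:1234:1::1", "2001:db8:1234:25::1", "fe80::1",
    ],
}


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "reject"
    dst: str             # alias name, or "any"
    negate: bool = False  # True models the "!" (invert match) checkbox
    family: str = "any"  # "inet", "inet6" or "any"


def _family(addr: ipaddress._BaseAddress) -> str:
    return "inet" if addr.version == 4 else "inet6"


def in_alias(addr: ipaddress._BaseAddress, alias: str) -> bool:
    """Membership test; ipaddress returns False for a v4/v6 mismatch,
    so a mixed alias is safe to scan."""
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def rule_matches(rule: Rule, addr: ipaddress._BaseAddress) -> bool:
    if rule.family != "any" and _family(addr) != rule.family:
        return False
    if rule.dst == "any":
        return True
    hit = in_alias(addr, rule.dst)
    return (not hit) if rule.negate else hit


def evaluate(rules: list[Rule], dst: str) -> str:
    """First matching rule wins (pfSense interface rules are 'quick');
    nothing matching means the implicit default deny."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, addr):
            return rule.action
    return "block"


# Guest-VLAN inbound rule set, in the order the thread recommends.
GUEST_RULES = [
    Rule("reject", "ThisFirewall"),                         # any family
    Rule("pass", "RFC1918", negate=True, family="inet"),    # v4: !RFC1918
    Rule("pass", "LocalNets6", negate=True, family="inet6"),  # v6: !LocalNets6
]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.10", "192.168.25.1",
                "2606:4700::1111", "2001:db8:1234:1::10",
                "2001:db8:1234:25::1", "fd00::1"):
        print(f"{dst:>22} -> {evaluate(GUEST_RULES, dst)}")
```

The practical point the evaluator makes is the one johnpoz raised about WAN: without the `ThisFirewall` rule, `2001:db8:1234:25::1` (the guest VLAN's own gateway) would be blocked by the `!LocalNets6` rule anyway, but the WAN address of the firewall, which is outside the delegated prefix, would be passed. When the delegated prefix changes, only `DELEGATED_PREFIX` needs updating and `local_v6_alias` regenerates the alias; the ULA and link-local entries stay valid.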
-
@jknott Because of NAT, IPv4 could and eventually will live for ever.
I now have a setup with a dynamic prefix and another router in front of pfSense, so "Do not allow PD/Address release" isn't helping anymore.
I get a new IP and a new /56 every 24 hours and I even like that. Although to get this to work I had to do some tweaking. But I would say that in one of seven days it is still not working as expected... grrr.
And I rolled out that IPv6 prefix only on one interface, most don't have IPv6. And for my servers I use the HE tunnel, I got with the help of those fine people in this thread.
-
@bob-dig said in Blocking InterVLAN with IPv6:
Because of NAT, IPv4 could and eventually will live for ever.
And that is the problem. IPv4 hasn't been adequate for many years as there are nowhere near enough addresses to go around. There have been several threads here about someone stuck behind CGN, unable to set up a VPN. Just this past Saturday, one of my friends was having issues because of NAT. A group of us connect with Jitsi for a video chat (we used to meet in a restaurant prior to the pandemic) every week. At first, we were using a publicly available server, but he then set up our own. Occasionally, someone has a problem connecting and it appears the problem is due to NAT & STUN. Neither of those are necessary with IPv6. The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.
-
@jknott said in Blocking InterVLAN with IPv6:
The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.
Yup and this 1 guy is holding it up... JFC dude the world is waiting for you to get IPv6 running on your local network already..
Amazon is waiting for you to give them the green light so they can finally move to it, same with twitter.. Shoot, off the top like 1 million sites, 28% or so are ipv6.. All the others been waiting for you to give them the go! ;)
I think my ISP is waiting on you as well - since they don't provide it.. Nor do they have it even on their road map.. So make sure you call them when you done so they can get started..
In what year do you think this graph will hit even 50%?
The world is waiting on you dude - would you hurry up already ;)
I think once you give the green light this graph is just going to shoot to the moon.. Just like gamestop stock prices ;)