Netgate Discussion Forum

Firewall rules for IPV6 track interface.

    bassopt
    last edited by Aug 1, 2022, 6:09 PM

    Hi.
    First of all, I'm completely new to IPv6 and I'm trying to learn a bit here.

    My ISP provides me a /56 prefix, so I went to pfSense and configured DHCP6 on WAN and Track Interface on my LAN interface.
    As for RA, I set it to Managed and set a DHCP server range from ::1000 to ::2000.
    Everything is working fine except for the fact that all the devices I have behind the LAN interface are completely exposed and accessible on their IPv6 address but firewalled on IPv4, except for the few ports I really needed to open/NAT forward on IPv4.
    I know NAT doesn't exist on IPv6, so how do I secure my devices behind IPv6?
    I have a few virtual machines running Docker and other services I don't want to expose to the world! Do I need to configure a firewall on each of them (this is quite a pain), or is there any way to do it on pfSense?
    I've searched everywhere for info on IPv6 firewall rules and there's very little information on it.

    Thanks... I'm really lost here!

    Best regards.
    J.O.

      Bob.Dig LAYER 8 @bassopt
      last edited by Bob.Dig Aug 1, 2022, 6:23 PM Aug 1, 2022, 6:17 PM

      @bassopt said in Firewall rules for IPV6 track interface.:

      I'm really lost here!

      Looks like it... so what have you done? pfSense is OOTB secure... restore defaults, I guess.

        bassopt @Bob.Dig
        last edited by bassopt Aug 1, 2022, 6:26 PM Aug 1, 2022, 6:26 PM

        @bob-dig said in Firewall rules for IPV6 track interface.:

        OOTB

        I've done exactly what I said above, nothing else.

        Interfaces --> WAN --> DHCP6 Client Configuration --> DHCPv6 Prefix Delegation size="56" --> Save
        Interfaces --> LAN --> General Configuration --> IPv6 Configuration Type="Track Interface"
        Interfaces --> LAN --> Track IPv6 Interface --> IPv6 Interface="WAN"
        Interfaces --> LAN --> Track IPv6 Interface --> IPv6 Prefix ID="0" --> Save
        Services --> DHCPv6 Server & RA --> Router Advertisements --> Router mode="Managed" --> Save
        Services --> DHCPv6 Server & RA --> DHCPv6 Server --> "Enable DHCPv6 server on interface LAN"
        Range from="::1000"
        Range to="::2000" --> Save

        Firewall rules for the LAN interface are the ones defined by default by pfSense for the LAN interface (pass all traffic for both IPv4 and IPv6).

          Bob.Dig LAYER 8 @bassopt
          last edited by Aug 1, 2022, 6:28 PM

          @bassopt said in Firewall rules for IPV6 track interface.:

          Everything is working fine except for the fact that all the devices I have behind the LAN interface are completely exposed and accessible on their IPv6 address but firewalled on IPv4, except for the few ports I really needed to open/NAT forward on IPv4.

          So how did you come up with this, how have you checked this?

            bassopt @Bob.Dig
            last edited by Aug 1, 2022, 6:34 PM

            @bob-dig said in Firewall rules for IPV6 track interface.:

            So how did you come up with this, how have you checked this?

            Because I have a VPS running on Vultr and decided to SSH into the IPv6 address assigned to one of my Docker VMs. And voilà… instant access. If I do it to the (global) IPv4 address it's blocked.

              Bob.Dig LAYER 8 @bassopt
              last edited by Bob.Dig Aug 1, 2022, 6:39 PM Aug 1, 2022, 6:38 PM

              @bassopt So then show your WAN rules, you have to open ports for IPv6 too, it is not open by default.

                bassopt @Bob.Dig
                last edited by bassopt Aug 1, 2022, 6:45 PM Aug 1, 2022, 6:44 PM

                @bob-dig

                I have zero rules on the WAN interface assigned for IPv6, only IPv4.
                I just configured IPv6 today.

                It's as if the track interface from WAN to LAN completely ignores the WAN rules and only uses the LAN ones. That's why everything is exposed.

                Note that my WAN interface doesn't even have an IPv6 address (that's how my ISP works apparently), just a ff80: link-local address.

                  Bob.Dig LAYER 8 @bassopt
                  last edited by Aug 1, 2022, 6:48 PM

                  @bassopt said in Firewall rules for IPV6 track interface.:

                  That’s why everything is exposed.

                  No, exposed is only your missing knowledge about this. But without screens it is hard to say what is wrong with your setup.

                    bassopt @Bob.Dig
                    last edited by Aug 1, 2022, 7:03 PM

                    @bob-dig

                    Here.

                    [seven screenshots of the firewall rule pages, not preserved]

                    I also have NAT

                      Bob.Dig LAYER 8 @bassopt
                      last edited by Bob.Dig Aug 1, 2022, 7:35 PM Aug 1, 2022, 7:34 PM

                      @bassopt So this looks ok.
                      I did a quick test from my vps and everything is closed here.

                        bassopt @Bob.Dig
                        last edited by Aug 1, 2022, 8:16 PM

                        @bob-dig

                        Thanks! No idea why this is happening…

                          bassopt @Bob.Dig
                          last edited by Aug 1, 2022, 9:12 PM

                          @bob-dig btw, are you using pfSense+ or Community? I'll try to reinstall pfSense tomorrow and restore configs from a backup and see if anything changes.

                            bassopt
                            last edited by Aug 3, 2022, 2:21 PM

                            Any other input on this? I've reinstalled pfSense+ and pfSense Community Edition and the problem still exists.

                              SteveITS Galactic Empire @bassopt
                              last edited by Aug 3, 2022, 2:42 PM

                              @bassopt said in Firewall rules for IPV6 track interface.:

                              SSH into the IPv6 address assigned to one of my Docker VMs. And voilà… instant access

                              Are you connecting from another PC on your LAN? (which wouldn't go through the router...)

                              In theory you can add a rule on WAN to block all IPv6 but the default block rule should be blocking everything inbound.

                              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                              Upvote 👍 helpful posts!

                                bassopt @SteveITS
                                last edited by Aug 3, 2022, 3:18 PM

                                @steveits no. I'm accessing from a VPS outside my LAN. That's why something doesn't add up. I know I could add a firewall rule if I wanted to SSH into the VM, but I don't. Still, all my LAN machines are completely exposed when they get a global address from pfSense, with no passing rules whatsoever.

                                  bassopt @bassopt
                                  last edited by bassopt Aug 3, 2022, 3:58 PM Aug 3, 2022, 3:58 PM

                                  Found the issue.

                                  pfBlockerNG... uninstalled it and the problem is solved. No clue what it might be doing, but whatever!!!

                                    the other @bassopt
                                    last edited by Aug 3, 2022, 5:40 PM

                                    @bassopt hey there, good to know you solved it.
                                    Just out of interest, did you use pfBlockerNG at all, meaning, have you configured something regarding IP whitelists or GeoIP?
                                    Some existing floating rules might then have been the issue...
                                    Just having pfBlockerNG installed without any settings active and no aliases or rules created shouldn't cause that...
                                    Or am I wrong assuming that? (*looking at the more experienced people here)
                                    :)

                                    the other

                                    pure amateur home user, no business or professional background
                                    please excuse poor english skills and typpoz :)

                                      SteveITS Galactic Empire @the other
                                      last edited by Aug 3, 2022, 5:58 PM

                                      @the-other pfBlocker can set up allow or block rules, or aliases, or DNSBL. By itself, without any configuration, it basically does nothing. Any rules it creates would normally be on the LAN and/or WAN rule pages.

                                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                      Upvote 👍 helpful posts!

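Added example, not from any post in this thread: a small shell helper that audits a `pfctl -sr` ruleset dump for rules passing IPv6 traffic inbound, which is how you would verify on the box itself whether the WAN carries only the default deny (as in the rule pages posted above) or whether a package such as pfBlockerNG has loaded floating rules that the per-interface GUI tabs do not show. It assumes `igb0` is the WAN interface name and runs against a constructed sample ruleset rather than live output.

```shell
#!/bin/sh
# Added example (not from this thread): audit a `pfctl -sr` ruleset dump for
# rules that pass IPv6 traffic *inbound*. pfSense's GUI shows rules per
# interface tab, but package-generated floating rules (e.g. from pfBlockerNG)
# are only reliably visible in the loaded pf ruleset. On the firewall itself:
#   pfctl -sr | audit_ipv6_inbound igb0
# where igb0 is the WAN interface name (an assumption; check Status > Interfaces).

# Constructed sample of `pfctl -sr` output; not captured from a real box.
SAMPLE_RULES='
block drop in log inet6 all label "Default deny rule IPv6"
block drop in log inet all label "Default deny rule IPv4"
pass in quick on igb0 inet proto tcp from any to 203.0.113.10 port = 443 flags S/SA keep state label "USER_RULE: v4 web forward"
pass in quick on igb0 inet6 from <pfB_Whitelist_v6> to any flags S/SA keep state label "USER_RULE: pfB_Whitelist_v6 auto rule"
pass in quick on igb1 inet6 from any to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick inet6 proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: floating ssh"
pass out quick on igb0 inet6 from any to any flags S/SA keep state label "let out anything from firewall host itself"
'

# Read rules on stdin; print IPv6 "pass in" rules bound to the given WAN
# interface, plus floating ones that name no interface at all (they match on
# every interface, WAN included). Tag each line so the source is obvious.
audit_ipv6_inbound() {
    wan="${1:?usage: audit_ipv6_inbound <wan-ifname>}"
    awk -v wan="$wan" '
        /^pass in / && / inet6 / {
            if ($0 !~ / on /)          { print "FLOATING " $0; next }
            if ($0 ~ (" on " wan " ")) { print "WAN      " $0 }
        }'
}

# Number of such rules in the sample for interface $1 (0 is the healthy answer
# for a WAN that should expose nothing).
count_ipv6_inbound() {
    printf '%s\n' "$SAMPLE_RULES" | audit_ipv6_inbound "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | audit_ipv6_inbound igb0
```

On the sample, the WAN audit reports the pfBlockerNG whitelist rule and the floating SSH rule; the LAN "allow any" rule is correctly not attributed to WAN.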
                                        the other @SteveITS
                                        last edited by the other Aug 3, 2022, 7:29 PM Aug 3, 2022, 7:28 PM

                                        @steveits
                                        Hey there and thanks for your reply.
                                        That is what I thought.
                                        So, there must have been some rule responsible for this issue. Since the screenshots of WAN and LAN did not show any such rule, I figured there must have been other rules...
                                        Just uninstalling pfBlockerNG solving the problem seems strange otherwise.
                                        Just trying to understand this issue.

                                        the other

                                        pure amateur home user, no business or professional background
                                        please excuse poor english skills and typpoz :)

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.