guest vlan with ipv6
-
Hey all,
At the moment I have a guest network with IPv4 that's exiting via a VPN gateway. Rules are easy enough: just block all the RFC1918 ranges and select the VPN gateway.
For shits and giggles I want to add IPv6. I also want to route this via the VPN gateway (my VPN provider supports IPv6).
I was able to make a ULA subnet and NAT this via the IPv6 gateway. But now comes the problem: how do I block all traffic to my other subnets? I use ULAs and GUAs on my other subnets and it seems like I have to block a lot of IP ranges. Is there an easy way to do this?
Thanks in advance!
-
Why are you using NAT? Don't you have multiple /64s available?
Here are my rules. I'm using prefix 03 for my guest WiFi.
-
Thanks for your reply!
For my normal subnets I don't use NAT, but I want to route everything from my guest network over my VPN provider, which only gave me a /128 address, so I have to use NAT to route everything. My rules look a lot like that; I have the same rule about the RFC1918 and ULA addresses, but what do you mean by "reject all IPv6 within prefix"?
-
@gwabber said in guest vlan with ipv6:
but what do you mean with "reject all IPv6 within prefix"?
That refers to my entire /56 prefix as provided by my ISP. I don't allow guests to access any of it.
For my normal subnets I don't use NAT, but I want to route everything from my guest network over my VPN provider, which only gave me a /128 address, so I have to use NAT to route everything.
???
Are you referring to the WAN address? If so, it's not used for routing. It's only used for connections, such as VPN to your pfSense box. You just route your subnets as you would generally. Also, you have to specifically route all but your LAN, so those other subnets won't be routed, unless you want to. You can also use rules to further restrict what gets routed.
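An added example (not from either poster, and not pfSense code) that models the guest rule set discussed above as first-match logic: block RFC1918, block all ULA space (fc00::/7), reject everything inside the ISP-delegated /56, pass the rest to the VPN gateway. 2001:db8::/56 is a documentation-range placeholder for the real ISP prefix, and the local subnets checked at the bottom are constructed.

```python
import ipaddress

# Constructed block list in the order pfSense would evaluate it (first match wins).
# 2001:db8::/56 is a placeholder for the ISP-delegated /56; substitute your own.
BLOCKED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC1918
    ipaddress.ip_network("fc00::/7"),         # all ULA, including the guest ULA
    ipaddress.ip_network("2001:db8::/56"),    # placeholder: the whole ISP prefix
]


def guest_action(dst: str) -> str:
    """Return what the guest VLAN policy does with a destination address:
    'reject' if it falls in any blocked range, otherwise pass it to the VPN gateway."""
    addr = ipaddress.ip_address(dst)
    for net in BLOCKED_DESTINATIONS:
        if addr.version == net.version and addr in net:
            return "reject"
    return "pass via VPN gateway"


def uncovered_subnets(local_subnets) -> list:
    """Return the local subnets that no block entry fully covers, i.e. the ranges
    a guest client could still reach with this rule set."""
    gaps = []
    for s in local_subnets:
        net = ipaddress.ip_network(s)
        covered = any(net.version == b.version and net.subnet_of(b)
                      for b in BLOCKED_DESTINATIONS)
        if not covered:
            gaps.append(s)
    return gaps


if __name__ == "__main__":
    # Constructed local subnets: a v4 LAN, a ULA, "prefix 03" inside the /56,
    # and one /64 that lies outside the placeholder /56 on purpose.
    mine = ["192.168.10.0/24", "fd00:10::/64", "2001:db8:0:3::/64", "2001:db8:1::/64"]
    print("gaps:", uncovered_subnets(mine))
    for dst in ["192.168.10.5", "fd00:10::1", "2001:db8:0:3::1", "2001:db8:1::1"]:
        print(dst, "->", guest_action(dst))
```

Running it shows that a single fc00::/7 entry plus the whole delegated prefix covers every internal range at once, so you do not need one rule per subnet; the only gap it reports is the /64 deliberately placed outside the /56.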
-
No, I don't refer to the WAN address. With my other subnets, I don't use NAT for IPv6, but I track the WAN interface. I also have a /56 from my ISP.
My VPN provider, on the other hand, only gave me a /128, so to use that gateway I have to use NAT to send all traffic from my guest VLAN over that gateway.
-
No, you route the traffic, just as you do with your default gateway.