Netgate Discussion Forum

Ethernet Filtering

Firewalling
15 Posts 5 Posters 1.7k Views
  • R
    ronv42
    last edited by Jun 18, 2023, 2:23 PM

    Just a general question: is anyone using the Ethernet Filtering in Advanced Options with firewall rules? Since coming over from another firewall platform that supported L2 rules, and seeing that this feature is Plus only and Experimental, I was wondering if some folks can share their experience with the feature.

    I have two devices on my network that I don't ever want to allow access to the internet while still being able to talk to the local services on the VLANs. With MAC addresses being static vs. filtering on IP addresses, I was thinking about turning this on.

    J J 2 Replies Last reply Jun 18, 2023, 3:29 PM Reply Quote 1
    • J
      johnpoz LAYER 8 Global Moderator @ronv42
      last edited by Jun 18, 2023, 3:29 PM

      @ronv42 Would someone be changing the MAC of the device? If not, just set up a reservation so they get the IP you want, then just deny internet access in a normal L3 firewall rule.

      I have not found a reason to test the L2 filtering as of yet - mostly because I don't really have a need for that feature that I can think of. My IoT/other VLANs are limited to what they can talk to on other VLANs, so it doesn't really matter what IPs they have.

      I guess there could be some value to filtering at MAC, I just haven't been able to think of a use case for me that makes any sense.

      If you can control the IP of the device(s), then L3 rules work for whatever you want to allow or block for other networks. If you cannot control what IP a device might use, or are worried about someone changing it, or altering the MAC of the device, etc., then just put those devices on their own VLAN - and control access to other networks/internet via the VLAN rules for any and all IPs, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      R 1 Reply Last reply Jun 18, 2023, 3:37 PM Reply Quote 0
      • R
        ronv42 @johnpoz
        last edited by Jun 18, 2023, 3:37 PM

        @johnpoz More concerned about an IPv6 host generating its own IP, bypassing any IP filtering. IPv6 hosts can use the Neighbor Discovery protocol to automatically generate their own interface IDs. Neighbor Discovery automatically generates the interface ID based on the MAC or EUI-64 address of the host's interface. This is in addition to a static IP via DHCPv6. Thus going to L2 and MAC would be beneficial.

        J 1 Reply Last reply Jun 18, 2023, 3:42 PM Reply Quote 0
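The EUI-64 derivation ronv42 describes above is mechanical, and it is worth seeing why an IP-based rule cannot pin down such a host: the interface ID is computed from the MAC, so the host owns a predictable address in every /64 it hears a Router Advertisement for, whether or not DHCPv6 handed it a static one. The block below is an added example, not code from this thread or from pfSense; the prefix and MAC values are constructed. It derives the SLAAC address for a given prefix and MAC, and in the other direction recovers the MAC from an address that carries the EUI-64 `ff:fe` marker, which is a quick check a defender can run over a neighbor table to see which hosts are actually using MAC-derived addresses (hosts with RFC 4941 privacy extensions or RFC 7217 stable-privacy addresses will not match, so MAC-derived addresses cannot be assumed for modern clients).

```python
import ipaddress
from typing import Optional

def _mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return octets

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): split the MAC, insert ff:fe,
    and flip the universal/local bit (0x02) of the first octet."""
    octets = _mac_bytes(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure for this /64 from its MAC.
    Works for the link-local prefix fe80::/64 and any advertised GUA/ULA /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(
        net.network_address.packed[:8] + eui64_interface_id(mac)
    )

def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address, or None if the
    interface ID lacks the ff:fe marker (privacy/stable-privacy/DHCPv6)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit flip
    octets = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in octets)

def audit_neighbors(entries: list) -> dict:
    """Given (ipv6, mac) pairs as a neighbor table would list them, report
    which addresses are MAC-derived. Input is constructed, not a real table."""
    report = {}
    for ip, mac in entries:
        derived = mac_from_eui64(ip)
        report[ip] = "eui64" if derived == mac.lower() else "other"
    return report

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    print(slaac_address("fe80::/64", mac))        # fe80::211:22ff:fe33:4455
    print(slaac_address("2001:db8:1::/64", mac))  # 2001:db8:1::211:22ff:fe33:4455
    print(audit_neighbors([
        ("2001:db8:1::211:22ff:fe33:4455", mac),              # MAC-derived
        ("2001:db8:1::a1b2:c3d4:e5f6:1234", mac),             # privacy-style
    ]))
```

The practical consequence for the filtering question in this thread: if a host's addresses come back as `eui64`, an L3 rule keyed on the DHCPv6 lease misses the SLAAC address, but the MAC is still the one constant, which is the case for L2 rules or, as johnpoz suggests, a dedicated VLAN whose rules apply to every address on it.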
        • J
          johnpoz LAYER 8 Global Moderator @ronv42
          posted Jun 18, 2023, 3:42 PM; last edited by johnpoz Jun 18, 2023, 3:47 PM

          @ronv42 Yeah, again - just put them on their own VLAN then - doesn't matter what IPs they use, be it IPv4 or IPv6.. Another option is just don't supply IPv6 on that VLAN ;)

          What resource would you need to access that you cannot just access with IPv4... I have yet to find any actual "requirement" for IPv6 to access anything, be it locally or on the internet. Is there some resource out on the net that you need/want that is only available via IPv6? I have yet to find even a single example of such a resource.

          The only thing that comes close to a need for IPv6 is if your ISP only gives you CGNAT IPv4, but also gives you a valid GUA prefix that you can use, so if you wanted to host resources via IPv6 you could..

          Don't get me wrong - I think the ability to filter at L2 is a nice feature to have - I just haven't gotten around to testing it is all.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          R J 2 Replies Last reply Jun 18, 2023, 3:54 PM Reply Quote 0
          • R
            ronv42 @johnpoz
            last edited by Jun 18, 2023, 3:54 PM

             @johnpoz Thanks, I will enable and test. You hit upon the scenario exactly, thanks to CGNAT on fiber here in my neck of the woods. IPv4 is done via CGNAT and they give a /60 block for IPv6. I should have never jumped to fiber from VDSL, but the speed of fiber is great; the CGNAT sucks. IPv6 is great, everything works as expected, just have to change the approach to net filtering and a few other things about DHCPv6 and Router Advertisements for auto config.

            1 Reply Last reply Reply Quote 0
            • J
              JKnott @johnpoz
              last edited by Jun 19, 2023, 2:17 PM

              @johnpoz

              Why do you keep telling people to not use IPv6? That's where the world is moving and the sooner the better.

               I agree MAC filtering would be useful, and I thought so even before I was running IPv6. It's available in Linux systems using iptables. Maybe a little info about Ethernet Filtering in pfSense would be more useful than saying don't use IPv6.

               BTW, years ago, I was at a Linux presentation and the presenter thought he could use MAC filtering to allow only his computer to access from a remote location. I quickly pointed out how he was wrong about that, and that the only MAC he'd see was the nearest router's.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              J 1 Reply Last reply Jun 19, 2023, 2:37 PM Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @JKnott
                 posted Jun 19, 2023, 2:37 PM; last edited by johnpoz Jun 19, 2023, 2:56 PM

                @JKnott said in Ethernet Filtering:

                Why do you keep telling people to not use IPv6?

                Because it is the "easy" solution to their problem - duh!

                Still waiting for years for you to provide even 1 actual resource that would require me to have IPv6..

                 Sure, it's the future - but not enabling it if you're having issues with it sure as hell is not going to slow down the snail's pace to its complete adoption.

                 Why do you keep saying people should enable something they really have zero need of.. Would be the better question..

                 If you want to bug people about using IPv6 - why don't you start emailing MS? Their msn.com domain doesn't even support it.. But I thought MS was out of IPv4 space and had to start using IPv6 even on their internal space because RFC 1918 wasn't enough - but they can't even run msn.com off IPv6?

                 What about twitter.com, or one of the largest domains on the planet, baidu.com? No IPv6 - but yeah, a few users not using it because they have issues with it, or don't understand it enough to secure it.. They should run it anyway because them not doing so is going to stop the migration <rolleyes>

                 Let's see: have users that have no understanding of the changes that come with IPv6, most likely with a shitty, lackluster deployment of IPv6 from their ISP in the first place, try and work through issues, or click None on the pfSense IPv6 interface settings.. What is the easier solution here?

                 Let's see, even if I could manage to talk 1000x the user base here on pfSense into turning off IPv6, it wouldn't be a drop in the ocean compared to how many users' ISPs don't even provide it.. But I guess I am single-handedly preventing the migration of the planet to IPv6 ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                J 1 Reply Last reply Jun 19, 2023, 4:04 PM Reply Quote 1
                • J
                  JKnott @johnpoz
                  last edited by Jun 19, 2023, 4:04 PM

                  @johnpoz said in Ethernet Filtering:

                  Because it is the "easy" solution to their problem - duh!

                  Except it's not. @ronv42 said he's behind CGNAT, which means IPv4 is not an option.

                  Regardless, people should be encouraged to move to IPv6, as IPv4 is holding back so much.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  J 1 Reply Last reply Jun 19, 2023, 4:22 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @JKnott
                    last edited by Jun 19, 2023, 4:22 PM

                    @JKnott said in Ethernet Filtering:

                    people should be encouraged to move to IPv6

                    Not if they are having issues with it!

                     The simple solution to the problem is almost always the best solution.. Why should someone add complexity to their network when they have zero reason to..

                     Again, still waiting for just that 1 resource that would require me to have IPv6.. Hosting your own shit because you're behind a CGNAT is not a public resource I would want to get to.. And even if I do host using IPv6, guess what - most of the planet wouldn't be able to get to me anyway because they don't have IPv6.

                     You keep promoting it, and I will continue to give the easy, simple solution to their problem..

                     Not saying there aren't good things about IPv6; sure, getting rid of NAT would be a good thing.. Not disagreeing with you at all here - but Billy deciding not to use IPv6 on his network because he has no use for it at this time, and choosing not to enable it, removes whatever issue he might be having, and isn't doing anything to slow or hinder the overall adoption of IPv6..

                     It's just not - you think if I decided to not buy beer anymore that any brewery anywhere would have to lay off staff or go out of business? You think if I could talk everyone here into not buying or drinking beer anymore it would have any effect at all on the beer industry?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    J 1 Reply Last reply Jun 19, 2023, 5:40 PM Reply Quote 1
                    • J
                      JKnott @johnpoz
                      last edited by Jun 19, 2023, 5:40 PM

                      @johnpoz

                      In some parts of the world, only CGNAT is available. This means people cannot access their own network. Some countries are planning on being IPv6 only in the near future. I recently read about China's plans for that, but they're not the only one. How does sticking with IPv4 help anyone long term?

                      IPv4 has been broken since the day it became necessary to use NAT to get around the address shortage. Some things, like blockchain, really want to be on IPv6.

                      As I mentioned before, I first learned about IPv4 in early 1995 through a local college. While sitting in that class, I realized 32 bits was not enough and this was before I actually started working with it. At that time, my only exposure was my own dial up Internet connection. Even Vint Cerf says 32 bits was a mistake. Coming from a telecom background, I also knew it wasn't adequate.

                      Yes, there are issues with some ISPs. However, ignoring a problem does not fix it.

                      Is Ethernet filtering available in the CE version? If so, I might take a look at it. As I mentioned, it's in Linux and has been for many years.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      cmcdonaldC J 2 Replies Last reply Jun 19, 2023, 5:44 PM Reply Quote 0
                      • cmcdonaldC
                        cmcdonald Netgate Developer @JKnott
                        last edited by Jun 19, 2023, 5:44 PM

                        @JKnott The GUI components are Plus only. pf(4) on CE supports Ethernet filtering, as that is part of FreeBSD CURRENT.

                        Need help fast? https://www.netgate.com/support

                        1 Reply Last reply Reply Quote 0
                        • J
                          JonathanLee @ronv42
                          posted Jun 21, 2023, 6:41 AM; last edited by JonathanLee Jun 21, 2023, 6:51 AM

                          @ronv42 I was researching with it.

                          Keep in mind it is experimental. If you have no backup access to the firewall with a console cable, I would not attempt it. I got locked out of the GUI and lost internet access about 5 times while testing items. Great puzzle while on summer break from studies.

                          https://forum.netgate.com/topic/180861/experimental-ethernet-layer-2-firewall-rules

                          I was able to block out IPv6. I made mappings for all my devices; I have traffic showing. I tested default blocks; I have yet to get that to work, however. My ISP only hands out IPv4, so blocking it helps.

                          As soon as I got it working, Snort had that failed ruleset from Emerging Threats that caused me confusion, as it was stating "stateless filter in use". I thought it was my rules; turns out it wasn't. I have had it working for a few days with only blocking IPv6.

                          Make sure to upvote

                          R 1 Reply Last reply Jun 21, 2023, 10:46 AM Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator @JKnott
                            posted Jun 21, 2023, 8:14 AM; last edited by johnpoz Jun 21, 2023, 8:16 AM

                            @JKnott said in Ethernet Filtering:

                            In some parts of the world, only CGNAT is available

                            How many times are you going to bring up this non sequitur -- what does that have to do with anything?

                            Not my problem that Billy's ISP will not give him public IPv4 - it has zero to do with me needing to run IPv6 - unless Billy is going to provide something I wanted to access, it has nothing to do with me turning on IPv6 or not. Zero!!

                            It is not my problem - until such time that some service I want to access is only available on IPv6, there is zero reason for me to enable it - period..

                            A user turning off IPv6 because he is not technically ready to support it doesn't slow down the adoption of IPv6 on a global scale... Sorry, but it has zero to do with anything.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            1 Reply Last reply Reply Quote 0
                            • R
                              ronv42 @JonathanLee
                              last edited by Jun 21, 2023, 10:46 AM

                              @JonathanLee Thanks for the link to your journey with MAC address filtering. I activated the option on Monday but haven't created any rules yet. I will learn from your expertise, with baby steps, using these types of rules.

                              J 1 Reply Last reply Jun 21, 2023, 4:44 PM Reply Quote 1
                              • J
                                JonathanLee @ronv42
                                last edited by Jun 21, 2023, 4:44 PM

                                @ronv42

                                You can also set up MAC-to-IP Address Pairings inside of Snort's LAN Preprocs.

                                [Screenshot attached: Screenshot 2023-06-21 at 9.42.23 AM.png]

                                Make sure to upvote

                                1 Reply Last reply Reply Quote 0