IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA)
-
@stefj You are touching a VERY important problem here that also caused me to back off IPv6 for most of my networking needs. But to be honest I think the problem is deeper rooted than just pfSense missing a “simple” way to create rulesets for clients if they are not DHCPv6 clients, and if you are not using static IPv6 prefixes.
You are addressing a major issue with IPv6 itself as it is too fragmented and “not standardized” properly.
Some clients do not do DHCPv6, some do not follow SLAAC properly, some use SLAAC with the original proposal of using the MAC address in the suffix, but some of those then use privacy MAC addresses (virtual random MAC addresses). Some use privacy random SLAAC addresses, some use multiple ephemeral random privacy SLAAC addresses for outbound Internet sessions, and the list goes on.
IPv6 does not offer controls to actually centrally force clients on any given network to behave EXACTLY as you want them to (e.g. use only ONE address type and register it in DNS, otherwise firewall access is denied). This all combines to make it completely impossible to regulate internal clients on a firewall unless there is an actual firewall agent running on the client (to identify the client to the firewall by other means than an IP address).
BTW: What controls do OpenWRT offer to allow you to create better IPv6 rules?
-
@keyser said in IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA):
You are addressing a major issue with IPv6 itself as it is too fragmented and “not standardized” properly.
Some clients do not do DHCPv6, some do not follow SLAAC properly, some use SLAAC with the original proposal of using the MAC address in the suffix, but some of those then use privacy MAC addresses (virtual random MAC addresses). Some use privacy random SLAAC addresses, some use multiple ephemeral random privacy SLAAC addresses for outbound Internet sessions, and the list goes on.
IPv6 does not offer controls to actually centrally force clients on any given network to behave EXACTLY as you want them to (e.g. use only ONE address type and register it in DNS, otherwise firewall access is denied). This all combines to make it completely impossible to regulate internal clients on a firewall unless there is an actual firewall agent running on the client (to identify the client to the firewall by other means than an IP address).
BTW: What controls do OpenWRT offer to allow you to create better IPv6 rules?
And I think that's the goal to be perfectly honest. Probably not the goal of the team designing IPv6 back when, but I'm pretty sure it's the goal for most (if not all) major players at the moment. Confuse, obfuscate, invalidate downstream moderation.
Dunno what Netgate is doing, but they sure take their sweet time coming up with viable solutions for IPv6 problems. Maybe there's a conflict of interest, maybe it's indeed that hard to sort it out. Then again, that simple thing I was talking about earlier is such a red flag. It's a feature that's offered for static addresses, which are typically available only in corporate installations for many parts of the world, and it's withheld for no good reason from PPPoE end users. It's hard to swallow as an oversight. Seems indicative of policy. Hope I'm wrong.
As for OpenWrt, I was talking about this thing specifically: allowing you to pick the interface IP from the PD when tracking. Which they of course offer. Because why wouldn't they. Seriously, what's wrong with you Netgate, why can't I set an IP for my interface? Bah.
-
@keyser said in IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA):
BTW: What controls do OpenWRT offer to allow you to create better IPv6 rules?
Some (all?) Linux-based firewalls support filtering on MAC addresses.
-
@JKnott There is experimental support for that in 23.05 as well now. Haven't tried it yet though.
-
@JKnott said in IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA):
@keyser said in IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA):
BTW: What controls do OpenWRT offer to allow you to create better IPv6 rules?
Some (all?) Linux-based firewalls support filtering on MAC addresses.
And the good thing with MAC filtering (at least for now) is that there's no excuse for clients. I'm not aware of any OS that spoofs MAC addresses without offering an option not to. Even Android (again, for now) allows you to turn off fake MACs.
Then again, it's such a weak security measure against most actual threats for a firewall. There's a reason L2 is for routing behind the firewall. Many good reasons in fact.
-
@keyser said in IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA):
@JKnott There is experimental support for that in 23.05 as well now. Haven't tried it yet though.
This is an old thread, but I wanted to say thanks for the reminder. I was trying to time-block Internet on my son's Chromebook, but have no control over the school-managed OS, and being Android it doesn't use DHCPv6. Scheduled rule to pass, rule to block, both based on MAC.