How to block/allow traffic send FROM one specific IPV6-computer !!??
-
@louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:
I would strongly prefer to use the computer its level2 mac-address as part of the firewall rule !!!!! (pfSense does not support
As mentioned by @Bob-Dig, pfSense does now support MAC-based rules.
But yeah, you have run into one of the things with IPv6 that can make firewall rules more complicated. Another solution is to put devices that you want to control on their own VLAN, so now you control the rules not based on source. So it doesn't matter what MAC or IP is used for source, and rules are based on destination or port, or destination and port, protocol, etc.
-
Yep, I already mentioned the option of a separate VLAN. However, that has a lot of disadvantages, among them:
- extra VLAN and rules (can be mitigated using an interface group)
- separate UTP access point; WiFi is no option of course
- I did read some, IMHO rather vague, things about MAC filter support ....
- No idea if that function is already "full blown" implemented
Whatever, at this moment I am using 2.7 Community Edition. As a private user I could upgrade to the ^professional branch^, I think I already have that license, but I hesitate because:
- the CE development branch used to be the most advanced / the newest branch
- and I am not 100% sure that I can go back from the ^professional branch^ to the ^CE branch^ in the future
But:
- I like the boot / snapshot function
- this "mac-function" (if it is really working yet)
- and I noticed that development seems to have switched from CE-first to ^professional branch^-first (at least that is my feeling)
Oh yes, and I forgot to mention one advantage of using a MAC-based rule. When using the MAC address I can leave the temporary IPv6 address as it is, which is not only easier, but also more secure and privacy friendly.
-
@louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:
- this "mac-function" (if it is really working yet)
I just tried it and can say: it does work. I blocked any MAC address other than my machine for IPv6 and it does it.
But also you can mix Layer 2 and 3 in these rules... Will have to look closer how this all works out.
-
@louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:
So big question is how to keep such a single ^IPV6-computer^ under control?
Since, with SLAAC, a computer can have several addresses, which change daily, about the only way is to filter on the MAC address, but pfSense doesn't support that, though I have heard it's in the works.
-
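The post above makes the point that a SLAAC host carries several IPv6 addresses at once and that its temporary addresses rotate, so a rule keyed on one address stops matching. The script below (an added example, not code from the thread or from pfSense) makes that concrete: it derives the EUI-64 interface identifier a host would form from its MAC (RFC 4291, Appendix A) and then sorts a constructed list of that host's current addresses into those a MAC-derived match would cover and those it would not. The MAC, prefix and sample addresses are all made up for the illustration.

```python
import ipaddress

def mac_to_eui64_iid(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 App. A: insert ff:fe between the OUI and the NIC part, then flip
    the universal/local bit (0x02) of the first octet.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 SLAAC prefix with the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))

def is_eui64_of(addr: str, mac: str) -> bool:
    """True if the low 64 bits of addr are the EUI-64 identifier of mac."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return low64 == mac_to_eui64_iid(mac)

def classify(addrs, mac):
    """Split a host's addresses into (matched_by_mac_rule, not_matched)."""
    matched, unmatched = [], []
    for a in addrs:
        (matched if is_eui64_of(a, mac) else unmatched).append(a)
    return matched, unmatched

# Constructed sample host: a documentation prefix, an invented MAC, and the
# addresses such a host typically holds at one moment (link-local, the
# EUI-64 global address, and two RFC 8981 temporary addresses).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_PREFIX = "2001:db8:1::/64"
SAMPLE_ADDRS = [
    "fe80::211:22ff:fe33:4455",
    "2001:db8:1:0:211:22ff:fe33:4455",
    "2001:db8:1:0:a1b2:c3d4:e5f6:789",    # temporary, rotates daily
    "2001:db8:1:0:9f8e:7d6c:5b4a:3928",   # previous temporary, still valid
]

if __name__ == "__main__":
    print("EUI-64 global address:", eui64_address(SAMPLE_PREFIX, SAMPLE_MAC))
    hit, miss = classify(SAMPLE_ADDRS, SAMPLE_MAC)
    print("covered by a MAC-derived match:", hit)
    print("NOT covered (temporary addresses):", miss)
```

Two of the four addresses are invisible to anything derived from the MAC, which is the case for filtering on the Layer 2 header itself rather than on an address. Note that many current operating systems form even their stable address with RFC 7217 (opaque, not EUI-64), so in practice the list of addresses a MAC-keyed rule covers can be shorter still than this example shows.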
@JKnott said in How to block/allow traffic send FROM one specific IPV6-computer !!??:
though I have heard it's in the works.
Been live for a while..
-
@johnpoz said in How to block/allow traffic send FROM one specific IPV6-computer !!??:
though I have heard it's in the works.
Been live for a while..
Where is it? I just checked the firewall adding a rule and didn't see anything about MAC addresses. I'm on 2.7.0.
-
-
Tnx. I'll have to look into it.
I wonder how many will try to filter incoming traffic by MAC.
I knew one guy who thought he could, until I set him straight. He made that mistake in a presentation on firewalls at the local Linux user group.
-
To enable Ethernet rules:
Navigate to System > Advanced, Firewall & NAT tab
Locate the Advanced Options section
Check Enable Ethernet Filtering <--- This doesn't seem to be there. Is it in 2.7.0?
Click Save
-
https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html#ethernet-layer-2-rules
pfSense Plus software versions 23.05 and later include support for rule-based pass/block filtering of packets based on Ethernet (Layer 2) header attributes.
If you want to play with it, get the FREE + home license..
https://shop.netgate.com/products/pfsense-software-subscription