Netgate Discussion Forum

How to block/allow traffic send FROM one specific IPV6-computer !!??

    louis2
    last edited by Sep 7, 2023, 3:22 PM

    Now and then I want to allow or block certain traffic starting at a certain computer. In the case of IPv4 that is no problem: just use its IPv4 address. However, I really have no idea how to do this in the case of IPv6.

    As far as my knowledge goes, I can fix an IPv6 address by either defining the address on the computer's NIC or using the computer's DUID. In that way I fix the machine's primary IPv6 address, however NOT its temporary IPv6 address. So:

    • defining a rule based on the primary IPv6 address will not work (since the temporary address is used), and
    • filtering on the temporary address is not possible since that address is not known and is also changing all the time

    In some cases it is probably possible to define the NIC in such a way that there will not be a temporary IP; here is a description related to Windows 11:
    https://learn.microsoft.com/en-us/answers/questions/1195611/windows-11-how-to-permanently-disable-temporary-ip

    However:

    • I doubt if it is possible to do that on other computer types and "applications"
    • It is complicated
    • and it is only possible if you are the manager of that computer!
    • defining an extra VLAN for that single computer is ... radical ... and only possible if it is connected via fixed UTP

    I hope, but am not even 100% sure, that I covered filtering all outgoing traffic this way (like traffic for services pfSense provides)

    So:

    • I would strongly prefer to use the computer's Layer 2 MAC address as part of the firewall rule!!!!! (pfSense does not support this 😖)

    I think that:

    • (V)LAN local traffic and related link-local is no issue, since it is .... local
    • incoming traffic is no issue since traffic starting elsewhere (other VLAN or internet) will always use the "published" primary IPv6 address of the device, as defined on the device itself or assigned using the DUID

    So the big question is how to keep such a single "IPv6 computer" under control?

    Louis

      Bob.Dig @louis2
      Sep 7, 2023, 3:51 PM (last edited by Bob.Dig Sep 7, 2023, 3:59 PM)

      @louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:

      and only possible if it is connected via fixed UTP

      What?

      Have you looked at this? I never tried it though and it looks like a very manual process.

        johnpoz Global Moderator @louis2
        last edited by Sep 7, 2023, 4:46 PM

        @louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:

        I would strongly prefer to use the computer's Layer 2 MAC address as part of the firewall rule!!!!! (pfSense does not support

        As mentioned by @Bob-Dig, pfSense does now support MAC based rules..

        But yeah, you have run into one of the things with IPv6 that can make firewall rules more complicated. Another solution is to put devices that you want to control on their own VLAN, so now you control the rules not based on source. So it doesn't matter what MAC or IP is used for source.. And rules are based on destination or port, or destination and port, protocol, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          louis2 @johnpoz
          Sep 7, 2023, 5:08 PM (last edited by louis2 Sep 7, 2023, 5:13 PM)

          @johnpoz

          Yep, I already mentioned the option of a separate VLAN. However that has a lot of disadvantages, among them:

          • extra VLAN and rules (can be mitigated using an interface group)
          • separate UTP access point; wifi is no option of course

          @Bob-Dig

          • I did read some, IMHO rather vague, things about MAC filter support ....
          • No idea if that function is already "full blown" implemented

          Whatever, at this moment I am using 2.7 Community Edition. As a private user I could upgrade to the "professional branch"; I think I already have that license, but I hesitate because:

          • the CE development branch used to be the most advanced / the newest branch
          • and I am not 100% sure that I can go back from the "professional branch" to the "CE branch" in the future

          But:

          • I like the boot / snapshot function
          • this "mac function" (if it is really working yet)
          • and I noticed that development seems to have switched from CE-first to "professional branch" first (at least that is my feeling)

          Oh yes, and I forgot to mention one advantage of using a MAC based rule. When using the MAC address I can leave the temporary IPv6 address as it is, which is not only easier, but also more secure and privacy friendly.

            Bob.Dig @louis2
            Sep 7, 2023, 5:16 PM (last edited by Bob.Dig Sep 7, 2023, 5:21 PM)

            @louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:

            • this "mac function" (if it is really working yet)

            I just tried it and can say: it does work. I blocked any MAC address other than my machine's for IPv6 and it does it.
            But also you can mix Layer 2 and 3 in these rules... Will have to look closer at how this all works out.


              JKnott @louis2
              last edited by Sep 7, 2023, 8:10 PM

              @louis2 said in How to block/allow traffic send FROM one specific IPV6-computer !!??:

              So the big question is how to keep such a single "IPv6 computer" under control?

              Since, with SLAAC, a computer can have several addresses, which change daily, about the only way is to filter on the MAC address, but pfSense doesn't support that, though I have heard it's in the works.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                johnpoz Global Moderator @JKnott
                last edited by Sep 7, 2023, 9:48 PM

                @JKnott said in How to block/allow traffic send FROM one specific IPV6-computer !!??:

                though I have heard it's in the works.

                Been live for a while..


                  JKnott @johnpoz
                  last edited by Sep 8, 2023, 12:24 PM

                  @johnpoz said in How to block/allow traffic send FROM one specific IPV6-computer !!??:

                  though I have heard it's in the works.

                  Been live for a while..

                  Where is it? I just checked the firewall adding a rule and didn't see anything about MAC addresses. I'm on 2.7.0.


                    johnpoz Global Moderator @JKnott
                    last edited by Sep 8, 2023, 12:54 PM

                    @JKnott you have to enable it

                    https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html#enabling-ethernet-rules


                      JKnott @johnpoz
                      last edited by Sep 8, 2023, 6:54 PM

                      @johnpoz

                      Tnx. I'll have to look into it.

                      I wonder how many will try to filter incoming traffic by MAC. 😉
                      I knew one guy who thought he could, until I set him straight. He made that mistake in a presentation on firewalls, at the local Linux user group.


                        JKnott @johnpoz
                        last edited by Sep 8, 2023, 7:56 PM

                        @johnpoz

                        To enable Ethernet rules:

                        Navigate to System > Advanced, Firewall & NAT tab
                        Locate the Advanced Options section
                        Check Enable Ethernet Filtering <--- This doesn't seem to be there. Is it in 2.7.0?
                        Click Save


                          johnpoz Global Moderator @JKnott
                          Sep 8, 2023, 8:00 PM (last edited by johnpoz Sep 8, 2023, 8:04 PM)

                          @JKnott

                          https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html#ethernet-layer-2-rules
                          pfSense® Plus software versions 23.05 and later include support for rule-based pass/block filtering of packets based on Ethernet (Layer 2) header attributes.

                          If you want to play with it, get the FREE + home license..

                          https://shop.netgate.com/products/pfsense-software-subscription


