Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Rule to block internet access for alias devices still goes through for ipv6

    Firewalling
    2
    5
    303
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      aceventura
      last edited by

      It seems my ISP had enabled ipv6 and now the following rule I had set up to prevent certain devices from accessing the internet is no longer blocking all internet access. Websites which are using ipv4 are still blocked as usual but ipv6 websites such as www.yahoo.com is allow through.

      Under Firewall/Aliases: New IP Alias "Cameras" For each camera, enter IP and a description.
Under Firewall/Rules - / Lan:
    Action: Reject
    Interface: LAN
    Address Family: IPv4+IPv6
    Protocol: TCP/UDP Source: Single host or alias / Cameras apply the pfsense rules, then reboot the cameras, or flush the states in PFSense

      On my Windows 11 computer I could go into the network adapter settings and uncheck 'Internet Protocol Version 6 (TCP/IPv6)' and this would solve the issue. But how do I do this from pfSense so that devices such as camera are also blocked from accessing the internet? I believe disabling ipv6 in pfsense may create the desired effect but is there a better way?

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @aceventura
        last edited by

        @aceventura

        Cameras are devices to which you as a human, with an app, like a browser, connect to.
        If you've bought a camera that starts to "all by itself" to send it's available info, like video's to "somewhere" without your consent, you have not "IP" problem : you just made a huge failure by actually buying and using the camera : unscrew it, and throw it away - sorry : recycle it.

        Camera, optimally, should be on their own "LAN" network, like an OPT1 interface. Keep only your really trusted devices on the LAN.
        Now : your question has a one click solution :

        06cbf906-9efd-4f64-9f9e-03ba281a3fbe-image.png

        Disable IPv6 on that "camera" interface.

        Btw :
        To make Ipv6 work on your LAN(s), there is more needed as just the ISP "to activate it".
        You're - afaik - the first one on this forum that says that IPv6 "auto enabled".
        Disabling it isn't a real option, as, in the future, it will be IPv4 that simply stops .... as it is a protocol from in the past, eventually being abandoned (we still have some time ;) )

        And true, devices that use IPv6 can have more then one IPv6 so blocking isn't as easy as an IPv6 device. MAC based blocking could be an option.

        See what :

        634cf135-41d9-4e87-a024-c473cbed47a3-image.png

        can do for you.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        A 1 Reply Last reply Reply Quote 0
        • A
          aceventura @Gertjan
          last edited by

          @Gertjan
          Thanks for your response. I do not have any proof that the cameras "phone" home but it is better to be on the cautious side and block their internet access. I am looking into creating an IOT interface where all potentially vulnerable devices connect to. Currently I only have the LAN interface and use a rule to block devices based on their ipv4 addresses from accessing the internet.

          As for the ipv6 "auto enabled" I mentioned earlier it is just a theory I have. There is a Windows 11 computer I included in the blocked list for accessing the internet that I discovered was able to Windows Update last Friday. This PC was cut off from the internet and had not updated in over a year before this event.

          Initially I thought pfSense 2.7 had a bug that allowed the rule to not take effect. But as I navigated to various websites I discovered some sites were blocked but others went through. So I used the Windows Command prompt and used ping on those websites. The websites that did not connect had an ipv4 address while the sites that went through had ipv6. I assumed the Windows Update used an ipv6 address so that was how it was able to bypass the rule. When I disabled the ipv6 checkbox in the Windows 11 network adapter all internet access cease to work including Windows Update.

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @aceventura
            last edited by

            @aceventura said in Rule to block internet access for alias devices still goes through for ipv6:

            I do not have any proof that the cameras "phone" home

            Why not ?
            You can get the your proof !

            Place the camera on its own dedicated interface.
            Add these two rules :

            c133f897-ed0b-45c6-be1e-1d5f66fbb65d-image.png

            (my example shows the "LAN net", yours would be "OPT1 Net")

            As soon as the one and only device on that network start to communicate, even the slightest NTP, or DNS, or whatever, these counters :

            ae4b9dec-9165-448e-8cd7-c5c22fc132eb-image.png

            start to raise.
            That's pretty rock solid a proof.

            @aceventura said in Rule to block internet access for alias devices still goes through for ipv6:

            As for the ipv6 "auto enabled" I mentioned earlier it is just a theory I have. There is a Windows 11 computer I included in the blocked list for accessing the internet that I discovered was able to Windows Update last Friday. This PC was cut off from the internet and had not updated in over a year before this event.

            When you put a bucnh of Windows Pc's on a switch, even with pfSense not offering any IPv6 support, the "Windows Network neighborhood" will be using IPv6 to talk to its neighbors.

            Every known OS, for the last decade or so, prefers to communicate over IPv6 - and if it is not available, will fall back (this costs time !) to IPv4.
            For those who use their ISP router and no pfSense at all, IPv6 might already works for years without them even nothing it. As that is what Ipv6 is meant to be : as Ipv4 : transparent. Humans don't need to know what IP-whatever is to use the 'Internet'.
            Of course, you've chosen to use pfSense. Being 'ignorant' isn't an option anymore 😊

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            A 1 Reply Last reply Reply Quote 0
            • A
              aceventura @Gertjan
              last edited by

              @Gertjan
              Appreciate the help and all the examples with screenshots you've given so far, really learned a lot from you.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post