Is it possible to allow IPV6 for some device only?
-
If IPV6 is allowed on the network then the pfsense firewall becomes non-existent as individual devices will operate peer-to-peer and go through any device connected on the network with its own IPV6 address retrieved from the internet.
Example - iPhone with cellular and wifi enabled will allow any device on your network to bypass all your firewall restrictions
I can only stop this behaviour by blocking ALL IPV6 traffic on the network
Blocking all IPV6 results in all Apple iCloud services being broken on the latest versions of macOS and iOS/ipadOS.
Is it possible to allow individual devices to have IPV6 on a pfsense LAN and block all other peer-to-peer IPV6 traffic?
-
@mike123 said in Is it possible to allow IPV6 for some device only?:
If IPV6 is allowed on the network then the pfsense firewall becomes non-existent as individual devices will operate peer-to-peer and go through any device connected on the network with its own IPV6 address retrieved from the internet.
No. Explain your setup in greater detail. What version of pfSense are you using?
-
@mike123 said in Is it possible to allow IPV6 for some device only?:
will operate peer-to-peer and go through any device connected on the network with its own IPV6 address retrieved from the internet.
Huh? If your device gets an IPv6 via pfsense, that traffic still flows through pfsense; you can block ports, you can block IPs or networks. An IPv6 address doesn't circumvent the firewall. Now if you have some other IPv6 connection via say cell connection or some other wifi connection that does flow through pfsense.
Devices on the same network don't flow through pfsense anyway, be it IPv4 or IPv6. The only traffic that flows through pfsense is traffic leaving the specific network, be it IPv4 or IPv6.
What exactly is broken in iCloud if no IPv6? I don't run IPv6 on my network for most of the time; I can enable it to test something, etc. I haven't noticed anything not working on my iPhone or iPad.
Happy to test something. My phone is always on my wifi without IPv6. But then again I don't turn off cell coverage either. But if you give details what exactly is broken without IPv6, happy to test. My iPad has no cell connection, and no IPv6, and like I said I haven't noticed anything not working.
-
If I don't set up a pfsense IPV6 DHCP Server then any device on the network will take over as an IPV6 DHCP Server.
Example: new Windows 11 Pro device on network with IPV6 blocked on the device's NIC. Google Chrome installed will bypass the pfsense firewall because it uses Google DNS over https and by default the browser starts to serve IPV6 DNS to other devices on the network. Only way I can stop this behaviour is to block all IPV6 on all pfsense networks. You don't even need the browser running, google takes over in the background like it or not just like any other malware.
iOS will kindly back door your LAN DNS by pulling IPV6 DNS direct from iCloud servers. Blocking all IPV6 renders iCloud broken on all new versions of iOS because they no longer allow IPV4 fallback on the devices.
-
@mike123 said in Is it possible to allow IPV6 for some device only?:
If I don't set up a pfsense IPV6 DHCP Server then any device on the network will take over as an IPV6 DHCP Server.
Not sure where you got that idea from. That is not true at all. And you don't even need DHCP for IPv6; SLAAC is typically what is used.
Google DNS has nothing to do with an IPv6 address on the client. Sure you can resolve an AAAA address, which any DNS will do, but that has nothing to do with the client actually having an IPv6 address that it can talk to it with. It will have say an address that starts with FE80; this is link local and is not viable to talk to anything on the public internet with IPv6.
As to iOS back dooring DNS, so what if it does, which mine can't because I block all the known DoH servers and DoT. And even if DNS did get some AAAA address, they don't have an IPv6 address to talk to them with. And I block AAAA queries anyway in unbound.
private-address: ::/0 # filters out all AAAA !
So again I will ask what exactly is not working. My iPad has no GUA IPv6 address, which is a requirement to talk to something on the internet via IPv6. And none of my firewall rules allow IPv6 anyway. And I am not aware of anything not working.
Please provide some specific thing that is iCloud related that isn't working, and I can look into what might be failing for you.
edit: Another tidbit about IPv6 not being required. A huge part of the planet doesn't even have IPv6 yet. My ISP does not provide IPv6. The only way I can get IPv6 is via a tunnel from Hurricane Electric. If you're saying IPv6 is required for iCloud to function, then everyone on the planet that does not yet have IPv6 would just be out of luck? Does that make sense to you? Apple turning off access to millions and millions of people with no IPv6 access.
Here are some more numbers about what I am talking about with millions and millions of people not on IPv6 as of yet.
Top graph is from Google info, bottom info is from Cloudflare. Does it look like it would make sense for Apple to require IPv6 for their cloud services?
https://www.google.com/intl/en/ipv6/statistics.html
https://blog.cloudflare.com/ipv6-from-dns-pov
Not saying you're not having some sort of issue, but going down the IPv6 rabbit hole is likely just a red herring you're chasing.
-
Red herring for sure. I should correct myself - the device wasn't acting as a "dhcp server" only as an IPV6 relay which allowed other internal devices on my network to get IPV6 via DHCP relay.
Background - I added a new Windows 11 device - by default I block all internet access to new devices. I couldn't ping the internet or resolve addresses via the device command prompt or windows updates yet the device was browsing the internet through Chrome.
ipconfig /all showed IPV4 IP with pfsense as DNS, and 6 different IPV6 DNS servers listed as connected.
Other devices on my network were getting IPV6 through the Windows 11 device.
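Added example, not part of the thread and not anyone's posted code. The post above reads six IPv6 DNS servers in `ipconfig /all` as proof the box was on IPv6; the earlier reply's point is that a DNS server having an IPv6 address says nothing about whether the client itself holds a global unicast address (GUA) it could reach the internet with. The script below parses a constructed `ipconfig /all` dump (shaped like Windows 11 output; the 2001:db8::/32 documentation prefix stands in for a real provider prefix) and sorts the host's own addresses into link-local (fe80::/10), ULA (fc00::/7) and GUA (2000::/3, per RFC 4291), then answers the practical question: does this host have a GUA and an IPv6 default route? Ranges are checked by prefix rather than with Python's `is_global`, which would mark the documentation prefix as non-global. The field names and indentation assumed are those of English Windows `ipconfig`; a localized build would need the labels adjusted.

```python
"""Triage an `ipconfig /all` dump: does this host hold an internet-routable
(global unicast) IPv6 address, or only link-local/ULA ones plus some IPv6 DNS
server entries? Added example; the sample dumps are constructed, not captured."""
import ipaddress
import re

# Constructed: a host with a GUA, a temporary GUA, link-local, a v6 gateway and v6 DNS.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:abcd:ef01:2345:6789(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:1111:2222:3333:4444(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       2001:db8:53::1
                                       2001:db8:53::2
"""

# Constructed: link-local only, but an IPv6 DNS server is still listed.
SAMPLE_LINK_LOCAL_ONLY = """\
Ethernet adapter Ethernet:

   Link-local IPv6 Address . . . . . : fe80::aaaa:bbbb:cccc:dddd%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       2001:db8:53::1
"""

GUA = ipaddress.IPv6Network("2000::/3")        # global unicast, routable on the internet
ULA = ipaddress.IPv6Network("fc00::/7")        # unique local, never routed publicly
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # on-link only

# A run of hex digits and colons, with an optional %zone that is dropped.
V6_TOKEN = re.compile(r"([0-9A-Fa-f:]+)(?:%\w+)?")


def parse_ipconfig(text):
    """Return IPv6 addresses grouped as the host's own ('local'), 'gateway' and 'dns'."""
    found = {"local": [], "gateway": [], "dns": []}
    label = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("    "):          # deep indent: continuation of the previous field
            value = line.strip()
        elif " : " in line:                  # "Field . . . : value"
            raw_label, value = line.split(" : ", 1)
            label = raw_label.strip(" .")
        else:                                # adapter header or banner line
            label, value = None, ""
        if label is None:
            continue
        if "IPv6 Address" in label:          # covers Temporary and Link-local variants too
            bucket = "local"
        elif label == "Default Gateway":
            bucket = "gateway"
        elif label == "DNS Servers":
            bucket = "dns"
        else:
            continue
        for tok in V6_TOKEN.findall(value):
            if tok.count(":") < 2:           # IPv4 octets and stray hex letters
                continue
            try:
                found[bucket].append(ipaddress.IPv6Address(tok))
            except ValueError:
                pass
    return found


def scope(addr):
    """Classify one address by the RFC ranges above."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GUA:
        return "gua"
    return "other"


def ipv6_internet_capable(text):
    """True only with a GUA on the host and an IPv6 default route. Listed IPv6
    DNS servers are deliberately ignored: they are remote addresses, not ours."""
    found = parse_ipconfig(text)
    has_gua = any(scope(a) == "gua" for a in found["local"])
    return has_gua and bool(found["gateway"])


def report(text):
    """Summary a forum reader could paste: own addresses by scope, v6 gateway, v6 DNS."""
    found = parse_ipconfig(text)
    by_scope = {}
    for a in found["local"]:
        by_scope.setdefault(scope(a), []).append(str(a))
    return {
        "local_by_scope": by_scope,
        "gateway": [str(a) for a in found["gateway"]],
        "dns": [str(a) for a in found["dns"]],
        "internet_capable": ipv6_internet_capable(text),
    }


if __name__ == "__main__":
    for name, dump in (("with GUA", SAMPLE_IPCONFIG), ("link-local only", SAMPLE_LINK_LOCAL_ONLY)):
        print(name, report(dump))
```

Run it against a real `ipconfig /all` paste (saved to a file and read in) to see whether the host could ever have spoken IPv6 to the internet. The second sample is the case argued in the thread: an IPv6 DNS server shows up in the dump, but with only an fe80:: address and no v6 gateway the host cannot reach it, so `internet_capable` is False.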
-
@mike123 Sorry but I don't buy this. How was Windows 11 getting IPv6 if you did not provide it through pfsense? And Windows 11 isn't going to share its internet connection without you enabling that feature.
Did you enable the mobile hotspot feature? I would like to see these connections you were seeing on the other servers to IPv6 addresses.
Sure if you enabled IPv6 on this machine, or it got internet via IPv6 and you enabled mobile hotspot then yeah it could hand out IPv6 address to other clients.
None of which would have anything to do with pfsense.
@mike123 said in Is it possible to allow IPV6 for some device only?:
network to get IPV6 via DHCP relay.
No, not how it would work; there would not be a DHCPv6 relay involved.
This device that you're saying is browsing the internet via IPv6: can we see a traceroute from this device to some IPv6 address out on the internet?
If your Windows 11 box is sharing its internet connection, I would disable that. And I would probably also just disable IPv6 on it if you don't want it using it either.
It's pretty simple to just not provide IPv6 to devices behind pfsense if you don't want to.