Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall rule blocking access to pfsense gui not working (IPv6 global unicast getting through)

    Scheduled Pinned Locked Moved
    Firewalling
    3
    5
    119
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      ddbnj
      last edited by

      I honestly thought I knew IPv6 enough but I was wrong.

      I have a guest network setup with the following rules:Screenshot 2024-06-02 203411.png

      PFsensePorts are the GUI ports and 22 for SSh
      DNS_ports are 53 and 853
      RCF1918 contains private IPv4 ranges and fd00::/8

      When checking states, my guest user can access the GUI via 2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

      I don't have a fixed IPv6 prefix, although I don't know when it changed last so I don't have any GUA specific rules. My concern is that if the address supplied by my ISP changes, the rules would no longer work and I wouldn't be aware.

      How can I block traffic from accessing the pfsense GUI via a dynamically assigned GUA?

      Thanks,

      Devan

      S dotdashD 2 Replies Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @ddbnj
        last edited by

        @ddbnj pfSense has a This Firewall alias which should cover all IPs on it.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        D 1 Reply Last reply Reply Quote 2
        • dotdashD
          dotdash @ddbnj
          last edited by

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • D
            ddbnj @SteveITS
            last edited by

            @SteveITS Thats a very valuable tidbit of info. Do you know where I can find a list of similar aliases?

            S 1 Reply Last reply Reply Quote 0
            • S
              SteveITS Rebel Alliance @ddbnj
              last edited by

              @ddbnj It's probably in the docs somewhere. That one shows when adding a rule. There's an alias for each pfSense network/subnet plus This Firewall.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote ๐Ÿ‘ helpful posts!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post