Deny outgoing traffic ipv6 for one device/phone
-
pfSense 2.7.2 virtual on proxmox
Hi all,
I've created a Block rule in the firewall on my LAN interface for source Alias "Mobiel" to destination "SocialMedia".
Alias "Mobiel" has the phone's IPv4 and IPv6 addresses added.
Alias "SocialMedia" has hosts like www.youtube.com, reddit.com etc. in it. This seems to work fine for sites that are available through IPv4 only.
My phone is still able to access sites that are available through IPv6.
I think the Alias IPv6 address is not working in the rule. Please advise.
Kind regards,
Victor Richard.
-
@VRoyale said in Deny outgoing traffic ipv6 for one device/phone:
I think the Alias IPv6 address is not working in the rule. Please advise
Someone should come over and have a look? [sorry, you were asking for it ^^]
Suggestion: show what you have....!
edit:
You've posted in the NAT forum for a reason? NAT = incoming traffic, from WAN to a LAN network.
-
@VRoyale how about you just turn off IPv6 then?? Name one site that you need to get to that requires IPv6
Love that your 2 examples of social media both have IPv6.. Curious which one doesn't?
Blocking phones? Who says the phone's not just using its cell connection to access these social media sites?
You're going to have a hard time with these short TTLs and multiple addresses and also that they are CNAMEs.
;; QUESTION SECTION:
;www.youtube.com. IN AAAA

;; ANSWER SECTION:
www.youtube.com. 300 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 300 IN AAAA 2607:f8b0:4009:808::200e
youtube-ui.l.google.com. 300 IN AAAA 2607:f8b0:4009:809::200e
youtube-ui.l.google.com. 300 IN AAAA 2607:f8b0:4009:80a::200e
youtube-ui.l.google.com. 300 IN AAAA 2607:f8b0:4009:80b::200e
See how youtube.com actually points to youtube-ui.l.google.com and has multiple responses, and with a very short TTL, 5 minutes. Aliases by default only update every 5 minutes. So it's possible for a client to be going to a different IP than what is in your alias.
IPv6 also will use temporary addresses, multiples of them.. Who says the phone is even using the IPv6 address you have for it in your alias.
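To make the staleness problem above concrete, here is an added example (not from the thread or from pfSense) that models an FQDN alias as a snapshot of one DNS answer and compares it with what a client gets from a later, rotated answer. The zone data is constructed: it mirrors the CNAME chain in the dig output but uses documentation-prefix (2001:db8::/32) addresses, and the "rotation" counter stands in for the authoritative server handing out a different subset of AAAA records between refreshes.

```python
import ipaddress

# Constructed zone data (not live DNS). The terminal name holds six AAAA
# records but only returns four per response, rotating through the pool.
ZONE = {
    "www.youtube.com.": {"cname": "youtube-ui.l.google.com."},
    "youtube-ui.l.google.com.": {
        "aaaa_pool": [f"2001:db8:4009:{h:x}::200e" for h in range(0x808, 0x80e)],
        "per_response": 4,
        "ttl": 300,
    },
}


def resolve_aaaa(name, zone, rotation, max_depth=8):
    """Follow CNAMEs from `name`; return (canonical name, AAAA set) as the
    server would answer for response number `rotation`."""
    seen = set()
    while name not in seen and len(seen) < max_depth:
        seen.add(name)
        rr = zone.get(name)
        if rr is None:                      # NXDOMAIN / no data
            return name, frozenset()
        if "cname" in rr:                   # keep following the chain
            name = rr["cname"]
            continue
        pool, n = rr["aaaa_pool"], rr["per_response"]
        answer = [pool[(rotation + i) % len(pool)] for i in range(n)]
        return name, frozenset(ipaddress.ip_address(a) for a in answer)
    raise ValueError(f"CNAME loop or chain too long at {name}")


def alias_snapshot(hostnames, zone, rotation):
    """Addresses the firewall alias holds after refreshing at `rotation`."""
    addrs = set()
    for host in hostnames:
        addrs |= resolve_aaaa(host, zone, rotation)[1]
    return frozenset(addrs)


def uncovered(alias_addrs, hostname, zone, client_rotation):
    """AAAA records the client receives that the alias lacks: traffic to
    any of these is not matched by a block rule on the alias."""
    return resolve_aaaa(hostname, zone, client_rotation)[1] - alias_addrs


if __name__ == "__main__":
    alias = alias_snapshot(["www.youtube.com."], ZONE, rotation=0)
    for rot in range(1, 4):   # client lookups within the next refresh window
        missed = uncovered(alias, "www.youtube.com.", ZONE, rot)
        print(f"rotation {rot}: not in alias -> {sorted(map(str, missed))}")
```

With a pool larger than one response, every rotation after the snapshot yields at least one address the alias never saw, which is why the thread's advice moves enforcement to the DNS resolver instead.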
-
-
Since IPv6 can use temporary addresses, the proper solution is to filter on the MAC addresses, which I don't believe the CE version supports yet. Not using IPv6 is NOT the solution. Maybe the developers should get busy on MAC filtering, as other firewalls support.
-
@JKnott said in Deny outgoing traffic ipv6 for one device/phone:
Not using IPv6 is NOT the solution
Pretty simple solution to be honest.. Especially for such a specific request. Still waiting, years now for just 1 example of an actual resource that someone would actually need/want to get to that is only IPv6 accessible.
Until you can name even 1, then not using IPv6 is a very simple solution..
-
Thank you all for your contributions. You made me realize a firewall rule is not the way to block it; as Johnpoz pointed out, queries to YouTube, for example, can respond with about anything.
I've decided to disable pfBlockerNG and install Pi-hole in a container in Proxmox.
Now I use that as DNS server and it's got more options than pfblockerng; I can specify my phone with its addresses and make an extra list of domains I want blocked on only that phone.
Thank you all, this topic can be closed.
Offtopic
Disabling IPv6 is a first-world solution! Away with the legacy! No more IPv4!
-
@johnpoz said in Deny outgoing traffic ipv6 for one device/phone:
then not using IPv6 is a very simple solution..
Not using IPv6 is a broken "solution". IPv4 has been inadequate since the day it became necessary to use NAT to get around the address shortage. The world should get off its butt and move to IPv6, instead of the hack on hack that IPv4 requires. As for 1 application that requires IPv6, take a look at your cell phone. IPv6 is mandatory for 4G & 5G cell networks, as they use VoIP, and using IPv4 and all the horseshit it requires would create an unworkable mess. Comcast also moved to IPv6 years ago, because their network was getting too large to manage with IPv4.
I would question the competence of any network professional that thinks IPv4 is good enough.