Applying a rule to a single client in a SLAAC only network?

tibere86

I cannot for the life of me figure this out. i have my IPv6 network setup as UNMANAGED (SLAAC only). I would like to apply a firewall rule to a single client. What address do I use as the SOURCE when creating the firewall rule; link-local? global?

Gertjan

@tibere86

Good question. I also would like to know that.

But, re read you own question again.
You are asking how to manage (by using a firewall rule that works with known IP address(es)) an unmanaged system.
Your - and my - question made me using a controlled, = managed ? environment where "I" decide what device gets what IPv6, so I use 'managed' and I use the DHCPv6 server.
Also because that's how things were done for the last x decades when when I was using IPv4, so why not continuing to use what is known to work well ^^

Btw :

Unmanaged : Will advertise this router with Stateless Address Auto-Configuration (SLAAC).

Does that mean the router (pfSense) auto assigns some IPv6 and informs the client devices : do whatever you want yourself / make up some IPv6 yourself ?

Well, yeah, pfSense won't know upfront what a device will chose as it's IPv6.

Anyway, maybe there are solutions, and as always, I hope to be wrong.

JKnott

@tibere86 Are you filtering incoming or outgoing connections? Outgoing connections are from privacy addresses which change daily. If you have incoming connections, such as to a server, they'd normally use the consistent address.

Yeah, it would be nice if pfSense filtered on the MAC address, but I don't think the CE version does that.

tibere86

@Gertjan - Your statements makes complete sense. I prefer the simplicity of using SLAAC. As link-local addresses are "static", would that not suffice to generate outgoing firewall rules?

tibere86

@JKnott - Filtering outgoing connections to direct traffic out certain gateways (policy-based routing). Are not link-local addresses static?

JKnott

@tibere86 said in Applying a rule to a single client in a SLAAC only network?:

Are not link-local addresses static?

Yes they are. However, they're not normally used for traffic and certainly not if going beyond a router. Depending on the client, you can choose whether or not to use those privacy addresses, so perhaps you could use the consistent address instead.

johnpoz

@tibere86 said in Applying a rule to a single client in a SLAAC only network?:

As link-local addresses are "static", would that not suffice to generate outgoing firewall rules?

While a link-local shouldn't ever change - a link-local would not be used talking to some IP out on the internet.. This would be global address.

With IPv6 since quite often you can not control the IPs, and temp IPs are used a lot the time. The simple solution would be to put device(s) you need to firewall on different prefix. And you control firewall rules via the whole prefix. Then it doesn't matter what IP a client might used to talk to something off the prefix.

If you need to control a specific host, you prob want to set it to static IP, or use dhcpv6 so it always gets the same global IP - and turn off its use of temp IPv6 addresses.

Problem with that is that could change, user might re-enable temp addresses, etc.

I am not sure if mac address filter is coming to CE, but it is currently available in the + version. So that is another option, but what I would suggest is use prefixes for specific firewalling/policy routing you might want to do.

GeorgePatches

@Gertjan said in Applying a rule to a single client in a SLAAC only network?:

o I use 'managed' and I use the DHCPv6 server.

This won't solve the problem if the ISP rotates your prefix delegation on the regular (my personal experience with Verizon FIOS residential).

The only solution to this problem that I've come up with is to setup dynamic DNS on the client I want to make a rule for, create an alias for said DDNS entry, and then use said alias in a firewall rule.

Gertjan

@GeorgePatches said in Applying a rule to a single client in a SLAAC only network?:

This won't solve the problem if the ISP rotates your prefix delegation on the regular (my personal experience with Verizon FIOS residential).

Very true.
If any of my LAN devices asks for DHCPv6 lease it will last, on a typical WIN11, 6 hours.
That is, that is what I see :

and now it's 09h44, and I just renew the lease manually with ipconfig /renew6.

If, moment later, my upstream ISP allocated me a new prefix, the DHCP6 LAN server will get restarted with the new prefix ... but my LAN devices still use their now depreciated old prefix.
I'm not sure if other IPv6 magic exists that can warn the LAN device that 'something' has changed, and that it should force renew it's IPv6 lease.
If not, then yeah, now we have a routing issue.

Yes, a prefix can change, but shouldn't change "often". And that is an RFC standard.
For example, since my pfSense is activate on my now IPv6 ISP router, about 18 months now, my prefix didn't change.
France - country where I live - they managed to create a 'law' (privacy act stuff whatever) that an "IP" should at least change ones a year. As I have a 'pro' account, I opted out for that, so my WAN IPv4 and IPv6 (prefix) are pretty rock solid.

Constantly changes prefixes, imho, is a pure pain.
The real issue is : the (IPv6) RFCs exists. And every ISP out there interprets them somewhat differently.

@GeorgePatches said in Applying a rule to a single client in a SLAAC only network?:

The only solution to this problem that I've come up with is to setup dynamic DNS on the client I want to make a rule for, create an alias for said DDNS entry, and then use said alias in a firewall rule.

That is exactly what I do
But I'm not using the classic "Services > Dynamic DNS > Dynamic DNS Clients" solution.
A DHCPv4 and DHCPv6 server can register the host name of a device that asked for a lease into a DNS server.
This already is/was possible with pfSense before, but then the host name is only known locally.
The DHCP ISC server (and kea also) can also use any other DNS server, so also my domain name server) to register the host name with the IP. That's not 'like' DDNS, it IS DDNS, and it also uses RFC2136 (which is a classic, very first DDNS method that existed out there).

As I'm using kea, and kea uses a separate process (program) for that, and pfSense has that program but isn't using it, I decide to use it.
Works great - an was pretty straight forward to implement.
And none of all this is a surprise as kea is written by the same guys who wrote "ISC DHCP", so they made it compatible.

Btw : not that I really need a LAN IPv6 (my NAS) so it can be accessed on a world Internet level, it just enables me to access my NAS over IPv4 or IPv6 anytime. It's more a "to be ready for the future" thing. And the future is here : 60+ % of all my pfSense LAN/WAN traffic is IPv6.