Hi there!
I use OPNsense on my DSL connection.
My modem is a special one provided by my ISP (it's called Freebox, for those who know it).
It does provide IPv6 addresses and I have set up OPNsense following a howto to manage it.
As far as I understood, it uses SLAAC.
I have also read several times that Android devices are not DHCPv6 friendly... but there are several ways to use DHCPv6, maybe some of them work?
So now: how am I supposed to handle IPv6 firewall rules with this SLAAC process?
Is there a way to get OPNsense to grab and identify the IPv6 addresses on my LAN?
IPv6 is a security nightmare (by design...) and nearly nobody knows how to configure a firewall safely. Stay away.
Or wait 5 min, then the experts will tell you the opposite here... :-)
That's a very long 5 min ;D
8o)
Android devices do not use dhcpv6, so you must have RADVD running in assisted mode, a pain in the bum if you want a purely managed system, however it is what it is.
Have you successfully got a global IPv6 address on your LAN?
Quote from: marjohn56 on April 15, 2020, 11:51:05 AM
Android devices do not use dhcpv6, so you must have RADVD running in assisted mode, a pain in the bum if you want a purely managed system, however it is what it is.
Have you successfully got a global IPv6 address on your LAN?
I have successfully set up IPv6 on WAN and LAN, and it is propagating to my devices.
But apart from the OPNsense WAN & LAN IPs, which are fixed, I cannot really identify from OPNsense which IPv6 addresses are on my LAN. For the moment I use this SLAAC thing (as far as I understand).
I have Services / Router Advertisements enabled in assisted mode.
DHCPv6 is currently disabled.
I used this howto to set up IPv6 on OPNsense, also with my specific ISP modem (but it's in French).
So if I understood correctly, I could enable DHCPv6, which could be used by PCs, and Android devices will do the job by themselves like currently with the RA assisted thing?
I have another related question: it seems to be good practice to change a device's IPv6 address frequently for privacy. A static IPv6 address, like those built from the MAC address, would be too easy for those guys who love to track us.
Now if I set a static IPv6 lease in DHCPv6... isn't that a bad idea for privacy?
Sent from my ONEPLUS A6013 using Tapatalk
If you don't know which client has which IPv6 addresses (yes, more than one per device, in fact multiple addresses) you can actually never control the internet services on a per-client basis. It's a complete nightmare made for surveillance and to stop you from controlling your LAN. :-)
Unless you are running a server, which obviously should have a static address, there is no need to set fixed IPs. As chemlud has pointed out, multiple addresses are used for privacy, and with Windows you have to disable the privacy extensions anyway if you want to run a static v6. You can set statically assigned v6 addresses in the DHCPv6 server and the device will be given that address as one of its addresses.
I have a couple of servers that are static, one is an Ubuntu web server and the other is a w10 device with privacy extensions disabled.
IPv6 is fun. :)
What exactly are you trying to do?
Agreed for servers, no problem.
But I see some situations where I would like to set IPv6 rules in the OPNsense firewall for other devices.
For example, it could be the kids' devices (phone, PC) where I may want to cut the internet during the night.
Or IoT devices where I may want to cut any unnecessary/unexpected connection to the internet (like call-home messages).
I think about a possible trick I have in my pocket ;D.
My ISP provides me with 8x /64 IPv6 subnets (with those "next hop" entries I can set in my modem).
It might be possible that I use those subnets to define 8 "groups" I could apply rules to in OPNsense.
Let's say one subnet for servers (static IPs), one for my PCs or phone, one for IoT devices, one for the kids, etc.
If I cannot know a device's exact IPv6 address, this way I could apply firewall rules to its entire subnet.
What do you think ?
If you want to have separate security rules, you should separate clients by VLAN. IP address spoofing is all too easy.
This may need VLAN capable access switches and/or WiFi with separate SSID support per VLAN. TP-Link makes some cheap and cheerful kit for this (other vendors are available).
Bart...
As bart said, VLANs are the best way to do that. TP-Link EAP225s are good, I have three of them with multiple VLANs with separate SSIDs. You could give the kids the password for one SSID and keep the other one(s) for adult-only access. It also allows you to separate out IoT devices such as Amazon Echoes, Google and similar devices. It costs a bit to get it set up but they work well with D-Link 1100 series managed switches.
Yes, VLANs could do it, but to be honest, I'm not comfortable with them so far... last time I tried one, it gave me headaches ;D
But I will re-think it, I agree it's made for such filtering (and learning about VLANs is on my to-do list, as well as IPv6).
I do have a separate WiFi AP for the kids (OpenWrt). Currently I made it IPv4 only.
They have their own subnet with a few rules (in OpenWrt & in OPNsense) to schedule internet access and allow access to some devices like the printer.
I'm not sure what you meant by IP spoofing, but I have blocked on the OpenWrt AP any IP different from what I set for their devices (PC, phones).
Gosh, are you suggesting I can try IPv6 + VLANs? :o :o :o (I foresee some hard moments for myself ;D)
VLANs are pretty simple once you get your head around them. Took me a while to work out the difference between trunk, hybrid and access, and of course every switch manufacturer uses different terminology; but once you get past that bit it's not too harsh. Setting up VLANs on OPNsense is painless too, and I'm happy to say it all works very well.
El Reg did a good article about them a few years back: https://www.theregister.co.uk/2017/06/30/vlans_at_20/
IPv6 doesn't make them any more complex, or easier for that matter ;)
Bart...
Thank you guys, I will check this and learn :)
Ahah, just tried VLANs, seems to be working fine and a pretty simple setup ;D
I made a guest AP on an OpenWrt device (just a WiFi AP bridged with eth0.11 for VLAN 11).
No DHCP, no firewall rules on the WRT, just an "unmanaged" interface.
Then all firewall & DHCP is managed from OPNsense.
Looks much simpler than my previous IP management!
I don't have any managed switch except the OpenWrt device (with the port connected toward OPNsense tagged VLAN 11).
I have an unmanaged dumb Ethernet switch in between.
Something like this (I hope my drawing is not too bad :-[)
[OPNsense LAN/VLAN]-----[unmanaged switch]-----[LAN/VLAN openwrt VLAN]-----Y wifi guest AP
[_________________]     [                ]     [____________________LAN]-----Y wifi private AP
                        [    Netgear     ]
                        [  GS316-100PES  ]
                        [                ]---other LAN devices
                        [________________]--- ....
If you are in the UK, there's a D-Link DGS-1100-05 for sale on eBay for 19.99, or CCL are selling them for £25; only 5 ports but it will do the job perfectly for your needs. You can always add more switches and powerline devices later to make your network more advanced.
Might even buy myself a couple at that price to keep as spares!
Check this thread, I posted a map of my network a while back.
https://forum.opnsense.org/index.php?topic=15232.msg70211#msg70211
Ahah, I just discovered that I had a GS108E & GS105E (a little old) from Netgear.
Both are manageable!
I never used the management before and used them as unmanaged switches (mostly because those ones need Windows software, and when I bought them there was no Windows PC at home).
So, one or two days ago I "managed" them for the first time and set up some VLANs.
It works perfectly!
It's a much easier solution than my previous setup: the AP side is basically an unmanaged bridge of the VLAN interface & WiFi AP (setup ~2 minutes on OpenWrt)... then all DHCP & firewall in the same place in OPNsense.
Updated working setup, just in case someone would be interested:
[OPNsense LAN/VLAN]-----[ managed switch ]-----[LAN/VLAN openwrt VLAN]-----Y wifi guest AP
[_________________]     [                ]     [____________________LAN]-----Y wifi private AP
                        [    Netgear     ]
                        [     GS108E     ]
                        [                ]---other LAN devices
                        [________________]--- ....