OPNsense Forum

English Forums => General Discussion => Topic started by: OzziGoblin on May 31, 2025, 01:27:05 AM

Title: IPv6, RFC1918 and static IPv6 address questions
Post by: OzziGoblin on May 31, 2025, 01:27:05 AM
Hi everyone

First, my apologies if this is available elsewhere; I've done some digging, but I haven't been able to locate a solution to this.

FYI, This is for my home network.

I've been able to set up IPv6 successfully on OPNsense, using DHCP from the ISP and "track interface" on the VLANs. It was all working well: I could ping Cloudflare DNS on IPv6 from the gateway, and all client VLANs received addresses and were able to get positive results from https://test-ipv6.com :-)

I then started looking at firewall rules. On each VLAN I have a final rule that allows access to the internet and blocks access to the internal subnets (RFC1918). I then realised that I don't have the IPv6 addresses in it, and I assumed traffic could then pass between VLANs (am I wrong here?).
So I added the first 3 parts of the IPv6 address with a ::/48 and that worked. However, because this is a dynamic IPv6 address, it would need to change if/when I get a new address. Does anyone know how to solve that problem?

Lastly, I thought the solution to the above would be to request a static IPv6 address from my provider, which I did, and I got a /48. However, when I add that as a static entry on the WAN interface, it all breaks: I can't even ping Cloudflare DNS on IPv6 from the gateway, and none of the VLANs get IPv6 addresses.
Something that confused me was that the documentation says "When the ISP offers a static address block you can assign one /64 network to your WAN interface and other /64 networks to your LANs". Does this mean I need to manually break up the /48 into /64 networks and configure internal DHCPv6 in OPNsense?

Sorry for all the questions; I'm pretty new to IPv6 but wanted to take the dive and learn.

thanks again, really appreciate any help I can get.
Title: Re: IPv6, RFC1918 and static IPv6 address questions
Post by: meyergru on May 31, 2025, 01:39:31 AM
DHCPv6, do not use it, try reading this (https://forum.opnsense.org/index.php?topic=45822.0) first.

For firewall rules with dynamic IPv6 prefixes, you can use "Dynamic IPv6 host" aliases to refer to the EUI-64 of your clients in firewall rules.

So, normally, you would allow inbound IPv6 access in floating rules instead of the WAN, because if you allow the whole internet to access any specific client, why would you block any VLAN?

I never thought about blocking VLANs from one another (like I do for IPv4) while still giving outbound internet access, because it is quite difficult to guess any EUI-64, but when I think hard enough, I am sure I would find a way - probably by using the "XXX net" aliases that are created automatically or outbound rules on the VLANs that I want to protect...

I just looked again at a possibility to block inter-VLAN IPv6 access. It is quite simple: Instead of the often suggested approach to first block destination "RFC1918" and after that, allow "any" (or just allow "!RFC1918"), I define an interface group for all local protected VLANs and then use one IPv4+IPv6 blocking rule with a target of "LOCAL_VLANS net". This would block local traffic destined for the firewall (as does using "RFC1918" there, but is restricted to IPv4), so any more specific allow rules should be placed into the floating rules or put before these blocks.
Title: Re: IPv6, RFC1918 and static IPv6 address questions
Post by: OzziGoblin on May 31, 2025, 03:54:27 AM
Thanks for this meyergru, I did read your article and it helped with the setup.

However, I don't think I'm ready to implement an IPv6 solution that's secure atm, I still have too much to learn.

I'm going to revert back to IPv4 which I at least understand better.

thanks for your reply
Title: Re: IPv6, RFC1918 and static IPv6 address questions
Post by: OPNenthu on June 01, 2025, 10:31:34 AM
Using a default allow rule with a "!RFC1918" condition has some limitations, most obviously with dynamic IPv6 as described.  With such a rule you may need to also then place explicit allow rules before it for access to DNS and other network services (except DHCP which is handled automatically by OPNsense) because those are in many cases in the RFC1918 range.

There's a way to do it differently which I found works for IPv6 inter-VLAN filtering as well:

You can continue to use a default allow rule with a "!" condition, but instead of RFC1918 ranges you would use an alias containing the network(s) you want to block access to.  These can be CIDR IP blocks.  Alternatively you can use explicit block rules for OPNsense interfaces (e.g. LAN net, IOT net, etc.)

[attachment: default_allow_any_with_exclusion.png]

or

[attachment: block_with_default_allow_any.png]

This approach may be a little too wide open for you, depending on your concerns. It's also difficult to manage for large numbers of interfaces, or if you are frequently adding/removing interfaces.

For a simple home network with just a few VLANs, this can work well IMO.
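The difference meyergru and OPNenthu describe above (a "block RFC1918, then allow any" pair versus one IPv4+IPv6 block on the local VLAN networks followed by "allow any") can be checked offline with a small first-match model. The following is an added example written for this thread, not OPNsense or pf code: it uses Python's ipaddress module to derive each VLAN's /64 from a delegated /48 and a prefix ID the way "track interface" does, then evaluates a LAN-to-IOT packet against each rule ordering. The VLAN names, the 192.168.x.0/24 subnets, the prefix IDs and the two documentation prefixes 2001:db8:abcd::/48 and 2001:db8:1234::/48 are all constructed for the example; ports and states are deliberately not modelled, only the destination address.

```python
"""Model of the inter-VLAN filtering approaches discussed in the thread.

Added example, not OPNsense code. Rules are evaluated first-match with an
implicit default deny, which is how quick rules on an OPNsense interface
behave. Only the destination address is matched; ports are not modelled.
"""
from ipaddress import IPv6Network, ip_address, ip_network

# Constructed home layout: IPv4 subnet per VLAN plus the "Prefix ID" used to
# carve that VLAN's /64 out of whatever /48 the ISP currently delegates.
VLANS = {
    "LAN":   {"v4": ip_network("192.168.10.0/24"), "prefix_id": 0x10},
    "IOT":   {"v4": ip_network("192.168.20.0/24"), "prefix_id": 0x20},
    "GUEST": {"v4": ip_network("192.168.30.0/24"), "prefix_id": 0x30},
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed delegations: the one in use today and the one after a renumbering.
OLD_PREFIX = IPv6Network("2001:db8:abcd::/48")
NEW_PREFIX = IPv6Network("2001:db8:1234::/48")


def vlan_v6(delegated: IPv6Network, prefix_id: int) -> IPv6Network:
    """The /64 a VLAN gets from 'track interface' with the given prefix ID.
    It moves with the delegation, which is why a literal /48 in a rule goes stale."""
    if delegated.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    if prefix_id >= 2 ** (64 - delegated.prefixlen):
        raise ValueError("prefix ID does not fit in the delegation")
    return IPv6Network((int(delegated.network_address) + (prefix_id << 64), 64))


def local_nets(delegated: IPv6Network) -> list:
    """Equivalent of the 'LOCAL_VLANS net' alias of an interface group:
    every member VLAN's IPv4 subnet plus its current IPv6 /64."""
    nets = []
    for vlan in VLANS.values():
        nets.append(vlan["v4"])
        nets.append(vlan_v6(delegated, vlan["prefix_id"]))
    return nets


def evaluate(rules, dst) -> str:
    """First-match evaluation. Each rule is (action, networks); networks=None means 'any'."""
    d = ip_address(str(dst))
    for action, nets in rules:
        if nets is None or any(d in n for n in nets):
            return action
    return "block"  # implicit default deny


def rfc1918_ruleset():
    """The common recipe: block RFC1918 destinations, then allow anything.
    RFC1918 is IPv4-only, so no IPv6 destination ever matches the block."""
    return [("block", RFC1918), ("pass", None)]


def hardcoded_ruleset(delegated: IPv6Network):
    """The original poster's fix: add the current /48 to the block literally."""
    return [("block", RFC1918 + [delegated]), ("pass", None)]


def local_vlans_ruleset(delegated: IPv6Network, allow_first=()):
    """meyergru's approach: one IPv4+IPv6 block on the group's networks, then allow any.
    allow_first lists destinations (e.g. the firewall's own interface address, for DNS)
    that must be passed before the block, as the post warns."""
    rules = []
    if allow_first:
        rules.append(("pass", [ip_network(str(a)) for a in allow_first]))
    rules.append(("block", local_nets(delegated)))
    rules.append(("pass", None))
    return rules


def inter_vlan_verdict(rules, delegated: IPv6Network) -> dict:
    """Verdict for a LAN client talking to a host on IOT, over IPv4 and over IPv6."""
    iot_host4 = VLANS["IOT"]["v4"][10]
    iot_host6 = vlan_v6(delegated, VLANS["IOT"]["prefix_id"])[0x10]
    return {"v4": evaluate(rules, iot_host4), "v6": evaluate(rules, iot_host6)}


if __name__ == "__main__":
    print("RFC1918 + allow any:       ", inter_vlan_verdict(rfc1918_ruleset(), OLD_PREFIX))
    print("literal /48, same prefix:  ", inter_vlan_verdict(hardcoded_ruleset(OLD_PREFIX), OLD_PREFIX))
    print("literal /48, after renumber:", inter_vlan_verdict(hardcoded_ruleset(OLD_PREFIX), NEW_PREFIX))
    print("LOCAL_VLANS net, renumbered:", inter_vlan_verdict(local_vlans_ruleset(NEW_PREFIX), NEW_PREFIX))
    print("DNS to firewall w/o allow:  ", evaluate(local_vlans_ruleset(OLD_PREFIX), "192.168.10.1"))
```

Running it shows the IPv6 leg passing under the RFC1918 recipe, blocked once the /48 is added literally, leaking again after the delegation changes because the literal rule still names the old prefix, and blocked under the group-network rule because that alias is recomputed from the live prefix. The last line shows the caveat from meyergru's post: the group-network block also catches traffic to the firewall's own VLAN address, so a pass rule for DNS (or whatever the firewall serves) has to sit above it.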

Title: Re: IPv6, RFC1918 and static IPv6 address questions
Post by: OzziGoblin on June 02, 2025, 07:35:29 AM
Thanks @meyergru, that's far more useful. I've replaced all the RFC1918 rules with that. It gives some interesting options too.

thanks again for the support everyone