OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: GiantJack on December 01, 2019, 12:14:52 pm

Title: How to block internet access for one device vs IPv6 ?
Post by: GiantJack on December 01, 2019, 12:14:52 pm
Hi there!
I have a device for which I wish to block internet access.

For IPv4, no problem, I just add a rule to block any traffic from 192.168.1.xx (xx is my device) to the internet.
I have a static IP in DHCP for this device.

Then comes IPv6... I could disable it on this device, but let's be modern and learn how to deal with it.

I do not have IPv6 DHCP... my ISP provides me a full range of IPv6 and, to be honest, I followed a howto and I do not 100% understand how it works.
My modem is somewhat distributing IPv6 to my devices on the LAN.

I assume I have to add an IPv6 rule to block internet access over IPv6, but how can I check if my IPv6 is static or not?

Title: Re: How to block internet access for one device vs IPv6 ?
Post by: fabian on December 01, 2019, 12:41:03 pm
You could disable the privacy extensions; then the last 64 bits should stay the same. The other option would be DHCPv6.

Title: Re: How to block internet access for one device vs IPv6 ?
Post by: Maurice on December 01, 2019, 02:20:38 pm
With OPNsense this can currently only be done with a static IPv6 prefix. It's not possible to create firewall rules which work with dynamic prefixes. I think this is work in progress (other firewalls can do it).

Whether your prefix is static or not, you have to ask your ISP. On a business plan it should be, on a consumer plan it usually isn't. But even if you don't officially get a static prefix, many ISPs won't change it for months or even years. You'll have to find out. Just make sure "Prevent release" is enabled in the WAN interface DHCPv6 settings.

Like fabian explained, even with a static prefix, it only works when using stateful DHCPv6 (not supported by all devices) or disabling privacy extensions on the device (also not possible on some devices).

A more robust approach would be moving the device(s) to a separate "no Internet" (V)LAN.

Cheers

Maurice
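To make fabian's and Maurice's point concrete (the last 64 bits only stay the same when the device forms its interface identifier deterministically, and the rule then still depends on the prefix), here is an added example that is not part of this thread or of OPNsense. It assumes the device uses the classic modified EUI-64 scheme from RFC 4291 Appendix A once privacy extensions are off (some operating systems use RFC 7217 stable-privacy identifiers instead, which this script cannot reproduce). It derives the SLAAC address the device would take in a given /64, and classifies an observed address as EUI-64-derived or not, which is the check a defender wants before writing a host-specific IPv6 block rule. The MAC, prefixes and addresses are constructed sample values.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A).

    Insert 0xFFFE in the middle and flip the universal/local bit (0x02) of
    the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address the device takes via SLAAC in the given /64 when using EUI-64 IIDs.

    Useful when the ISP rotates the prefix: only the top 64 bits change.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def classify_address(addr: str, mac: str) -> str:
    """Tell whether an observed address matches the EUI-64 IID of the given MAC.

    "eui64"      -> stable identifier; a host-specific rule can key on it
                    (as long as the prefix is also stable).
    "other"      -> privacy/temporary (RFC 4941), stable-privacy (RFC 7217),
                    DHCPv6- or manually-assigned; do not assume it stays put.
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return "eui64" if iid == eui64_interface_id(mac) else "other"


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"  # constructed sample MAC
    for prefix in ("2001:db8:1:2::/64", "2001:db8:ffff:7::/64"):
        print(prefix, "->", slaac_address(prefix, mac))
    for observed in ("2001:db8:1:2:21b:63ff:fe84:45e6",
                     "2001:db8:1:2:8c3a:1b2f:44d0:9e11"):
        print(observed, "is", classify_address(observed, mac))
```

If the observed address classifies as "other", a rule keyed on that single address will silently stop matching once the device picks a new temporary identifier; that is the failure mode Maurice's separate "no Internet" VLAN avoids, because the rule then keys on the interface rather than on any address.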