OPNsense Forum

English Forums => General Discussion => Topic started by: compunction on August 26, 2018, 08:08:20 am

Title: Firewalling SLAAC hosts
Post by: compunction on August 26, 2018, 08:08:20 am
I recently got IPv6 working. I am using Track Interface on my LAN interface as I do not have static IPs. I am looking at setting up squid to do things like block youtube during homework time. I also need to do things like disable internet access at night to prevent them from sneaking and playing games etc...

I can do these things with IPv4, but I want to play with IPv6 to learn more. Like I want to figure out how to force my IoT devices to use my secondary ISP connection (Multi-WAN), but with IPv6 and the lack of NAT, it's unclear how I would do this without preventing OPNsense from responding to router advertisements coming from these devices. This is a topic for another day :).

I was hoping to be able to write firewall rules based on hostname, but as the SLAAC hosts are not getting addresses via DHCP, they are not in the DNS zone file. With devices getting multiple IPv6 addresses that are not static, it's unclear to me how to write a firewall rule.

Any tricks for say using the MAC address and querying the NDP table?
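An added example (not from the thread or from OPNsense) of the NDP-table trick asked about above: a POSIX shell snippet that pulls a host's current global IPv6 addresses for a given MAC out of `ndp -an` output and turns them into a pf table that a block rule can reference. The sample NDP output, the interface name `igb1` and the table name are constructed; the column layout is assumed to be that of FreeBSD's ndp(8).

```shell
#!/bin/sh
# Constructed sample of `ndp -an` output (FreeBSD/OPNsense). On a real box,
# pass "$(ndp -an)" to the functions below instead of this string.
SAMPLE_NDP='Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1%igb1                         00:11:22:33:44:55  igb1 permanent R
fe80::a2b3:c4ff:fed5:e6f7%igb1       a2:b3:c4:d5:e6:f7  igb1 23h59m58s S R
2001:db8:1:0:a2b3:c4ff:fed5:e6f7     a2:b3:c4:d5:e6:f7  igb1 23h59m58s S R
2001:db8:1:0:1c2d:3e4f:5a6b:7c8d     a2:b3:c4:d5:e6:f7  igb1 23h58m01s S R
2001:db8:1:0:9999:8888:7777:6666     a2:b3:c4:d5:e6:f7  igb1 expired    S
2001:db8:1:0:1111:2222:3333:4444     11:22:33:44:55:66  igb1 22h10m05s S R'

# Print the global (non link-local, non-expired) IPv6 addresses that the
# NDP table currently maps to the given MAC, one per line.
# $1 = MAC address (any case), $2 = ndp -an output
ndp_addrs_for_mac() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s\n' "$2" | awk -v mac="$mac" '
    NR > 1 && tolower($2) == mac && $1 !~ /^fe80:/ && $4 != "expired" {
      sub(/%.*/, "", $1)   # strip a %scope suffix if one is present
      print $1
    }'
}

# Emit a pf table definition holding those addresses. A rule such as
#   block out quick on igb1 inet6 from <iot_host> to any
# can then reference it; reload the table whenever the host's SLAAC
# addresses rotate.
# $1 = MAC address, $2 = table name, $3 = ndp -an output
pf_table_for_mac() {
  addrs=$(ndp_addrs_for_mac "$1" "$3")
  list=$(printf '%s' "$addrs" | tr '\n' ' ' | sed 's/ $//; s/ /, /g')
  printf 'table <%s> { %s }\n' "$2" "$list"
}
```

Because SLAAC hosts with privacy extensions pick up new temporary addresses over time, the table has to be regenerated on a schedule (or from an NDP change hook) rather than built once.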
Title: Re: Firewalling SLAAC hosts
Post by: bartjsmit on August 26, 2018, 12:47:48 pm
Does your ISP give you a static delegation? This is strongly recommended by the internet registries, such as RIPE in EMEA: https://www.ripe.net/publications/docs/ripe-690

I configure a static IPv6 address with gateway and DNS for my servers and assign firewall rules and public DNS entries accordingly. Kids and IoT devices have separate WiFi SSIDs. Ubiquiti is great for this.

Block ICMP6 to stop router advertisements. You will need to accept them from at least one ISP for interface tracking.

Bart...
Title: Re: Firewalling SLAAC hosts
Post by: compunction on August 26, 2018, 10:51:25 pm
Unfortunately no. I have Comcast and, as I understand it, as long as my DUID does not change I should keep that same prefix, but if I change the interface to static using the prefix::1, I will no longer be sending the DHCP request to get the prefix, and when DHCP times out it would be released and assigned to another customer. To get a static prefix I would have to pay 3x more for business service.

I see a setting "Allow manual adjustment of DHCPv6 and Router Advertisements", I guess I will play with that and see what it does :).
Title: Re: Firewalling SLAAC hosts
Post by: bartjsmit on August 27, 2018, 08:20:32 am
You can keep the WAN side unchanged and pick a /64 for your LAN subnet. Check that SLAAC works, and that you're still getting IPv6 addresses (cav6tf.org is a nice test - watch the turtle swim).

You can then assign static IPs from your LAN range to inside hosts. Oh, and keep looking for a better ISP ;-)

Bart...