Messages - pawlisko

#1
Such an awesome theoretical discussion.

So how about solution for my question? BTW - creating VLANs and additional SSIDs is NOT a valid one.
#2
Just reading your discussion and what we have in many solutions is an IPv4 architecture that is then repurposed to handle IPv6 or dual-stack.

While IPv4 is well-defined and well-known, IPv6 is not. I don't know what happened, but thinking that NATv6 would not be needed was not based on real-life scenarios. The same thing happened with SLAAC - in theory, this was a good idea, but when you want to control your networks with a FW and more, SLAAC does not make sense. Especially with Assisted Mode in RA - my Windows computer now has (at the moment I am writing this) 4 IPv6 addresses: one from DHCPv6, one LL address, and two from SLAAC (including a temporary IPv6 address). That alone concerns me, as the 2 addresses are dynamic, and the pf firewall may not be able to do what I want it to do automatically. The only way to control it is L2 (MAC address).

And yes - you can spoof MAC, you can spoof IP - you can spoof almost everything in the network if you know how to do it. There are protocols to help with this problem, but that also requires knowledge, and time, and will.

So, in the end, what we need is a solution that understands that IPv4 and IPv6 are totally different beasts and probably an architecture change is needed. Also, we are in a place where no one cares. We are not simple home users (there is eero/tplink/asus for that), and we are not corporations with IT budgets (there is Cisco/Juniper/etc for that). There are some solutions for us - OPNsense, MikroTik, Ubiquiti, etc. - but none of those are 100% what we need. There are always some tradeoffs and in the end, what we are using is the solution that sucks the least for us.

The corporate network at my work does not even use IPv6, and we are not using NAT - my VDI has a public IP address assigned; of course, everything is controlled by VLANs, switches, routers, ACLs, AD, etc. But somehow at home we are using IPv6 - there are services that are IPv6-only, so we have to adopt it. And again, what we have is a network with dynamic IPs, with SLAAC devices, with devices that are not 100% compliant with standards (e.g. Android devices at some point), etc. We want to have some control over it, but the standards were not written with us in mind, rather for the corporate world and unsophisticated home users. What needs to happen is for us to understand and embrace it - go outside the box, stop being ideologues of purity, accept life with greys, and build solutions around greys.
#3
Quote from: zan on December 29, 2022, 08:30:43 AM
Out of curiousity I set up a MAC alias for my Android phone and turned on IPv6 support on my Wifi vlan and RA service with Assisted mode.
I could see my phone got a SLAAC address and the MAC alias from OPNSense's Diagnostics->Aliases also resolved to the same address.
Then I setup a block rule for that MAC alias and it seems to be working as expected.
So it looks like OPNSense can firewall by MAC address just fine, what do I miss here?

SLAAC IPv6 addresses tend to change. There are devices like, e.g., my printer, which has one IPv6 address based on the MAC address, but iOS devices take 2 IPv6 addresses and then start to cycle through them, taking new addresses, etc.; the same situation is with Windows. As other people said, FBSD is working on L3 (IP level), not on L2 (MAC level). MAC addresses are resolved to IP addresses every 5 minutes. So if your IPv6 changed 1 second after OPNsense refreshed it to block, your device has 4 minutes and 59 seconds during which it is not technically blocked, as the new IPv6 address is not blocked.
#4
Quote from: RamSense on December 28, 2022, 06:07:08 PM
how about getting those devices a static ip(4 and/or 6) and block it on ip, or when several, making an alias with those ips and blocking it. I am using that for my kids devices to block the internet for them to support bedtime :-)

IPv4 - I set it up as static, so it is easy to configure - no issue here.

IPv6 - is using SLAAC - hence my original post about sniffing out the IPv6 address. So the device can use DHCPv6, but because I have some which can't, I have to use RA in Assisted mode (flags M+O+A), and many devices, including the device in question, prefer SLAAC over DHCPv6.

For kids' devices I use the built-in Kids Mode (iOS and Amazon did that right).
#5
It sounds like it was easier to code on L3 rather than on L2, and we are stuck with a solution which is way sub-optimal, and to work around that we need to create so much more than is needed.
Your solution is manageable if the device is connected through ethernet, but what about WiFi? Changing the WLAN or creating additional SSIDs for each device does not make sense. What if I have 5 devices like that and I want 4 of them to use IPv6, then what? 5 VLANs? 5 WiFi networks? What about ease of use? Not to mention support or troubleshooting.
#6
Confirmed.

I use dns.he.net

I was using 2 addresses - one A and the other AAAA.

AAAA is updating correctly, while A stopped working.
#7
Quick question - as I am new to the OPNsense world.

Killing (temporarily) IPv6 communication for a device inside the LAN. In MikroTik, I would create rules in the FW to drop in/out IPv6 transmission based on the device MAC address (due to the device being SLAAC only), and I can't turn off IPv6 support in the device. Basically, if the device sniffs IPv6, it will go for an IPv6 address and communication.

I tried to replicate it here with partial success. Some traffic is going through, though, on an intermittent basis.

What is the proper way in OPNsense to kill IPv6 communication for the host?
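The question above (and the explanation in #3 that pf works on IP addresses, with the MAC alias re-resolved every five minutes) is really about getting the device's current IPv6 addresses into a pf table faster than SLAAC rotates them. Here is an added example of that plumbing, written for this page and not taken from OPNsense or the original posts: a small sh script that filters FreeBSD's `ndp -an` neighbor table by MAC and pushes the result into a pf table with `pfctl -t ... -T replace`. The neighbor-table sample, the MAC, the interface name `igb1` and the table name `blocked_v6` are constructed for illustration; the column layout assumed for `ndp -an` is the FreeBSD one (Neighbor, Linklayer Address, Netif, Expire, S, Flags).

```shell
#!/bin/sh
# Added example (not OPNsense code): collect the IPv6 addresses the FreeBSD
# neighbor table currently maps to one MAC and load them into a pf table,
# so a "block ... from <table>" rule follows SLAAC address churn.

# Constructed sample of `ndp -an` output (not captured from a real box).
SAMPLE_NDP='Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1a2b:3cff:fe4d:5e6f%igb1       18:2b:3c:4d:5e:6f   igb1 permanent R
2001:db8:1:2:1a2b:3cff:fe4d:5e6f     18:2b:3c:4d:5e:6f   igb1 23h59m12s S R
2001:db8:1:2:9c3e:41aa:b0c7:1d02     18:2b:3c:4d:5e:6f   igb1 17m3s     S R
2001:db8:1:2::10                     aa:bb:cc:dd:ee:01   igb1 23h58m00s S R
fe80::a8bb:ccff:fedd:ee01%igb1       aa:bb:cc:dd:ee:01   igb1 permanent R'

# ndp_addrs_for_mac MAC: read `ndp -an` output on stdin and print every IPv6
# address mapped to MAC (case-insensitive), one per line. The %scope suffix
# on link-local entries is stripped because pfctl does not accept it.
ndp_addrs_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v mac="$mac" 'NR > 1 && tolower($2) == mac { sub(/%.*/, "", $1); print $1 }'
}

# count_lines: number of lines on stdin (0 for empty input); used for checks.
count_lines() {
    awk 'END { print NR }'
}

# refresh_block_table MAC TABLE: replace the contents of pf table TABLE with
# whatever the live neighbor table shows for MAC right now. Assumes a rule
# such as
#   block in quick inet6 from <blocked_v6> to any
# already references the table. Run as root from cron (e.g. every minute) to
# shrink, not remove, the window between a new SLAAC address appearing and
# it being blocked.
refresh_block_table() {
    addrs=$(ndp -an | ndp_addrs_for_mac "$1")
    if [ -z "$addrs" ]; then
        pfctl -t "$2" -T flush
    else
        # word splitting of $addrs is intended: one argument per address
        # shellcheck disable=SC2086
        pfctl -t "$2" -T replace $addrs
    fi
}

# Demo on the constructed sample (needs no ndp/pfctl): prints the three
# addresses held by 18:2b:3c:4d:5e:6f.
printf '%s\n' "$SAMPLE_NDP" | ndp_addrs_for_mac 18:2B:3C:4D:5E:6F
```

Two caveats a practitioner will hit: pf only consults the table for new connections, so states already established to an address that just got added survive until they expire or are killed (`pfctl -k <address>`), and a table that OPNsense manages as an ordinary alias is rewritten on every filter reload, so the table should be one that OPNsense leaves to external tools. Even on a one-minute schedule this is still the L3 workaround the thread complains about; it only narrows the race.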
#8
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 16, 2022, 12:40:28 AM
Step 5(b) for IPv6 may not work when OPNsense receives an IPv6 prefix and does not assign itself an IPv6 address on the WAN interface.

Bug #1 - OPNsense didn't implement RFC6603; hence WAN interface does not have IPv6 address
Bug #2 - WG IPv6 addressing can't be NATed via Interface address as WAN Interface does not have an IPv6 address

Therefore NPTv6 works (avoiding Bug #2) while NAT66 does not.

Where should this be sent so the developers can address it?
#9
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 14, 2022, 06:58:53 PM
and turn off NAT rule - right?
#10
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 14, 2022, 06:02:02 PM
so how to change config to include NPTv6 in WG deployment?
#11
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 13, 2022, 07:01:35 PM
So I read this article, I read RFC, but life is life.

So let me tell you a crazy story - I work for a Big4 Bank (does not matter which one). I work using VDI; as part of the security systems, no connections are allowed to the F5 gateway from IPs that belong to any VPN service (the Global Security team is really proactive and bans all VPN networks and IPs all the time). Having said that, I need to connect from an IP belonging to my ISP. I am based in the US. My ISP leases me a /56 prefix, but it is dynamic; I can try to prevent the release of the IPv6 prefix, but it is not guaranteed. So I have to use ULA for my WG setup. This is the situation.
I do travel internationally, maybe not as much as I used to, but I do. My company is not so keen on me traveling, especially since I am in a "low band" (Band 0 is CEO, I am at 5), but due to certain skills I have, my management allows me to travel under multiple conditions (travel registered with the US Department of State portal, multiple ways to communicate with me, they have to know all the addresses I stay at, I need to register myself additionally with the local US embassy, etc.), but I have to appear to the rest of the company (including dreaded Global Security) as if I were at home in the US. Please don't ask about getting official approval, as this is even more complicated and legal must be involved, and if I am traveling to any country which borders any of the "hot" zones I am not allowed; also, working from abroad, even though I can work officially from multiple countries (I hold more than one citizenship), may create taxable events where my company and I would be liable for paying local taxes, etc. I did that once (going the official route) and since that time there is this "understanding". This is the setup of the story.
Now the life - I've been to places where I had only IPv4 connectivity - no problem for my work; I was in places where there was dual-stack, also no problem; but also I've been in places where the network was IPv6-only and the ISP handled IPv4 traffic via NAT64 (in the US, e.g. T-Mobile US is doing that) - and without the ability to establish an IPv6 tunnel to my home there was no way of working. Therefore I have to have a fully working dual-stack WG server at home. If you add dynamic prefix allocation, ULA is the only way to set up the WG tunnel, and then just NPTv6 out. NAT does not work, as sometimes I have to establish a few different connections to different VDIs (laptop and iPad), and the same IPv6 address gets Global Security to act. That is why I need my setup.

I am new to OPNsense - I had my setup working quite OK with MikroTik, but their rigid stance on IPv6 ULA and NPTv6 development, even though I had run a workaround, pushed me here. I put some scripts together to update to the new prefix but the idea was for each tunnel:
/ipv6 firewall nat add action=src-nat chain=srcnat src-address=ULA#1/128 to-address=GUA#1/128
/ipv6 firewall nat add action=dst-nat chain=dstnat dst-address=GUA#1/128 to-address=ULA#1/128
When the IPv6 prefix changed, the script updated the GUA in both chains, making this work like magic.

I know that with 22.8 (sometime in January as per roadmap) NPTv6 should be operational with tracking interface so hopefully it will be working somehow.

And last thing - Apple on dual-stack with ULA works great with IPv6. The only thing to be aware of is that addressing should start with fd00::, not with fc00::.
Also I have a few devices in my local network which are not DHCP-enabled for obvious reasons (like the Cisco Wireless LAN Controller, a few core managed switches), so I have to have ULA working on the LAN interface as well - and I achieved that using Virtual IPs, so it started to work on LAN with NPTv6 - still I have to update if the prefix changes, but...
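To make concrete what the NPTv6 that #8 and this post lean on actually does, and how it differs from the per-host src-nat/dst-nat pairs the MikroTik script above emulated, here is an added example in Python (written for this page; not code from the original post, OPNsense or MikroTik) implementing the RFC 6296 prefix translation. The ULA/GUA prefixes and client addresses are made up for illustration, and the word-selection rule for prefixes longer than /48 (first interface-identifier word that is not 0xFFFF), the rejection of an all-0xFFFF interface identifier, and writing a 0xFFFF result as 0x0000 follow my reading of the RFC.

```python
"""Added example (not from the original post, OPNsense or MikroTik):
RFC 6296 NPTv6 address mapping, a stateless 1:1 prefix rewrite that keeps
transport checksums valid so each inside host keeps its own outside address."""
import ipaddress


def _words(addr):
    """Split a 128-bit address (IPv6Address, str or int) into eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def _oc_fold(n):
    """Reduce a non-negative integer to a 16-bit ones' complement value."""
    while n >> 16:
        n = (n & 0xFFFF) + (n >> 16)
    return n


def checksum_sum(addr):
    """The address's contribution to the TCP/UDP/ICMPv6 pseudo-header checksum:
    a ones' complement sum, reduced modulo 0xFFFF (0x0000 and 0xFFFF are both zero)."""
    return sum(_words(addr)) % 0xFFFF


def nptv6_translate(addr, internal, external):
    """Rewrite addr from prefix `internal` into prefix `external` the way an
    NPTv6 translator does: swap the prefix bits, then add a compensating
    ones' complement adjustment to one 16-bit word so checksum_sum() is
    unchanged and no transport checksum has to be touched. Calling this again
    with the prefixes swapped undoes the mapping."""
    internal = ipaddress.IPv6Network(internal)
    external = ipaddress.IPv6Network(external)
    addr = ipaddress.IPv6Address(addr)
    if internal.prefixlen != external.prefixlen:
        raise ValueError("NPTv6 requires prefixes of equal length")
    if addr not in internal:
        raise ValueError(f"{addr} is not inside {internal}")
    plen = internal.prefixlen
    host_mask = (1 << (128 - plen)) - 1
    old = _words(addr)
    new = _words((int(external.network_address) & ~host_mask) | (int(addr) & host_mask))
    # Ones' complement change the prefix swap introduced in words 0-3.
    delta = (sum(new[:4]) - sum(old[:4])) % 0xFFFF
    adjust = 0xFFFF - delta                    # ones' complement negation of delta
    if plen <= 48:
        idx = 3                                # adjust the subnet-ID word
    else:
        # Assumption (RFC 6296, longer prefixes): first IID word that is not 0xFFFF.
        candidates = [i for i in range(4, 8) if new[i] != 0xFFFF]
        if not candidates:
            raise ValueError("interface identifier is all 0xFFFF; cannot translate")
        idx = candidates[0]
    word = _oc_fold(new[idx] + adjust)
    new[idx] = 0 if word == 0xFFFF else word   # negative zero is written as 0x0000
    return _from_words(new)


if __name__ == "__main__":
    # Constructed prefixes: ULA given to WG clients, dynamic /56 from the ISP.
    ula, gua = "fd00:dead:beef::/56", "2001:db8:abcd:ef00::/56"
    for client in ("fd00:dead:beef:1::2", "fd00:dead:beef:1::3"):
        outside = nptv6_translate(client, ula, gua)
        back = nptv6_translate(outside, gua, ula)
        print(f"{client} -> {outside} -> {back}  "
              f"checksum-neutral={checksum_sum(client) == checksum_sum(outside)}")
```

The demo shows the property the post needs: two clients in the same ULA /56 come out as two distinct GUAs (unlike NAT66 overloading them onto the WAN address), and when the ISP prefix changes only the `gua` argument changes, which is what the MikroTik script above was patching into each per-host rule pair by hand.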
#12
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 12, 2022, 09:51:55 PM
OK,

I will delete all FW rules and start with the User Guide to have it working. But my overall goal is to have each of my WG clients use its own IPv6 GUA based on its ULA - hence NPTv6. And that is not part of the User Guide.

Would you be so kind and provide some steps how to achieve that?
#13
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 12, 2022, 09:09:56 PM
NAT-2-setup.png

Also in
#14
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 12, 2022, 08:48:48 PM
Quote from: Greelan on December 10, 2022, 06:56:41 AM
You will need an outbound NAT rule - see step 5(b)

Already in

Please see: NAT-1-setup.png
#15
Virtual private networks / Re: WG Road-warrior IPv6 setup
December 09, 2022, 09:39:10 PM
Part 2 of 2 of my setup