IPv6 - Block traffic between local interfaces

Started by SnejPro, October 21, 2021, 12:10:43 PM

Hi,

I'm trying to learn IPv6 and have a test setup with two VLANs.
Now I am trying to block the IPv6 traffic between the interfaces, so that only internet access is possible.

In IPv4 I solved this with a rule that passes all traffic that is not going to a private IP address, so the default deny rule blocks the local traffic.

In IPv6 every device gets a public IP address. So if I pass all traffic to 2000::/3, the traffic between the local interfaces is allowed as well.

One solution would be to manually block every other IPv6 subnet, but this is a lot of work in bigger networks and has a high risk of mistakes.

Does anyone have an idea?

Greetings

Jens

Hi Jens,

Quote from: SnejPro on October 21, 2021, 12:10:43 PM
In IPv6 every device gets a public IP address.

Not really - you set up a mechanism to issue routable IPv6 addresses to hosts you manage. SLAAC is the most common. Have a look at router advertisements.

Why can't you simply deny all traffic between the interfaces and only allow from each VLAN to the WAN interface?

Bart...

In your IPv6 network, create a rule that blocks the interface net of the other network for IPv6.

So if your IPv6 interface is OPT2, and you want to block LAN and OPT1, create 2 rules in OPT2 for blocking:
Reject IPv6 OPT2 Net to LAN Net
Reject IPv6 OPT2 Net to OPT1 Net

Add a rule to allow out:
Pass IPv6 OPT2 Net to any

You can also create a Firewall Group with your non-IPv6 interfaces, and then your rule would block the Group Net.

Quote from: IsaacFL on October 21, 2021, 03:19:08 PM
You can also create a Firewall Group with your non-IPv6 interfaces, and then your rule would block the Group Net.

Thank you. That is an acceptable way. I would prefer a rule where I can block all other interfaces automatically, without adding them to a Firewall Group, but that's not possible, is it?

A rule like "pass anything that does not have an interface as destination that is currently assigned to OPNsense".

You can use such a group object and "invert destination" for a pass rule to avoid the explicit block rules.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on October 21, 2021, 04:08:19 PM
You can use such a group object and "invert destination" for a pass rule to avoid the explicit block rules.

The only thing about that approach is: what about invalid IPv6 addresses that you probably don't want to try to route, such as ULA addresses, link-local addresses, etc.?

The approach I use is to create a Firewall Group called LocalGroup with all of my local interfaces added. This gives you an alias of "LocalGroup Net" that you can use to allow local traffic or block local traffic. This is especially useful if you have a dynamic prefix, as it gets updated automatically.

The LocalGroup method also works for IPv4, so I have one rule for both.

Quote from: pmhausen on October 21, 2021, 04:08:19 PM
You can use such a group object and "invert destination" for a pass rule to avoid the explicit block rules.

Quote from: IsaacFL on October 21, 2021, 04:38:29 PM
The approach I use is to create a Firewall Group called LocalGroup with all of my local interfaces added. This gives you an alias of "LocalGroup Net" that you can use to allow local traffic or block local traffic. This is especially useful if you have a dynamic prefix, as it gets updated automatically.

Here is a short summary of what I did:
- Create a Firewall Group with both interfaces
- Create in the new Firewall Group a rule that passes all traffic which is not going to either of the two local interfaces

But if I add an interface now and forget to add it to the Group, it will be accessible from the networks in the group.
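A small model of the three rule sets discussed in this thread (the original "pass to 2000::/3", a reject of LocalGroup Net followed by pass any, and a single pass rule with inverted destination), as an added example that is not from the forum or from OPNsense. The interface names, prefixes and destination addresses are constructed; it assumes first-match ("quick") rule evaluation with an implicit default deny, which is how the thread describes the rules behaving.

```python
import ipaddress

# Constructed sample addressing: an ISP-delegated /56 split into one /64 per VLAN.
# "LocalGroup Net" in the thread is the union of the nets of all group members.
LOCAL_NETS = {
    "LAN": ipaddress.ip_network("2001:db8:1:10::/64"),
    "OPT1": ipaddress.ip_network("2001:db8:1:11::/64"),
}
LOCALGROUP_NET = list(LOCAL_NETS.values())
ANY6 = ipaddress.ip_network("::/0")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def evaluate(rules, dst):
    """Evaluate (action, destination nets, invert_destination) rules, first match wins.

    No match falls through to the implicit default deny (assumed, as in the thread).
    """
    dst = ipaddress.ip_address(dst)
    for action, nets, invert in rules:
        matched = any(dst in net for net in nets)
        if matched != invert:
            return action
    return "reject"


# Policy A (original post): pass everything destined to global unicast space.
POLICY_PASS_GUA = [("pass", [GLOBAL_UNICAST], False)]
# Policy B (IsaacFL): reject LocalGroup Net first, then pass any.
POLICY_REJECT_LOCAL = [("reject", LOCALGROUP_NET, False), ("pass", [ANY6], False)]
# Policy C (pmhausen): one pass rule with "invert destination" on LocalGroup Net.
POLICY_INVERTED_PASS = [("pass", LOCALGROUP_NET, True)]


def compare(dst):
    """Return the action each of the three policies takes for one destination."""
    return {
        "pass_gua": evaluate(POLICY_PASS_GUA, dst),
        "reject_local": evaluate(POLICY_REJECT_LOCAL, dst),
        "inverted_pass": evaluate(POLICY_INVERTED_PASS, dst),
    }


if __name__ == "__main__":
    # Constructed destinations: a host on OPT1, an internet host, a ULA host,
    # and a host on a hypothetical OPT2 that was never added to the group.
    for label, dst in [("OPT1 host", "2001:db8:1:11::10"),
                       ("internet host", "2001:db8:ffff::1"),
                       ("ULA host", "fd00::1"),
                       ("forgotten OPT2 host", "2001:db8:1:12::10")]:
        print(f"{label:20s} {compare(dst)}")
```

Running it shows policy A leaking inter-VLAN traffic, policies B and C blocking it, ULA destinations being passed by B and C (the caveat raised above), and a forgotten OPT2 net being reachable under every policy.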

That is why I don't use inverted Pass. It is too easy to pass traffic by mistake.

Better to have a rule in each interface to Pass or Reject LocalGroup, depending on the access required.

You could also create an Alias for your top-level IPv6 prefix (i.e. aaaa:bbbb:cccc:dd00::/56).
Then you have a rule that passes the local traffic that you want and another rule that blocks the total prefix.
Then after that, a rule that passes any. That way you don't have any unused prefixes being routed out the WAN either.


Quote from: IsaacFL on October 21, 2021, 04:57:20 PM
You could also create an Alias for your top-level IPv6 prefix (i.e. aaaa:bbbb:cccc:dd00::/56).
Then you have a rule that passes the local traffic that you want and another rule that blocks the total prefix.
Then after that, a rule that passes any. That way you don't have any unused prefixes being routed out the WAN either.

That's a good solution for a network with a static prefix. But in my test setup I only have a dynamic prefix.

Then you are better off using a rule to pass or reject destination "LocalGroup Net" in each interface if your dynamic prefix changes often.

What will happen is that the other addresses in your prefix will not get blocked by the firewall, but since they are not part of the Local Group they will get routed out of the firewall and die from TTL.

Hmm, I thought the firewall blocks inter-VLAN traffic by default? I imagine that the firewall remembers the prefixes/addresses assigned to each interface and can therefore block it automatically?

I'm just wondering because I don't have the same setup. My ISP only provides a single /64, thus I can only give it to a single interface. Perhaps I will encounter this problem later when I have more prefixes for more VLANs.

I think you are misunderstanding the discussion. The discussion here is about creating block exceptions to an allow all rule.