Author Topic: how to deal with IPv6? (Read 14253 times)

defaultuserfoo · « **Reply #30 on:** May 24, 2022, 02:09:41 pm »

Quote from: pmhausen on May 24, 2022, 01:33:01 pm

And that's it, in my opinion. What do you think?

I think that's awesome and you're a genious

Does it even require the rule to deny everything from Customer net to Customer net? It says everything not explicitly passed is being blocked ...

(I made a test group earlier and then worried I might get locked out, but fortunately, I wasn't ...)

Patrick M. Hausen · « **Reply #31 on:** May 24, 2022, 02:33:03 pm »

Quote from: defaultuserfoo on May 24, 2022, 02:09:41 pm

Does it even require the rule to deny everything from Customer net to Customer net? It says everything not explicitly passed is being blocked ...

IMHO yes, because we want to keep the allow all to any rules for the individual interfaces. And block only inter-VLAN-traffic.

So the block rule is supposed to match that first. And then when the traffic is from local net X to anything else ("the Internet"), the interface rule matches.

If we leave the group ruleset empty, the firewall will just fall through to the interface rules and end up with "permit".

defaultuserfoo · « **Reply #32 on:** May 24, 2022, 07:02:55 pm »

Ah, yes, of course, you're right

avanix · « **Reply #33 on:** May 25, 2022, 08:28:41 am »

Quote from: defaultuserfoo on May 23, 2022, 01:11:39 pm

Oh. I thought your screenshot was a joke. Why do you need so many of the same blocking rules? Aren't these rules blocking stuff? Are those outbound or floating rules?

My screenshot was not a joke.
The idea was to have several VLANs and put the devices that shoud be seperated in these VLANs. E.g. my office PC and the NAS are in one VLAN, the smartphones, Apple TV and stuff like this in an other VLAN. Each VLAN has the blocking rules to block access to every other VLANs and in the end an allow all rule for Internet Acces. When I need a communication between the VLANs I add a allow rule in front like in the Screenshot for the Remote Desktop Port.
Maybe there are simpler solutions, but this one worked for me and separates devices like me office PC from the smartphones and the NAS...
The idea should also work for IPv6 because for the sole separation between the VLANs no direct IPv6 based rule is needed. And for devices without internet access the allow all rule on the end can be removed for a VLAN without Internet.

defaultuserfoo · « **Reply #34 on:** May 25, 2022, 11:46:16 am »

Ah, now I see! It's basically what I did, only you have a lot more VLANs, and you always explicitly use VLAN30 as source in all the rules (Where else could the packets come from?).

The solution Patrick (pmhausen) came up with that uses an interface group might save you all these rules. I'll try that in a couple days.

defaultuserfoo · « **Reply #35 on:** May 28, 2022, 03:03:58 pm »

The group interface doesn't seem to work right, see https://forum.opnsense.org/index.php?topic=28543.0

Author Topic: how to deal with IPv6? (Read 14253 times)

defaultuserfoo

Re: how to deal with IPv6?

Patrick M. Hausen

Re: how to deal with IPv6?

defaultuserfoo

Re: how to deal with IPv6?

avanix

Re: how to deal with IPv6?

defaultuserfoo

Re: how to deal with IPv6?

defaultuserfoo

Re: how to deal with IPv6?