Topic: Blocking IPV6 addresses from Internet access (Read 1633 times)
JoK (December 09, 2023, 01:08:36 pm):
Hi
I got an alias set up and LAN rules that I can add IPv4 addresses to so that they can't get access to the internet. I assign the device that I want to block a static IPv4 address and then add that to the alias; it works perfectly.
The problem is when the device also gets an IPv6 address. Can I do the same thing with IPv6: give the device a static IPv6 address and then add that to the alias? I'm not sure how to do that.
meyergru (Reply #1, December 09, 2023, 03:48:58 pm):
The problem is that there is no such thing as a single IPv6 address. You cannot keep a device from randomly using several IPv6 addresses at once, e.g. for IPv6 privacy extensions. But you can define MAC aliases and use that in firewall rules.
That way, unless your clients spoof MAC addresses (which some do), you can block internet access more directly (also for IPv4).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
JoK (Reply #2, December 09, 2023, 04:04:08 pm):
Thanks, it sounds a little advanced. Is it possible to only use IPv6 local?
meyergru (Reply #3, December 09, 2023, 04:29:59 pm):
How is this advanced? There is an alias type "MAC address". You would need the MAC address to assign static IPs anyway, and then you need to block those IPs, which is one unnecessary indirection.
Just create a MAC alias and use that in your blocking rule(s).
If you mean an RFC1918 equivalent for IPv6 by "IPv6 local", yes, that exists in the form of ULA. But if you limit your network to ULA only, none of your clients could access the internet by IPv6.
Once you enable IPv6 GUA (globally routable addresses), any client can take up any number of these. So, you have to block those relevant IPv6s (which you do not know). So, just block based on the client's MAC. You can use the same MAC alias for IPv4 and IPv6 rules.
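Added example (not part of the original posts): a Python sketch of the point made in the reply above, that one client holds several IPv6 addresses at once, so an alias listing one address misses the others while the MAC stays the common key. The neighbor entries, prefixes and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed neighbor entries ("IPv6 address  MAC"), not real data.
# 2001:db8::/32 is the documentation prefix standing in for a GUA prefix;
# fd12:3456:789a::/48 is a made-up ULA prefix.
NEIGHBORS = """\
fe80::a8bb:ccff:fedd:eeff aa:bb:cc:dd:ee:ff
2001:db8:1:10:a8bb:ccff:fedd:eeff aa:bb:cc:dd:ee:ff
2001:db8:1:10:5c1e:9f02:77ab:3d41 aa:bb:cc:dd:ee:ff
fd12:3456:789a:10:5c1e:9f02:77ab:3d41 aa:bb:cc:dd:ee:ff
2001:db8:1:10::50 00:11:22:33:44:55
"""

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GUA = ipaddress.ip_network("2000::/3")

def scope(addr):
    """Classify an address as link-local, ULA or GUA."""
    for name, net in (("link-local", LINK_LOCAL), ("ULA", ULA), ("GUA", GUA)):
        if addr in net:
            return name
    return "other"

def eui64_iid(mac):
    """Interface identifier that classic SLAAC derives from a MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def addresses_by_mac(text):
    """Group every observed address under the MAC that answered for it."""
    table = defaultdict(list)
    for line in text.split("\n"):
        if not line.strip():
            continue
        ip_s, mac = line.split()
        addr = ipaddress.IPv6Address(ip_s)
        iid = int(addr) & ((1 << 64) - 1)
        kind = "MAC-derived" if iid == eui64_iid(mac) else "not MAC-derived"
        table[mac.lower()].append((str(addr), scope(addr), kind))
    return dict(table)

def missed_by_ip_alias(text, alias_ips, mac):
    """GUAs of `mac` that an alias listing `alias_ips` would not match."""
    alias = {ipaddress.IPv6Address(a) for a in alias_ips}
    return [a for a, sc, _ in addresses_by_mac(text)[mac]
            if sc == "GUA" and ipaddress.IPv6Address(a) not in alias]
```

In the constructed table the first client answers for four addresses (link-local, two GUA, one ULA); an address alias holding only its MAC-derived GUA leaves the second GUA unmatched, whereas a rule keyed on the MAC covers all of them.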
JoK (Reply #4, December 09, 2023, 05:55:28 pm):
Sounds like it's easier to disable IPv6 DHCP….
meyergru (Reply #5, December 09, 2023, 06:17:41 pm):
...thereby disabling all clients. I thought you wanted to block certain clients only?
If you wanted to disable IPv6 altogether, you could do so in OPNsense settings. Or block all IPv6 traffic. Disabling DHCPv6 only does not keep any client from using IPv6, since DHCPv6 is only one of three variants to get an IPv6 address - the other ones are static assignment (like with IPv4) and SLAAC.
JoK (Reply #6, December 09, 2023, 08:13:50 pm):
Well, I'm not that experienced in OPNsense and IPv6, so this is way over my head…. I think disabling IPv6 maybe is the way to go.