Best way to set up DMZ with IPv6

Started by User074357, April 03, 2026, 12:54:13 AM

Hello everyone, I recently decided to support IPv6 in my LAN network.
I have a /59 prefix from my ISP with a FritzBox and am using prefix delegation to delegate a /60 prefix for my OPNsense box.
My LAN network has its own /64 prefix now and everything works as expected.

Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules. For IPv4 I currently have the following rules:

However, I'm not sure how to create such a rule for IPv6, one that allows access to the internet while blocking access to the LAN and also to the FritzBox on the WAN interface. For IPv4 this was all covered by the RFC 1918 networks. Can I simply block access to the /59 prefix somehow? However, since this prefix is assigned dynamically by the ISP, I'm not sure how to proceed.

Thanks in advance!

April 03, 2026, 03:04:40 PM #1 Last Edit: April 03, 2026, 03:07:30 PM by drosophila
This should be what "LAN net" resp. "!WAN net" is for. However, with "LAN net", if you add more interfaces, you'd need to add each of these manually, which violates the "what isn't explicitly allowed is denied" rule. You'd have to test whether "!WAN net" will also block anything outside the provider's prefix.

Quote from: drosophila on April 03, 2026, 03:04:40 PM
This should be what "LAN net" resp. "!WAN net" is for. However, with "LAN net", if you add more interfaces, you'd need to add each of these manually, which violates the "what isn't explicitly allowed is denied" rule. You'd have to test whether "!WAN net" will also block anything outside the provider's prefix.

Thanks! I added the following rule with an alias including my LAN, WAN and the DMZ network itself (OPT8). This seems to work as expected.
Does this look good?

Using "Firewall: Diagnostics: Aliases" I can confirm that __wan_network includes the /64 prefix of the network the OPNsense is in. However, it does not include any of the other prefixes delegated by the FritzBox. Ideally I'd want it to block the entire /59 prefix.

Quote from: User074357 on April 03, 2026, 12:54:13 AM
My LAN network has its own /64 prefix now and everything works as expected.

Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules.

However, I'm not sure how to create a rule for IPv6, which allows access to the internet
I am not sure about this part:
Quote:
while blocking access to LAN and also the FritzBox on the WAN interface.

Can I simply block access to the /59 prefix somehow?
However, since this prefix is dynamic by the ISP I'm not sure how to proceed.
But I would expect the following situation:
- Your IPv6 prefix is valid for at least a certain period if it's not completely static.
- Each of your networks gets a /64 based on an ID you can assign to them: 0/1/2/3/4/etc.
- You could put all of these /64s in an alias, cut off at the ID.
- And then use this alias in the firewall rule(s).

In case your IPv6 prefix changes, the amount of editing you need to do is minimal this way :)



I can't find any information about the ID that I am mentioning here @ https://docs.opnsense.org/ so I feel like I am saying something wrong here, but I am pretty sure I am not?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
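As an added example (not code from the thread or from OPNsense), the subnet-ID scheme nero355 describes and the "does the alias cover the /59?" check User074357 ran, done with Python's ipaddress module so the alias contents can be regenerated whenever the ISP prefix changes. All prefixes, subnet IDs and hosts are constructed documentation-range values.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-ins for the thread's dynamic addressing (2001:db8::/32 is a
# documentation range; nothing here is a real deployment value).
ISP_PREFIX = "2001:db8:abcd::/59"           # what the FritzBox gets from the ISP
DELEGATED_PREFIX = "2001:db8:abcd:10::/60"  # what the FritzBox delegates to OPNsense
WAN_NET = "2001:db8:abcd::/64"              # the /64 the OPNsense WAN interface sits in
SUBNET_IDS = {"LAN": 0, "DMZ": 1}           # per-interface subnet ID inside the /60


def derive_subnets(prefix: str, ids: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Map each interface to its /64, selected by subnet ID within the delegated prefix.
    A /60 holds 16 /64s, so IDs must be 0..15; regenerate after every prefix change."""
    subnets = list(ipaddress.IPv6Network(prefix).subnets(new_prefix=64))
    if max(ids.values()) >= len(subnets):
        raise ValueError(f"subnet ID out of range for {prefix}")
    return {name: subnets[sid] for name, sid in ids.items()}


def build_blocklist(delegated: str, ids: Dict[str, int],
                    extra: Iterable[str] = ()) -> List[ipaddress.IPv6Network]:
    """Alias contents for a 'block DMZ -> these destinations' rule: every derived /64
    plus any extra networks (e.g. the WAN /64, or the whole ISP /59)."""
    nets = list(derive_subnets(delegated, ids).values())
    nets += [ipaddress.IPv6Network(n) for n in extra]
    return sorted(set(nets))


def dmz_verdict(dst: str, blocklist: Iterable[ipaddress.IPv6Network]) -> str:
    """'block' if the destination lies inside any alias network, else 'pass'
    (mirrors a block rule with the alias as destination, followed by allow-any)."""
    addr = ipaddress.IPv6Address(dst)
    return "block" if any(addr in net for net in blocklist) else "pass"


def missed_by_wan_net(dst: str, wan_net: str, isp_prefix: str) -> bool:
    """True when a '!WAN net' style rule would still let this internal destination
    through: it is inside the ISP's prefix but outside the single WAN /64."""
    addr = ipaddress.IPv6Address(dst)
    return (addr in ipaddress.IPv6Network(isp_prefix)
            and addr not in ipaddress.IPv6Network(wan_net))
```

Feeding `ISP_PREFIX` as an extra entry is what closes the gap User074357 observed, at the cost of updating that one entry when the ISP prefix changes.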

Quote from: User074357 on April 03, 2026, 07:56:35 PM
Using "Firewall: Diagnostics: Aliases" I can confirm that __wan_network includes the /64 prefix of the network the OPNsense is in. However, it does not include any of the other prefixes delegated by the FritzBox. Ideally I'd want it to block the entire /59 prefix.
This was what I've been looking for, so thanks for pointing that out to me! :)

I wonder, however: shouldn't the default "block any from any" last-match rule catch everything already? It should, so you wouldn't need to create aliases for this. Is the LAN even reachable from the OPT8 interface by default? This won't show from the OPNsense box itself due to the "let out anything from the firewall host itself" rule, so you'd need to test it with an actual device on OPT8. From what I see, it should work that way, but I cannot test this because I only have WAN and LAN interfaces.
Quote from: nero355 on April 03, 2026, 10:37:24 PM
In case your IPv6 prefix changes, the amount of editing you need to do is minimal this way :)
This won't do; the prefix must be expected to change at any time, unless the OP pays for a static prefix, which is unlikely. Mine changes every time I reconnect (and I like it that way for privacy reasons, so I enforce daily reconnects just like with IPv4).
Quote from: nero355 on April 03, 2026, 10:37:24 PM
I can't find any information about the ID that I am mentioning here @ https://docs.opnsense.org/ so I feel like I am saying something wrong here, but I am pretty sure I am not?!
What you probably have in mind will be the VLAN ID. The OP doesn't seem to utilize VLANs but the traditional topology of physically distinct subnets. Of course, you can assign a VLAN-ID-like infix to the subnet but contrary to VLANs this is optional.