Topic: How to block internet access for one device vs IPv6 ? (Read 2987 times)
GiantJack
Jr. Member
Posts: 58
Karma: 1
How to block internet access for one device vs IPv6 ? « on: December 01, 2019, 12:14:52 pm »
Hi there!
I have a device for which I wish to block internet access.
For IPv4, no problem, I just add a rule to block any traffic from 192.168.1.xx (xx is my device) to the internet.
I have a static IP in DHCP for this device.
Then comes IPv6... I could disable it on this device, but let's be modern and learn how to deal with it.
I do not have IPv6 DHCP... my ISP provides me a full range of IPv6 and to be honest, I followed a howto and I do not 100% understand how it works.
My modem is somewhat distributing IPv6 to my devices on LAN.
I assume I have to add an IPv6 rule to block internet access from IPv6, but how can I check if my IPv6 is static or not?
One day, I will understand all of this !
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: How to block internet access for one device vs IPv6 ? « Reply #1 on: December 01, 2019, 12:41:03 pm »
You could disable the privacy extensions; then the last 64 bits should stay the same. The other option would be DHCPv6.
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: How to block internet access for one device vs IPv6 ? « Reply #2 on: December 01, 2019, 02:20:38 pm »
With OPNsense this can currently only be done with a static IPv6 prefix. It's not possible to create firewall rules which work with dynamic prefixes. I think this is work in progress (other firewalls can do it).
Whether your prefix is static or not, you have to ask your ISP. On a business plan it should be, on a consumer plan it usually isn't. But even if you don't officially get a static prefix, many ISPs won't change it for months or even years. You'll have to find out. Just make sure "Prevent release" is enabled in the WAN interface DHCPv6 settings.
Like fabian explained, even with a static prefix, it only works when using stateful DHCPv6 (not supported by all devices) or disabling privacy extensions on the device (also not possible on some devices).
A more robust approach would be moving the device(s) to a separate "no Internet" (V)LAN.
Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
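Added example, not part of the thread: a way to answer the "is my IPv6 static or not" question from addresses noted for the device on different days, by checking whether the /64 prefix and the last 64 bits both stay the same. The MAC and addresses are constructed sample data, and the EUI-64 check assumes classic SLAAC with privacy extensions off (some systems derive a stable interface ID differently).

```python
import ipaddress

def eui64_iid(mac):
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def split(addr):
    """Return (/64 prefix as int, low 64 bits) of an IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64 << 64, n & (2**64 - 1)

def assess(observations, mac):
    """Judge whether one fixed address can identify the device in a rule."""
    pairs = [split(a) for a in observations
             if not ipaddress.IPv6Address(a).is_link_local]  # fe80::/10 never routes out
    prefixes = {p for p, _ in pairs}
    iids = {i for _, i in pairs}
    result = {
        "prefix_stable": len(prefixes) == 1,
        "iid_stable": len(iids) == 1,
        "iid_is_eui64": iids == {eui64_iid(mac)},
        "rule_source": None,  # address usable as rule source, if any
    }
    if result["prefix_stable"] and result["iid_stable"]:
        result["rule_source"] = str(ipaddress.IPv6Address(pairs[0][0] | pairs[0][1]))
    return result

# Constructed sample data (documentation prefix 2001:db8::/32, made-up MAC).
MAC = "00:11:22:33:44:55"
STABLE = ["fe80::211:22ff:fe33:4455",
          "2001:db8:1234:1:211:22ff:fe33:4455",
          "2001:db8:1234:1:211:22ff:fe33:4455"]
PRIVACY = ["2001:db8:1234:1:5c3a:91ff:2b07:e4d1",
           "2001:db8:1234:1:a8f2:17c4:90be:33a0"]
RENUMBERED = ["2001:db8:1234:1:211:22ff:fe33:4455",
              "2001:db8:beef:1:211:22ff:fe33:4455"]

if __name__ == "__main__":
    for name, obs in [("stable", STABLE), ("privacy", PRIVACY), ("renumbered", RENUMBERED)]:
        print(name, assess(obs, MAC))
```

A `rule_source` of `None` means a per-address block rule would stop matching sooner or later, which is the case where the separate "no Internet" (V)LAN is the safer choice.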