How to know, detect or set IPv6 addresses for firewall use?

Started by GiantJack, April 02, 2020, 08:38:40 AM

Hi there!

I use OPNsense on my DSL connection.
My modem is a special one provided by my ISP (it's called Freebox, for those who know it).
It does provide IPv6 addresses and I have set up OPNsense following a howto to manage it.
As far as I understood, it uses SLAAC.

I have also read several times that Android devices are not DHCPv6 friendly... but there are several ways to use DHCPv6, maybe some work?

So now: how am I supposed to handle IPv6 firewall rules with this SLAAC process?

Is there a way to get OPNsense to grab and identify the IPv6 addresses on my LAN?
One day, I will understand all of this !

IPv6 is a security nightmare (by design...) and nearly nobody knows how to configure a firewall safely. Stay away.

Or wait 5 min, then the experts will tell you the opposite here... :-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

That's a very long 5 min ;D
One day, I will understand all of this !

8o)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Android devices do not use DHCPv6, so you must have RADVD running in assisted mode, a pain in the bum if you want a purely managed system; however, it is what it is.
Have you successfully got a global IPv6 address on your LAN?
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on April 15, 2020, 11:51:05 AM
Android devices do not use DHCPv6, so you must have RADVD running in assisted mode, a pain in the bum if you want a purely managed system; however, it is what it is.

Have you successfully got a global IPv6 address on your LAN?
I have successfully set IPv6 on WAN and LAN, and it propagates to my devices.
But except for the OPNsense WAN & LAN IPs, which are fixed, I cannot really identify from OPNsense which IPv6 addresses are on my LAN; for the moment I use this SLAAC thing (as far as I understand).
I have Services / Router Advertisements enabled with assisted mode.

DHCPv6 is currently disabled.

I used this howto to set up IPv6 on OPNsense, also with my specific ISP modem (but it's in French).

So if I understood correctly, I could enable DHCPv6 that could be used by PCs, and Android devices will do the job by themselves like currently with the RA assisted thing?

I have another related question: it seems to be good practice to change a device's IPv6 address frequently for privacy. A static IPv6 address, like those IPv6 addresses built from the MAC address, would be too easy for those guys who love to track us.
Now if I set a static IPv6 lease in DHCPv6... isn't it a bad idea for privacy?

Sent from my ONEPLUS A6013 using Tapatalk

One day, I will understand all of this !

If you don't know which client has which IPv6 addresses (yes, more than one per device, in fact multiple addresses) you can actually never control the internet services on a per-client basis. It's a complete nightmare made for surveillance and to stop you from controlling your LAN. :-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Unless you are running a server, which obviously should have a static address, there is no need to set fixed IPs. As chemlud has pointed out, multiple addresses are used for privacy, and with Windows you have to disable the privacy extensions anyway if you want to run a static v6. You can set statically assigned v6 addresses in the DHCPv6 server and the device will be given that address as one of its addresses.

I have a couple of servers that are static, one is an Ubuntu web server and the other is a W10 device with privacy extensions disabled.

IPv6 is fun. :)

What exactly are you trying to do?
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
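To make chemlud's "more than one address per device" and marjohn56's privacy-extension point concrete, here is an added example (not code from the thread or from OPNsense) that groups an NDP cache by MAC and flags global addresses whose interface identifier is the MAC-derived EUI-64. The `ndp -an` output is a constructed sample in the FreeBSD column layout, using the 2001:db8::/32 documentation prefix and made-up MACs; on a real OPNsense box you would feed it the actual command output.

```python
import ipaddress

# Constructed sample of `ndp -an` output as seen on FreeBSD/OPNsense. Prefix
# 2001:db8::/32 is the documentation range and the MACs are made up.
SAMPLE_NDP = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4455%igb1        00:11:22:33:44:55  igb1  23h59m55s S R
2001:db8:1:0:211:22ff:fe33:4455      00:11:22:33:44:55  igb1  23h59m55s S R
2001:db8:1:0:9c4b:7d3e:1f2a:8b6c     00:11:22:33:44:55  igb1  17h3m12s  S
2001:db8:1:0:3a1f:55e0:b21c:d9e      00:11:22:33:44:55  igb1  5h41m2s   S
fe80::1%igb1                         aa:bb:cc:dd:ee:01  igb1  permanent R
2001:db8:1::1                        aa:bb:cc:dd:ee:01  igb1  permanent R
"""

GUA = ipaddress.IPv6Network("2000::/3")   # global unicast space

def eui64_iid(mac):
    """Interface identifier SLAAC derives from a MAC (modified EUI-64, RFC 4291)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def classify(addr, mac):
    """Label one NDP entry: link-local, MAC-derived global, or other global."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop the %ifname scope id
    if ip.is_link_local:
        return "link-local"
    if ip not in GUA:
        return "other"
    if int(ip) & ((1 << 64) - 1) == eui64_iid(mac):
        return "global-eui64"        # stable and MAC-derived: easy to track
    return "global-other"            # temporary (RFC 4941) or manually static

def parse_ndp(text):
    """Group the NDP cache by MAC so every address of a client is visible."""
    hosts = {}
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, mac = parts[0].split("%")[0], parts[1].lower()
        hosts.setdefault(mac, []).append((addr, classify(addr, mac)))
    return hosts

def mac_derived_globals(hosts):
    """Clients whose global address embeds their MAC (no privacy extensions)."""
    return sorted((mac, a) for mac, entries in hosts.items()
                  for a, kind in entries if kind == "global-eui64")

if __name__ == "__main__":
    for mac, entries in parse_ndp(SAMPLE_NDP).items():
        print(mac)
        for addr, kind in entries:
            print(f"  {addr:40} {kind}")
```

The NDP cache cannot tell a temporary privacy address from a manually configured one, so `global-other` covers both; what it does show reliably is which clients still expose a MAC-derived address.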

Agreed for servers, no problem.

But I see some situations where I would like to set IPv6 rules in the OPNsense firewall for other devices.
For example, it could be kids' devices (phone, PC) where I may want to cut internet during the night.
Or IoT devices where I may want to cut any unnecessary/unexpected connection to the internet (like call-home messages).

I think about a possible trick I have in my pocket ;D.
My ISP provides me with 8x /64 IPv6 subnets (with those "next hop" I can set in my modem).
It might be possible that I use those subnets to define 8 "groups" I could rule in OPNsense.
Let's say one subnet for servers (static IPs), one for my PCs or phone, one for IoT devices, one for kids etc...
If I cannot know a device's exact IPv6 address, this way I could apply firewall rules to its entire subnet.
What do you think?
One day, I will understand all of this !

If you want to have separate security rules, you should separate clients by VLAN. IP address spoofing is all too easy.

This may need VLAN capable access switches and/or WiFi with separate SSID support per VLAN. TP-Link makes some cheap and cheerful kit for this (other vendors are available).

Bart...

As Bart said, VLAN is the best way to do that. TP-Link EAP225s are good, I have three of them with multiple VLANs with separate SSIDs. You could give the kids the password for one SSID and keep the other one(s) for adult-only access. It also allows you to separate out IoT devices such as Amazon Echoes, Google and similar devices. It costs a bit to get it set up but they work well with D-Link 1100 series managed switches.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Yes, VLAN could do it, but to be honest, I'm not comfortable with them so far... last time I tried one, it gave me headaches ;D
But I will re-think about it, I agree it's made for such filtering (and learning about VLANs is on my to-do list, as well as IPv6).

I do have a separate WiFi AP for kids (OpenWrt). Currently I made it IPv4 only.
They have their own subnet with a few rules (in OpenWrt & in OPNsense) to schedule internet access and allow access to some devices like the printer.
I'm not sure what you meant by IP spoofing? But I have blocked on the OpenWrt AP any IP different from what I set for their devices (PC, phones).

Gosh, are you suggesting I can try IPv6 + VLAN? :o :o :o (I foresee some hard moments for myself ;D)
One day, I will understand all of this !

VLANs are pretty simple once you get your head around them. Took me a while to work out the difference between trunk, hybrid and access, and of course every switch manufacturer uses different terminology; but once you get past that bit it's not too harsh. Setting up VLANs on OPNsense is painless too, and I'm happy to say it all works very well.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

El Reg did a good article about them a few years back: https://www.theregister.co.uk/2017/06/30/vlans_at_20/

IPv6 doesn't make them any more complex, or easier for that matter  ;)

Bart...

Thank you guys, I will check this and learn :)
One day, I will understand all of this !