Why not just block all traffic except what you want to allow? I don't see how IPv6 is any different in that respect or should have a different approach.

My general advice with IPv6 is to not overthink it.
The main problem people frequently face is thinking of privilege per IP address. And that does not easily carry over into the IPv6 world.

I am rather old school in my thinking about firewalls and have used products that support and encourage the use of zones or "burbs" (from suburb) as Sidewinder originally called them. So you say machines in this zone may access these services in that zone. And never use IP addresses anywhere, at least not for outbound connections. When doing reverse NAT to servers in a DMZ or similar, of course you often cannot avoid explicit addresses.

So my general recommendation is to put machines of like privileges all together in a separate VLAN and specify rules per interface, which OPNsense easily facilitates. And do not worry about particular addresses too much. Rather assume that IP addresses can and will be forged. Always put untrustworthy devices behind a separate interface.

HTH,
Patrick
Don't use the (changing) address in the rule. Just state which applications (protocols, ports) are to be allowed and set the address to "any".

If you have different policies for particular devices, put all devices that share a common policy behind one interface for that group.

If you don't have enough interfaces, use a VLAN capable switch and VLANs.

HTH,
Patrick
For outgoing IPv6 access, you can usually allow any -> any, so the only question is incoming IPv6 traffic.
You do not have to allow access from a "limited" VLAN to your LAN, but that is not any different from IPv4.
For incoming access, you block everything and only explicitly allow specific devices via firewall aliases like I described. There is no such thing as a privacy issue here, because the key point in allowing access to a specific device is "specific" - you have to "name" it somehow:
First off, that is something completely decoupled from whether that same device has another IPv6 address which it uses to access the internet from inside out - you can well use IPv6 privacy extensions for that independently of how it is being accessed from outside. Effectively, you will have to use a dynamic DNS service of one kind or the other (otherwise you cannot know the current IPv6 prefix and thus not the full IPv6 address of the device in question).
Having cleared that out of the way, the only question could be if you can guess anything from the lower 64 bits of the IPv6 address. The answer is yes, if you use SLAAC, because the contained MAC gives away the manufacturer of the device. But as I said, you could as well use DHCPv6 with artificial addresses.
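The SLAAC point above is easy to check on your own address plan. The following is an added example, not code from the thread or from OPNsense: it tests whether the low 64 bits of an IPv6 address are a Modified EUI-64 identifier (RFC 4291, recognisable by the fixed ff:fe bytes in the middle), undoes the universal/local bit flip to recover the MAC, and reports the OUI (first three octets) that identifies the manufacturer. Addresses generated by privacy extensions or handed out by DHCPv6 with artificial identifiers are not flagged. The sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress


def eui64_to_mac(addr: str):
    """Return the MAC embedded in a SLAAC/EUI-64 interface identifier,
    or None if the identifier is not EUI-64 shaped (privacy extensions,
    DHCPv6, manually chosen addresses)."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                     # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":             # EUI-64 pads the 48-bit MAC with ff:fe
        return None
    first = iid[0] ^ 0x02                   # undo the universal/local bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def oui(mac: str) -> str:
    """The first three octets of a MAC are the vendor-assigned OUI."""
    return mac[:8]


def audit_prefix(addresses):
    """For a list of addresses on your own prefix, return those whose
    interface identifier reveals a MAC, mapped to address -> OUI."""
    leaks = {}
    for a in addresses:
        mac = eui64_to_mac(a)
        if mac is not None:
            leaks[a] = oui(mac)
    return leaks


# Constructed sample: one SLAAC address, one privacy-extension style address.
SAMPLE = [
    "2001:db8::21b:21ff:fe0c:1234",     # EUI-64 from MAC 00:1b:21:0c:12:34
    "2001:db8::a1b2:c3d4:e5f6:789",     # random identifier, nothing to recover
]

if __name__ == "__main__":
    for addr, vendor in audit_prefix(SAMPLE).items():
        print(f"{addr} exposes OUI {vendor}")
```

The audit lists only addresses in your own subnet that you feed it; whether an OUI maps to a vendor name is a lookup against the IEEE registry, which the example deliberately leaves out.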
Everything you do not explicitly allow is blocked in OPNsense. But now I better understand your problem. Yes, there is no "destination interface" in pf rules, which would be necessary to have a true zone based firewall.

But while the general advice is to filter on ingress, I think in any multi-tenant or similar scenario filtering on egress can be helpful.

So you have one or multiple separate server networks (zones) and a LAN for general use and a general "permit all" rule for the LAN. Do I have that right?

You could use an outbound rule in the "server" interface like "deny from LAN net". That should work even with a changing "LAN net". I do not have a ready-made config yet, but I am actively exploring this route, because I did replace a zone based firewall with OPNsense and in one situation I have multiple hosting tenants that should all be able to reach "the Internet", but only reach other tenants at the same services those want accessible publicly. I think that's very similar to your requirements. And I think outbound rules might be the way to go in that case.

HTH,
Patrick
Not exactly ... For simplicity, let's assume that I have a LAN and a guest VLAN. With IPv4, the common way to set it up is to block everything to all private networks and then allow everything to anywhere so that devices on the guest VLAN have internet access. That nicely protects your LAN because all devices on the LAN have IP addresses within the private networks which cannot be reached from the devices on the guest VLAN.
With IPv6, that doesn't work because suddenly, all the devices on the LAN have not only addresses within private networks but also have public IP addresses; and your LAN is unprotected because the rule on the guest VLAN that allows everything to everywhere also allows access to the devices on your LAN and you can't reasonably block that, especially not when the IP addresses of the devices on the LAN keep changing all the time.