how to deal with IPv6?

[defaultuserfoo]

Hi,

how can I deal with IPv6 addresses in firewall rules?

I have a static v4 WAN address and dynamic IPv6 addresses with a prefix length of 56.  I have several VLANs, and I am trying to make firewall rules on one of the VLANs which will:


+ allow all devices on the VLAN to access particular devices on the LAN

+ deny all devices on the VLAN all access to other VLANs

+ allow all devices on the VLAN to have internet access


The devices on the LAN and on the VLAN have known IPv4 addresses and automatically assigned global IPv6 addresses.  Since I can not know the IPv6 addresses, I'm finding myself unable to create the firewall rules I need.

That must be a common problem?  What's the best way to deal with this?

[meyergru]

It is only the higher 56 (or whatever prefix length you get) that are dynamic. You can create "Dynamic IPv6 host" firewall aliases that are automatically assigned with the prefix.

The lower part of the final adress (usually 64 bits) can be predicted either by the device's MAC if SLAAC is used or via static DHCPv6 reservations.

Thus, you can create firewall rules for aliases that reference a specific device's full IPv6 address.

[defaultuserfoo]

Thank you, it's good to know about this feature!

I'm using DHCPv6, and one of the devices has, for example, obtained a global IPv6 address like "<prefix>:8a06:20b1:cf3e:1602/64".   If this device would always get the same suffix, I would be having privacy issues.  The only static IPv6 addresses I'm using are for internal purposes only and have the "fd" prefix.  At least as long as I don't get global static IPv6 addresses (which I can't and which sucks), all global IPv6 addresses are not constant.

I have been trying to work around this by explicitly blocking access where I want it blocked, but that is a very bad approach because it means that sooner or later, I will forget to block something.  I want to have everything blocked and allow only what I want to allow, but the problem is that I must have a rule that allows everything to everywhere so that the devices can have internet access.

I don't understand yet how creating "Dynamic IPv6 Host" firewall aliases can help with this problem.  Maybe I need to re-phrase the question:

How can I make it so that all traffic going into a particular interface (VLAN) is blocked except the traffic I explicitly allow, given that the IP addresses the traffic originates from are not constant and that the devices conntected to that interface (devices in that VLAN) need to have internet access?

[BoodahsFever]

Why not just block all traffic except what you want to allow? I don't see how IPv6 is any different in that respect or should have a different approach.

My general advice with IPv6 is to not overthink it.

[Patrick M. Hausen]

The main problem people frequently face is thinking of privilege per IP address. And that does not easily carry over into the IPv6 world.

I am rather old school in my thinking about firewalls and have used products that support and encourage the use of zones or "burbs" (from suburb) as Sidewinder originally called them. So you say machines in this zone may access these services in that zone. And never use IP addresses anywhere, at least not for outbound connections. When doing reverse NAT to servers in a DMZ or similar, of course you often cannot avoid explicit addresses.

So my general recommendation is to put machines of like privileges all together in a separate VLAN and specify rules per interface which OPNsense easily facilitates. And do not worry about particular addresses too much. Rather assume that IP addresses can and will be forged. Always put untrustworthy devices behind a separate interface.

HTH,
Patrick

[defaultuserfoo]

Why not just block all traffic except what you want to allow? I don't see how IPv6 is any different in that respect or should have a different approach.

My general advice with IPv6 is to not overthink it.

It's what I'm trying to do.  How do I do that?

I would need a rule like "block everything but allow everything that needs to be allowed and allow internet" --- "internet" meaning everything on the other side of the WAN interface(s).  There are devices with global IPv6 addresses on this side of the WAN interface, and these addresses keep changing.

How do I make such a rule?

[Patrick M. Hausen]

Don't use the (changing) address in the rule. Just state which applications (protocols, ports) are to be allowed and set the address to "any".

If you have different policies for particular devices, put all devices that share a common policy behind one interface for that group.

If you don't have enough interfaces, use a VLAN capable switch and VLANs.

HTH,
Patrick

[defaultuserfoo]

The main problem people frequently face is thinking of privilege per IP address. And that does not easily carry over into the IPv6 world.

I am rather old school in my thinking about firewalls and have used products that support and encourage the use of zones or "burbs" (from suburb) as Sidewinder originally called them. So you say machines in this zone may access these services in that zone. And never use IP addresses anywhere, at least not for outbound connections. When doing reverse NAT to servers in a DMZ or similar, of course you often cannot avoid explicit addresses.

So my general recommendation is to put machines of like privileges all together in a separate VLAN and specify rules per interface which OPNsense easily facilitates. And do not worry about particular addresses too much. Rather assume that IP addresses can and will be forged. Always put untrustworthy devices behind a separate interface.

HTH,
Patrick

IIUC, you suggest to create some kind of replacement for a zone-based firewall.  That works fine with IPv4 --- letting aside how little actual IP addresses are being used in zone-based firewalls --- because the distinction between "internet" and "not internet" remains clear.  That is so because what's "not internet" has IP addresses in the private address ranges.

That doesn't work with IPv6 because devices are meant to have global addresses (besides link-local addresses and addresses in private address ranges).  So technically, there is no distinction between "internet" and "not internet".

But in practise, I still do have that distinction because the devices on my side of the WAN interface are "not internet" regardless of their addresses, and everything on the other side of the WAN interface is "internet", regardless of the addresses.

The problem is that I don't see a way to deal with the practical distinction in the firewall because there aren't any reasonable means to do that.  Or what is the solution and the means?

Using VLANs to create a distinction doesn't work, or does it?  My server is already on a different VLAN than the guest-like VLAN.  I still need to somehow block access from the guest-like VLAN to my server and allow only what I want to allow while I have to allow everything from the guest-like VLAN to anywhere so devices on that VLAN have internet access.  I can create blocking rules on the guest-like VLAN, and I can't very well create them on the VLAN the server is on because OPNsense fancies blocking in ingress and not on egress.

That leaves the problem that I may forget to block something, and that is what I want to overcome.  I shouldn't be required to block stuff; I should be able to have everything blocked by default so I can only allow what I want to allow.

[defaultuserfoo]

Don't use the (changing) address in the rule. Just state which applications (protocols, ports) are to be allowed and set the address to "any".

If you have different policies for particular devices, put all devices that share a common policy behind one interface for that group.

If you don't have enough interfaces, use a VLAN capable switch and VLANs.

HTH,
Patrick

But I don't want devices on the guest-like VLAN to be able access ports on all the devices on the LAN VLAN (where my server is).  And I still need the anything to anywhere rule for allowing internet access for devices on the guest-like VLAN, and that means I can't just allow only what I want to allow.  I first have to allow what I want to allow, then block everything I don't want to allow and then, as the last rule, I have to allow everything for allowing internet access.

It's doable, but it's a bad setup and too much prone to errors because it's too easy to forget to block something.

[meyergru]

For outgoing IPv6 access, you can usually allow any -> any, so the only question is incoming IPv6 traffic.
You do not have to allow access from a "limited" VLAN to your LAN, but that is not any different from IPv4.

For incoming access, you block everything and only explicitely allow specific device via firewall aliases like I described. There is no such thing as a privacy issue here, because the key point in allowing access to a specific device is "specific" - you have to "name" it somehow:

First off, that is something completely decoupled of if that same device has another IPv6 address which it uses to access the internet from inside out - you can well use IPv6 privacy extensions for that indepedently of how it is being access from outside. Effectively, you will have to use a dynamic DNS service of one kind or the other (otherwise you cannot know the current IPv6 prefix and thus not the full IPv6 of the device in question).

Having cleared that out of the way, the only question could be if you can guess anything from the lower 64 bits of the IPv6. The answer is yes, if you use SLAAC, because the contained MAC gives away the manufacturer of the device. But as I said, you could as well use DHCPv6 with artifical addresses.

[Patrick M. Hausen]

Everything you do not explicitly allow is blocked in OPNsense. But now I better understand your problem. Yes, there is no "destination interface" in pf rules. Which would be necessary to have a true zone based firewall.

But while the general advice is to filter on ingress, I think in any multi-tenant or similar scenario filtering on egress can be helpful.

So you have one or multiple separate server networks (zones) and a LAN for general use and a general "permit all" rule for the LAN. Do I get that correct?

You could use an outbound rule in the "server" interface like "deny from LAN net". That should work even with a changing "LAN net". I do not have a ready-made config yet, but I am actively exploring this route, because I did replace a zone based firewall with OPNsense and in one situation I have multiple hosting tenants that should all be able to reach "the Internet", but only reach other tenants at the same services those want accessable publicly. I think that's very similar to your requirements. And I think outbound rules might be the way to go in that case.

HTH,
Patrick

[defaultuserfoo]

For outgoing IPv6 access, you can usually allow any -> any, so the only question is incoming IPv6 traffic.

When I do that, the devices on the guest-like VLAN will be able to reach the devices on the LAN VLAN without restriction.  That entirely defeats the idea of allowing only what I want to allow.

You do not have to allow access from a "limited" VLAN to your LAN, but that is not any different from IPv4.

Then how, for example, are devices on the guest-like VLAN supposed to reach my SIP server or my DNS server?

For incoming access, you block everything and only explicitely allow specific device via firewall aliases like I described. There is no such thing as a privacy issue here, because the key point in allowing access to a specific device is "specific" - you have to "name" it somehow:

Somehow naming means that I do have a privacy issue.  With IPv4 and NAT, it's not visible what's going on on my LAN.  I could have 2 devices on it or 200 or 1000 or whatever.  With IPv6, I do have a privacy issue once I "name" a particular device somehow beause it suddenly becomes visible how many devices (IPv6 addresses) I have and what they might be doing (like sending DNS requests and/or contacting a VOIP provider ...).  I don't know that there would be a solution for that.

First off, that is something completely decoupled of if that same device has another IPv6 address which it uses to access the internet from inside out - you can well use IPv6 privacy extensions for that indepedently of how it is being access from outside. Effectively, you will have to use a dynamic DNS service of one kind or the other (otherwise you cannot know the current IPv6 prefix and thus not the full IPv6 of the device in question).

Currently, I do not need to reach devices on my network from the outside via IPv6.  If I had to, I would need to get a IPv6 network assigned.  I have used dynamic DNS in the past and it sucks.  (I don't understand why I can't get an IPv6 network assigned.  The ISPs keep complaining about not having enough IPv4 addresses but I got a static IPv4 address and at the same time, they deny you the IPv6 addresses which we are supposed to have instead since IPv6 is supposed to succeed IPV4.  That doesn't make any sense.  And without at least a static IPv4 address or an IPv6 net, internet is pretty much useless to me.  Dynamic DNS doesn't cut it.)

Having cleared that out of the way, the only question could be if you can guess anything from the lower 64 bits of the IPv6. The answer is yes, if you use SLAAC, because the contained MAC gives away the manufacturer of the device. But as I said, you could as well use DHCPv6 with artifical addresses.

It is easier to give permanent IPv6 addresses to the devices that need them which are in the private address range.  That's how my name server has fd53::11, for example, and that doesn't create privacy issues.

[defaultuserfoo]

Everything you do not explicitly allow is blocked in OPNsense. But now I better understand your problem. Yes, there is no "destination interface" in pf rules. Which would be necessary to have a true zone based firewall.

But while the general advice is to filter on ingress, I think in any multi-tenant or similar scenario filtering on egress can be helpful.

So you have one or multiple separate server networks (zones) and a LAN for general use and a general "permit all" rule for the LAN. Do I get that correct?

Not excatly ... For simplicity, let's assume that I have a LAN and a guest VLAN.  With IPv4, the common way to set it up is to block everything to all private networks and then allow everyhing to anywhere so that devices on the guest VLAN have internet access.  That nicely protects your LAN because all devices on the LAN have IP addresses within the private networks which can not be reached from the devices on the guest VLAN.

With IPv6, that doesn't work because suddenly, all the devices on the LAN have not only addresses within private networks but also have public IP addresses; and your LAN is unprotected because the rule on the guest VLAN that allows everything to everywhere also allows access to the devices on your LAN and you can't reasonably block that, especially not when the IP addresses of the devices on the LAN keep chaning all the time.

To work around this, everthing that shouldn't be allowed needs to be explicitly blocked, and that sucks because you have to create so many blocking rules and because you can easily forget to block something.

You could use an outbound rule in the "server" interface like "deny from LAN net". That should work even with a changing "LAN net". I do not have a ready-made config yet, but I am actively exploring this route, because I did replace a zone based firewall with OPNsense and in one situation I have multiple hosting tenants that should all be able to reach "the Internet", but only reach other tenants at the same services those want accessable publicly. I think that's very similar to your requirements. And I think outbound rules might be the way to go in that case.

HTH,
Patrick

I'm not sure what you mean.  The firewall on the server itself blocks everything that isn't allowed.  That doesn't have anything to do with devices on the guest VLAN being able to reach the server (which is on the LAN) or not.  (It doesn't matter where the server is as long as it is not on the guest VLAN.  The firewall on the server doesn't block NFS, for example, and devices on the guest VLAN must not be able to reach the NFS ports but need to be blocked before they can.)

As to a rule blocking something outbound (instead of the usual inbound) on the opensense firewall, that rule would have to be on the guest VLAN.  It would have to be a rule that blocks everthing outbound to the LAN except what I want to allow to reach the server.  Or not?

It would be better because the default would be "block all and allow" instead of "allow and and block".  But with a bunch of VLANs, that would still require such rules for all VLANs.  And that only because of the "allow everything to anywhere" which is needed for internet access.

Is there really no better way?  That "allow everthing to anywhere" rule is what's causing the problems, and it's like putting the cart before the horse.  We shouldn't have to go to lengths and have to create a bunch of blocking or allowing rules at other places just because we need a rule like that.

[avanix]

Try something like this.

[Patrick M. Hausen]

Not excatly ... For simplicity, let's assume that I have a LAN and a guest VLAN.  With IPv4, the common way to set it up is to block everything to all private networks and then allow everyhing to anywhere so that devices on the guest VLAN have internet access.  That nicely protects your LAN because all devices on the LAN have IP addresses within the private networks which can not be reached from the devices on the guest VLAN.

This is a gross oversimplification, IMHO, because e.g. I run several setups where the "internal" networks do not use private but globally routable addresses. Yes, for IPv4 ...

With IPv6, that doesn't work because suddenly, all the devices on the LAN have not only addresses within private networks but also have public IP addresses; and your LAN is unprotected because the rule on the guest VLAN that allows everything to everywhere also allows access to the devices on your LAN and you can't reasonably block that, especially not when the IP addresses of the devices on the LAN keep chaning all the time.

But I do understand your problem. If you allow "everything" that implies the guest network can reach all other directly connected networks as well as "the Internet".

I am not arguing that your requirement is not justified - there simply is no way in PF to specify "from this interface in only to that interface (WAN) out".

So let's turn back to your simplified example: I was suggesting that you create an outbound rule on the LAN interface that reads "block everything from guest network".

You can create group of all directly connected networks and place a "block everything from <group> outbound" on all of the networks, because there will never be traffic coming out of interface X with source address of net X. Unless it's generated by the firewall itself, but that is taken care of by the default "permit everything from the firewall itself" rule.

So the additional burden for blocking is reduced to 1 rule per interface and maintaining a group of all networks attached to all the interfaces. Not optimal but the best I could think of. I am going to test this in the coming weeks and if successful put it in production. Currently I have block rules with various destination networks spread "everywhere" and I am just as annoyed by that as you are, that's why I am also looking for a solution.

There will probably be things to consider with respect to rule order and the application of "quick", that's why I don't have an example ready for you.

HTH,
Patrick