OPNsense
Author Topic: Killing IPv6 communication for a device in LAN  (Read 4498 times)

pawlisko

  • Newbie
  • Posts: 19
  • Karma: 0
Killing IPv6 communication for a device in LAN
« on: December 21, 2022, 05:13:16 pm »
Quick question, as I am new to the OPNsense world.

Killing (temporarily) IPv6 communication for a device inside the LAN. In MikroTik, I would create rules in the FW to drop in/out IPv6 transmission based on the device's MAC address (due to the device being SLAAC only), and I can't turn off IPv6 support in the device. Basically, if the device sniffs IPv6 it will go for an IPv6 address and communication.

I tried to replicate it here with partial success. Some transmission is going through, though, on an intermittent basis.

What is the proper way in OPNsense to kill IPv6 communication for the host?

bartjsmit

  • Hero Member
  • Posts: 2023
  • Karma: 194
Re: Killing IPv6 communication for a device in LAN
« Reply #1 on: December 22, 2022, 09:15:59 am »
OPNsense is based on FreeBSD which doesn't firewall on MAC address. You can assign a separate VLAN on your managed switch to the device and disable IPv6 on that.

pawlisko

  • Newbie
  • Posts: 19
  • Karma: 0
Re: Killing IPv6 communication for a device in LAN
« Reply #2 on: December 28, 2022, 03:19:12 pm »
It sounds like it was easier to code on L3 rather than on L2, and we are stuck with a solution which is way sub-optimal; to work around that we need to create so much more than is needed.
Your solution is manageable if the device is connected through Ethernet, but what about WLAN? Changing the WLAN or creating additional SSIDs for WiFi for each device does not make sense. What if I have 5 devices like that and I want 4 of them to use IPv6, then what? 5 VLANs? 5 WiFi networks? What about ease of use? Not to mention support or troubleshooting.

RamSense

  • Hero Member
  • Posts: 595
  • Karma: 11
Re: Killing IPv6 communication for a device in LAN
« Reply #3 on: December 28, 2022, 06:07:08 pm »
How about getting those devices a static IP (v4 and/or v6) and blocking them on IP, or when there are several, making an alias with those IPs and blocking it. I am using that for my kids' devices to block the internet for them to support bedtime :-)

Patrick M. Hausen

  • Hero Member
  • Posts: 6935
  • Karma: 584
Re: Killing IPv6 communication for a device in LAN
« Reply #4 on: December 28, 2022, 07:09:44 pm »
OPNsense does have MAC addresses as aliases in the firewall section. Can't it set up rules with these as source or destination?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

RamSense

  • Hero Member
  • Posts: 595
  • Karma: 11
Re: Killing IPv6 communication for a device in LAN
« Reply #5 on: December 28, 2022, 07:31:32 pm »
Those MAC addresses as aliases don't seem to work. About a year ago I tried that approach in the captive portal and got an answer back like what @bartjsmit is saying, that OPNsense/FreeBSD does not firewall on MAC addresses.
That is when I set up all devices on the network with static IPs: not a known device, no connection, and I am able to control the connection of every device.
It would be an awesome feature if MAC addresses were included as well.

pawlisko

  • Newbie
  • Posts: 19
  • Karma: 0
Re: Killing IPv6 communication for a device in LAN
« Reply #6 on: December 28, 2022, 08:46:10 pm »
Quote from: RamSense on December 28, 2022, 06:07:08 pm
How about getting those devices a static IP (v4 and/or v6) and blocking them on IP, or when there are several, making an alias with those IPs and blocking it. I am using that for my kids' devices to block the internet for them to support bedtime :-)

IPv4 - I set it up as static, so it is easy to configure - no issue here.

IPv6 - it is using SLAAC - hence my original post about sniffing out the IPv6 address. The device can use DHCPv6, but because I have some devices which can't, I have to use RA in Assisted mode (Flags M+O+A), and many devices, including the device in question, prefer SLAAC over DHCPv6.

For kids' devices I use the built-in Kids Mode (iOS and Amazon did that right).

Patrick M. Hausen

  • Hero Member
  • Posts: 6935
  • Karma: 584
Re: Killing IPv6 communication for a device in LAN
« Reply #7 on: December 28, 2022, 09:48:46 pm »
Quote from: RamSense on December 28, 2022, 07:31:32 pm
Those MAC addresses as aliases don't seem to work. About a year ago I tried that approach in the captive portal and got an answer back like what @bartjsmit is saying, that OPNsense/FreeBSD does not firewall on MAC addresses.
That is when I set up all devices on the network with static IPs: not a known device, no connection, and I am able to control the connection of every device.
It would be an awesome feature if MAC addresses were included as well.
Oops  :)

I was planning to use exactly these to permit only my laptop and iPad from the family VLAN into the management VLAN. Let's see - I'll report back.

zan

  • Full Member
  • Posts: 175
  • Karma: 31
Re: Killing IPv6 communication for a device in LAN
« Reply #8 on: December 29, 2022, 08:30:43 am »
Out of curiosity I set up a MAC alias for my Android phone and turned on IPv6 support on my WiFi VLAN and the RA service in Assisted mode.
I could see my phone got a SLAAC address, and the MAC alias from OPNsense's Diagnostics->Aliases also resolved to the same address.
Then I set up a block rule for that MAC alias and it seems to be working as expected.
So it looks like OPNsense can firewall by MAC address just fine; what am I missing here?

pawlisko

  • Newbie
  • Posts: 19
  • Karma: 0
Re: Killing IPv6 communication for a device in LAN
« Reply #9 on: December 29, 2022, 03:21:51 pm »
Quote from: zan on December 29, 2022, 08:30:43 am
Out of curiosity I set up a MAC alias for my Android phone and turned on IPv6 support on my WiFi VLAN and the RA service in Assisted mode.
I could see my phone got a SLAAC address, and the MAC alias from OPNsense's Diagnostics->Aliases also resolved to the same address.
Then I set up a block rule for that MAC alias and it seems to be working as expected.
So it looks like OPNsense can firewall by MAC address just fine; what am I missing here?

SLAAC IPv6 addresses tend to change. There are devices, like my printer, which have one IPv6 address based on the MAC address, but iOS devices take 2 IPv6 addresses and then start to rotate them, taking new addresses etc.; the same situation applies to Windows. As other people said, FreeBSD is working on L3 (IP level), not on L2 (MAC level). MAC addresses are resolved to IP addresses every 5 minutes. So if your IPv6 address changed 1 second after OPNsense refreshed it to block, your device has 4 minutes and 59 seconds when it is technically not blocked, as the new IPv6 address is not blocked.
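An added example, not from anyone in this thread, that illustrates the point made in the reply above: given a constructed table in the shape of FreeBSD `ndp -an` output and a /64 prefix, it computes the single EUI-64 address a MAC predicts and separates it from the temporary addresses that a block rule resolved from the MAC can only catch after the next refresh. The MACs, the prefix and the table contents are made up.

```python
import ipaddress

# Constructed sample in the shape of FreeBSD `ndp -an` output; the MACs,
# prefix and addresses are made up for this example.
SAMPLE_NDP = """\
Neighbor                          Linklayer Address  Netif  Expire    S Flags
2001:db8:10:0:182b:3cff:fe4d:5e6f 1a:2b:3c:4d:5e:6f  vlan10 23h59m59s S R
fe80::182b:3cff:fe4d:5e6f%vlan10  1a:2b:3c:4d:5e:6f  vlan10 23h59m59s S R
2001:db8:10:0:9c3e:7f21:aa02:1b5d 0a:1b:2c:3d:4e:5f  vlan10 12m3s     S
2001:db8:10:0:4d8a:e02c:77f1:b9e  0a:1b:2c:3d:4e:5f  vlan10 4m51s     S
fe80::c0a:6f1d:2b33:81e0%vlan10   0a:1b:2c:3d:4e:5f  vlan10 23h59m59s S
"""

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    b = bytes(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError(f"bad MAC: {mac}")
    # Flip the universal/local bit and splice ff:fe between the two halves.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The one predictable address a SLAAC host derives from its MAC under a /64."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))

def parse_ndp(text: str) -> dict[str, set[ipaddress.IPv6Address]]:
    """Map each MAC to its global addresses; skips the header row and link-locals."""
    table: dict[str, set[ipaddress.IPv6Address]] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2:
            continue
        addr = ipaddress.IPv6Address(fields[0].split("%")[0])
        if not addr.is_link_local:
            table.setdefault(fields[1].lower(), set()).add(addr)
    return table

def classify(table: dict[str, set[ipaddress.IPv6Address]], mac: str,
             prefix: str) -> dict[str, list[str]]:
    """Split one host's addresses into the MAC-derived EUI-64 one and the rest."""
    # Only the EUI-64 address is predictable from the MAC; temporary (privacy)
    # addresses rotate, so a block resolved from the MAC at refresh time misses
    # whatever the host picks up afterwards.
    stable = slaac_address(prefix, mac)
    addrs = table.get(mac.lower(), set())
    return {"eui64": sorted(str(a) for a in addrs if a == stable),
            "temporary": sorted(str(a) for a in addrs if a != stable)}
```

A host whose `eui64` list is non-empty and `temporary` list is empty (the printer case) is reliably blockable by IP; a host with only temporary addresses (the phone case) is the one that slips through between refreshes.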

Patrick M. Hausen

  • Hero Member
  • Posts: 6935
  • Karma: 584
Re: Killing IPv6 communication for a device in LAN
« Reply #10 on: December 29, 2022, 07:50:35 pm »
More precisely, the pf firewall in FreeBSD, according to the documentation, only works on layer 3 and layer 4 information. There are three different firewalls in FreeBSD, and e.g. ipfw works perfectly well on MAC addresses (layer 2).

Why pfSense and consequently OPNsense picked pf over ipfw I don't know. But that's the state of affairs, it seems. During the years I built FreeBSD-based routers and VPN gateways from scratch I always used ipfw.

bartjsmit

  • Hero Member
  • Posts: 2023
  • Karma: 194
Re: Killing IPv6 communication for a device in LAN
« Reply #11 on: December 30, 2022, 10:43:01 am »
Most, if not all, commercial enterprise-grade firewalls don't go below layer 3 either. MAC addresses are too easily spoofed, and enforcement of layer 2 security is best done on switches through VLAN separation.

I know you can spoof IP addresses as well, but that's not much good to an attacker if they can't break out of the corresponding VLAN.

Bart...

lilsense

  • Hero Member
  • Posts: 600
  • Karma: 19
Re: Killing IPv6 communication for a device in LAN
« Reply #12 on: December 30, 2022, 01:05:58 pm »
Quote from: pmhausen on December 29, 2022, 07:50:35 pm
More precisely, the pf firewall in FreeBSD, according to the documentation, only works on layer 3 and layer 4 information. There are three different firewalls in FreeBSD, and e.g. ipfw works perfectly well on MAC addresses (layer 2).

Why pfSense and consequently OPNsense picked pf over ipfw I don't know. But that's the state of affairs, it seems. During the years I built FreeBSD-based routers and VPN gateways from scratch I always used ipfw.

I believe the reason is that, today, this problem (MAC block) is solved with dot1x on a switch. OPNsense is for firewalling and DPI/IPS. Although you can run RADIUS and try to set up dot1x on an OPNsense, I was unable to achieve it, as there is very little documentation for setting up dot1x on OPNsense.

Patrick M. Hausen

  • Hero Member
  • Posts: 6935
  • Karma: 584
Re: Killing IPv6 communication for a device in LAN
« Reply #13 on: December 30, 2022, 01:47:52 pm »
Another alternative is MAC based VLAN assignment via VMPS with FreeRADIUS. I used to run that for a while. Every device not explicitly configured ends up in the guest VLAN. Or a "dead" one, depending on your policy.

Also needs support on the switch side, of course.

lilsense

  • Hero Member
  • Posts: 600
  • Karma: 19
Re: Killing IPv6 communication for a device in LAN
« Reply #14 on: December 30, 2022, 02:45:49 pm »
Nice... :) Cisco only though...