Blocking IPv6 addresses from Internet access

Started by JoK, December 09, 2023, 01:08:36 PM

Hi

I got an Alias set up and LAN rules that I can add IPv4 addresses to so that they can't get access to the internet. I assign the device that I want to block a static IPv4 address and then add that to the Alias; it works perfectly.

The problem is when the device also gets an IPv6 address. Can I do the same thing with IPv6: give the device a static IPv6 address and then add that to the alias? I'm not sure how to do that.

The problem is that there is no such thing as a single IPv6 address. You cannot keep a device from randomly using several IPv6 addresses at once, e.g. for IPv6 privacy extensions. But you can define MAC aliases and use that in firewall rules.

That way, unless your clients spoof MAC addresses (which some do), you can block internet access more directly (also for IPv4).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Thanks, it sounds a little advanced. Is it possible to only use IPv6 local?

How is this advanced? There is an alias type "MAC address". You would need the MAC address to assign static IPs anyway, and then you need to block those IPs, which is one unnecessary indirection.

Just create a MAC alias and use that in your blocking rule(s).

If you mean an RFC1918 equivalent for IPv6 by "IPv6 local", yes, that exists in the form of ULA. But if you limit your network to ULA only, none of your clients could access the internet by IPv6.

Once you enable IPv6 GUA (globally routable addresses), any client can take up any number of these. So, you have to block those relevant IPv6s (which you do not know). So, just block based on the client's MAC. You can use the same MAC alias for IPv4 and IPv6 rules.

Sounds like it's easier to disable IPv6 DHCP....

...thereby disabling all clients. I thought you wanted to block certain clients only?

If you wanted to disable IPv6 altogether, you could do so in OPNsense settings. Or block all IPv6 traffic. Disabling DHCPv6 only does not keep any client from using IPv6, since DHCPv6 is only one of three variants to get at an IPv6 - the other ones are static assignment (like with IPv4) and SLAAC.
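As an added illustration (not posted by anyone in this thread) of why a single static IPv6 address in an alias does not cover a device: the Python sketch below classifies the addresses one host might hold at once and checks which of them are derived from its MAC by modified EUI-64 (RFC 4291). The MAC, the addresses (documentation prefix 2001:db8::/32) and the function names are constructed for the example.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193, the "RFC1918 equivalent"
GUA = ipaddress.ip_network("2000::/3")   # globally routable unicast space

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")

def scope(addr: ipaddress.IPv6Address) -> str:
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ULA"
    if addr in GUA:
        return "GUA"
    return "other"

def classify(mac: str, addresses: list[str]) -> list[tuple[str, str, bool]]:
    """Return (address, scope, derived_from_mac) for every address."""
    iid = eui64_interface_id(mac)
    rows = []
    for text in addresses:
        addr = ipaddress.IPv6Address(text)
        low64 = int(addr) & ((1 << 64) - 1)   # interface identifier half
        rows.append((str(addr), scope(addr), low64 == iid))
    return rows

# Constructed sample: one host, five simultaneous addresses.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_ADDRS = [
    "fe80::211:22ff:fe33:4455",             # link-local, EUI-64
    "fd12:3456:789a:1:211:22ff:fe33:4455",  # ULA, EUI-64
    "2001:db8:1:1:211:22ff:fe33:4455",      # GUA, EUI-64 (SLAAC)
    "2001:db8:1:1:5c3a:9e07:b1d2:44f0",     # GUA, privacy extension
    "2001:db8:1:1:e8a1:3b6c:f2d:7791",      # GUA, next privacy address
]

if __name__ == "__main__":
    for address, kind, from_mac in classify(SAMPLE_MAC, SAMPLE_ADDRS):
        print(f"{address:40} {kind:10} derived from MAC: {from_mac}")
```

The two privacy-extension addresses share nothing with the MAC-derived ones beyond the /64 prefix, so a per-host IPv6 alias cannot anticipate them, while a MAC alias matches the traffic regardless of which source address the client picks.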

Well, I'm not that experienced in OPNsense and IPv6, so this is way over my head... I think disabling IPv6 maybe is the way to go.