Author Topic: IPV6 on LAN only  (Read 1480 times)

JoK

IPV6 on LAN only
« on: May 23, 2024, 06:24:15 pm »
Hi

I have some problems with blocking devices from accessing the Internet if they use IPv6. IPv4 is no problem, just setting up an alias and adding the static IP addresses of the devices. As I understand it, it's not the same with IPv6.

My Macs have a feature to only use IPv6 on LAN. Is it possible to make OPNsense do the same… block all IPv6 traffic from LAN to WAN 🙂 That would really be helpful, I don't want to disable IPv6 completely.

Maybe this could be a feature request…

TIA

John

Monviech (Cedrik)

Re: IPV6 on LAN only
« Reply #1 on: May 23, 2024, 06:26:56 pm »
Just change the default allow rule on LAN from "IPv4 + IPv6" to only "IPv4".

And then add a rule before that with aliases containing the IPv6 addresses that are allowed access to the internet.

Since IPv6 has Privacy Extension enabled, it can be hard to choose the exact devices since the IP addresses change multiple times a day. You might have to disable that for those devices to get one real static GUA per device. (Of course this can also be set up as a block list, but allow lists give you even more control since new devices are blocked by default.)
« Last Edit: May 23, 2024, 06:31:42 pm by Monviech »
Hardware:
DEC740

JoK

Re: IPV6 on LAN only
« Reply #2 on: May 23, 2024, 06:38:14 pm »
Thanks, that sounds complex 😜 I don't want any IPv6 traffic from LAN to WAN, IPv6 for LAN only. A feature like on the Mac, with a box to tick for “IPv6 for LAN only”, would be so much easier… wishful thinking probably 😜

Monviech (Cedrik)

Re: IPV6 on LAN only
« Reply #3 on: May 23, 2024, 06:41:21 pm »
But you will have IPv6 for LAN only if you remove it from the standard allow rule in the LAN. (Turn IPv4/IPv6 into IPv4)

The devices communicate directly with each other, the firewall doesn't block that traffic. But it will block all traffic going to the WAN that way.

Patrick M. Hausen

Re: IPV6 on LAN only
« Reply #4 on: May 23, 2024, 06:41:56 pm »
Block IPv6 to any on your LAN interface. Traffic between devices on the same network does not pass through OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
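
The behaviour described in the replies above, as a small model added here for illustration (not OPNsense code and not posted by anyone in the thread): an IPv4-only block alias is sidestepped over IPv6 while the LAN allow rule still covers "IPv4 + IPv6", and stops being sidestepped once that rule is IPv4 only. It assumes first-match rules with an implicit default deny; all addresses, the camera alias and the function names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation prefixes); nothing here is from the thread.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("192.0.2.0/24", "2001:db8:1::/64", "fe80::/10")]
CAMERA_V4 = (ipaddress.ip_network("192.0.2.50/32"),)  # hypothetical IPv4 block alias

@dataclass
class Rule:
    action: str          # "pass" or "block"
    families: tuple      # IP versions the rule covers: (4,), (6,) or (4, 6)
    sources: tuple = ()  # source alias; empty tuple means "any"

def reaches_firewall(dst):
    """On-link destinations are delivered host to host and never hit the LAN rules."""
    d = ipaddress.ip_address(dst)
    return not any(d in n for n in LAN_NETS if n.version == d.version)

def verdict(rules, src, dst):
    """Assumed semantics: first matching rule wins, no match means default deny."""
    if not reaches_firewall(dst):
        return "local"
    s = ipaddress.ip_address(src)
    for r in rules:
        if s.version not in r.families:
            continue
        if r.sources and not any(s in n for n in r.sources if n.version == s.version):
            continue
        return r.action
    return "block"

block_cameras = Rule("block", (4,), CAMERA_V4)
BEFORE = [block_cameras, Rule("pass", (4, 6))]   # default "IPv4 + IPv6" allow rule
AFTER = [block_cameras, Rule("pass", (4,))]      # allow rule changed to "IPv4" only

if __name__ == "__main__":
    flows = [("192.0.2.50", "198.51.100.10"),          # camera, IPv4 to Internet
             ("2001:db8:1::50", "2001:db8:ffff::10"),  # same camera over IPv6
             ("2001:db8:1::50", "2001:db8:1::10"),     # camera to LAN recording server
             ("192.0.2.20", "198.51.100.10")]          # ordinary IPv4 client
    for src, dst in flows:
        print(f"{src} -> {dst}: before={verdict(BEFORE, src, dst)} "
              f"after={verdict(AFTER, src, dst)}")
```
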

JoK

Re: IPV6 on LAN only
« Reply #5 on: May 23, 2024, 07:19:24 pm »
Quote from: Monviech on May 23, 2024, 06:41:21 pm
But you will have IPv6 for LAN only if you remove it from the standard allow rule in the LAN. (Turn IPv4/IPv6 into IPv4)

The devices communicate directly with each other, the firewall doesn't block that traffic. But it will block all traffic going to the WAN that way.

Hmmm… is that enough to just remove IPv6? Will that do the trick?
Where exactly do I do that?

Patrick M. Hausen

Re: IPV6 on LAN only
« Reply #6 on: May 23, 2024, 07:22:48 pm »
What do your LAN rules look like?

JoK

Re: IPV6 on LAN only
« Reply #7 on: May 23, 2024, 07:55:39 pm »
Sorry, can't get my screenshot below the max size for posting, using an iPad at the moment. My settings are standard.

Patrick M. Hausen

Re: IPV6 on LAN only
« Reply #8 on: May 23, 2024, 09:10:50 pm »
If all your LAN rules are for IPv4 only, then IPv6 is categorically blocked and no IPv6 connections will leave your LAN towards the Internet.

I wonder why anyone would want such a setup, but you do you.

Hint: IPv6 is the Internet. IPv4 is "that legacy protocol".

JoK

Re: IPV6 on LAN only
« Reply #9 on: May 25, 2024, 05:09:29 pm »
Well, I got some home surveillance that records to a Mac server, and I don't want any of these to access the Internet. I got their IPv4 blocked by an alias and the Mac set up to only allow IPv6 to LAN only. I know it's not that easy to block IPv6 addresses... a MAC block would probably solve this issue... don't know.

 

JoK

Re: IPV6 on LAN only
« Reply #10 on: June 20, 2024, 09:07:12 pm »
Kinda late to post a screenshot. I disabled IPv6 on LAN rules in Firewall, is this OK, will it block all IPv6 traffic from LAN to WAN??

Is it that easy? 🙂

The “Direction” in the rule, should I leave that at “in”? The only thing I have done is change the “Action” to “Block” instead of “Allow”.
« Last Edit: June 20, 2024, 09:13:01 pm by JoK »

Patrick M. Hausen

Re: IPV6 on LAN only
« Reply #11 on: June 20, 2024, 09:11:25 pm »
You do not need to block anything explicitly. If there is no allow rule for IPv6, access will be blocked. Just remove everything IPv6-related from your rules on LAN.

JoK

Re: IPV6 on LAN only
« Reply #12 on: June 21, 2024, 05:50:50 pm »
Thanks. The Block rule is my "Block internet acces for specific IPv4 adresses"; it restricts Internet access for some devices on my network, and it works perfectly. My problem was that if these devices also support IPv6, they are not blocked anymore, they just pop over to IPv6... and since I can't block specific IPv6 addresses, my blocks are useless.

I just modified the rule to only "IPv4" and not "IPv4+IPv6"... didn't work for IPv6 anyway 🙂

This seems to block all IPv6 traffic from LAN to WAN, perfect... thanks
« Last Edit: June 21, 2024, 05:54:26 pm by JoK »