Best way to set up DMZ with IPv6

Started by User074357, April 03, 2026, 12:54:13 AM

Hello everyone, I recently decided to support IPv6 in my LAN network.
I have a /59 prefix from my ISP with a FritzBox and am using prefix delegation to delegate a /60 prefix for my OPNsense box.
My LAN network has its own /64 prefix now and everything works as expected.

Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules. For IPv4 I currently have the following rules:
[attachment not available]

However I'm not sure how to create such a rule for IPv6, which allows access to the internet while blocking access to LAN and also the FritzBox on the WAN interface. For IPv4 this was all covered by the RFC 1918 networks. Can I simply block access to the /59 prefix somehow? However since this prefix is dynamic by the ISP I'm not sure how to proceed.

Thanks in advance!

April 03, 2026, 03:04:40 PM #1 Last Edit: April 03, 2026, 03:07:30 PM by drosophila
This should be what "LAN net" resp. "!WAN net" is for. However, with "LAN net", if you add more interfaces, you'd need to add any of these manually, which violates the "what isn't explicitly allowed, is denied" rule. You'd have to test if "!WAN net" will not also block anything outside the provider's prefix.

Quote from: drosophila on April 03, 2026, 03:04:40 PM
This should be what "LAN net" resp. "!WAN net" is for. However, with "LAN net", if you add more interfaces, you'd need to add any of these manually, which violates the "what isn't explicitly allowed, is denied" rule. You'd have to test if "!WAN net" will not also block anything outside the provider's prefix.

Thanks! I added the following rule with an alias including my LAN, WAN and the DMZ network itself (OPT8). This seems to work as expected.
Does this look good?
[attachments not available]

Using "Firewall: Diagnostics: Aliases" I can confirm __wan_network includes the /64 prefix of the network the OPNsense is in. However it does not include any other prefixes delegated by the FritzBox. Ideally I'd want it to block the entire /59 prefix.



Quote from: User074357 on April 03, 2026, 12:54:13 AM
My LAN network has its own /64 prefix now and everything works as expected.

Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules.

However I'm not sure how to create a rule for IPv6, which allows access to the internet
I am not sure about this part:
Quote:
while blocking access to LAN and also the FritzBox on the WAN interface.

Can I simply block access to the /59 prefix somehow?
However since this prefix is dynamic by the ISP I'm not sure how to proceed.
But I would expect the following situation:
- Your IPv6 prefix is at least valid for a certain period if it's not completely static.
- Each of your networks gets a /64 based on an ID you can assign to them: 0/1/2/3/4/etc.
- You could put all of these /64s in an Alias cut off at the ID.
- And then use this Alias in the Firewall Rule(s).

In case your IPv6 Prefix changes the amount of editing you need to do is minimal this way :)



I can't find any information about the ID that I am mentioning here @ https://docs.opnsense.org/ so I feel like I am saying something wrong here, but I am pretty sure I am not?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
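The per-interface-ID scheme from the reply above, together with the earlier observation that __wan_network only covers the FritzBox link /64, as an added Python example (not from this thread, nor OPNsense code); ISP_PREFIX, WAN_NET and DELEGATED are constructed documentation-range values standing in for the real, dynamic prefixes:

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed values from the documentation range 2001:db8::/32 (assumptions):
ISP_PREFIX = IPv6Network("2001:db8:0:20::/59")  # routed by the ISP to the FritzBox, may change
WAN_NET = IPv6Network("2001:db8:0:20::/64")     # FritzBox<->OPNsense link, what "__wan_network" holds
DELEGATED = IPv6Network("2001:db8:0:30::/60")   # the /60 delegated to OPNsense


def interface_prefix(delegated: IPv6Network, subnet_id: int) -> IPv6Network:
    """The /64 for the interface with this subnet ID; a /60 holds IDs 0..15."""
    subnets = list(delegated.subnets(new_prefix=64))
    if not 0 <= subnet_id < len(subnets):
        raise ValueError(f"subnet id {subnet_id} does not fit in {delegated}")
    return subnets[subnet_id]


def block_alias(delegated: IPv6Network, ids) -> list:
    """The /64s that go into the 'not reachable from DMZ' alias."""
    return [interface_prefix(delegated, i) for i in ids]


def in_any(dst: str, nets) -> bool:
    """True if the address dst falls inside one of nets."""
    addr = IPv6Address(dst)
    return any(addr in net for net in nets)


def dmz_egress_allowed(dst: str, blocked) -> bool:
    """Outcome of 'block destinations in the alias, allow everything else'."""
    return not in_any(dst, blocked)


def uncovered(alias, prefix: IPv6Network) -> list:
    """Parts of prefix that the alias does not block.

    Blocking only WAN_NET leaves the other /64s of the ISP /59 reachable;
    blocking the /59 itself leaves nothing.
    """
    nets = [prefix]
    for blocked in alias:
        remaining = []
        for n in nets:
            if n.subnet_of(blocked):       # wholly inside the blocked net: gone
                continue
            if blocked.subnet_of(n):       # blocked net carves a hole in n
                remaining.extend(n.address_exclude(blocked))
            else:                          # unrelated: untouched
                remaining.append(n)
        nets = remaining
    return nets
```

When the ISP prefix changes, only the three constants change; the subnet IDs and the rule logic stay the same, which is the low-maintenance property the reply describes.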