Best way to set up DMZ with IPv6

Started by User074357, April 03, 2026, 12:54:13 AM

Hello everyone, I recently decided to support IPv6 in my LAN network.
I have a /59 prefix from my ISP with a FritzBox and am using prefix delegation to delegate a /60 prefix for my OPNsense box.
My LAN network has its own /64 prefix now and everything works as expected.

Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules. For IPv4 I currently have the following rules:
(attachment not available)

However, I'm not sure how to create such a rule for IPv6, which allows access to the internet while blocking access to the LAN and also to the FritzBox on the WAN interface. For IPv4 this was all covered by the RFC 1918 networks. Can I simply block access to the /59 prefix somehow? However, since this prefix is assigned dynamically by the ISP, I'm not sure how to proceed.

Thanks in advance!

April 03, 2026, 03:04:40 PM #1 Last Edit: April 03, 2026, 03:07:30 PM by drosophila
This should be what "LAN net" or "!WAN net" is for. However, with "LAN net", if you add more interfaces, you'd need to add each of these manually, which violates the "what isn't explicitly allowed is denied" rule. You'd have to test that "!WAN net" doesn't also block anything outside the provider's prefix.

Quote from: drosophila on April 03, 2026, 03:04:40 PM
This should be what "LAN net" or "!WAN net" is for. However, with "LAN net", if you add more interfaces, you'd need to add each of these manually, which violates the "what isn't explicitly allowed is denied" rule. You'd have to test that "!WAN net" doesn't also block anything outside the provider's prefix.

Thanks! I added the following rule with an alias including my LAN, WAN and the DMZ network itself (OPT8). This seems to work as expected.
Does this look good?
(attachments not available)

Using "Firewall: Diagnostics: Aliases" I can confirm __wan_network includes the /64 prefix of the network the OPNsense box is in. However, it does not include any other prefixes delegated by the FritzBox. Ideally I'd want it to block the entire /59 prefix.



Quote from: User074357 on April 03, 2026, 12:54:13 AM
My LAN network has its own /64 prefix now and everything works as expected.

Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules.

However I'm not sure how to create a rule for IPv6, which allows access to the internet
I am not sure about this part:
Quote: while blocking access to LAN and also the FritzBox on the WAN interface.

Can I simply block access to the /59 prefix somehow?
However since this prefix is dynamic by the ISP I'm not sure how to proceed.
But I would expect the following situation:
- Your IPv6 prefix is at least valid for a certain period if it's not completely static.
- Each of your networks gets a /64 based on an ID you can assign to them: 0/1/2/3/4/etc.
- You could put all of these /64s in an alias, cut off at the ID.
- And then use this alias in the firewall rule(s).

In case your IPv6 Prefix changes the amount of editing you need to do is minimal this way :)



I can't find any information about the ID that I am mentioning here at https://docs.opnsense.org/ so I feel like I am saying something wrong here, but I am pretty sure I am not?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: User074357 on April 03, 2026, 07:56:35 PM
Using "Firewall: Diagnostics: Aliases" I can confirm __wan_network includes the /64 prefix of the network the OPNsense box is in. However, it does not include any other prefixes delegated by the FritzBox. Ideally I'd want it to block the entire /59 prefix.
This was what I've been looking for, so thanks for pointing that out to me! :)

I wonder, however: shouldn't the default "block any from any" last-match rule catch everything already? It should, so you wouldn't need to create aliases for this. Is the LAN even reachable from the OPT8 interface by default? This won't show from the OPNsense box due to the "let out anything from the firewall host itself" rule, so you'd need to test it with an actual device on OPT8. From what I see, it should work that way, but I cannot test this because I only have WAN and LAN interfaces.
Quote from: nero355 on April 03, 2026, 10:37:24 PM
In case your IPv6 prefix changes the amount of editing you need to do is minimal this way :)
This won't do, the prefix must be expected to change any time, unless the OP pays for a static prefix, which is unlikely. Mine changes every time I reconnect (and I like it that way for privacy reasons so I enforce daily reconnects just like with IPv4).
Quote from: nero355 on April 03, 2026, 10:37:24 PM
I can't find any information about the ID that I am mentioning here at https://docs.opnsense.org/ so I feel like I am saying something wrong here, but I am pretty sure I am not?!
What you probably have in mind will be the VLAN ID. The OP doesn't seem to utilize VLANs but the traditional topology of physically distinct subnets. Of course, you can assign a VLAN-ID-like infix to the subnet but contrary to VLANs this is optional.

Today at 09:32:53 AM #5 Last Edit: Today at 09:35:45 AM by JamesFrisch
Quote from: User074357 on April 03, 2026, 12:54:13 AM
I have a /59 prefix from my ISP with a FritzBox and am using prefix delegation to delegate a /60 prefix for my OPNsense box


You sure it is /59?
That is pretty odd. And not following RIPE recommendations. What is the name of that ISP?

Is it at least static? Or does your ISP there also not follow RIPE recommendations?

@drosophila IP-based tracking? Isn't that something from the early 2000s and long gone?

Quote from: drosophila on Today at 04:05:07 AM
This won't do, the prefix must be expected to change any time, unless the OP pays for a static prefix, which is unlikely.
It's recommended to assign all customers a static IPv6 prefix, unlike the whole dynamic IP address stuff that was going on with IPv4, so basically if your ISP does not do it then they are doing it wrong...

Quote: Mine changes every time I reconnect (and I like it that way for privacy reasons so I enforce daily reconnects just like with IPv4).
I would never do that, and since there is the whole Privacy Extensions thing for IPv6 there should be no need to do so either.

Quote: What you probably have in mind will be the VLAN ID. The OP doesn't seem to utilize VLANs but the traditional topology of physically distinct subnets. Of course, you can assign a VLAN-ID-like infix to the subnet but contrary to VLANs this is optional.
IIRC it can be assigned to both regular interfaces and VLAN interfaces, so I think that's not it, but again: I can't exactly remember the whole thing either, so I could be wrong!

Quote from: JamesFrisch on Today at 09:32:53 AM
@drosophila IP-based tracking? Isn't that something from the early 2000s and long gone?
IMHO it's still being done, but there are so many other ways to track people that you have probably noticed it less and less by now...

Quote from: nero355 on April 03, 2026, 10:37:24 PM
In case your IPv6 prefix changes the amount of editing you need to do is minimal this way :)

Unfortunately this won't do as my ISP assigns me a new IPv6 prefix every time the router reconnects.

Quote from: drosophila on Today at 04:05:07 AM
I wonder, however: shouldn't the default "block any from any" last-match rule catch everything already? It should, so you wouldn't need to create aliases for this. Is the LAN even reachable from the OPT8 interface by default? This won't show from the OPNsense box due to the "let out anything from the firewall host itself" rule, so you'd need to test it with an actual device on OPT8. From what I see, it should work that way, but I cannot test this because I only have WAN and LAN interfaces.

The default rule does indeed block everything. However, it also blocks access to external networks; for example, "ping -6 google.com" gets caught by the "default state violation" rule. I followed the "Allow access to all external networks and block all internal networks for local network isolation" rule from here: https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense/
This makes it possible to access the internet while preventing access to private networks. Is there a better approach to do this?

Quote from: JamesFrisch on Today at 09:32:53 AM
You sure it is /59?
That is pretty odd. And not following RIPE recommendations. What is the name of that ISP?

Is it at least static? Or does your ISP there also not follow RIPE recommendations?

It shows up as /59 in the FritzBox:
(attachment not available)

The ISP is Vodafone Germany providing cable internet here.

The prefix is not static and I get assigned a new prefix if the FritzBox reconnects.
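An added example, not code from the thread or from OPNsense, that works through the "allow external, block internal" approach the OP settled on and the dynamic-prefix problem the replies raise. It uses only the Python standard library. Given the /60 currently delegated to the OPNsense box, it derives the enclosing ISP prefix (assumed to be a /59 because that is what the OP's FritzBox shows), combines it with the IPv6 equivalents of the RFC 1918 ranges (ULA fc00::/7, link-local fe80::/10), and classifies sample destinations the way a "pass from DMZ to !internal" rule would. All prefixes and addresses below are constructed sample values in the 2001:db8::/32 documentation range; the alias name and helper names are illustrative, not OPNsense identifiers.

```python
"""Build the 'internal' IPv6 destination set for a DMZ isolation rule.

Constructed example: the delegated prefix, the /59 assumption and the
sample destinations are made up; adapt them to what your own FritzBox and
OPNsense show under Interfaces / Firewall: Diagnostics: Aliases.
"""
import ipaddress

# IPv6 counterparts of the RFC 1918 block used in the OP's IPv4 rule.
STATIC_INTERNAL = [
    ipaddress.ip_network("fc00::/7"),    # unique local addresses (ULA)
    ipaddress.ip_network("fe80::/10"),   # link-local
    ipaddress.ip_network("::1/128"),     # loopback
]


def isp_prefix(delegated, isp_prefix_len=59):
    """Return the ISP prefix that encloses the prefix delegated to OPNsense.

    The /60 is what OPNsense sees on WAN; the FritzBox keeps the rest of the
    /59 for its own networks, so blocking the /60 alone would still leave
    the FritzBox side reachable from the DMZ.
    """
    net = ipaddress.ip_network(delegated, strict=False)
    if net.prefixlen < isp_prefix_len:
        raise ValueError("delegated prefix is larger than the ISP prefix")
    return net.supernet(new_prefix=isp_prefix_len)


def internal_networks(delegated, isp_prefix_len=59):
    """Static private ranges plus the current ISP prefix (must be rebuilt
    whenever the ISP hands out a new prefix, e.g. after a reconnect)."""
    return STATIC_INTERNAL + [isp_prefix(delegated, isp_prefix_len)]


def is_internal(dst, networks):
    """True if the destination falls inside any 'internal' network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in networks)


def alias_content(networks):
    """One network per line, the shape a network alias accepts when pasted."""
    return "\n".join(str(net) for net in networks)


def evaluate(destinations, networks):
    """Mirror a rule 'pass from DMZ to !internal': internal -> block."""
    return {dst: ("block" if is_internal(dst, networks) else "pass")
            for dst in destinations}


if __name__ == "__main__":
    delegated = "2001:db8:abcd:10::/60"          # constructed /60 on WAN
    nets = internal_networks(delegated)
    print("alias DMZ_block_internal_v6:")
    print(alias_content(nets))
    samples = [
        "2001:db8:abcd::1",      # FritzBox side of the /59, outside the /60
        "2001:db8:abcd:11::5",   # LAN /64 inside the delegated /60
        "fd00::1",               # ULA
        "2001:db8:ffff::1",      # some other site (external)
    ]
    for dst, verdict in evaluate(samples, nets).items():
        print(f"{dst:24} {verdict}")
```

The practical caveat is in the test below: once the ISP assigns a new prefix, an alias built from the old /59 no longer matches the FritzBox's new address, and the DMZ regains access to it until the alias is regenerated, which is why a rule keyed on a dynamic alias such as "WAN net" (or a hook that rebuilds the alias on prefix change) is safer than a hand-maintained list.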