IPv6 DHCPv6 and blocking rules

I just set up a friend's home where they received a beautiful Spectrum Fiber connection with clean access to the ONT and internet. Spectrum by default is using IPv6 on new installs with IPv4 dual-stack support as fallback via CGNAT. I installed the latest version of pfSense+ on a Protectli FW4C box.

I was able to get their PC Network, IoT Network, and Guest network running with IPv6 using prefix delegation (they got a /60, so 8 internal networks supported). The issue I am seeing is that if I want to create a block rule for their kids to lose access overnight to the internet, things “slip” through the time-based rules. I used DHCPv6 to assign static IPs to the kids' devices, but when I look at the config there are three addresses assigned to a Windows device:

Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #3
Physical Address. . . . . . . . . : 8C-AE-4C-F2-2F-58
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2600:xxxx:xxxx:b06d::ff3d(Preferred)
Lease Obtained. . . . . . . . . . : Wednesday, June 14, 2023 4:58:00 AM
Lease Expires . . . . . . . . . . : Wednesday, June 14, 2023 8:13:00 AM
IPv6 Address. . . . . . . . . . . : 2600:xxxx:xxxx:b06d:498b:fcb9:c668:8230(Preferred)
Temporary IPv6 Address. . . . . . : 2600:xxxx:xxxx:b06d:f00f:3115:a091:3316(Deprecated)
Link-local IPv6 Address . . . . . : fe80::aa65:9ba7:16a0:2c36%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.15.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, June 11, 2023 10:12:00 AM
Lease Expires . . . . . . . . . . : Wednesday, June 14, 2023 4:57:59 PM
Default Gateway . . . . . . . . . : fe80::6662:66ff:fe21:9f99%9
                                    192.168.15.254
DHCP Server . . . . . . . . . . . : 192.168.15.254
DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
DHCPv6 Client DUID. . . . . . . . : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DNS Servers . . . . . . . . . . . : 192.168.15.222
                                    192.168.15.230
                                    2600:xxxx:xxxx:b06d::f222
                                    2600:xxxx:xxxx:b06d::f230
NetBIOS over Tcpip. . . . . . . . : Enabled

I put the IPv6 address from DHCPv6 in the block group, but the firewall doesn't seem to block the computer's connections consistently. What is the proper way to write a firewall rule to block a single computer with IPv6? Windows is really interesting, seeing three “Preferred” addresses, two of which are dynamically assigned.

Thanks.

Read the very last tip at the end, I’d bet this might be happening

https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html

Thanks, I am going to have to try a few things in my home lab for this. As much as I like IPv6’s concepts, such as removing NAT, all these dynamic network configurations to support the client take a while to come up with good practices for. I do have the timed restrict rule above the “general” access rule. Just need to do some packet tracing.

A conceptual difference between IPv4 and IPv6 you should know about is that it is perfectly normal for an interface to have multiple IPv6 addresses (this can of course also be the case for IPv4 but is less common). For example, you will most certainly find a link-local address (starting with fe80) on any IPv6-enabled interface. Other addresses might be of type Global Unicast Address (GUA, in your example starting with 2600).

In IPv6, DHCP serves a different role than in IPv4. For the most part, hosts use Stateless Address Autoconfiguration (SLAAC) to obtain the network prefix as well as DNS server and gateway addresses. Each host then generates a full IP address for itself using the prefix and by sort of “filling in the rest”. For most basic home networks, DHCPv6 is not required.

In networks where both SLAAC and DHCPv6 are enabled, hosts will obtain addresses through both protocols. In your example, 2600:xxxx:xxxx:b06d::ff3d would have been obtained through DHCP and 2600:xxxx:xxxx:b06d:498b:fcb9:c668:8230 would have been obtained through SLAAC.

However, and this is another difference from IPv4, on a user device these addresses would typically only be used for incoming connections or perhaps (on this point I’m actually not sure) for outgoing connections to the local network. To somewhat mitigate the fear that IP addresses can be used to track users across the web, devices generate random temporary addresses that expire after a certain time and use those for outgoing connections to the internet. In your example that would be 2600:xxxx:xxxx:b06d:f00f:3115:a091:3316.

Which brings us to the point: Blocking the addresses assigned by DHCPv6 from accessing the internet is pointless, since the end device doesn’t use them for outgoing connections anyway.

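To make the point of the reply above concrete, here is an added example (not code from the thread or from pfSense) that models the three global addresses of the Windows device and runs them through two rule lists the way pfSense evaluates rules: top to bottom, first match wins. The sample is constructed from the ipconfig output quoted in the first post; since the real prefix is redacted there (2600:xxxx:xxxx:b06d), the documentation prefix 2001:db8::/32 stands in for it, and the second temporary address is an invented successor to the one shown as Deprecated.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the ipconfig /all output quoted in the first
# post. The real prefix is redacted there, so the documentation prefix
# 2001:db8::/32 stands in for it; temporary_2 is a made-up successor to the
# deprecated temporary address (Windows rotates these on its own schedule).
KIDS_NET = ipaddress.IPv6Network("2001:db8:abcd:b06d::/64")

HOST_ADDRESSES = {
    "dhcpv6":      "2001:db8:abcd:b06d::ff3d",                # static DHCPv6 lease (the one with lease times)
    "slaac":       "2001:db8:abcd:b06d:498b:fcb9:c668:8230",  # stable SLAAC address (no lease times)
    "temporary_1": "2001:db8:abcd:b06d:f00f:3115:a091:3316",  # RFC 4941 temporary address, now Deprecated
    "temporary_2": "2001:db8:abcd:b06d:9c1e:2d0b:77aa:51f0",  # its replacement, constructed for this example
    "link_local":  "fe80::aa65:9ba7:16a0:2c36",
}


def classify(addr_str):
    """Classify by scope and by the shape of the 64-bit interface identifier (IID).

    A tiny IID such as ::ff3d is what an operator or DHCPv6 server hands out;
    a full 64-bit random IID is what SLAAC produces. Stable-SLAAC and temporary
    addresses cannot be told apart from the address alone, only from the OS
    (ipconfig labels the latter "Temporary IPv6 Address")."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr.is_link_local:
        return "link-local (never leaves the LAN)"
    iid = int(addr) & ((1 << 64) - 1)
    if iid < (1 << 16):
        return "global, short IID (DHCPv6 or manual)"
    return "global, random IID (SLAAC stable or temporary)"


def shared_prefix(addr_strs, plen=64):
    """Return the single /plen network all non-link-local addresses fall in, or None."""
    nets = {
        ipaddress.IPv6Network((a, plen), strict=False)
        for a in addr_strs
        if not ipaddress.IPv6Address(a).is_link_local
    }
    return nets.pop() if len(nets) == 1 else None


@dataclass(frozen=True)
class Rule:
    action: str                    # "block" or "pass"
    source: ipaddress.IPv6Network  # source network the rule matches


def first_match(rules, src):
    """pfSense rules are 'quick': scanning top to bottom, the first rule whose
    source matches decides, and an unmatched packet hits the default deny."""
    addr = ipaddress.IPv6Address(src)
    for rule in rules:
        if addr in rule.source:
            return rule.action
    return "block"


def evaluate(rules):
    """Verdict for each routable address of the kids' device."""
    return {
        name: first_match(rules, a)
        for name, a in HOST_ADDRESSES.items()
        if not ipaddress.IPv6Address(a).is_link_local
    }


ALLOW_ALL = Rule("pass", ipaddress.IPv6Network("::/0"))

# What the first post did: block the one address DHCPv6 assigned (a /128),
# placed above the general pass rule.
HOST_RULES = [Rule("block", ipaddress.IPv6Network("2001:db8:abcd:b06d::ff3d/128")), ALLOW_ALL]

# What the later posts converge on: block the prefix the kids' network lives
# in, which catches every address the host invents for itself.
PREFIX_RULES = [Rule("block", KIDS_NET), ALLOW_ALL]


if __name__ == "__main__":
    for name, a in HOST_ADDRESSES.items():
        print(f"{name:12} {a:40} {classify(a)}")
    print("common /64:     ", shared_prefix(HOST_ADDRESSES.values()))
    print("host /128 rule: ", evaluate(HOST_RULES))
    print("prefix /64 rule:", evaluate(PREFIX_RULES))
```

With the /128 rule only the DHCPv6 address is blocked; the SLAAC address and both temporary addresses fall through to the pass rule, which is exactly the "slipping through" described in the first post. With the /64 rule every address the device can generate is caught, because all of them share the delegated prefix. The flip side is that a prefix rule blocks the whole network, so the kids' devices need a network of their own (one of the delegated /64s). The model evaluates addresses statelessly and does not account for states pf has already created, which keep passing traffic regardless of rule changes until they expire or are cleared.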

I have been reading a lot of articles about IPv6 packet filtering today, and I am in the camp that states that you filter on the prefix of IPv6 but not the host, because the host can generate any number of host values. This puts the packet filtering techniques we used for IPv4 at the host/DHCP-assigned level in the trash can. I guess I have to just abandon IPv6 and fall back on IPv4 to keep the old packet filtering model.

Yeah, it might seem like this is more of an issue with IPv6 than it is with IPv4. But I would argue this is not the case because individually blocking certain source IP addresses for outgoing connections on its own was already providing basically no security at all for IPv4.