Emerging Member
Posts: 56
Registered: 12-11-2014
Kudos: 5
Solutions: 1
How to isolate vlans for IPv6

I have a few VLANs that are isolated from the other LANs, and everything works fine on IPv4. I use a simple rule set such as this:

name VLAN20_IN {
        default-action accept
        description "WiFi Isolated"
        rule 1 {
            action accept
            description "Allow vlan router access"
            destination {
                address 192.168.20.1
                group {
                }
            }
            log disable
            protocol all
        }
        rule 3 {
            action drop
            description "Block access to other networks"
            destination {
                group {
                    network-group BLOCKED_NETS
                }
            }
            log enable
            protocol all

where BLOCKED_NETS is the other VLAN subnets etc. as well as the default LAN:

network-group BLOCKED_NETS {
            network 192.168.1.0/24
            network 192.168.2.0/24
            network 192.168.10.0/24
            network 192.168.20.0/24
            network 192.168.21.0/24

But on IPv6 there are no private subnets to block, as every node gets its own address.

The only thing that seems different is the prefix-id on the SLAAC dhcpv6-pd.

So how do I do the same thing (isolate nodes from other nodes on the same or other VLANs) on IPv6?

Thanks for any guidance.

mark

All Replies
Regular Member
Posts: 337
Registered: 06-08-2013
Kudos: 167
Solutions: 19

Re: How to isolate vlans for IPv6

Ok firstly, I have no idea if this will work.

 

I've got a firewall rule that works with changing prefixes, pointing at the EUI64 address of a server:

set firewall ipv6-name IPv6-In rule 4 destination address ::f925:d9ff:fec4:70dd/::ffff:ffff:ffff:ffff

Which I got from here: http://blog.dupondje.be/?p=17

It's basically saying that ip6tables should ignore the network portion of the address and focus on the host portion.

 

If you're getting a /56 (for example) and assigning ::01/64 to one subnet and ::02/64 to another then you could, in theory, use:

set firewall ipv6-name IPv6-In rule 4 destination address ::01:0:0:0:0/::ff:0:0:0:0

Assuming that any packets hitting this ACL will be destined for your subnet and therefore the first 56 bits will always be correct, and the final 64 bits will always be the devices in that subnet, you only actually care about the 8 extra bits that are assigned to you to provide different subnets.

Again, I have no idea if this will work.

Emerging Member
Posts: 56
Registered: 12-11-2014
Kudos: 5
Solutions: 1

Re: How to isolate vlans for IPv6

Thanks for that.

 

It certainly seems logical, but I'm not sure I know enough about IPv6 to figure out how to write the rules.

And trying a calculator didn't help, as it didn't allow the initial ::.

Regular Member
Posts: 337
Registered: 06-08-2013
Kudos: 167
Solutions: 19

Re: How to isolate vlans for IPv6

Ok, firstly, you can't do this with groups; it fails validation.

The IPv6 config allows you to assign the subnets in a known manner, so where your IPv4 config has:

  • 192.168.1.0/24
  • 192.168.2.0/24
  • 192.168.10.0/24
  • 192.168.20.0/24
  • 192.168.21.0/24

For IPv6 you can now have:

  • ::01/64
  • ::02/64
  • ::10/64
  • ::20/64
  • ::21/64

So if your assigned /56 is 2a00:1234:5678:9a::/56 these would map to:

  • 2a00:1234:5678:9a01::/64
  • 2a00:1234:5678:9a02::/64
  • 2a00:1234:5678:9a10::/64
  • 2a00:1234:5678:9a20::/64
  • 2a00:1234:5678:9a21::/64

So to make these blocked in firewall rules you could do:

set firewall ipv6-name IPv6-Block rule 101 action drop
set firewall ipv6-name IPv6-Block rule 101 destination address ::01:0:0:0:0/::ff:0:0:0:0
set firewall ipv6-name IPv6-Block rule 101 protocol all

set firewall ipv6-name IPv6-Block rule 102 action drop
set firewall ipv6-name IPv6-Block rule 102 destination address ::02:0:0:0:0/::ff:0:0:0:0
set firewall ipv6-name IPv6-Block rule 102 protocol all

set firewall ipv6-name IPv6-Block rule 110 action drop
set firewall ipv6-name IPv6-Block rule 110 destination address ::10:0:0:0:0/::ff:0:0:0:0
set firewall ipv6-name IPv6-Block rule 110 protocol all

set firewall ipv6-name IPv6-Block rule 120 action drop
set firewall ipv6-name IPv6-Block rule 120 destination address ::20:0:0:0:0/::ff:0:0:0:0
set firewall ipv6-name IPv6-Block rule 120 protocol all

set firewall ipv6-name IPv6-Block rule 121 action drop
set firewall ipv6-name IPv6-Block rule 121 destination address ::21:0:0:0:0/::ff:0:0:0:0
set firewall ipv6-name IPv6-Block rule 121 protocol all

The key point here is you only want the router to pay attention to the bits that differentiate the local subnet.

The 'ff' in the mask tells the router to only pay attention to this part of the address, and the numbers (01, 02, 10, 20 and 21) in the address tell the router what it should block on.

Emerging Member
Posts: 56
Registered: 12-11-2014
Kudos: 5
Solutions: 1

Re: How to isolate vlans for IPv6

OK, makes total sense now.

Question on the part you wrote:

For IPv6 you can now have:

  • ::01/64
  • ::02/64
  • ::10/64
  • ::20/64
  • ::21/64

Are the prefixes set by SLAAC or some other variable? I captured some addresses and it 'seems' like it is the SLAAC prefix-id, which is what I thought it might be initially but wasn't sure.

If that's the case, with your info, I should be able to get this to work. I had used SLAAC prefix-ids 0,1,2,3,4 so that should work OK with a /60 (I have home, not business service).

Thanks!

 

mark

Regular Member
Posts: 337
Registered: 06-08-2013
Kudos: 167
Solutions: 19

Re: How to isolate vlans for IPv6

In my case, the prefixes are set by DHCPv6-PD, and my config might be a little different to yours as it's served over a PPPoE connection:

ethernet eth0 {
     address 172.16.100.1/24
     duplex auto
     mtu 1508
     pppoe 0 {
         default-route auto
         dhcpv6-pd {
             pd 0 {
                 interface eth2 {
                     host-address ::1
                     prefix-id :0
                     service slaac
                 }
                 prefix-length /56
             }
             prefix-only
             rapid-commit enable
         }
         firewall {
             in {
                 ipv6-name IPv6-In
             }
             local {
                 name DirectToRouter
             }
         }
         ipv6 {
             address {
                 autoconf
             }
             dup-addr-detect-transmits 1
             enable {
             }
         }
         mtu 1500
         name-server auto
         password password
         traffic-policy {
             out OutgoingLink
         }
         user-id spoons@btbroadband.com
     }
     speed auto
 }

So it says for prefix delegation received on pppoe0 it'll be a /56, and eth2 will have :0/64.

I believe there is a similar config for DHCPv6-PD over ethernet services, but I've not looked into those.

 

Matt

Emerging Member
Posts: 56
Registered: 12-11-2014
Kudos: 5
Solutions: 1

Re: How to isolate vlans for IPv6

Looks similar to mine:

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN-ISP-COMCAST
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface switch0 {
                    host-address ::1
                    prefix-id :0
                    service slaac
                }
                interface switch0.10 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                interface switch0.20 {
                    host-address ::1
                    prefix-id :3
                    service slaac
                }
                interface switch0.21 {
                    host-address ::1
                    prefix-id :4
                    service slaac
                }
                prefix-length 60
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {

 

So I think that should work. I'll post if I have any issues, but that should work.

Thanks!

 

mark

Regular Member
Posts: 337
Registered: 06-08-2013
Kudos: 167
Solutions: 19

Re: How to isolate vlans for IPv6

That looks good. :-)

 

As I said in my first post, I've never seen the ACL config work like this, as I've only used it to mask the network prefix, but it should do it in theory.

 

So I'd be really interested to know if this works. If it does I think we should ask the devs to make it work with firewall groups, as I'm guessing (hoping) it's only a command validation issue rather than a change to the underlying IPtables.

 

Matt

New Member
Posts: 13
Registered: 02-02-2016
Kudos: 1

Re: How to isolate vlans for IPv6

Do you know if this really worked out? I need the same functionality: separate the (V)LANs on IPv6.

Veteran Member
Posts: 7,789
Registered: 03-24-2016
Kudos: 2028
Solutions: 892

Re: How to isolate vlans for IPv6

I doubt this "solution" will work as intended.

If a rule with a mask like the one below does work, it has one problem:

set firewall ipv6-name IPv6-Block rule 110 destination address ::10:0:0:0:0/::ff:0:0:0:0

It will also block access to hosts on the IPv6 internet matching ::10:0:0:0:0/::ff:0:0:0:0

Alternative:

Use firewall modify rules on LAN interfaces to mark incoming IPv6 traffic.

On the LAN_OUT firewall ruleset, drop packets having that mark.

New Member
Posts: 13
Registered: 02-02-2016
Kudos: 1

Re: How to isolate vlans for IPv6

I'm afraid you're right.

I noticed the solution with the marked packets here, but this seems a bit of a workaround as well.

In IPv4 I can block packets with destination, let's say, NETv4_switch0.100, representing the subnet on the switch0.100 interface. But I believe this doesn't exist for IPv6? Why not?

Of course hardcoding the IPv6 subnets is a solution, but if the ISP decides to change the delegated prefix, it stops working.

Veteran Member
Posts: 7,789
Registered: 03-24-2016
Kudos: 2028
Solutions: 892

Re: How to isolate vlans for IPv6

Alternatively, this might work too:

Use on each LAN interface a LAN6_OUT ruleset with default action drop, and an established/related rule allowing traffic.

New Member
Posts: 13
Registered: 02-02-2016
Kudos: 1

Re: How to isolate vlans for IPv6

Let me clarify that: you mean only allow outgoing established and related traffic on, for example, switch0.100, so a new connection from switch0.101 will not pass? That might do the trick.

However, if I want to allow new connections from switch0 to switch0.100, but not from switch0.101 to switch0.100, it won't work. Your suggestion blocks it all, because it's on the outgoing interface. I would like to differentiate on the source of the traffic.

Veteran Member
Posts: 7,789
Registered: 03-24-2016
Kudos: 2028
Solutions: 892

Re: How to isolate vlans for IPv6

If you're on ERX, don't assign to switch0; use switch0.1 instead.

You can follow the suggested established/related rule with another rule, allowing traffic in from other VLANs:

set firewall ipv6-name IPv6-VLAN100_OUT rule 110 source address ::20:0:0:0:0/::ff:0:0:0:0

This will give access from VLAN20 source IPs, this time without blocking outgoing access to internet addresses.

It doesn't affect WAN->LAN access, as IPv6WAN_IN takes care of that.
