
I have taken upon myself the configuration of an IPv6 network in an enterprise LAN. There is a single VLAN for all the hosts in the LAN. I am using pfSense 2.3.4 software.

I now have to figure out the address distribution in the LAN. The addresses should not allow identifying any of the hosts from the global network, so there are 2 options: NATv6 with local addresses, or global addresses with address rotating, but I've read about NATv6 being a bad choice. I could just set up address rotating with global addresses, but that would keep me from creating IP address based firewall rules, since the addresses would change all the time.

Is there a way I could assign an IPv6 address range to each of the hosts to rotate their addresses within that range, so I could still write firewall rules for each of these ranges (instead of static addresses) and hide (to some extent) the public addresses of hosts from global viewers? And is this doable in pfSense?

I could also have just made a VLAN for each different role in the office and rotate global addresses on a per role basis and create firewall rules on a per role basis, but that is not an option.

Girtsd

1 Answer


I've done some more tweaking and tinkering and have gotten to a good spot in the last couple of days.

So I will write up a summary of what I got to work.

To refresh the topic: I wanted to create a network behind a single (LAN) interface of my pfSense box. The requirements for the network were to provide workstations in the network with working IPv6 addresses. The network shouldn't allow the global network to identify devices on this network, but should provide an option to write firewall rules based on addresses in this network. I want all hosts in this network to be able to "anonymously" browse the web and stay unidentified, and I want all hosts in this network to have access restrictions for other networks that are directly attached to my pfSense box. So I need to identify each of the hosts and write per host (or per employee role) firewall rules that restrict some access to inside resources.

To my knowledge there were 3 ways to achieve this.

  1. Use ULAs (Unique Local Addresses) for inside communications and have access restrictions on the static ULAs, but use NAT66 for global communications, protecting the identity of hosts. This is agreed to be bad.

  2. Have multiple per employee role (access level) VLANs in the network. That way the firewall rules can be written based on VLANs, ignoring the addresses, and every host could have GUAs (Global Unicast Addresses) for both global and local communications. There could be temporary privacy addresses to help protect the identities from the global network. This was not an option, since I want to do this with a single VLAN.

  3. Still keep having a single VLAN with GUAs, but assign a specific address range for each host in which it can rotate its addresses. This way I can write firewall rules based on these ranges and protect identities with the rotating addresses. This is what I wanted to achieve, but found it is impossible in pfSense (as opposed to some commercial solutions).

Now I have found a fourth way to achieve this.

  1. Each host in the LAN has 2 different network addresses: one ULA and one GUA. There can actually be multiple GUAs, since GUAs are autogenerated. I could have the Router Advertisements taking care of GUAs by advertising the global prefix to hosts in the network. These GUAs would then be used for reaching the global network, and hosts could use privacy (rotating) addresses so that they stay unidentifiable from the global network.

     As for the ULAs: the DHCPv6 server would take care of these addresses, providing a static per-DUID ULA for each host. These addresses could be used for the mentioned inside communications and have firewall rules written based on them. To make this work I need each host to only have a single address in this local network, so I have to disable RAs (Router Advertisements) for this prefix. By default pfSense generates the /var/etc/radvd.conf configuration file with all the RA-listed prefixes and always adds the DHCPv6 prefix to RA as well. This way all the hosts get multiple addresses, which would cause them to use privacy addresses as source and my firewall rules would be of no use, so I commented out the part that generates the DHCPv6 prefix clause for the radvd.conf file from the /etc/inc/services.inc file, and the DHCP network no longer gets advertised with Router Advertisements. This way each host only has a single address within this local prefix.

     In addition to that I have to make sure that hosts will always use the ULA to reach inside resources and the GUA for global resources, which happens thanks to the 2nd rule in the source address selection protocol per RFC 6724 (https://www.rfc-editor.org/rfc/rfc6724), which says that a source address with the same scope (global, local, link local) as the destination will be preferred. Thanks to this, and inside resources having local addresses as well, I have everything working the way I want it to. The only hack is to change the /etc/inc/services.inc file to comment out that one part.

     Furthermore I also have to set up an IP Alias type Virtual IP for the LAN interface with an address from the second prefix of the network. So one address gets set to the interface (in my case the local one) and the other (global address) gets set to the virtual IP.

So this fourth way is working as expected and hasn't required more VLANs or NAT66 or a feature pfSense does not offer.

Girtsd
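Added illustration, not code from the original post: a small model of the RFC 6724 rules that decide the source address in this setup (rules 2, 5, 7 and 8 with the RFC's default policy table), run on a constructed host that holds one static DHCPv6 ULA, one stable GUA and one temporary GUA. It assumes the default policy table, in which fc00::/7 carries its own label, so rule 5 (prefer matching label) is what keeps ULA sources with ULA destinations, since RFC 6724 section 3.1 treats ULAs as global scope for rule 2.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table as (prefix, precedence, label);
# note fc00::/7 (ULA) has its own label, 13, while plain GUAs fall under ::/0, label 1.
POLICY_TABLE = [("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
                ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
                ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]

def label(addr):
    """Label of the longest policy-table prefix that contains addr."""
    hits = [(ipaddress.ip_network(p).prefixlen, lbl)
            for p, _, lbl in POLICY_TABLE if addr in ipaddress.ip_network(p)]
    return max(hits)[1]

def scope(addr):
    """RFC 6724 section 3.1: link-local is 2; ULAs and GUAs both count as global, 14."""
    return 2 if addr.is_link_local else 14

def select_source(candidates, dst):
    """Candidate (address, is_temporary) that RFC 6724 picks for dst. Rules 1, 3, 4
    and 6 are omitted: all candidates are assumed preferred, on one interface."""
    dst = ipaddress.IPv6Address(dst)

    def key(cand):
        src = ipaddress.IPv6Address(cand[0])
        s = scope(src)
        # Rule 2, prefer appropriate scope: a scope >= the destination's beats a smaller
        # one; among the former the smallest wins, among the latter the largest.
        rule2 = (0, s) if s >= scope(dst) else (1, -s)
        rule5 = 0 if label(src) == label(dst) else 1  # prefer matching label
        rule7 = 0 if cand[1] else 1                   # prefer temporary addresses
        rule8 = (int(src) ^ int(dst)).bit_length()    # longest matching prefix
        return (rule2, rule5, rule7, rule8)

    return min(candidates, key=key)[0]

# Constructed host (not from the page): the address set the answer's setup yields.
HOST = [("fd12:3456:789a:1::10", False),              # static ULA from DHCPv6
        ("2001:db8:1:10::10", False),                 # stable SLAAC GUA
        ("2001:db8:1:10:a1b2:c3d4:e5f6:7a8b", True)]  # temporary (privacy) GUA
INTERNAL_SERVER = "fd12:3456:789a:2::5"  # ULA of an inside resource (constructed)
INTERNET_HOST = "2001:db8:ffff::1"       # global destination (constructed)

def demo():
    """Source picked per destination, plus the case where the ULA prefix is still in
    the RAs so the host also forms a temporary ULA (the pfSense default the answer patched out)."""
    with_temp_ula = HOST + [("fd12:3456:789a:1:9f3a:1b2c:3d4e:5f60", True)]
    return {"internal": select_source(HOST, INTERNAL_SERVER),
            "internet": select_source(HOST, INTERNET_HOST),
            "internal_with_ula_in_ra": select_source(with_temp_ula, INTERNAL_SERVER)}
```

The third case shows the failure the answer avoided by taking the DHCPv6 prefix out of radvd.conf: once the host forms a temporary ULA, rule 7 picks it over the static one and address-based firewall rules written for the static ULA stop matching.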
  • I don't quite understand the problem with number 2. Most host OSes use privacy extensions and random addressing that protects your host privacy on the same VLAN as the VLAN where it has its global address. I don't see why this requires multiple VLANs. For example, my PC has a global IPv6 address and six temporary IPv6 addresses (five of which are deprecated, proving it changes on a regular basis), and all these addresses are in the same IPv6 network and VLAN. – Ron Maupin Jul 17 '17 at 16:04
  • Multiple VLANs would be needed because temporary addresses are almost always selected as the source address, which would mean changing addresses that render my firewall rules useless. If I have multiple VLANs then the firewall rules can be written based on prefixes which would solve the temporary source address problem. – Girtsd Jul 17 '17 at 16:42
  • Your firewall should default to block all inbound connections, and it should have a state table that tracks outbound connections and allow responses to those connections. This works with privacy extensions and random addressing with global addresses. As far as internal communications go, then simply use ULA addressing for internal communication. This simply works. I believe you are overthinking this. Also, there is no standard for NAT66 the way there is for NAT44, so you really do want to stay away from this. – Ron Maupin Jul 17 '17 at 16:50
  • The firewall is doing just that, but if someone was to attack the intranet users, then this someone could investigate the outgoing connections and hitchhike one of the already made connections that are allowed through. There are other ways to hack the network too. As for inside communications: that is exactly what I'm doing. ULAs for intranet and GUAs for global network. Source address selection protocol makes sure that address from the appropriate scope is used. – Girtsd Jul 18 '17 at 08:38
  • The only real problem with ULA addressing is the requirement for the 40 random bits, and that you are not allowed to pick consecutive networks. It is harder to make sense of the networks, but with global addressing you can add a lot of information into the addressing in the network part, at the very least, just a site code, but also something like a VLAN, network device type, function, address type, device number, etc. – Ron Maupin Jul 18 '17 at 12:59