Home / server / Questions / 858336
Accepted
Girtsd
Asked: 2017-06-29 04:54:12 +0800 CST

Host specific ipv6 address range for address rotating in pfsense dhcpv6

  • 772

I have taken upon myself the configuration of an ipv6 network in an enterprise lan. There is a single VLAN for all the hosts in the LAN. I am using pfsense 2.3.4 software.

I now have to figure out the address distribution in the LAN. The addresses should not allow identifying any of the hosts from the global network, so there are 2 options. NATv6 with local addresses or global addresses with address rotating, but I`ve read about NATv6 being a bad choice. I could just set up address rotating with global addresses, but that would keep me from creating IP address based firewall rules, since the addresses would change all the time.

Is there a way I could assign an IPv6 address range to each of the hosts to rotate their addresses within that range, so I could still write firewall rules for each of these ranges (instead of static addresses) and hide (to some extent) the public addresses of hosts from global viewers? And is this doable in pfsense?

I could also have just made a VLAN for each different role in the office and rotate global addresses on a per role basis and create firewall rules on a per role basis, but that is not an option.

dhcp

1 Answers

  1. Best Answer

    I`ve done some more tweaking and tinkering and have gotten to a good spot in the last couple of days.

    So I will write up a summary of what I got to work.

    To refresh the topic: I wanted to create a network behind a single (LAN) interface of my pfsense box. The requirements for the network was to provide workstations in the network with working ipv6 addresses. The network shouldn`t allow the global network to identify devices on this network, but should provide an option to write firewall rules based on addresses in this network. I want all hosts in this network to be able to "anonymously" browse the web and stay unidentified, and I want all hosts in this network to have access restrictions for other networks that are directly attached to my pfsense box. So I need to identify each of the hosts and write per host (or per employee role) firewall rules that restrict some access to inside resources.

    To my knowledge there were 3 ways to achieve this.

    1. Use ULAs (Unique Local Addresses) for inside communications and have access restrictions on the static ULAs, but use NAT66 for global communications, protecting the identity of hosts. This is agreed to be bad.

    2. Have multiple per employee role (access level) VLANs in the network. That way the firewall rules can be written based on VLANs ignoring the addresses and every host could have GUAs (Global Unique Addresses) for both global and local communications. There could be temporary privacy addresses to help protecting the identities from the global network. This was not an option, since I want to do this with a single VLAN.

    3. Still keep having a single VLAN with GUAs, but assign a specific address range for each host in which it can rotate its addresses. This way I can write firewall rules based on these ranges and protect identities with the rotating addresses. This is what I wanted to achieve, but found is impossible in pfsense (opposed to some commercial solutions).

    Now I have found a fourth way to achieve this.

    1. Each host in the LAN has 2 different network addresses: one ULA and one GUA. There can actually be multiple GUAs, since GUAs are autogenerated. I could have the the Router Advertisements taking care of GUAs by advertising the global prefix to hosts in the network. These GUAs would then be used for reaching the global network and hosts could use privacy (rotating) addresses so that they stay unidentifiable from the global network. As for the ULAs: the DHCPv6 server would take care of these addresses providing a statitc per DUID LUA for each host. These addresses could be used for the mentioned inside communications and have firewall rules written based on them. To make this work I need each host to only have a single address in this local network, so I have to disable RAs (Router Advertisements) for this prefix. By default pfsense generates the /var/etc/radvd.conf configuration file with all the RA listed prefixes and always adds the DHCPv6 prefix to RA as well. This way all the hosts get multiple addresses which would cause them using privacy addresses as source and my firewall rules would be of no use, so I commented out the part that generates the DHCPv6 prefix clause for the radvd.conf file from /etc/inc/services/inc file, and the DHCP network no longer gets advertised with Router Advertisements. This way each host only has a single address within this local prefix. In addition to that I have to make sure that hosts will always use the ULA to reach inside resources and GUA for global resources, which happens thanks to the 2nd rule in source address selection protocol per RFC6724 (https://www.rfc-editor.org/rfc/rfc6724), which says that a source address with the same scope (global, local, link local) as the destination will be preffered. Thanks to this and inside resources having local addresses as well I have everything working the way I want it to. The only hack is to change the /etc/inc/services.inc file to comment out that one part. Furthermore I also have to set up an IP Alias type Virtual IP for the LAN interface with an address from the second prefix of the network. So one address gets set to the interface (in my case the local one) and the other (global address) gets set to the virtual IP.

    So this fourth way is working as expected and hasn`t required more VLANs or NAT66 or a feature pfsense does not offer.

    • 1