IPv6 and Firewalls

Lazybones · December 15, 2018, 11:41:29 AM

I had to turn IPv6 back off after realizing it let my kids bypass my internet time rules. Not broken I just need to learn how to do this the IPv6 way on my firewall.

Tom · December 16, 2018, 09:01:57 AM

Quote from: Lazybones on December 15, 2018, 11:41:29 AM
I had to turn IPv6 back off after realizing it let my kids bypass my internet time rules. Not broken I just need to learn how to do this the IPv6 way on my firewall.

If its pfsense its just more rules I think. IPv4 and Ipv6 count as entirely separate things iirc.

Lazybones · December 16, 2018, 11:03:52 AM

Quote from: Tom on December 16, 2018, 09:01:57 AM
Quote from: Lazybones on December 15, 2018, 11:41:29 AM
I had to turn IPv6 back off after realizing it let my kids bypass my internet time rules. Not broken I just need to learn how to do this the IPv6 way on my firewall.
If its pfsense its just more rules I think. IPv4 and Ipv6 count as entirely separate things iirc.

Ubiquiti edgerouter. It is completely separate rules however no GUI for IPv6.

I know ?how? in general however IPv4 and IPv6 work fundamentally different with the way the first and last half of an address are assigned. There aren?t many guides on the topic.

There is no NAT which makes things easier in one respect but the first half of the address is dynamic and the second part is generated by the client .

When constructing client specific allow / deny rules I believe you only use the last half of the address etc .

Tom · December 16, 2018, 11:05:03 AM

Huh, I'm surprised the ubiquity stuff wouldn't have an ipv6 ui. Maybe theres a single setting some place to enable ipv6 and that'll make a bunch of stuff show up?

Lazybones · December 16, 2018, 11:08:10 AM

Quote from: Tom on December 16, 2018, 11:05:03 AM
Huh, I'm surprised the ubiquity stuff wouldn't have an ipv6 ui. Maybe theres a single setting some place to enable ipv6 and that'll make a bunch of stuff show up?

Nope, it is however in there UNMS management platform roadmap.

The lack of GUI really isn?t the problem.

Tom · December 16, 2018, 01:59:51 PM

Quote from: Lazybones on December 16, 2018, 11:08:10 AM
Quote from: Tom on December 16, 2018, 11:05:03 AM
Huh, I'm surprised the ubiquity stuff wouldn't have an ipv6 ui. Maybe theres a single setting some place to enable ipv6 and that'll make a bunch of stuff show up?

Nope, it is however in there UNMS management platform roadmap.

The lack of GUI really isn?t the problem.

I don't buy a product like that to manage things with a cli tool. sorry but nope. Heck, I used to run a debian install with a self written shorewall config. Got kinda tired of messing with that even if it is more powerful than pfsense.

The hardware and probably low level firmware likely has support for ipv6 no problem. so the problem is the lack of a gui

Lazybones · December 16, 2018, 02:08:48 PM

Correct it has had IPv6 support for s long time.

Keep in mind I did not purchase it for its IPv6 capability.

If I was going to purchase something today I might make that a bigger factor.

However the platform has very long support cycles.

Going over IPv6 still tends to be a lot slower than IPv4 because fewer hops support it.

I am interested in playing with it however as it might open up some interesting point to point options as well as some benefits on mobile since a lot of cell networks now are IPv6 native.