Network setup to support IPv6 in combination with OpnSense / routing via multiple wan interfaces

Hi all,

I'm just rebuilding and rethinking my home network (includes some neighbours as well) and came to a point where I'm a little lost about what may be the best approach.

Background: in the past (IPv4 only), I've created firewall rules based on the source of the packet / subnets (NAT disabled on the router). Ingress on the firewall was via a single (lan) interface without vlans. For the new setup I want to have (or at least design to support in near future) full IPv6 support. I get a respective /56 prefix at the wan side of the firewall from my provider. Everything is quite clear on the internal side of the router with delegating prefixes from the firewall to the router feeding clients with IPs.

Rough setup:
Internal devices / APs / Switches (spread over >10 vlans) <-> router (OpenWrt) -> firewall (OPNsense)

My problem is the way between the router and firewall. My firewall rules must be different based on the subnet they come from, which is now an IPv6 one with a changing prefix. And even further, the firewall is not "knowing" the prefixes of the downstream vlans (maybe /64 ones) behind the router, only the first delegated bigger subnet (e.g. a /57) from firewall to router.

Are there any best practices on how to solve this, or is there someone out there having a similar setup who solved this already?

My first thought, and maybe a working one, was making the way between router and firewall a kind of trunk port. Specifically, to map every vlan on the internal router side to one on the wire between it and the firewall, while mapping every vlan there to a specific interface. With that, I could easily create firewall rules based on the ingress interface (kind of zone based then).

But I am struggling regarding:

  • is this a good way to go?
  • how the hell can I configure this? For tagging the egress packets on the router wan I have an idea. But how can I define a route linking an internal source vlan / interface with a specific outgoing interface on the wan side of the router?

I hope my direction is clear with the above and it is not too much. If something is unclear, just point me in the direction where I missed details.

Thanks beforehand for any help
Robert

Investigated a little more and found the routing rules part in luci (see below).

May this be a good / working solution for my above described problem (performance / maintenance / complexity wise)?

For IPv6 routing rules OpenWrt supports negative masks, to mask the prefix.
My WG server inside my network has a static IPv6 address: prefix64::6

To allow traffic to this server I use the negative mask to filter the prefix; if the prefix changes it will still work:

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	# -64 is the negative mask to filter out the /64 prefix
	list src_ip '::6/-64'

Maybe something like this with a negative netmask is what you can also use.

Hi @egc,

thanks for the hint! That's a pretty nice functionality I wasn't aware of until now.

Nevertheless, while I may have some firewall rules at the router level, the majority should be in the firewall (OPNsense). So I kind of need to get the traffic in a way to it which enables it to filter based on the source without the need of "knowing" source IPs (independent from IPv4 or 6).

At least this was my thought with the described "lan-vlan to wan-vlan" mapping. But this needs kind of rule based routing. Like that:

  • vlan 1 tagged ingress at lan interface 1 -> vlan 1 tagged egress at wan interface 1
  • vlan 2 tagged ingress at lan interface 2 -> vlan 2 tagged egress at wan interface 2
  • ...
  • vlan N tagged ingress at lan interface N -> vlan N tagged egress at wan interface N

(simplified, and vlan ids must not be equal between lan and wan, I think)

But for this I need a source based routing. Is this possible with above mentioned rules?

And in general: is it a good idea, or is there a better approach fulfilling the requirements as well?

Thanks and best regards
Robert
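The "lan-vlan to wan-vlan" mapping asked about in the post above is, on Linux/OpenWrt, plain source-interface policy routing: one routing table per VLAN, a default route in that table pointing out of the matching WAN sub-interface, and an `ip -6 rule` that selects the table by ingress interface (`iif`). Because the match is on the interface and not on an address, it keeps working when the delegated prefix changes, and the firewall then sees each VLAN on its own interface and can filter by interface without knowing the /64s. The script below is an added example written for this thread, not something from the original posts or from OpenWrt itself; the interface names, table ids and the firewall's link-local next-hop `fe80::1` are assumptions. By default it only prints the commands so they can be reviewed; `APPLY=1` executes them (it needs root on the router). Return traffic needs no extra rules, since the router's main table already holds the connected routes for the delegated /64s on the LAN side.

```shell
#!/bin/sh
# Added example (not from the thread): generate iif-based IPv6 policy-routing
# commands that map each LAN VLAN interface to its own WAN VLAN sub-interface.
# Interface names, table ids and the next-hop address are assumptions.

# Mapping "lan_iface:wan_iface:table_id", constructed for this example.
VLAN_MAP="br-lan.10:eth1.110:110
br-lan.20:eth1.120:120
br-lan.30:eth1.130:130"

# Next hop on every WAN VLAN: the firewall's link-local address (assumed value).
WAN_GW="fe80::1"

# Emit the two ip(8) commands for one mapping as text. The route goes into a
# dedicated table; the rule sends packets that entered via the LAN VLAN to it.
gen_rules() {
  lan="$1"; wan="$2"; table="$3"
  printf 'ip -6 route add default via %s dev %s table %s\n' "$WAN_GW" "$wan" "$table"
  printf 'ip -6 rule add iif %s lookup %s priority %s\n' "$lan" "$table" "$((1000 + $table))"
}

# Walk the whole map and return all commands as one block of text.
gen_all() {
  echo "$VLAN_MAP" | while IFS=: read -r lan wan table; do
    [ -n "$lan" ] || continue
    gen_rules "$lan" "$wan" "$table"
  done
}

# Number of policy rules the map would install (one per VLAN).
rule_count() {
  gen_all | grep -c '^ip -6 rule'
}

# Dry run by default; APPLY=1 actually installs the routes and rules.
if [ "${APPLY:-0}" = "1" ]; then
  gen_all | sh -e
else
  gen_all
fi
```

The same mapping can be expressed persistently in `/etc/config/network` with `config route6` / `config rule6` sections (the "routing rules" page in LuCI the poster found), where `option in` is the ingress interface and `option lookup` the table; the `ip` commands above are the underlying operations those sections produce. Note that the priority values here are simply `1000 + table id` so the rules sort before the main table lookup and stay distinguishable from each other.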