Howdy!

Is there a way to firewall traffic based on the ASN?

The underlying reason is that we've recently enabled HE's tunnelbroker which, for the most part, works great.

However, we've run into certain services *cough*Netflix*cough* which reject traffic sent through an HE tunnel. I'd like to reject this traffic from the tunnel, which will force the client to fall back on IPv4 connections.

I've experimented with simply rejecting all IPv6 traffic from the device, or watching what connections it makes and blocking the appropriate IPv6 allocations, but with widely distributed networks the client often jumps to a different block of IPs, and it would be a lot less work to block an ASN at a time rather than a specific range at a time.

For the two services I'm using for testing, both seem like they could be blocked by ASN fairly easily.

If there is no better way, I might try to write an HTTPS service which parses ARIN's WHOIS and returns a list of ranges allocated to a particular ASN, but it seems like there could be a better way.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
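The "service that turns an ASN into a list of ranges" idea above, as an added example that is not part of the list post and not pfSense's own code. It assumes the input is RPSL-style route/route6 objects of the kind IRR databases such as RADB return (ARIN's own WHOIS output is not parsed here), uses constructed sample data with documentation prefixes and private AS numbers, and emits one CIDR per line, which is the form a pfSense URL Table alias fetches. More-specific routes already covered by a broader prefix are collapsed, and malformed objects are skipped rather than aborting the whole list.

```python
"""Collect the prefixes an IRR database attributes to an origin ASN.

Added example (not from the pfSense post). Parses RPSL route/route6
objects, collapses the result, and renders a one-CIDR-per-line table.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in RPSL format; a blank line separates objects.
SAMPLE_IRR_TEXT = """\
route6:     2001:db8:1000::/36
descr:      Example streaming CDN (constructed)
origin:     AS64496
source:     RADB

route:      198.51.100.0/24
origin:     AS64496
source:     RADB

route6:     2001:db8:2000::/48
origin:     AS64497
source:     RADB

route6:     2001:db8:1000::/48
descr:      more-specific, already covered by the /36 above
origin:     AS64496
source:     RADB

route6:     not-a-prefix
origin:     AS64496
source:     RADB
"""


def parse_rpsl_objects(text: str) -> List[Dict[str, str]]:
    """Split RPSL text into objects: dict of lower-cased attribute -> value.
    Objects are separated by blank lines; a repeated attribute keeps its
    first value, and continuation lines (leading space/tab/+) are dropped."""
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line[0] in " \t+":
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip().lower(), value.strip())
    if current:
        objects.append(current)
    return objects


def normalize_asn(asn) -> Optional[str]:
    """Accept 64496, '64496', 'AS64496' or 'as64496'; return 'AS64496',
    or None when the value is not an AS number."""
    digits = re.sub(r"(?i)^as", "", str(asn).strip())
    return f"AS{int(digits)}" if digits.isdigit() else None


def prefixes_for_asn(text: str, asn, family: int = 6) -> List[IPNetwork]:
    """Sorted, collapsed route (family=4) or route6 (family=6) prefixes
    whose origin matches asn. Bad prefixes or origins are skipped."""
    want = normalize_asn(asn)
    if want is None:
        raise ValueError(f"not an AS number: {asn!r}")
    attr = "route6" if family == 6 else "route"
    nets: List[IPNetwork] = []
    for obj in parse_rpsl_objects(text):
        if attr not in obj or normalize_asn(obj.get("origin", "")) != want:
            continue
        try:
            net = ipaddress.ip_network(obj[attr])
        except ValueError:
            continue  # malformed object: skip it, keep the rest of the list
        if net.version == family:
            nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets)) if nets else []


def render_url_table(nets: List[IPNetwork]) -> str:
    """One CIDR per line, the format a pfSense URL Table alias fetches."""
    return "".join(f"{n}\n" for n in nets)


def asn_covers(nets: List[IPNetwork], address: str) -> bool:
    """True if address lies in any collected prefix; the per-destination
    check a firewall rule built from the alias would apply."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in nets)


if __name__ == "__main__":
    v6 = prefixes_for_asn(SAMPLE_IRR_TEXT, "AS64496")
    print(render_url_table(v6), end="")
    print("2001:db8:1fff::1 covered:", asn_covers(v6, "2001:db8:1fff::1"))
```

Serving the rendered text over HTTPS and pointing a URL Table alias at it lets the firewall refresh the list on a schedule, so a rule that rejects IPv6 traffic to the alias keeps up as the service moves between blocks inside the same ASN; rejecting rather than silently dropping is what lets the client fall back to IPv4 promptly.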
