@GeorgePatches said in Applying a rule to a single client in a SLAAC only network?:
This won't solve the problem if the ISP rotates your prefix delegation on the regular (my personal experience with Verizon FIOS residential).
Very true.
If any of my LAN devices asks for a DHCPv6 lease, it will last, on a typical Win11 machine, 6 hours.
That is, this is what I see:
[screenshot of the DHCPv6 lease from the original post; image not preserved]
and it is now 09h44, and I just renewed the lease manually with ipconfig /renew6.
If, a moment later, my upstream ISP allocates me a new prefix, the DHCPv6 LAN server will get restarted with the new prefix ... but my LAN devices will still use their now deprecated old prefix.
I'm not sure if other IPv6 magic exists that can warn the LAN device that 'something' has changed, and that it should force-renew its IPv6 lease.
If not, then yeah, now we have a routing issue.
Yes, a prefix can change, but it shouldn't change "often". And that is an RFC standard.
For example, since my pfSense was activated on my (now IPv6) ISP router, about 18 months now, my prefix hasn't changed.
France, the country where I live, managed to create a 'law' (privacy act stuff, whatever) that an "IP" should change at least once a year. As I have a 'pro' account, I opted out of that, so my WAN IPv4 and IPv6 (prefix) are pretty rock solid.
Constantly changing prefixes, imho, is a pure pain.
The real issue is: the (IPv6) RFCs exist, and every ISP out there interprets them somewhat differently.
@GeorgePatches said in Applying a rule to a single client in a SLAAC only network?:
The only solution to this problem that I've come up with is to set up dynamic DNS on the client I want to make a rule for, create an alias for said DDNS entry, and then use said alias in a firewall rule.
That is exactly what I do 😊
But I'm not using the classic "Services > Dynamic DNS > Dynamic DNS Clients" solution.
A DHCPv4 and DHCPv6 server can register the host name of a device that asked for a lease into a DNS server.
This was already possible with pfSense before, but then the host name is only known locally.
The ISC DHCP server (and Kea also) can also use any other DNS server (so also my domain name server) to register the host name with the IP. That's not 'like' DDNS, it IS DDNS, and it also uses RFC2136 (which is the classic, very first DDNS method that existed out there).
As I'm using Kea, and Kea uses a separate process (program) for that, and pfSense has that program but isn't using it, I decided to use it.
Works great, and was pretty straightforward to implement.
And none of all this is a surprise, as Kea is written by the same guys who wrote "ISC DHCP", so they made it compatible.
Btw: not that I really need a LAN IPv6 device (my NAS) to be reachable at a world Internet level; it just enables me to access my NAS over IPv4 or IPv6 anytime. It's more a "to be ready for the future" thing. And the future is here: 60+ % of all my pfSense LAN/WAN traffic is IPv6.
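For readers who want to see what the setup described in this reply looks like in Kea terms, here is an illustrative pair of configs (added example, not the poster's actual pfSense configuration and not pfSense's generated files): kea-dhcp6 hands each lease's host name to the separate kea-dhcp-ddns daemon, which sends TSIG-signed RFC 2136 updates to the zone's DNS server. The interface name, prefix, zone name, TSIG key name/secret and DNS server address are all placeholders.

```json
// ---- kea-dhcp6.conf (Kea accepts // comments) ----
{
  "Dhcp6": {
    "interfaces-config": { "interfaces": [ "igc1" ] },
    "subnet6": [ {
      "id": 1,
      "subnet": "2001:db8:1234:1::/64",
      "pools": [ { "pool": "2001:db8:1234:1::1000-2001:db8:1234:1::1fff" } ]
    } ],
    // Send a DDNS request for every lease; qualify bare client names
    // with the zone below so the name lands in the right domain.
    "ddns-send-updates": true,
    "ddns-qualifying-suffix": "lan.example.net.",
    "ddns-replace-client-name": "when-not-present",
    "dhcp-ddns": {
      "enable-updates": true,
      "server-ip": "127.0.0.1",
      "server-port": 53001
    }
  }
}

// ---- kea-dhcp-ddns.conf ----
{
  "DhcpDdns": {
    "ip-address": "127.0.0.1",
    "port": 53001,
    // TSIG key shared with the DNS server; the zone must allow updates
    // only from this key, never from any address without a key.
    "tsig-keys": [ {
      "name": "pfsense-ddns",
      "algorithm": "HMAC-SHA256",
      "secret": "BASE64-TSIG-SECRET-PLACEHOLDER"
    } ],
    "forward-ddns": {
      "ddns-domains": [ {
        "name": "lan.example.net.",
        "key-name": "pfsense-ddns",
        "dns-servers": [ { "ip-address": "192.0.2.53", "port": 53 } ]
      } ]
    },
    "reverse-ddns": { "ddns-domains": [] }
  }
}
```

Because the DNS record follows the lease, a firewall alias built from that hostname will track the device even after an ISP prefix change, once the client has renewed its lease and the new AAAA record has propagated.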