• Delegated prefix in firewall rules?

    23
    0 Votes
    23 Posts
    3k Views
    S

    @Sevi said in Delegated prefix in firewall rules?:

    patch should also be included in upcoming releases

    ref: https://docs.netgate.com/pfsense/en/latest/releases/24-03.html#aliases-tables

    @Sevi said in Delegated prefix in firewall rules?:

    address ::123

    Hmm, thanks, will try that. Our IPv6 prefix at home changed recently and my main client (wife) was annoyed for a while without telling me.

    @johnpoz said in Delegated prefix in firewall rules?:

    free Hurricane Electric tunnel

    We did that once because of a specific setup...it functions, but the throughput is throttled, about 35 Mbps as I recall. And there are sites that consider HE IPs like a VPN and block access, for instance sites that can only show video or sports content to certain regions due to licensing.

  • NPt will not route any traffic - second post

    7
    0 Votes
    7 Posts
    832 Views
    C

    @Bob-Dig I will definitely take a peek at that, thank you for bringing it to my attention

  • Interface groups and IPv6 GUA subnets

    9
    0 Votes
    9 Posts
    1k Views
    S

    @Bob-Dig said in Interface groups and IPv6 GUA subnets:

    Interesting that it does work for you without problems.

    A difference might be that I'm only testing VLANs right now, no physical interfaces? I can try it later on the 4100, but for now I was testing on an 1100 with the switched ports.

    (I did have to use the ol' Save&Apply on the WAN interface to trigger the prefix delegation for any new interface though... but I also had to do that before the patch.)

  • Static IPv6 address with gateway learned by RA

    3
    0 Votes
    3 Posts
    599 Views
    N

    Hello,

    I've just done a test with a virtual machine running Debian GNU/Linux, with its unique vNIC attached to the same virtual bridge (vmbr0) facing the Internet, and it works well:

    # grep static -A2 /etc/network/interfaces
    iface ens18 inet6 static
        address 2001:abc:abc:abc::1000/64
    # ip -6 r | grep default
    default via fe80::d2e0:42ff:fe3c:607 dev ens18 proto ra metric 1024 expires 14sec hoplimit 64 pref medium

    Could someone tell me how to configure pfSense to set a static IPv6 on its WAN interface and get a default gateway dynamically? Thank you in advance.

    Regards,

    Christophe

  • Comcast gateways not responding to ping

    2
    0 Votes
    2 Posts
    430 Views
    S

    For years, instead of the Comcast router, I have used their v6 DNS server for gateway up detection.
    2001:558:feed::2 or 2001:558:feed::1

    As I had to set IPv6 to DNS server for monitoring...I also use their IPv4 DNS servers for the same. System - Routing - Gateways - Edit ... 75.75.76.76 and the 2001:558:feed::2 have worked swimmingly. I don't use those servers for actual DNS...but it proves that my local routers and equipment are up and that I can reach the core of their public services ok.

    (edited for clarity)

  • 0 Votes
    4 Posts
    581 Views
    S

    SOLVED:

    The issue has been solved by checking "Do not wait for a RA" option in WAN interface.

  • Problems getting IPv6 working

    11
    0 Votes
    11 Posts
    1k Views
    M

    To close this out...

    Apparently a firewall rule has to be manually added to allow IPv6 traffic to pass between the LAN and the WAN. And I completely missed that requirement in my "research".

    Having added said rule, things are working swimmingly.

    Thanks for your patience and sorry for the noise.

  • Access prefix delegations from dhcp6c's script

    6
    0 Votes
    6 Posts
    935 Views
    T

    Been working on a patch for dhcp6c. I have gotten to the point where I can collect all the information needed in one place and easily parsable by a script:

    grep "prefix allocated" /var/log/dhcpd.log
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4000::/64 iaid=0 ifname=vmx2
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4001::/64 iaid=1 floating=true
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4002::/64 iaid=2 floating=true
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4003::/64 iaid=3 floating=true
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4005::/64 iaid=4 floating=true
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4006::/64 iaid=5 floating=true
    Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4007::/64 iaid=6 floating=true

    Patch is below. Pretty sure it can be optimized further. If any expert in C happens to know why I can't seem to use struct ia *ia's copy of ia->conf->iaid that would save me having to pass the dhcp6_ia struct. I get: prefixconf.c:231:6: error: incomplete definition of type 'struct ia'

    diff --git a/dhcp6c_ia.c b/dhcp6c_ia.c index 9f9ca84..473fc58 100644 --- a/dhcp6c_ia.c +++ b/dhcp6c_ia.c @@ -152,7 +152,7 @@ update_ia(iatype, ialist, ifp, serverid, authparam) case DHCP6_LISTVAL_PREFIX6: /* add or update the prefix */ iapdc = (struct iapd_conf *)iac; - if (update_prefix(ia, &siav->val_prefix6, + if (update_prefix(ia, &iav->val_ia, &siav->val_prefix6, &iapdc->iapd_pif_list, ifp, &ia->ctl, callback)) { d_printf(LOG_NOTICE, FNAME, diff --git a/prefixconf.c b/prefixconf.c index bbb4d6e..582f192 100644 --- a/prefixconf.c +++ b/prefixconf.c @@ -119,8 +119,9 @@ extern struct dhcp6_timer *client6_timo __P((void *)); static int pd_ifaddrconf __P((ifaddrconf_cmd_t, struct dhcp6_ifprefix *ifpfx)); int -update_prefix(ia, pinfo, pifc, dhcpifp, ctlp, callback) +update_prefix(ia, iinfo, pinfo, pifc, dhcpifp, ctlp, callback) struct ia *ia; + struct dhcp6_ia *iinfo; struct dhcp6_prefix *pinfo; struct pifc_list *pifc; struct dhcp6_if *dhcpifp; @@ -197,6 +198,7 @@ update_prefix(ia, pinfo, pifc, dhcpifp, ctlp, callback) in6addr2str(&pinfo->addr, 0), pinfo->plen, pinfo->pltime, pinfo->vltime); + int allocated = 0; /* update prefix interfaces if necessary */ if (sp->prefix.vltime != 0 && spcreate) { for (pif = TAILQ_FIRST(iac_pd->pifc_head); pif; @@ -215,10 +217,21 @@ update_prefix(ia, pinfo, pifc, dhcpifp, ctlp, callback) continue; } + allocated = 1; + d_printf(LOG_INFO, FNAME, "prefix allocated %s/%d iaid=%u ifname=%s", + in6addr2str(&pinfo->addr, 0), pinfo->plen, + iinfo->iaid, + pif->ifname); add_ifprefix(sp, pinfo, pif); } } + if (allocated == 0) { + d_printf(LOG_INFO, FNAME, "prefix allocated %s/%d iaid=%u floating=true", + in6addr2str(&pinfo->addr, 0), pinfo->plen, + iinfo->iaid); + } + /* * If the new vltime is 0, this prefix immediately expires. * Otherwise, set up or update the associated timer. diff --git a/prefixconf.h b/prefixconf.h index dcff695..3dd5986 100644 --- a/prefixconf.h +++ b/prefixconf.h 
@@ -32,7 +32,7 @@ typedef enum { PREFIX6S_ACTIVE, PREFIX6S_RENEW, PREFIX6S_REBIND} prefix6state_t; -extern int update_prefix __P((struct ia *, struct dhcp6_prefix *, +extern int update_prefix __P((struct ia *, struct dhcp6_ia *, struct dhcp6_prefix *, struct pifc_list *, struct dhcp6_if *, struct iactl **, void (*)__P((struct ia *)))); extern int prefix6_add __P((struct dhcp6_if *, struct dhcp6_prefix *,
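    Review bot: the incomplete-type error in the dhcp6c_ia.c hunk's new call (`update_prefix(ia, &iav->val_ia, &siav->val_prefix6, ...)`) comes from where `struct ia` is defined: it is only forward-declared outside dhcp6c_ia.c (the prototype in prefixconf.h names `struct ia *` without ever seeing its members), so prefixconf.c cannot dereference `ia->conf->iaid`, while this caller can because it lives in the file that owns the definition. Threading the `struct dhcp6_ia` through works, but update_prefix only reads `iinfo->iaid`; passing `iav->val_ia.iaid` as a plain integer, or adding a small `ia_get_iaid(struct ia *)` accessor in dhcp6c_ia.c, keeps prefixconf.c independent of the IA internals and the prototype simpler.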
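    Review bot: in the `@@ -197,6 +198,7 @@` hunk, `int allocated = 0;` is declared after the preceding d_printf statement rather than at the top of the block. This file follows pre-C99 conventions (K&R parameter lists, declarations before statements), so a mixed declaration will trip -Wdeclaration-after-statement or an older compiler; move it up with the function's other locals.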
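    Review bot: in the `@@ -215,10 +217,21 @@` hunk the `if (allocated == 0)` fallback logs "floating=true" for more than floating prefixes. `allocated` is only set inside `if (sp->prefix.vltime != 0 && spcreate)`, so on every renewal of an already-assigned prefix (`spcreate` false) and for a prefix that arrives with vltime 0 the fallback still fires, and a script grepping for "prefix allocated" would see spurious floating entries on each renew and an "allocated" line for an expiring prefix. Guard the fallback with the same condition, e.g. `if (spcreate && sp->prefix.vltime != 0 && allocated == 0)`, or emit a distinct "prefix renewed" message for the other case.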
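    Review bot: the prefixconf.h hunk now names `struct dhcp6_ia` in the `update_prefix` prototype. If that tag is not declared before the header is included (dhcp6.h pulled in first, or a `struct dhcp6_ia;` forward declaration next to the existing `struct ia` usage), the compiler scopes the tag to the parameter list, warns, and treats it as a type distinct from the one the caller passes; add the forward declaration so the header stands on its own.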

    Next steps for me will be looking at adding a custom DHCPv6 server configuration file field to the UI, like can be done for the interface DHCPv6 client configuration.

  • IPv6 Slow Upload Speed

    1
    0 Votes
    1 Posts
    399 Views
    No one has replied
  • ULA routing stops when trackinterface is down

    32
    0 Votes
    32 Posts
    4k Views
    G

    @gwabber all right. Girlfriend went to bed. I went behind my pc.

    I set, for test purposes, the gateway on "Disable Gateway Monitoring Action". I pulled the plug. My GUAs were gone again.

    I visited one of my servers with the ULA. I could reach it... same for my pi and stuff. One weird thing. My pings to those servers became slower and timed out once in a while.... What that's about... I don't know.

    So it works, like most of it, but not what it's supposed to be I think...

    EDIT
    never mind... it was a fluke. It broke down again. I don't get it anymore.

    EDIT2:
    With the fake gateways it works! I still have the feeling that it should be easier than creating a fake gateway per LAN, but it works for now :)

  • Setting up ULA and GUA addresses

    23
    0 Votes
    23 Posts
    4k Views
    G

    @gwabber hey all,

    I was having problems with my ULA routing when my track interface goes down, for example when my internet connection has an error. Since you guys helped me with setting up ULA routing in the first place, I refer you to this new topic I started.

    Maybe you experience the same problem. @NightlyShark helps me with the issue in this topic:

    https://forum.netgate.com/topic/186787/ula-routing-stops-when-trackinterface-is-down?_=1710756586659

  • PPPoE IPv4 Address Lost after IPv6 /128 address assigned by DHCP

    11
    0 Votes
    11 Posts
    805 Views
    C

    I am still having this issue, does anyone have any other ideas? I really don't want to be forced back to my slow ASA 5512's ha!

  • BT Business Broadband - Bridged Mode - DHCP6 not working?

    5
    0 Votes
    5 Posts
    512 Views
    VioletDragonV

    @MHall-0 double NAT will cause problems. I have held off with IPv6 with both ISPs I am with. The Smarthub I have doesn't have Bridge mode support. Can you get IPv6 working if you use a Windows or Linux machine? That would be something to test.

  • Fixed firewall address when using track interface?

    10
    1 Votes
    10 Posts
    675 Views
    dennypageD

    @JKnott

    The local firewall address ends up being different on each interface, and subsequently is not easily identifiable in packet traces.

    It's not an unreasonable thing to want this in a managed network. It is achievable for all hosts in the network except the firewall itself.

  • ISP Delegates /64 Multiple Times But No /56 or /60

    21
    0 Votes
    21 Posts
    3k Views
    JKnottJ

    @Bob-Dig said in ISP Delegates /64 Multiple Times But No /56 or /60:

    Someone has to test this.

    I just did and I can reach ULA from GUA. I tested from my VPN, which only has GUA, to my desktop computer and its ULA address.

  • isp provides an ipv6 /128 and a single IPv6 Framed Route /64 (LAN)

    7
    0 Votes
    7 Posts
    944 Views
    J

    I added a static Virtual IPv6 /64 to the WAN Interface, but that static IPv6 will not be recognized by the DHCPv6 Service.
    It still displays the error:

    The DHCPv6 Server can only be enabled on interfaces configured with a static IPv6 address. This system has none.
  • 0 Votes
    3 Posts
    447 Views
    V

    @Bob-Dig Thank you for the quick response.

    Not much you can do about it other than running some script via cron for fixing this.

    So, is this behavior normal? What causes it? Is it known whether the problem will be fixed?

    That is news to me.

    So, should the problem occur here as well? At least I haven't observed it so far. I will take a closer look when I get the chance...

  • ULA address in addition to tracking interface

    19
    0 Votes
    19 Posts
    3k Views
    P

    Thank you for the explanation! Then I don't need this patch :-)

    With ifconfig on the console I see all addresses :-)

    Yes, I still have the problem with the dynamic IPv6 prefix. To "work around" this, I tried to "route" the incoming IPv6 connections with the HA proxy to the appropriate ULA address based on the URL called:

    https://forum.netgate.com/topic/186422/provider-prefix-delegation-prefix-changes-ha-proxy/3

    which unfortunately does not work :-(

  • Provider: Prefix delegation. Prefix changes. HA proxy?

    3
    0 Votes
    3 Posts
    444 Views
    P

    In the LAN, I use fixed ULA addresses on the server VMs in addition to the public IPv6 addresses that come from the provider.

    An example. My media server has the following IP configuration:

    2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether xx:xx:xx:f7:e3:ee brd ff:ff:ff:ff:ff:ff
        altname enp6s18
        inet 192.168.83.10/24 brd 192.168.83.255 scope global dynamic ens18
           valid_lft 41630sec preferred_lft 41630sec
        inet6 xxxx:xxxx:2180:8e1c:5c20:3aff:fef7:e3ee/64 scope global dynamic mngtmpaddr
           valid_lft 86188sec preferred_lft 14188sec
        inet6 fdd0:a044:f4c::a/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::5c20:3aff:fef7:e3ee/64 scope link
           valid_lft forever preferred_lft forever

    A corresponding AAAA record is set in the subdomain at the domain host. I now create the firewall rule:

    Everything works. It is unfortunate that when the provider changes the PD, I have to adjust the firewall rules every time :-(

    I wanted to get the HA proxy to listen on the WAN interface (as I did with IPv4) and accept the HTTPS requests.

    If the requested URL matches the host, it is forwarded to its ULA address;

    but I do not have access to it. Does it even work in the HA proxy to accept an incoming connection on the public IPv6 address and forward it to a host based on its ULA address?

    In the diagnostics, I can ping the target host in the LAN under its public IPv6, its ULA address and with its host name.

  • WAN IPv6 UDP traffic to fe80:/10 rule?

    2
    0 Votes
    2 Posts
    465 Views
    johnpozJ

    @haraldinho I have no idea why they would set up a rule for fe80::/10; also pfSense by default sets up hidden rules for all the things needed for IPv6 to work..

    # IPv6 ICMP is not auxiliary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
    pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state

    But there's nothing saying that some rando IPv6 address out on the public net needs to be able to ping you.. Allowing that would be up to you - say if you want to get a 20 on your test ;) They also want your IP to resolve for PTR if you want a 20, most of the time that would be out of the user's control..

    edit:
    I take it this is the 20/20 score you're shooting for ;)

    Since I am using HE for my IPv6, they allow for setting up PTRs - which allows for that hostname part of the test to work.. And if you allow ping on your pfSense to whatever IPv6 you're testing from behind pfSense, and it answers ping as well.. Some host firewalls might also block that. You should be rocking your 20/20

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.