Netgate Discussion Forum
    Default deny rule IPv6 (1000000105) despite firewall rule

    Firewalling
    22 Posts 2 Posters 2.7k Views
      lifespeed @Bob.Dig

      @bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:

      @lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:

      I think what I want is an alias that has the local IPv4 and the global IPv6.

      @lifespeed That is what I do. For that to work you have to use the DHCPv6 Server in pfSense with RA managed. With that, the DHCPv6 Server can serve a static mapping to a host and also register that hostname. From that hostname you can update your alias automatically.
      For this to work your pfSense must be the only router; it will not work in a router cascade now.

      I am using DHCPv6 server, and I only have one router on my network. But I still don't understand how to proceed.


        lifespeed @Bob.Dig

        @bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:

        I have to pass, I am not into writing scripts or using APIs in the first place.

        I'm not surprised. I only have such a script because I found it on the internet and modified it to my specific setup. But it was a script written for Godaddy API, so I got lucky by virtue of using a popular registrar.

          Bob.Dig @lifespeed

          @lifespeed You can make a static mapping, almost the same as with IPv4.

          Find your host in >Status >DHCPv6 Leases and then create the mapping there. Maybe you have to reboot that host afterwards and pfSense too, but it will work eventually, though it is not as smooth to get working as it is with IPv4.

            lifespeed @Bob.Dig

            @bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:

            @lifespeed You can make a static mapping, almost the same as with IPv4.

            Find your host in >Status >DHCPv6 Leases and then create the mapping there. Maybe you have to reboot that host afterwards and pfSense too, but it will work eventually, though it is not as smooth to get working as it is with IPv4.

            Why would I want a static DHCPv6 lease? That is the part that works correctly using the FQDN in the alias. And, because the FQDN is DDNS'd, it works when the IPv6 changes.

            What I need is an alias with the IPv6 from the FQDN, with the IPv4 static pointing to the local IPv4. Which, oddly enough, one of my aliases has now. But I don't know how it got there, and suspect it may be a holdover that hasn't been cleared and refreshed yet.

            Edit: OK, if I put in myhost.mydomain.com, the alias pulls the local IPv4. If I put in mydomain.com the alias pulls the IPv6 and the WAN IPv4. I do have a static map in DHCPv4 for myhost to the static LAN IP, which is what myhost.mydomain.com in the alias retrieves. But no IPv6 is retrieved this way.

              Bob.Dig @lifespeed

              @lifespeed You're right, I am just copying everything I did with IPv4 to IPv6 so that pfSense could do all I want it to do in the future, but that might be different for you.

              So maybe just use two aliases then. The above would work, but maybe it is too complicated in the first place.

                Bob.Dig

                So going back to the beginning, why is the IPv6 address missing in an alias created from an FQDN containing the IPv6 address...

                pfSense updates FQDN every 5 minutes, maybe it is just that?

                  lifespeed @Bob.Dig

                  @bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:

                  So going back to the beginning, why is the IPv6 address missing in an alias created from an FQDN containing the IPv6 address...

                  pfSense updates FQDN every 5 minutes, maybe it is just that?

                  That is the question. I have not been waiting 5 minutes before checking, so maybe you're right. The static IPv4 might not need 5 minutes? I had thought the "myhost" subdomain was just directing it to the static IPv4 mapping and not looking further.

                  Edit: No, it isn't the 5 minute wait. myhost.mydomain.com only pulls the IPv4 that is static-mapped in DHCP. No IPv6, even after 10 minutes.

                  By the way, really appreciate the effort you're putting into trying to help me sort this out. It isn't clear to me many pfSense users try to implement both IPv4 and IPv6 with automatically-updating DDNS for hosts behind pfSense.

                    Bob.Dig @lifespeed

                    @lifespeed said in Default deny rule IPv6 (1000000105) despite firewall rule:

                    Edit: No, it isn't the 5 minute wait. myhost.mydomain.com only pulls the IPv4 that is static-mapped in DHCP. No IPv6, even after 10 minutes.

                    That is how it should look:

                    Btw: Found a ps script for CF, will try it.
                    PPS: Too bad, it will only do IPv4 :(

                      lifespeed

                      I didn't know you could put more than one host in an alias, so this is what I did.


                      Here is what the alias retrieves after processing mydomain.com, including the IPv4 WAN which is wrong for IPv4 firewalling a host on the LAN. Then it gets myhost, which has a static IPv4 mapping and pulls that local address (even when myhost prepends mydomain.com).


                      Then I use the delete button to the right of the WAN IPv4 address, retrieved with mydomain.com in the alias, and I have what I need. Don't know if the delete button is remembered, or it will pull the IPv4 WAN address again.


                        lifespeed @Bob.Dig
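The post above describes what an alias built from several FQDNs ends up holding: the local IPv4 from the DHCPv4 static mapping, the host's global IPv6 from the DDNS zone, and the WAN IPv4 that has to be pruned by hand. The following Python model is an added example, not code from this thread or from pfSense; the DNS answers, hostnames, addresses and LAN subnet are all constructed, and the classification (keep LAN IPv4 and global IPv6, flag WAN IPv4) is the check a practitioner would apply before trusting the alias in a rule for a LAN host.

```python
"""Model of what a multi-FQDN pfSense alias collects for a LAN host that
has a DHCPv4 static mapping and a DDNS-maintained global IPv6 address.
All data below is constructed for the example; nothing is real."""
import ipaddress

# Constructed DNS answers. The DNS forwarder answers the host's own
# FQDN from the DHCPv4 static mapping, so it returns only the local
# IPv4 and no AAAA. The bare domain is answered from the public DDNS
# zone and carries the WAN IPv4 plus the host's global IPv6.
DNS_ANSWERS = {
    "mydomain.com": ["203.0.113.10", "2001:db8:abcd:1::1234"],
    "myhost.mydomain.com": ["192.168.1.50"],
    "myhost": ["192.168.1.50"],
}

LAN_V4 = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
ULA = ipaddress.ip_network("fc00::/7")           # unique local IPv6


def resolve_alias(names, answers=DNS_ANSWERS):
    """Union of every A/AAAA answer for every name in the alias, in the
    order the periodic refresh would collect them."""
    seen = []
    for name in names:
        for addr in answers.get(name, []):
            ip = ipaddress.ip_address(addr)
            if ip not in seen:
                seen.append(ip)
    return seen


def is_global_v6(ip):
    """Global unicast IPv6: not link-local, loopback or ULA."""
    return (ip.version == 6 and not ip.is_link_local
            and not ip.is_loopback and ip not in ULA)


def classify(addrs, lan_v4=LAN_V4):
    """Split alias contents into entries a LAN-host rule can use and
    entries that would match the wrong traffic."""
    result = {"lan_v4": [], "global_v6": [], "wan_v4": [], "other": []}
    for ip in addrs:
        if ip.version == 4 and ip in lan_v4:
            result["lan_v4"].append(str(ip))
        elif ip.version == 4:
            # Any IPv4 outside the LAN is the WAN/DDNS address, which a
            # rule for a LAN host must not contain.
            result["wan_v4"].append(str(ip))
        elif is_global_v6(ip):
            result["global_v6"].append(str(ip))
        else:
            result["other"].append(str(ip))
    return result


def usable_alias(names, answers=DNS_ANSWERS, lan_v4=LAN_V4):
    """Addresses worth keeping: local IPv4 plus global IPv6; WAN IPv4
    dropped, the same pruning the post does with the delete button."""
    c = classify(resolve_alias(names, answers), lan_v4)
    return c["lan_v4"] + c["global_v6"]


if __name__ == "__main__":
    # The host's own FQDN alone yields no IPv6 at all.
    print(classify(resolve_alias(["myhost.mydomain.com"])))
    # Domain plus short hostname yields v6, WAN v4 and LAN v4.
    print(classify(resolve_alias(["mydomain.com", "myhost"])))
    print(usable_alias(["mydomain.com", "myhost"]))
```

Running it shows the two observations from the thread side by side: `myhost.mydomain.com` resolves to the static-mapped IPv4 only, while combining `mydomain.com` with `myhost` produces the global IPv6, the WAN IPv4 and the LAN IPv4, of which `usable_alias` keeps only the last two kinds. If the alias is refreshed from DNS again, the WAN entry reappears, so the check belongs in whatever automation maintains the alias rather than in a one-off manual deletion.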

                        Btw: Found a ps script for CF, will try it.
                        PPS: Too bad, it will only do IPv4 :(

                        @Bob-Dig it would definitely be easier to hand the task of updating the host's DDNS off to pfSense, but today you have to get the host to do it. Is there a way I can upvote your bug/feature request?

                        As to the value of implementing a full IPv4/6 network all the way through the firewall, I have on several occasions seen a dramatic performance increase with IPv6, sometimes a factor of 2X from 12Mb to 25Mb doing an FTP upload from my 1Gb/40Mb Comcast hybrid-fiber-coax connection to an AT&T fiber-to-the-curb computer across town. In theory the protocol doesn't matter; in practice, if there is translation, it matters.

                          lifespeed @Bob.Dig

                          @bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule:

                          So going back to the beginning, why is the IPv6 address missing in an alias created from an FQDN containing the IPv6 address...

                          Because when myhost prepends the FQDN mydomain.com, the pfSense DNS forwarder uses the DHCPv4 static mappings. And I am not sure that is incorrect for my use case, but it sure messes with the use of aliases and DDNS until you work around it.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.