IPv6 Firewall rules with dynamic prefixes
-
Hi,
most probably this is a stupid question, but since I couldn't find any explicit documentation about that, maybe it's worth asking.
In the release notes of 2.5.2 (https://docs.netgate.com/pfsense/en/latest/releases/2-5-2.html), it states "Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address". This links to a redmine issue, which itself links to a (non-accessible) merge request (https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/134).
For me, this raises the question: How is such a firewall rule actually entered? Playing a bit around, I couldn't find any (explicit) option to add this. The screenshot in an old forum post (https://forum.netgate.com/topic/164764/support-for-ipv6-firewall-entries-with-dynamic-delegated-prefix-and-static-host-address) just shows an IP address with a lot of zeros at the beginning, such as
::eeee:ffff:gggg:hhhh
, where the last 64 bits of the IPv6 address are provided and the first 64 bits are set to zero. Is this the way to go? What am I missing? Thanks for your effort for clarification!
Best regards
Matthias
-
@mlohr said in IPv6 Firewall rules with dynamic prefixes:
Is this the way to go?
Yes, but it doesn't do much, it will only work on the same interface.
I think the better solution is to use the DHCPv6 server like I have outlined in that one thread you already found.
-
@bob-dig Thanks for your reply!
What I do not understand: What do you mean by "will only work on the same interface"? In my case, I have a NAS at home which should be accessible via IPv6 from the outside world, and my ISP provides me with a dynamic prefix.
In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ. My NAS is rarely moving around. Do I still need DHCPv6 or is the "it doesn't do much" enough for my case?
Sorry for asking all these questions, I'm still in the process of learning how IPv6 in all its details, and especially in combination with pfSense, works.
-
@mlohr said in IPv6 Firewall rules with dynamic prefixes:
In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ.
The "problem" is that your NAS is not on your WAN, so that will not work for the WAN rule that you need, because pfSense doesn't know to which interface this host address belongs (as far as I have understood this, try it for yourself).
But what does work is to make a DHCP static mapping on your prefix delegated "LAN" and to create an alias for that hostname you define there.
Now every time the prefix changes, the alias will be changed too. In theory. There are still problems when the prefix actually changes, but they can be mitigated by doing this at night time and rebooting pfSense via cron and so on.