Netgate Discussion Forum

IPv6 Firewall rules with dynamic prefixes

IPv6
  • mlohr
    last edited by Mar 16, 2023, 1:14 PM

    Hi,

    most probably this is a stupid question, but since I couldn't find any explicit documentation about that maybe it's worth asking.

    In the release notes of 2.5.2 (https://docs.netgate.com/pfsense/en/latest/releases/2-5-2.html), it states "Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address". This links to a redmine issue, which itself links to a (non-accessible) merge request (https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/134).

    For me, this raises the question: How is such a firewall rule actually entered? Playing a bit around, I couldn't find any (explicit) option to add this. The screenshot in an old forum post (https://forum.netgate.com/topic/164764/support-for-ipv6-firewall-entries-with-dynamic-delegated-prefix-and-static-host-address) just shows an IP address with a lot of zeros at the beginning, such as ::eeee:ffff:gggg:hhhh, where the last 64 bits of the IPv6 address are provided and the first 64 bits are set to zero. Is this the way to go? What am I missing?

    Thanks for your effort for clarification!

    Best regards
    Matthias

    • Bob.Dig LAYER 8 @mlohr
      last edited by Mar 16, 2023, 2:00 PM

      @mlohr said in IPv6 Firewall rules with dynamic prefixes:

      Is this the way to go?

      Yes, but it doesn't do much, it will only work on the same interface.

      I think the better solution is to use the DHCPv6 server like I have outlined in that one thread you already found.

      • mlohr @Bob.Dig
        last edited by Mar 16, 2023, 2:05 PM

        @bob-dig Thanks for your reply!

        What I do not understand: What do you mean by "will only work on the same interface"? In my case, I have a NAS at home which should be accessible via IPv6 from the outside world, and my ISP provides me with a dynamic prefix.

        In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ. My NAS is rarely moving around. Do I still need DHCPv6 or is the "it doesn't do much" enough for my case?

        Sorry for asking all these questions, I'm still in the process of learning how IPv6, in all its details and especially in combination with pfSense, works.

        • Bob.Dig LAYER 8 @mlohr
          last edited by Mar 16, 2023, 2:14 PM

          @mlohr said in IPv6 Firewall rules with dynamic prefixes:

          In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ.

          The "problem" is that your NAS is not on your WAN, so that will not work for your WAN rule that you need, because pfSense doesn't know to which interface this host address belongs (as far as I have understood this, try it for yourself).

          But what does work is to make a DHCP static mapping on your prefix delegated "LAN" and to create an alias for that hostname you define there.
          Now every time the prefix changes, the alias will be changed too.

          In theory. There are still problems when the prefix actually changes but they can be mitigated by doing this at night times and rebooting pfSense via cron and so on.

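To make concrete what the thread is discussing, here is an added example (not pfSense code and not from either poster) of the mechanics behind a "host-only" IPv6 entry such as ::eeee:ffff:gggg:hhhh: the rule keeps the last 64 bits fixed and expects the network bits to be filled in from whatever prefix is currently delegated. The prefixes and the host suffix below are constructed values from the 2001:db8::/32 documentation range; the function names are this example's own. It also shows why a rule written this way stops matching the moment the prefix changes unless the prefix it is filled from is updated, which is the operational problem the last reply points at.

```python
import ipaddress

# Constructed host suffix in the "network bits all zero" form used in the thread
# (the thread's gggg:hhhh is a placeholder; real groups must be hex).
HOST_SUFFIX = "::eeee:ffff:1234:5678"

ALL_ONES_128 = (1 << 128) - 1


def compose_address(delegated_prefix: str, host_suffix: str) -> ipaddress.IPv6Address:
    """Fill the network bits of a host-only address with the current delegated prefix.

    delegated_prefix: e.g. "2001:db8:1:2::/64" (the prefix the ISP handed out right now)
    host_suffix:      e.g. "::eeee:ffff:1234:5678" (static interface identifier, network bits zero)
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = ipaddress.IPv6Address(host_suffix)

    # A host-only entry must not carry any bits inside the prefix part, otherwise
    # it is ambiguous which address the rule is meant to match.
    if int(suffix) & int(net.netmask):
        raise ValueError(
            f"{host_suffix} has non-zero network bits for prefix length /{net.prefixlen}"
        )

    host_bits = int(suffix) & int(net.hostmask) & ALL_ONES_128
    return ipaddress.IPv6Address(int(net.network_address) | host_bits)


def rule_matches(delegated_prefix: str, host_suffix: str, candidate: str) -> bool:
    """Would a rule written as host_suffix match `candidate` under the given prefix?"""
    return ipaddress.IPv6Address(candidate) == compose_address(delegated_prefix, host_suffix)


def effective_addresses(prefixes: list[str], host_suffix: str) -> list[str]:
    """The full address the same rule resolves to under each successive prefix."""
    return [str(compose_address(p, host_suffix)) for p in prefixes]


if __name__ == "__main__":
    # Constructed sequence of prefixes an ISP might hand out over time.
    history = ["2001:db8:1:2::/64", "2001:db8:aaaa:bbbb::/64"]
    for prefix, addr in zip(history, effective_addresses(history, HOST_SUFFIX)):
        print(f"prefix {prefix:24} -> rule matches {addr}")

    # Traffic for the NAS under the new prefix no longer matches a rule still
    # filled from the old prefix: this is the "prefix actually changes" problem.
    old, new = history
    nas_now = str(compose_address(new, HOST_SUFFIX))
    print("old-prefix rule still matches current NAS address:", rule_matches(old, HOST_SUFFIX, nas_now))
```

The point of `rule_matches` is that the "::host" form is only meaningful relative to a specific prefix. If the filter rule is populated from the prefix of the interface it sits on, a host behind a different interface (as in the WAN-rule case above) is not described by it; and whenever the delegated prefix changes, the rule has to be re-evaluated against the new prefix or it will silently stop matching.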
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.