IPv6 Firewall Rules, Multiple Dynamic Prefixes
-
First time poster, please bear with me ...
My ISP delegates up to eight /64s (ATT in the US with BGW320 gateway). I'd like to (a) assign the prefixes to different VLANs and (b) have inter-VLAN firewall rules that remain up-to-date if/when the delegated prefixes change. I found the answer to (a) here thanks to @ttmcmurray. Now looking for an answer to (b).
I need to use SLAAC for address assignment as I have Android clients in the mix. That and MAC randomization seem to rule out the approaches I've seen mentioned of either a static host part for the address or using DHCP for address assignment on the VLANs.
I'm currently using another vendor's products that can't do this. If it's possible with pfSense that'd be a strong motivation to switch. Thanks in advance.
-
@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
have inter-VLAN firewall rules that remain up-to-date if/when the delegated prefixes change
These rules will stay current if you use those *_net for every (V)LAN. The bigger hurdle is to get this prefix change working correctly right when it is happening. I gave up on this, so my advice is: don't use IPv6 on your (V)LANs with dynamic IPv6 if you don't have to.
-
-
@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
If your prefixes are changing, you may want to use ULA on your LAN, for accessing local devices and local DNS.
And then NAT it out on your WAN-address.
-
Thanks for the responses! ULA internally, NPt'ed for the WAN sounds like a good approach.
That still leaves the issue of updating the NPt config if/when the delegated prefix from the ISP changes. Is there a way to trigger a script to update that config when the prefix changes? I've seen some posts mentioning tail'ing the DHCP logs to trigger a script when the prefix changes, but that seems ... inelegant :)
-
@marcg As far as I know you can create one VLAN with track interface for the one /64 and then don't use that VLAN, just have it sitting there for doing NPt. It will get updated automatically.
-
@marcg hey there,
could be I am totally wrong here with understanding the problem...if so: sorry.
Here I got IPv4 & 6 running in some VLANs. My ISP is offering dynamic prefixes as well.
That's why I too use fd:... (ULAs) internally and 200x:... (GUAs) externally. I never had to touch any NPt, there are no entries at all.
Still, everything works.
My devices get those prefix changes, Internet is reachable. Internal clients get their ULA via SLAAC and that works fine as well... But, as mentioned earlier, I might be totally off... :)
-
@bob-dig Ah, OK. I misunderstood your earlier comment about *_net to refer to ACLs among internal networks. Thanks.
I guess if I had multiple dynamic /64s, I'd need a VLAN for each for NPTs. Would be much easier if my ISP handed out a single /61 that could be subnetted instead of eight /64s ... but they don't.
-
@marcg hey there,
okay, I am sorry indeed: missed that point about the multiple given /64s. Here I get a /56, so subdividing that is indeed different.
Sorry for wasting everyone's time.
:)
-
@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
@marcg As far as I know you can create one VLAN with track interface for the one /64 and then don't use that vlan, just have it sitting there for doing NPt. It will get updated automatically.
Sorry, I was wrong and with my thoughts in another thread.
I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense, although maybe you can make it work with just one /64 ... but the ULA thing was brought up by jknott, not by me.
My first answer still stands.
-
@the-other No worries. If I didn't have the requirement for SLAAC on the LAN side, I could live with a single /64 plus non-overlapping DHCP ranges on my VLANs. I could write inter-VLAN ACLs for those. But, my ISP has decided to do something non-standard.
-
@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
But, my ISP has decided to do something non-standard.
Yeah, I read that one before many times here and in other forums...
Even those prefix changes here (static ones are available for business at business prices) are IMHO as redundant as those privacy extensions...
And don't even start with that epic battle between MS and Google about DHCP_IPv6 or SLAAC or how to write those IPs. It's kinda sad how those players "break" IPv6 before it even really got started.
jm2c
;)
-
@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense,
My first answer still stands.
My understanding up to this point was
- Use non-routable fd00::/8 ULAs internally. For example, if I had 8 internal subnets, I might use ULA prefixes fd01::/16 - fd08::/16. These would be static prefixes and I could write inter-subnet ACLs for them.
- NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.
Would that work if the NPt rules were somehow able to track the dynamic prefixes?
-
-
@marcg Sure, in theory. But again, you can use the *_net in your rules to separate those subnets, so no need for ULAs, at least if separation by subnet is enough and you don't need it by hosts.
-
@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
And then NAT it out on your WAN-address.
No need for that. You will still have global addresses available to reach the rest of the world.
-
@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
NPt'ed for the WAN sounds like a good approach.
No it doesn't. You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.
-
@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense
When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. pfSense handles it very well.
-
@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.
Please forget that nonsense. You run both global and ULA on the same LAN, just as the network gods intended.
-
@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.
OK. I had been thinking that, with ULA, I'd NAT the local prefixes to global ones for off-net access. Seems like that's the wrong approach.
I could use ULAs for internal comms and GUAs for external ones. The dynamic prefix issue would be handled automagically in this case via Track Interface.
Appreciate everyone's patience here. New to pfSense and don't (yet) have an actual box to experiment with.
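The approach the thread converges on, static ULA /64s for inter-VLAN traffic, track-interface GUAs for the Internet, and firewall rules written against the interface network aliases rather than against a copied prefix, can be checked in a small model. The following is an added example, not code from this thread or from pfSense: it derives a site ULA /48 the RFC 4193 way, hands each VLAN one ULA /64 and one of the delegated /64s, then evaluates a block rule written two ways across a simulated prefix change. The VLAN names, delegated prefixes, host IIDs and the "<if>_net" alias resolution are constructed assumptions; the point it shows is that a rule with a literal GUA prefix silently stops matching after the ISP re-delegates, so the later "pass any" rule lets the traffic through, while the alias-based rule keeps blocking.

```python
"""Added example (not from the thread or from pfSense): interface-alias rules
survive an ISP prefix change, literal-prefix rules do not.
All VLAN names, prefixes and host IIDs below are constructed sample values."""
import hashlib
import ipaddress
import itertools
import time

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


def ula_site_prefix(eui64: bytes, ntp_time=None) -> IPv6Net:
    """RFC 4193 s.3.2.2: Global ID = low 40 bits of SHA-1(NTP timestamp || EUI-64);
    the site /48 is fd00::/8 (L bit set) followed by that 40-bit Global ID."""
    if ntp_time is None:  # 64-bit NTP format: seconds since 1900 in the high word
        ntp_time = (int(time.time()) + 2208988800) << 32
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    return IPv6Net(((0xFD << 120) | (global_id << 80), 48))


def carve_vlan_nets(site_ula: IPv6Net, delegated: list, vlans: list) -> dict:
    """Per VLAN: a static ULA /64 (subnet i of the site /48) plus the i-th delegated
    /64, i.e. what a Track Interface with prefix ID i would put on that VLAN."""
    ula64s = itertools.islice(site_ula.subnets(new_prefix=64), len(vlans))
    return {v: {"ula": u, "gua": g} for v, u, g in zip(vlans, ula64s, delegated)}


def slaac_addr(net: IPv6Net, iid: int) -> IPv6Addr:
    """SLAAC address: the VLAN's current /64 plus the host's (randomized) IID."""
    return IPv6Addr(int(net.network_address) | (iid & ((1 << 64) - 1)))


def resolve(spec: str, nets: dict) -> list:
    """'<if>_net' resolves to that interface's *current* ULA and GUA /64s (the
    assumed alias semantics); 'any' is ::/0; anything else is a literal prefix
    frozen at the time the rule was written."""
    if spec == "any":
        return [IPv6Net("::/0")]
    name, _, suffix = spec.rpartition("_")
    if suffix == "net" and name in nets:
        return list(nets[name].values())
    return [IPv6Net(spec)]


def evaluate(rules: list, src: IPv6Addr, dst: IPv6Addr, nets: dict) -> str:
    """First-match evaluation with an implicit deny if nothing matches."""
    for r in rules:
        if any(src in n for n in resolve(r["src"], nets)) and \
           any(dst in n for n in resolve(r["dst"], nets)):
            return r["action"]
    return "block"


# Constructed scenario: three VLANs, an ISP that re-delegates, one IoT and one LAN host.
VLANS = ["lan", "iot", "guest"]
SITE_ULA = ula_site_prefix(bytes.fromhex("0211223344556677"), ntp_time=0xE0000000_00000000)
DELEGATION_1 = [IPv6Net(f"2001:db8:aa:{i}::/64") for i in range(3)]
DELEGATION_2 = [IPv6Net(f"2001:db8:bb:{i}::/64") for i in range(3)]  # after a prefix change
IOT_IID, LAN_IID = 0x1234_5678_9ABC_DEF0, 0x0FED_CBA9_8765_4321

# Both rule sets end with the usual "pass any" LAN-style rule; only the block differs.
RULES_ALIAS = [{"action": "block", "src": "iot_net", "dst": "lan_net"},
               {"action": "pass", "src": "any", "dst": "any"}]
RULES_LITERAL = [{"action": "block", "src": "2001:db8:aa:1::/64", "dst": "2001:db8:aa:0::/64"},
                 {"action": "pass", "src": "any", "dst": "any"}]


def verdict(rules: list, delegated: list, family: str) -> str:
    """Verdict for IoT host -> LAN host over the given address family ('ula' or 'gua')."""
    nets = carve_vlan_nets(SITE_ULA, delegated, VLANS)
    src = slaac_addr(nets["iot"][family], IOT_IID)
    dst = slaac_addr(nets["lan"][family], LAN_IID)
    return evaluate(rules, src, dst, nets)


if __name__ == "__main__":
    print("site ULA:", SITE_ULA)
    for label, deleg in (("delegation 1", DELEGATION_1), ("delegation 2", DELEGATION_2)):
        print(label, "| alias rule GUA:", verdict(RULES_ALIAS, deleg, "gua"),
              "| alias rule ULA:", verdict(RULES_ALIAS, deleg, "ula"),
              "| literal rule GUA:", verdict(RULES_LITERAL, deleg, "gua"))
```

The ULA side never changes, so inter-VLAN policy written against the ULA /64s (or against the aliases, which cover both families) is stable; the GUA side is only ever referenced through the alias, so nothing in the ruleset has to be rewritten when the delegation moves from 2001:db8:aa::/... to 2001:db8:bb::/....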
-
@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense
When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. pfSense handles it very well.
OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead. Now you want to use both, which will do nothing about the concerns mentioned at first. Unless you describe your solution in greater detail, maybe something with split-DNS? I really would like to know.