    IPv6 Firewall Rules, Multiple Dynamic Prefixes

    Firewalling. 22 Posts, 4 Posters, 2.6k Views
    • Bob.Dig LAYER 8 @JKnott
      last edited by Bob.Dig

      @jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

      If your prefixes are changing, you may want to use ULA on your LAN, for accessing local devices and local DNS.

      And then NAT it out on your WAN-address. 😉

      • marcg
        last edited by marcg

        Thanks for the responses! ULA internally, NPt'ed for the WAN sounds like a good approach.

        That still leaves the issue of updating the NPt config if/when the delegated prefix from the ISP changes. Is there a way to trigger a script to update that config when the prefix changes? I've seen some posts mentioning tail'ing the DHCP logs to trigger a script when the prefix changes, but that seems ... inelegant :)

        • Bob.Dig LAYER 8 @marcg
          last edited by Bob.Dig

          @marcg As far as I know you can create one VLAN with track interface for the one /64 and then don't use that vlan, just have it sitting there for doing NPt. It will get updated automatically.

          • the other @marcg

            @marcg hey there,
            could be I am totally wrong here with understanding the problem...if so: sorry.
            Here I have IPv4 & 6 running in some VLANs. My ISP is offering dynamic prefixes as well.
            That's why I too use fd:... (ULAs) internally and 200x:... (GUAs) externally.

            I never had to touch any NPt, there are no entries at all.
            Still, everything works.
            My devices get those prefix changes, Internet is reachable. Internal clients get their ULA via SLAAC and that works fine as well...

            But, as mentioned earlier, I might be totally off... :)

            the other

            pure amateur home user, no business or professional background
            please excuse poor english skills and typpoz :)

            • marcg @Bob.Dig

              @bob-dig Ah, OK. I misunderstood your earlier comment about *_net to refer to ACLs among internal networks. Thanks.

              I guess if I had multiple dynamic /64s, I'd need a VLAN for each for NPTs. Would be much easier if my ISP handed out a single /61 that could be subnetted instead of eight /64s ... but they don't.

              • the other @marcg

                @marcg hey there,
                okay, I am sorry indeed: missed that point about the multiple given /64s. Here I get a /56 so subdividing that is indeed different.
                Sorry for wasting everyone's time.
                :)

                • Bob.Dig LAYER 8 @Bob.Dig
                  last edited by Bob.Dig

                  @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                  @marcg As far as I know you can create one VLAN with track interface for the one /64 and then don't use that vlan, just have it sitting there for doing NPt. It will get updated automatically.

                  Sorry, I was wrong and with my thoughts in another thread.

                  I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense, although maybe you can make it work with just one /64 ... but the ULA thing was brought up by jknott, not by me.
                  My first answer still stands.

                  • marcg @the other

                    @the-other No worries. If I didn't have the requirement for SLAAC on the LAN side, I could live with a single /64 plus non-overlapping DHCP ranges on my VLANs. I could write inter-VLAN ACLs for those. But, my ISP has decided to do something non-standard.

                    • the other @marcg

                      @marcg

                      @marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                      But, my ISP has decided to do something non-standard.

                      Yeah, I read that one before many times here and in other forums...
                      Even those prefix changes here (static ones are available for business at business prices) are IMHO as redundant as those privacy extensions...
                      And don't even start with that epic battle between MS and Google about DHCP_IPv6 or SLAAC or how to write those IPs. It's kinda sad how those players "break" IPv6 before it even really got started.
                      jm2c
                      ;)

                      • marcg @Bob.Dig
                        last edited by marcg

                        @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
                        I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense,
                        My first answer still stands.

                        My understanding up to this point was

                        • Use non-routable fd00::/8 ULAs internally. For example, if I had 8 internal subnets, I might use ULA prefixes fd01::/16 - fd08::/16. These would be static prefixes and I could write inter-subnet ACLs for them.

                        • NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.

                        Would that work if the NPt rules were somehow able to track the dynamic prefixes?

                        • Bob.Dig LAYER 8 @marcg

                          @marcg Sure, in theory. But again, you can use the *_net in your rules to separate those subnets, so no need for ULAs, at least if separation by subnet is enough and you don't need it by hosts.

                          • JKnott @Bob.Dig

                            @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                            And then NAT it out on your WAN-address.

                            No need for that. You will still have global addresses available to reach the rest of the world.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            • JKnott @marcg

                              @marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                              NPt'ed for the WAN sounds like a good approach.

                              No it doesn't. You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.

                              • JKnott @Bob.Dig
                                last edited by JKnott

                                @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                                I wouldn't use ULA and dynamic prefixes, that is to much hassle. It is not well supported in pfSense

                                When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. PfSense handles it very well.

                                • JKnott @marcg

                                  @marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                                  NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.

                                  Please forget that nonsense. You run both global and ULA on the same LAN, just as the network gods intended. 😉

                                  • marcg @JKnott

                                    @jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                                    You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.

                                    OK. I had been thinking that, with ULA, I'd NAT the local prefixes to global ones for off-net access. Seems like that's the wrong approach.

                                    I could use ULAs for internal comms and GUAs for external ones. The dynamic prefix issue would be handled automagically in this case via Track Interface.

                                    Appreciate everyone's patience here. New to pfSense and don't (yet) have an actual box to experiment with.

                                    • Bob.Dig LAYER 8 @JKnott

                                      @jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                                      @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                                      I wouldn't use ULA and dynamic prefixes, that is to much hassle. It is not well supported in pfSense

                                      When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. PfSense handles it very well.

                                      OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead. Now you want to use both, which will do nothing about the concerns mentioned at first. Unless you describe your solution in greater detail, maybe something with split-DNS? I really would like to know.

                                      • JKnott @Bob.Dig
                                        last edited by JKnott

                                        @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

                                        OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead

                                        Why is he concerned about changing prefixes? Is it because he wants remote access? Or he wants to use DNS for host names on his LAN? It is the latter that having both ULA and global addresses is for. The ULA gives him consistent addresses. He still has global addresses for accessing the Internet, without using NAT, etc.

                                        In some ways, IPv6 requires an entirely different way of thinking about things. For example, while it was possible to have multiple IP addresses on an interface with IPv4, it wasn't often done. With IPv6, it's expected. In fact, you can even have 2 or 3 routers on a LAN, with priority, in addition to ULA. I believe his issue about rules could be handled with aliases, where the rule is for the network, rather than any specific addresses.
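
As an added illustration, not code from any poster or from pfSense, of the two points made in this thread (marcg's static per-subnet ULA plan, and JKnott's note that rules should be written for the network rather than for specific addresses): the interface names, the fd01::/fd02:: ULAs and the 2001:db8:: delegated prefixes below are constructed, and the renumbering step simulates the ISP handing out a new prefix so you can see which rules keep matching.

```python
import ipaddress

# Constructed example: two internal interfaces, each with a static ULA prefix
# and a GUA prefix delegated by the ISP (Track Interface). 2001:db8::/32 is
# the IPv6 documentation range, not a real delegation.
IFACES = {
    "LAN": {"ula": "fd01::/64", "gua": "2001:db8:1111:1::/64"},
    "IOT": {"ula": "fd02::/64", "gua": "2001:db8:1111:2::/64"},
}

# Symbolic policy in the spirit of "LAN net"-style rules: each rule names an
# interface, never a literal prefix. First match wins; the default is block.
POLICY = [
    ("pass", "LAN", "IOT"),
    ("block", "IOT", "LAN"),
]

def build_acl(policy, ifaces):
    """Expand each symbolic rule into the prefixes currently on the interfaces,
    covering both the static ULA and the tracked GUA of every interface."""
    acl = []
    for action, src, dst in policy:
        src_nets = [ipaddress.ip_network(ifaces[src][k]) for k in ("ula", "gua")]
        dst_nets = [ipaddress.ip_network(ifaces[dst][k]) for k in ("ula", "gua")]
        acl.append((action, src_nets, dst_nets))
    return acl

def decide(acl, src, dst, default="block"):
    """First-match evaluation of a concrete ACL for one src/dst address pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_nets, dst_nets in acl:
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return action
    return default

def renumber(ifaces, old_delegated, new_delegated):
    """Simulate the ISP replacing the delegated prefix: only the GUA column
    changes (each interface keeps its subnet id); ULAs are untouched."""
    old = ipaddress.ip_network(old_delegated)
    new = ipaddress.ip_network(new_delegated)
    out = {}
    for name, cfg in ifaces.items():
        gua = ipaddress.ip_network(cfg["gua"])
        if gua.subnet_of(old):
            offset = int(gua.network_address) - int(old.network_address)
            gua = ipaddress.IPv6Network((int(new.network_address) + offset, gua.prefixlen))
        out[name] = {"ula": cfg["ula"], "gua": str(gua)}
    return out
```

Rebuilding the ACL from the interface table after a prefix change is what an interface-net macro does for you at rule load time; an ACL built from the old table no longer matches the new GUA traffic, while ULA-to-ULA traffic is unaffected either way.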

                                          • marcg @JKnott
                                            last edited by marcg

                                          @JKnott, @Bob-Dig, circling back to thank you two for this discussion and the ULA guide.

                                          Running 23.05 on a commodity box with per-subnet prefixes for ULAs and GUAs. The latter prefixes are dynamic. Addresses obtained by SLAAC for both, plus static ULAs for machines that need local DNS entries. No NPt or NAT. It works well.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.