Netgate Discussion Forum

IPv6 Firewall Rules, Multiple Dynamic Prefixes

Firewalling
marcg @the other (Apr 29, 2023, 4:11 PM)

@the-other No worries. If I didn't have the requirement for SLAAC on the LAN side, I could live with a single /64 plus non-overlapping DHCP ranges on my VLANs. I could write inter-VLAN ACLs for those. But, my ISP has decided to do something non-standard.
the other @marcg (Apr 29, 2023, 4:16 PM)

@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

But, my ISP has decided to do something non-standard.

Yeah, I read that one before many times here and in other forums...
Even those prefix changes here (static ones are available for business at business prices) are IMHO as redundant as those privacy extensions...
And don't even start with that epic battle between MS and Google about DHCP_IPv6 or SLAAC or how to write those IPs. It's kinda sad how those players "break" IPv6 before it even really got started.
jm2c
;)

the other

pure amateur home user, no business or professional background
please excuse poor english skills and typpoz :)
marcg @Bob.Dig (Apr 29, 2023, 4:41 PM, edited 4:44 PM)

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense,
My first answer still stands.

My understanding up to this point was:

• Use non-routable fd00::/8 ULAs internally. For example, if I had 8 internal subnets, I might use ULA prefixes fd01::/16 - fd08::/16. These would be static prefixes and I could write inter-subnet ACLs for them.

• NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.

Would that work if the NPt rules were somehow able to track the dynamic prefixes?
Bob.Dig @marcg (Apr 29, 2023, 4:46 PM)

@marcg Sure, in theory. But again, you can use the *_net in your rules to separate those subnets, so no need for ULAs, at least if separation by subnet is enough and you don't need it by hosts.
JKnott @Bob.Dig (Apr 29, 2023, 8:37 PM)

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

And then NAT it out on your WAN-address.

No need for that. You will still have global addresses available to reach the rest of the world.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
JKnott @marcg (Apr 29, 2023, 8:39 PM)

@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

NPt'ed for the WAN sounds like a good approach.

No, it doesn't. You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.
JKnott @Bob.Dig (Apr 29, 2023, 8:41 PM, edited 8:42 PM)

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense

When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. PfSense handles it very well.
JKnott @marcg (Apr 29, 2023, 8:44 PM)

@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.

Please forget that nonsense. You run both global and ULA on the same LAN, just as the network gods intended. 😉
marcg @JKnott (Apr 29, 2023, 8:54 PM)

@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.

OK. I had been thinking that, with ULA, I'd NAT the local prefixes to global ones for off-net access. Seems like that's the wrong approach.

I could use ULAs for internal comms and GUAs for external ones. The dynamic prefix issue would be handled automagically in this case via Track Interface.

Appreciate everyone's patience here. New to pfSense and don't (yet) have an actual box to experiment with.
Bob.Dig @JKnott (Apr 30, 2023, 7:58 AM)

@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

I wouldn't use ULA and dynamic prefixes, that is too much hassle. It is not well supported in pfSense

When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. PfSense handles it very well.

OP had concerns about rules with dynamic prefixes; your solution was to use ULAs instead. Now you want to use both, which will do nothing about the concerns mentioned at first. Unless you describe your solution in greater detail, maybe something with split-DNS? I really would like to know.
JKnott @Bob.Dig (Apr 30, 2023, 12:34 PM, edited 12:35 PM)

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

OP had concerns about rules with dynamic prefixes; your solution was to use ULAs instead

Why is he concerned about changing prefixes? Is it because he wants remote access? Or he wants to use DNS for host names on his LAN? It is the latter that having both ULA and global addresses is for. The ULA gives him consistent addresses. He still has global addresses for accessing the Internet, without using NAT, etc.

In some ways, IPv6 requires an entirely different way of thinking about things. For example, while it was possible to have multiple IP addresses on an interface with IPv4, it wasn't often done. With IPv6, it's expected. In fact, you can even have 2 or 3 routers on a LAN, with priority, in addition to ULA. I believe his issue about rules could be handled with aliases, where the rule is for the network, rather than any specific addresses.
marcg @JKnott (May 27, 2023, 6:13 PM, edited 6:19 PM)

@JKnott, @Bob-Dig, circling back to thank you two for this discussion and the ULA guide.

Running 23.05 on a commodity box with per-subnet prefixes for ULAs and GUAs. The latter prefixes are dynamic. Addresses obtained by SLAAC for both, plus static ULAs for machines that need local DNS entries. No NPt or NAT. It works well.
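A worked model of the design the thread converges on (Bob.Dig's `*_net` macros plus JKnott's ULA-alongside-GUA), added here as an example and not code from the thread or from pfSense itself: each VLAN gets one prefix ID that selects its /64 from both the ISP's delegated prefix (the way Track Interface does) and a static ULA /48, and a rule keyed on the interface network keeps matching after the ISP renumbers, while a rule written with a literal GUA prefix silently stops matching and falls through. All prefixes, VLAN names, the `Rule` shape and the first-match evaluator are constructed for this example.

```python
from collections import namedtuple
from ipaddress import IPv6Address, IPv6Network

# Constructed values: the ISP delegates a dynamic /56, the admin picks a static
# RFC 4193 ULA /48, and each VLAN gets one prefix ID used for both families.
ULA_BASE = IPv6Network("fd12:3456:789a::/48")
VLAN_PREFIX_ID = {"LAN": 0, "IOT": 1, "GUEST": 2}
Rule = namedtuple("Rule", "action src dst")  # src/dst: "<VLAN>_net", literal CIDR or "any"

def subnet_for(base: IPv6Network, prefix_id: int) -> IPv6Network:
    """Carve the /64 with the given prefix ID out of a shorter base prefix."""
    return IPv6Network((int(base.network_address) | (prefix_id << 64), 64))

def interface_nets(delegated: IPv6Network) -> dict:
    """Model the <VLAN>_net macros: every VLAN owns a GUA /64 and a ULA /64."""
    return {v: [subnet_for(delegated, pid), subnet_for(ULA_BASE, pid)]
            for v, pid in VLAN_PREFIX_ID.items()}

def resolve(token: str, nets: dict) -> list:
    if token == "any":
        return [IPv6Network("::/0")]
    if token.endswith("_net"):
        return nets[token[:-4]]      # macro follows whatever prefix is current
    return [IPv6Network(token)]      # literal prefix never changes

def evaluate(rules: list, nets: dict, src: str, dst: str) -> str:
    """First-match evaluation; returns 'no-match' when no rule applies."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for r in rules:
        if (any(s in n for n in resolve(r.src, nets))
                and any(d in n for n in resolve(r.dst, nets))):
            return r.action
    return "no-match"

# Same intent written two ways: block IoT -> LAN, allow IoT anywhere else.
MACRO_RULES = [Rule("block", "IOT_net", "LAN_net"), Rule("pass", "IOT_net", "any")]
LITERAL_RULES = [Rule("block", "2001:db8:aaaa:101::/64", "2001:db8:aaaa:100::/64"),
                 Rule("pass", "any", "any")]

def compare(delegated: str, src: str, dst: str) -> tuple:
    """Return (macro verdict, literal verdict) for one flow under one delegation."""
    nets = interface_nets(IPv6Network(delegated))
    return evaluate(MACRO_RULES, nets, src, dst), evaluate(LITERAL_RULES, nets, src, dst)

if __name__ == "__main__":
    for pd, s, d in [("2001:db8:aaaa:100::/56", "2001:db8:aaaa:101::10", "2001:db8:aaaa:100::20"),
                     ("2001:db8:bbbb:100::/56", "2001:db8:bbbb:101::10", "2001:db8:bbbb:100::20"),
                     ("2001:db8:bbbb:100::/56", "fd12:3456:789a:1::10", "fd12:3456:789a::20")]:
        print(pd, compare(pd, s, d))  # old /56; renumbered /56; ULA flow after renumbering
```

The second and third rows show why the literal rule is the one to avoid: after renumbering it no longer matches anything and the flow falls through to the pass rule, whereas the macro rule still blocks both the new GUA flow and the stable ULA flow.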
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.