IPv6 Firewall Rules, Multiple Dynamic Prefixes

marcg · Apr 29, 2023, 4:11 PM

@the-other No worries. If I didn't have the requirement for SLAAC on the LAN side, I could live with a single /64 plus non-overlapping DHCP ranges on my VLANs. I could write inter-VLAN ACLs for those. But, my ISP has decided to do something non-standard.

the other · Apr 29, 2023, 4:16 PM

@marcg

@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

But, my ISP has decided to do something non-standard.

Yeah, I read that one before many times here and in other forums...
Even those prefix changes here (static ones are available for business at business prices) are IMHO as redundant as those privacy extensions...
And don't even start with that epic battle between MS and Google about DHCP_IPv6 or SLAAC or how to write those IPs. It's kinda sad how those players "break" IPv6 before it even really got started.
jm2c
;)

marcg · Apr 29, 2023, 4:44 PM

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
I wouldn't use ULA and dynamic prefixes, that is to much hassle. It is not well supported in pfSense,
My first answer still stands.

My understanding up to this point was

Use non-routeable fd00::/8 ULAs internally. For example, if I had 8 internal subnets, I might use ULA prefixes fd01::/16 - fd08::/16. These would be static prefixes and I could write inter-subnet ACLs for them.
NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.

Would that work if the NPt rules were somehow able to track the dynamic prefixes?

Bob.Dig · Apr 29, 2023, 4:46 PM

@marcg Sure, in theory. But again, you can use the *_net in your rules to separate those subnets, so no need for ULAs, at least if separation by subnet is enough and you don't need it by hosts.

JKnott · Apr 29, 2023, 8:37 PM

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

And then NAT it out on your WAN-address.

No need for that. You will still have global addresses available to reach the rest of the world.

JKnott · Apr 29, 2023, 8:39 PM

@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

NPt'ed for the WAN sounds like a good approach.

No it doesn't. You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.

JKnott · Apr 29, 2023, 8:42 PM

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

I wouldn't use ULA and dynamic prefixes, that is to much hassle. It is not well supported in pfSense

When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. PfSense handles it very well.

JKnott · Apr 29, 2023, 8:44 PM

@marcg said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

NPt the ULA prefixes to the dynamic prefixes from my ISP for host Internet access.

Please forget that nonsense. You run both global and ULA on the same LAN, just as the network gods intended.

marcg · Apr 29, 2023, 8:54 PM

@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

You use both ULA and global addresses. IPv6 is designed to have multiple addresses on an interface. After my computer has been up for a week, I'll have 17 addresses, 8 global, 8 ULA and 1 link local.

OK. I had been thinking that, with ULA, I'd NAT the local prefixes to global ones for off-net access. Seems like that's the wrong approach.

I could use ULAs for internal comms and GUAs for external ones. The dynamic prefix issue would be handled automagically in this case via Track Interface.

Appreciate everyone's patience here. New to pfSense and don't (yet) have an actual box to experiment with.

Bob.Dig · Apr 30, 2023, 7:58 AM

@jknott said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

I wouldn't use ULA and dynamic prefixes, that is to much hassle. It is not well supported in pfSense

When my cable modem is in gateway mode, it provides a /64 global address and a /64 ULA. Nothing wrong at all with having both. PfSense handles it very well.

OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead. Now you want to use both, which will do nothing about the concerns mentioned at first. Unless you describe your solution in greater detail, maybe something with split-DNS? I really would like to know.

JKnott · May 27, 2023, 6:13 PM

@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead

Why is he concerned about changing prefixes? Is it because he wants remote access? Or he wants to use DNS for host names on his LAN? It it the latter that having both ULA and global addresses is for. The ULA gives him consistent addresses. He still has global addresses for accessing the Internet, without using NAT, etc..

In some ways, IPv6 requires an entirely different way of thinking about things. For example, while it was possible to have multiple IP addresses on an interface with IPv4, it wasn't often done. With IPv6, it's expected. In fact, you can even have 2 or 3 routers on a LAN, with priority, in addition to ULA. I believe his issue about rules could be handled with aliases, where the rule is for the network, rather than any specific addresses.

marcg · May 27, 2023, 6:19 PM

@JKnott , @Bob-Dig , circling back to thank you two for this discussion and the ULA guide.

Running 23.05 on a commodity box with per-subnet prefixes for ULAs and GUAs. The latter prefixes are dynamic. Addresses obtained by SLAAC for both, plus static ULAs for machines that need local DNS entries. No NPt or NAT. It works well.