IPv6 rules for dynamic prefixes (Redmine Ticket 6626)
-
I already searched for a solution but did not find anything. Either it's too obvious or it's not working as expected:
pfSense is capable of rules for dynamic prefixes (https://redmine.pfsense.org/issues/6626).
So, I created a rule:
pass in quick on pppoe0 reply-to (pppoe0 fe80::9ecc:83ff:fe89:eb31) inet6 proto tcp from any to xxxx:0:ff:fe00:10 port = http flags S/SA keep state label "USER_RULE" label "id:1713254789" ridentifier 1713254789
(where xxxx includes my prefix) which shows up in the UI (Rules -> WAN) as:
But if I try to access the IPv6 on that port, I see the packet blocked by the default IPv6 deny rule. Why?
All rules on WAN currently:
Thanks in advance!
EDIT: If I create an easy pass rule from the blockage, it's working. But this easy rule contains the prefix itself and that part is dynamic.
-
Okay, got a bit further
pfSense adds my WAN prefix when typing that kind of rule (host portion). But the target device lives in LAN and has another prefix (?) and because of that it's not working. I still don't know how to use the host-portion feature for v6 rules.
-
BTW the Redmine mentioned PR (https://redmine.pfsense.org/issues/6626) is also available on GitHub at https://github.com/pfsense/pfsense/commit/7c4b3d3c8d2d15b1e59d1d262cc295a848434355
So, the :: feature expands the $rule['interface']'s prefix to the host portion. Useless in my case.
Okay, let's make my target v6 a complete one: it works!
Assuming the "Do not allow PD/Address release" is being ignored and I get a new prefix, then all my rules are dead.
Correct me if I am wrong, but pfSense misses a dropdown for that :: case, allowing me to select the target interface for auto-prefix-determination at https://github.com/pfsense/pfsense/blob/9fd4cb962ad28b0e03c8c755a80b20ad7c867d9e/src/etc/inc/filter.inc#L3247
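-
The mismatch described in this thread, as an added illustration that is not part of the original posts and is not pfSense code: a host-portion destination completed with the WAN prefix never equals the address of a host that sits behind the LAN prefix, and a rule with the full address stops matching after a prefix change. The prefixes are constructed from the 2001:db8::/32 documentation range, and `expand_host_portion` and `demo` are hypothetical helpers.

```python
import ipaddress

# Host part taken from the rule in the thread (xxxx:0:ff:fe00:10 without the prefix).
HOST_PART = "::0:ff:fe00:10"
# Constructed prefixes (documentation range), not values from the thread.
WAN_OLD = "2001:db8:aaaa:0::/64"
LAN_OLD = "2001:db8:aaaa:1::/64"
LAN_NEW = "2001:db8:bbbb:1::/64"   # LAN prefix after the ISP hands out a new delegation


def expand_host_portion(host_part: str, iface_prefix: str) -> ipaddress.IPv6Address:
    """Combine an interface prefix with a prefix-less host part (low bits only)."""
    net = ipaddress.IPv6Network(iface_prefix)
    host = int(ipaddress.IPv6Address(host_part))
    if host & int(net.netmask):
        # A host part that sets prefix bits is really a full address.
        raise ValueError("host part overlaps the prefix bits of " + iface_prefix)
    return ipaddress.IPv6Address(int(net.network_address) | host)


def demo() -> dict:
    # Address the LAN server actually has before and after the prefix change.
    server_before = expand_host_portion(HOST_PART, LAN_OLD)
    server_after = expand_host_portion(HOST_PART, LAN_NEW)

    # Rule on WAN with a host-portion destination: completed with the WAN prefix,
    # which is what the thread observed.
    rule_from_wan = expand_host_portion(HOST_PART, WAN_OLD)
    # Rule with the full LAN address typed in by hand (the workaround in the thread).
    rule_static = server_before

    return {
        "wan_expanded_matches": rule_from_wan == server_before,
        "static_matches_before_change": rule_static == server_before,
        "static_matches_after_change": rule_static == server_after,
        # Assumption: what a selectable target interface would give, i.e. the
        # destination re-derived from the current LAN prefix on every reload.
        "lan_expanded_matches_after_change":
            expand_host_portion(HOST_PART, LAN_NEW) == server_after,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```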