Netgate Discussion Forum
    IPv6 firewall rule dynamic IP

    • JKnott

      Instead of specifying a specific host, you can specify the network as the destination.  You can then use any computer, with any IPv6 address.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • SoulChild

        Euhm… this question is solved :)

        Thank you!

        • MikeV7896

          Just be aware that you've allowed access to the port(s) on ALL computers/devices on your network. Of course, if they don't have something listening, or have their own firewall, that will ensure that they're at least somewhat secure.

          As far as your original post goes… the firewall rule is unfortunately not yet possible with a dynamic prefix. I created a feature request a couple of months ago regarding this, asking for an option to select something like "LAN Prefix" (which could be updated if the prefix changes) while allowing the host portion of the rule to be static.

          BTW, you're not the first to ask for this… I know there's at least one other thread asking for the same capability, which is what drew me to create the feature request.

          Unfortunately, now it's a waiting game to have this capability implemented.

          The S in IOT stands for Security

          • JKnott

            One other thing, are you sure your ISP is changing your IPv6 address?  With IPv6, addresses are commonly configured using SLAAC.  There are two types of SLAAC addresses.  The first is based on the MAC address and does not change.  The other is called a privacy address, which is based on a random number and changes periodically.  When you set up a DNS record, you must use the MAC based one.  It's easy to spot, as the right part is identical to the right part of your link local address.  One other factor is that some versions of Windows use a non-changing random number for the permanent address.  In that case, that's the one you use for the DNS.

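A small script to check the point above, added here as an illustration and not part of JKnott's post: it derives the modified EUI-64 interface identifier from a MAC, forms the stable SLAAC address for an advertised /64, and applies the "right part matches link-local" test to a constructed list of interface addresses. The MAC, prefixes and address list are made-up sample values.

```python
import ipaddress

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: flip the universal/local bit of the
    first octet and insert ff:fe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address (the 'right part' in JKnott's description)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address a host forms from an advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_stable_eui64(addr: str, link_local: str) -> bool:
    """JKnott's test: same interface ID as the link-local address, plus the
    ff:fe marker sitting in bits 24..39 of the identifier."""
    iid = interface_id(addr)
    has_fffe = (iid >> 24) & 0xFFFF == 0xFFFE
    return iid == interface_id(link_local) and has_fffe


def dns_candidates(addresses, link_local: str):
    """From every address on an interface, keep the non-link-local, non-ULA ones
    whose interface ID matches link-local: those are the ones to put in DNS or a
    firewall rule. Privacy (temporary) addresses drop out because their IID is random."""
    keep = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local or ip in ULA_RANGE:
            continue
        if is_stable_eui64(a, link_local):
            keep.append(str(ip))
    return keep


# constructed sample: what `ip -6 addr` might list on one host (documentation prefixes)
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_LINK_LOCAL = "fe80::211:22ff:fe33:4455"
SAMPLE_ADDRESSES = [
    SAMPLE_LINK_LOCAL,
    "2001:db8:1:10:211:22ff:fe33:4455",    # stable, MAC based global
    "2001:db8:1:10:a1b2:c3d4:e5f6:789",    # privacy (temporary) global
    "fd12:3456:789a:10:211:22ff:fe33:4455",  # stable ULA
    "fd12:3456:789a:10:9c2e:1d3f:b8a7:6e54",  # privacy ULA
]

if __name__ == "__main__":
    print("EUI-64 IID :", hex(eui64_interface_id(SAMPLE_MAC)))
    print("SLAAC addr :", slaac_address("2001:db8:1:10::/64", SAMPLE_MAC))
    print("for DNS    :", dns_candidates(SAMPLE_ADDRESSES, SAMPLE_LINK_LOCAL))
```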
            • SoulChild

              Hi JKnott,

              Yes, I am fully aware that this solution is essentially allowing all incoming traffic on this port for all IPv6 listening hosts in my network. I know this isn't exactly ideal, but as far as quick fixes go, it works. And it doesn't require me to manually check the rule every now and then to see if it is still being used.

              I also found that I'm not the first one to ask this, but it's not yet implemented indeed. This problem also seems to sometimes come in the form of people asking for "IPv6 port forwarding"… Bit of a contradiction, that one :). Goes to illustrate that even IT people don't realise that port forwarding is both NAT AND a firewall change.

              And my internet provider is using DHCPv6 on my pfSense external IP, but is delegating a /56 for my internal use; indeed the internal is SLAAC, but the prefix is dynamically allocated by my provider.

              I'm not 100% sure what the rules are as of yet, but yes, they do change my internal prefix periodically. My static rule allowing the port towards my internal IP becomes obsolete after my internal IP changes.

              Not sure yet how often this happens, though. But this will fix it until a more granular solution is implemented for us IPv6 delegation users :)

              • PigLover

                @virgiliomi:

                …I created a feature request a couple of months ago regarding this, asking for an option to select something like "LAN Prefix" (which could be updated if the prefix changes) while allowing the host portion of the rule to be static. …

                This - please.  Any idea how we could get this feature request prioritized?  Would be a brilliant solution.

                • SoulChild

                  Of course, this would require that you use SLAAC as standardized, with your MAC address visible in the IP address. Some implementations consider this a security issue and will randomly generate a host portion afterwards. Windows does this by default, surely some Linux distros as well. Usually you can see this in an ipconfig, with the "temporary IP address" listed under the adapter.

                  So unless you change this behaviour in your OS and have your MAC address visible and easily identifiable in the IP address (the glaring "FFFE" in the middle…), this isn't as easy as it sounds. Is this really an issue? Not really, but it's lazy, imo...

                  Maybe a more secure option would be to track the IPv6 address based on the MAC address of the end host? Regardless of the actual IPv6 address generated? That way you have the obfuscation of the randomly assigned IP address, and more importantly: an implementation that works without getting messy in the Windows registry or Linux settings to disable randomly generated IPv6 host portions.

                  • PigLover

                    It's not really all that hard - once you know what the client will use in the "suffix" you can just enter it.  With the exception of the random rotating address selection used by Windows, the suffix is completely predictable.

                    In fact, you can even set this with Windows.  You can, with the right PowerShell incantations, force it to use an EUI-64 translation of your MAC address or even a fixed address (like ::1).

                    The really hard part, the part that you can only fix from inside pfSense, is what prefix is used for the interface.

                    • SoulChild

                      My point wasn't that it was so hard or impossible to do, it's that I do feel there is merit in not having a static host portion in IPv6. For IPv4 private IPs, this is almost always irrelevant since source NAT hides your internals anyway.

                      However, having thought about it, having the internal host portion static isn't a half-bad idea actually. It's the equivalent of setting up a static private IP, with a public IP… That way the implementation in pfSense would be to simply have the prefix in a dynamically adjusting list, while adding your internal bits to it and the port you want to open.

                      • JKnott

                        ^^^^
                        The normal practice is to use the MAC based address for incoming connections, so that DNS can point to it and use the random number addresses for privacy on outgoing connections.

                        • ddffnn

                          I found a solution. I created an alias for the LAN host that I want to be accessible. Then in the actual firewall rule I specify that alias as the single alias in the destination field.

                          I tested that other IPv6 addresses get blocked, but the one I wanted to use does get through.

                          Apparently this feature is often used to collapse several external hosts or IPs into a single entry to keep the list of rules shorter, but it also works for this purpose because the FQDN will be resolved periodically.

                          • aledesma

                            @ddffnn:

                            I found a solution. I created an alias for the LAN host that I want to be accessible. Then in the actual firewall rule I specify that alias as the single alias in the destination field.

                            I tested that other IPv6 addresses get blocked, but the one I wanted to use does get through.

                            Apparently this feature is often used to collapse several external hosts or IPs into a single entry to keep the list of rules shorter, but it also works for this purpose because the FQDN will be resolved periodically.

                            Hi, I have been pondering this for a while as well. I am unclear on how to create port forwards with my IPv6 set up from Comcast.  I can connect to all the IPv6 sites and pass all the tests, but I don't know how to make rules. I thought that with IPv6 it was like having a public IP for all of my LAN hosts.

                            What did you do? Did you have to set up an internal DHCPv6 server and router advertisements on pfSense, or did you just create a rule on the WAN interface to point to the alias that you created with the IPv6 addresses handed out by your ISP?

                            Super confused,

                            Alex

                            • MikeV7896

                              @aledesma:

                              Hi, I have been pondering this for a while as well. I am unclear on how to create port forwards with my IPv6 set up from Comcast.  I can connect to all the IPv6 sites and pass all the tests, but I don't know how to make rules. I thought that with IPv6 it was like having a public IP for all of my LAN hosts.

                              What did you do? Did you have to set up an internal DHCPv6 server and router advertisements on pfSense, or did you just create a rule on the WAN interface to point to the alias that you created with the IPv6 addresses handed out by your ISP?

                              With IPv6, it's not a port forward you're creating. You're creating a firewall rule on the WAN to allow an incoming connection to your host using its global IPv6 address. No NAT… no forwards... just a firewall rule.

                              From what it sounds like...

                              • A static DHCPv6 entry was created for the host. This allows a hostname to be associated with the IPv6 address.

                              • An alias was created, pointing to the hostname. pfSense will occasionally re-resolve the hostname in case the IP address changes (really just the prefix, since the host portion is the same based on the DHCPv6 static entry).

                              • A firewall rule was created on the WAN interface, allowing traffic with a destination of the alias and the desired port(s) through the firewall.

                              I personally consider an alias to be a workaround to this problem (what if I don't want to set an internal hostname?), but it certainly does work. I still would like to see this feature request implemented to provide a more direct solution to the issue though.

                              Not to mention that there are potential races with an alias… the prefix changes, firewall rules reload, but DHCPv6 hasn't yet updated the host/lease with the new prefix, causing the alias to still resolve to the old address. Seconds later, DHCPv6 updates the lease, but now you have a period of time until the next alias DNS resolution where the host is not accessible.

                              • flstaats

                                I have this issue also.  I've added my own notes to the feature request https://redmine.pfsense.org/issues/6626

                                I'm using firewall aliases manually configured to cover the whole prefix delegation and IPv4 NAT address space as my workaround.  This can cause issues when the delegation automatically changes, but allows me to create rule chains that allow whitelisted connections / deny all other internal connections (with my firewall alias) / then allow all external connections, which are simple to read (important) and maintain.

                                • pfadmin

                                  Yes I'm sure to post to this topic.

                                  I ran into the same problem. Dynamic IPv6 and a lot of interfaces / VLANs. So my clients on these different LANs should be able to use IPv6 for browsing the internet but not for connecting to clients in other LANs on my home site. At this time, I use a rule with an alias to block these LANs for incoming IPv6 with the given prefix/56. It is an IP alias with something like 2003:abc:ef12:aa00 and /56, which I pulled from the ISP. If the prefix changes, I have to change the alias manually.

                                  So, is it really that difficult to code a script that probes the existing prefix, compares it with the alias and, if different, changes the alias?  :o I think this is the first thing we need.
                                  Don't ask, I'm not the right man to code this  ???

                                  pfadmin

                                  • JKnott

                                    @pfadmin:

                                    Yes I'm sure to post to this topic.

                                    I ran into the same problem. Dynamic IPv6 and a lot of interfaces / VLANs. So my clients on these different LANs should be able to use IPv6 for browsing the internet but not for connecting to clients in other LANs on my home site. At this time, I use a rule with an alias to block these LANs for incoming IPv6 with the given prefix/56. It is an IP alias with something like 2003:abc:ef12:aa00 and /56, which I pulled from the ISP. If the prefix changes, I have to change the alias manually.

                                    So, is it really that difficult to code a script that probes the existing prefix, compares it with the alias and, if different, changes the alias?  :o I think this is the first thing we need.
                                    Don't ask, I'm not the right man to code this  ???

                                    pfadmin

                                    One thing you can do for your local network is to use Unique Local Addresses (ULA) for local connections.  I set that up as an experiment on my network, but it would solve that part of your problem.  With ULA, you create a /48 prefix that starts with fd, to which you add a 40-bit random number.  pfSense will advertise that prefix and it works just as well as a global address for use on the local network.  You'd still have global addresses for accessing the Internet.

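The ULA construction JKnott describes, as an added example that is not from the thread: fd00::/8 plus a 40-bit global ID gives the site's /48, from which each VLAN takes a /64. The SHA-1 over a timestamp and an EUI-64 is the derivation RFC 4193 suggests; a plain 40-bit random value is equally valid. The EUI-64 value and subnet IDs used below are constructed samples.

```python
import hashlib
import ipaddress
import secrets
import time
from typing import Optional

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def rfc4193_global_id(eui64_iid: int, now_ns: Optional[int] = None) -> int:
    """RFC 4193 section 3.2.2 style: SHA-1 over (64-bit time value || EUI-64),
    keeping the low-order 40 bits. The time value only needs to be fresh; the
    exact timestamp encoding is not important for the uniqueness argument."""
    if now_ns is None:
        now_ns = time.time_ns()
    data = now_ns.to_bytes(8, "big") + eui64_iid.to_bytes(8, "big")
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest[-5:], "big")


def random_global_id() -> int:
    """The simpler 'just pick a random 40-bit number' variant, as JKnott puts it."""
    return secrets.randbits(40)


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd (8 bits) followed by the 40-bit global ID gives the /48."""
    if global_id >> 40:
        raise ValueError("global ID must fit in 40 bits")
    base = 0xFD << 120
    return ipaddress.IPv6Network((base | (global_id << 80), 48))


def vlan_ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65,536 /64s inside the /48: the subnet ID is the 16 bits after /48."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must be 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(net: ipaddress.IPv6Network) -> bool:
    """Sanity check: the result lands inside fc00::/7, i.e. inside pfadmin's RFC_1918 alias entry."""
    return net.subnet_of(ULA_RANGE)


if __name__ == "__main__":
    sample_eui64 = 0x021122FFFE334455  # constructed EUI-64 of the router's LAN port
    gid = rfc4193_global_id(sample_eui64)
    site = ula_prefix(gid)
    print("site ULA /48 :", site)
    for vlan_id in (0x10, 0x20):  # constructed VLAN subnet IDs
        print(f"vlan {vlan_id:#x}   :", vlan_ula_subnet(site, vlan_id))
```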
                                    • pfadmin

                                      I could use ULA for connecting between LANs, but clients who want to connect to the internet via IPv6 need global unicast addresses. These addresses come with the prefix to all clients in my different VLANs (divided into subnets with the bits between /56 and /64). But now I have to allow all IPv6 traffic to everywhere. I don't want to allow IPv6 traffic between VLANs, so I need to block it first. Telekom_prefix is manually 2003:ca:abcd:d300/56 and RFC_1918 is 192.168.0.0/24 172.16.0.0/12 10.0.0.0/8 and fc00::/7
                                      So I need a script which automatically changes the Telekom_prefix alias if it changes.

                                      The example is not what the rule picture shows

                                      WAN / Internet
                                            :
                                            : DialUp-/PPPoE-/Cable-/whatever-Provider
                                            :
                                            |
                                      .-----+-----.  vlan10                          .----------.
                                      |  pfSense  +-------------------------------+ client10 |
                                      '-----+-----'  2003:ca:abcd:f310::/64        '----------'
                                            |
                                            |
                                      vlan20 | 2003:ca:abcd:f320::/64
                                            |

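The decision logic of the prefix-refresh script pfadmin asks for, as an added example that is not pfSense code and does not touch pfSense's alias store: it recovers the live /56 from a LAN interface address, rebuilds the per-VLAN /64s and a "prefix + static host bits" destination of the kind discussed earlier in the thread, and shows how a stale alias silently stops blocking inter-VLAN traffic after a rotation. The d300/f300 prefixes, VLAN subnet IDs and host identifier are constructed sample values; writing the new contents back into the alias is left to whatever mechanism the operator uses.

```python
import ipaddress
from typing import List, Tuple

DELEGATION_LEN = 56  # pfadmin's ISP delegates a /56

# constructed: the alias as last saved by hand, and the address pfSense currently
# holds on vlan10 after the ISP handed out a different delegation
SAVED_ALIAS = ["2003:ca:abcd:d300::/56"]
VLAN10_IFACE_ADDRESS = "2003:ca:abcd:f310::1"


def delegated_prefix(address_inside: str, plen: int = DELEGATION_LEN) -> ipaddress.IPv6Network:
    """Recover the delegated /56 from any address inside it; a LAN interface
    address is the easiest thing to read off the router."""
    return ipaddress.IPv6Network(f"{address_inside}/{plen}", strict=False)


def vlan_subnet(pd: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """The bits between /56 and /64 select a VLAN's /64 (subnet_id 0x10 -> ...f310::/64)."""
    if not 0 <= subnet_id < 2 ** (64 - pd.prefixlen):
        raise ValueError("subnet ID does not fit between the delegation and /64")
    return ipaddress.IPv6Network((int(pd.network_address) | (subnet_id << 64), 64))


def rule_destination(pd: ipaddress.IPv6Network, subnet_id: int, host_iid: int) -> ipaddress.IPv6Address:
    """'LAN prefix + static host portion': rebuild a per-host rule target after a rotation."""
    return ipaddress.IPv6Address(int(vlan_subnet(pd, subnet_id).network_address) | host_iid)


def refresh_alias(saved: List[str], pd: ipaddress.IPv6Network) -> Tuple[bool, List[str]]:
    """What the wished-for script decides: does the alias still hold the live prefix?
    Returns (needs_update, contents the alias should have)."""
    wanted = [str(pd)]
    return (sorted(saved) != sorted(wanted), wanted)


def blocked_by_alias(alias: List[str], dst: str) -> bool:
    """pfadmin's inter-VLAN block rule: a destination inside the alias is dropped."""
    ip = ipaddress.IPv6Address(dst)
    return any(ip in ipaddress.IPv6Network(n) for n in alias)


if __name__ == "__main__":
    pd = delegated_prefix(VLAN10_IFACE_ADDRESS)
    changed, fresh = refresh_alias(SAVED_ALIAS, pd)
    print("live delegation :", pd, "| alias stale:", changed)
    # constructed client on vlan20 with a stable EUI-64 host portion
    client20 = rule_destination(pd, 0x20, 0x021122FFFE334455)
    print("vlan20 client   :", client20)
    print("blocked (stale) :", blocked_by_alias(SAVED_ALIAS, str(client20)))
    print("blocked (fresh) :", blocked_by_alias(fresh, str(client20)))
```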
                                      • JKnott

                                        I could use ULA for connecting between LANs, but clients who want to connect to the internet via IPv6 need global unicast addresses.

                                        Enabling ULA does not mean losing global addresses.  With IPv6, multiple addresses are normal.  In fact, if you can reach the Internet, you have at least 2, the global address and link local.  Currently, on this computer, I have 17.  Link local, 1 MAC based global, 1 MAC based ULA and 7 each private ULA and GLOBAL.  The Windows 10 virtual machine has another 17.  So, just enable ULA and your computers will have both ULA and global addresses.

                                        • Derelict (LAYER 8 Netgate)

                                          If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          • JKnott

                                            @Derelict:

                                            If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

                                            Also, ensure "Do not allow PD/Address release" on the WAN tab is selected.  If it isn't, something as simple as disconnecting/reconnecting the Ethernet cable can cause a change of prefix.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.