Allowing access to internal servers with IPv6 DHCPv6 tracking

junicast

There are different possibilities. I assume that your WAN connection does not have a static prefix. I also assume what for you is important that you can somehow reach your server.

1. You could disable privacy extensions for your server. This way his interface identifier always will be the same. Only the prefix will change.
2. You could use DHCPv6 in order to assign your server a specific IP all the time he requests for one. As a matter of fact I was not able to achieve this in practice. Maybe not the best way to go.
3. You could ignore which IP the host gets as good as possible. Use DNS names only instead. It is possible that pfSense updates your DNS Server every time a client gets a new address. That way you could make your server addressable through a DNS name that gets update the moment the IP changes. I'd prefer that way.

pfbolt

Without DHCPv6, which I assume would mean using SLAAC instead, how would pfSense know about the hostname?

MikeV7896

If you're not going to use DHCPv6, but don't want to set a static IPv6 address on the system in case the prefix changes in the future, the only way to do it would be to disable IPv6 SLAAC privacy extensions in the operating system. By disabling the SLAAC privacy extensions, the computer will use a SLAAC IPv6 address that is based on the MAC address of the interface. There's also a bit-flip involved for one bit when converting the MAC address.

• If the MAC address were 00cd:98:76:54…

• Split the MAC into its vendor and host sections… 00cd  and  98:76:54

• Flip the 7th bit of the vendor section to turn the 00 into 02…

• Add ff:fe between the two portions, and your IPv6 address becomes…

Unfortunately, there's still no way to create a firewall rule that will automatically adjust itself in the future should your prefix change. I submitted a feature request (#6626) about this last year, but no action has been taken on it yet.

pfbolt

With or without DHCPv6, there's still the issue of prefix changes. Guess I'll have to wait for that task to be resolved.

hda

@pfbolt:

With or without DHCPv6, there's still the issue of prefix changes. Guess I'll have to wait for that task to be resolved.

I consider automated adjustment of changing prefix (incl. Track Interface) a security concern, an intrusion risk I would not take.
YOU have to manage your premises, not your ISP or … So go fight your ISP for silly prefix delegations  :P
Do you think servers get numbers on SLAAC or DHCP i.s.o. fixed addresses ?

pfbolt

How would a changed prefix leave your machines vulnerable to attack?

severach

@hda:

YOU have to manage your premises, not your ISP

So the solution is to use NATv6 and a FD00 address, exactly what I've done to eliminate all these problems. It's what works with the current infrastructure. ipv6-PD is an alpha quality service.

hda

@pfbolt:

How would a changed prefix leave your machines vulnerable to attack?

Attack: ISP plugs you where they want and you have no standing…
Intrusion: ISP changes your prefix and your line is not down but has another address... Duh.
Security: your customers lose secure connectivity, secure in the sense of trust & reliability for managed connections.

I understood that your idea is to have firewall-rules auto-changed based upon change of prefix.
Then you rely extra on your (and pfSense's) perfection to manage. This vulnerability would be all not necessary or superfluous.

I have a /48 by DHCP6-PD and it is quasi-static in that it is already more than 5 years the same number-set.
Ofcourse my ISP reserves the right to change (contract). But if change then my line will drop. And that is good for reason of cause control.
I take the prefix delegation as my domain. So I make my choice for static LAN numbering and use DHCP6-Server on that or set static serverhosts.
No SLAAC, sure no privacy extensions bullshit either.

kpa

@hda:

@pfbolt:

How would a changed prefix leave your machines vulnerable to attack?

Attack: ISP plugs you where they want and you have no standing…
Intrusion: ISP changes your prefix and your line is not down but has another address... Duh.

You have to do a lot better than that to convince anyone that there is even a remote chance of an intrusion. Right now it sounds like you don't understand what the default deny policy implies in such situations.

junicast

@pfbolt:

Without DHCPv6, which I assume would mean using SLAAC instead, how would pfSense know about the hostname?

You are right. My first suggestion was not quite right.
So your prefix might change. Then I'd suggest to give DHCPv6 a try with dynamic updates to your or someone elses DNS server. I got such a setup running for v4 but it took me some time, especially when it comes to the ACL who may write what into DNS… I don't know if and how it works with v6 but it should work.