IPv6 aliases and scheduling
-
Hi all
Looking for some help in schedules.
So I am a recent pfSense convert and have found that it is fantastic; using the guest captive portal and VLANs works fab.
I have a home setup with the main network as LAN. IPv4 Subnet is 192.168.1.0/24
I have a number of devices using IPv4 static addresses that I have an alias for and schedule rules for them. This is designed to limit the children's internet access at times.
This was working fine. However, I recently implemented IPv6 and am having some difficulty getting my head around this. I have IPv6 set up and working fine with DHCPv6.
My problem is that the kids' IPv4 access is cut off according to the schedule but not the IPv6.
The firewall rules for the alias are set to both IPv4 and IPv6 but the alias is only IPv4 addresses.
Tried to set a static address for one device on DHCPv6 but it didn't seem to work.
Any help would be greatly appreciated.
Thanks
-
Are you using the IP addresses in the DHCPv6 scope in your firewall rules?
Could be that the children's devices are getting SLAAC addresses; Android is SLAAC only.
Never set up schedules myself. Seems to work for me with my iDevices.
-
The devices are iOS and MS Xbox One.
I hadn't put the IPv6 addresses into the rules (via alias), only the IPv4 ones, but with a protocol that was IPv4+IPv6 in the rule. I expect this is why it's not working.
Time to figure out IPv6 static addressing!
Thanks
-
- Create a DHCPv4 & DHCPv6 static mapping in the DHCP service, gave my iPad the hostname ipad for both DHCPv4 & DHCPv6.
- Create an alias, called mine h_ipad and used the FQDN in the IP or FQDN field.
- Create a firewall rule at the TOP of your LAN interface and use alias as the source and add the schedule.
I found it easier letting the device get an IPv6 address, then go into Status -> DHCPv6 Leases and add a static map from there.
-
OK
So I also created a static address from the DHCPv6 lease screen.
This doesn't give an IPv6 address like I have for the IPv4 ones.
Does the static address look correct?
Just checking: from my example attached with the hostname freyaipadv6, can I just add this as the FQDN (router is pfsense.Flynn.home), so it would be freyaipadv6.Flynn.home?
So if I use the same hostname for IPv4 and IPv6 statics (i.e. ipad) I can just use ipad.Flynn.home in the alias to block?
Thanks for the help and patience.
-
You can use the same hostname for IPv4 & IPv6; one would be an A record, the other an AAAA record, so when you looked up freyaipad.flynn.home it would return an IPv4 and an IPv6 address, and the alias you created would also contain both addresses.
If you were to ssh to your router, open up a shell and type in host freyaipad.flynn.home, it should come back with an IPv4 and an IPv6 address.
I'd also use the hostname as an alias for your firewall rules.
I use h_hostname for hostname aliases, n_network for network aliases, etc …
I'm writing this from my iPad and it's a little tricky looking at the screenshot. I tend to convert the last octet in my IPv4 addresses to hex and use that as the last portion of my IPv6 address.
I'll try and do a few screen shots tomorrow.
-
Looks like you've not assigned an IPv6 address looking at that screenshot, your IPv6 address will be dynamic, you need to fix it.
If an IPv6 address is entered, the address must be outside of the pool.
If no IPv6 address is given, one will be dynamically allocated from the pool.
-
I thought that it would add it from the pool as a static address (DHCPv6 lease page), so not really a 'static' but the same leased address each time. (This is what I am used to from the Asus home equipment I have been using previously.)
When I set up the IPv4 I did this manually so didn't spot that it didn't do this.
Now I really need to get my head around the IPv6 addressing!
Thanks
-
It's easy really, if you want to block stuff going out you need to make sure the devices get the same IPv4 & IPv6 address each time via DHCP.
My iPad gets 172.16.2.41 & 2a02:XXXX:XXXX:2::29 ( 41 dec = 29 hex ) via DHCP reservation.
subnet host
mac-pro:~ andy$ host ipad
ipad.xxxx.net has address 172.16.2.41
ipad.xxxx.net has IPv6 address 2a02:XXXX:XXXX:2::29
mac-pro:~ andy$
What subnet mask are you using? I use /64, which gives me from 2a02:XXXX:XXXX:2:: to 2a02:XXXX:XXXX:2:ffff:ffff:ffff:ffff.
Have a play with this :-
http://www.subnetonline.com/pages/subnet-calculators/ipv6-subnet-calculator.php
-
That makes it look much easier.
I have now fixed it.
I am very pleased, the kids not so much!
Thank you so much for the help!
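
The addressing scheme and checks discussed in this thread, as an added example that is not part of any poster's message: it derives each device's DHCPv6 static address from the last octet of its IPv4 address (41 dec = 29 hex), rejects an address that falls inside the DHCPv6 pool, and reports alias entries that cover only one address family. The prefix 2001:db8:0:2::/64, the pool range, the "xbox" entry and all function names are assumptions made for illustration.

```python
import ipaddress

def derive_v6(v4, prefix):
    """Reuse the IPv4 last octet as the IPv6 host part (41 dec -> ::29)."""
    net = ipaddress.IPv6Network(prefix)
    octet = int(ipaddress.IPv4Address(v4)) & 0xFF
    if octet == 0:
        raise ValueError(f"{v4}: last octet 0 would map to the subnet address")
    return net[octet]

def plan_static_maps(hosts, prefix, pool_start, pool_end):
    """hosts: {hostname: IPv4}. Returns {hostname: (IPv4, IPv6)}.
    Rejects an IPv6 address inside the DHCPv6 pool or one already planned."""
    lo = ipaddress.IPv6Address(pool_start)
    hi = ipaddress.IPv6Address(pool_end)
    plan, used = {}, {}
    for name, v4 in hosts.items():
        v6 = derive_v6(v4, prefix)
        if lo <= v6 <= hi:
            raise ValueError(f"{name}: {v6} is inside the DHCPv6 pool")
        if v6 in used:
            raise ValueError(f"{name}: {v6} already planned for {used[v6]}")
        used[v6] = name
        plan[name] = (v4, str(v6))
    return plan

def alias_gaps(alias):
    """alias: {hostname: [addresses]}. Returns hosts missing an address
    family, i.e. traffic a scheduled IPv4+IPv6 rule would not match."""
    gaps = {}
    for name, addrs in alias.items():
        families = {ipaddress.ip_address(a).version for a in addrs}
        missing = sorted({4, 6} - families)
        if missing:
            gaps[name] = [f"IPv{v}" for v in missing]
    return gaps

# Constructed sample data (documentation prefix, made-up pool and hosts).
PREFIX = "2001:db8:0:2::/64"
POOL = ("2001:db8:0:2::1000", "2001:db8:0:2::2000")
HOSTS = {"ipad": "172.16.2.41", "xbox": "172.16.2.50"}

if __name__ == "__main__":
    plan = plan_static_maps(HOSTS, PREFIX, *POOL)
    for name, (v4, v6) in plan.items():
        print(f"{name}: DHCPv4 {v4}  DHCPv6 {v6}")
    # An alias that lists only the IPv4 address leaves IPv6 unscheduled.
    print(alias_gaps({"ipad": list(plan["ipad"]), "xbox": ["172.16.2.50"]}))
```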