Netgate Discussion Forum

    IPv6 hosting website

    IPv6
    22 Posts 5 Posters 2.3k Views
    • bigtfromaz

      I have a similar situation. I want to allow inbound traffic to a specific IPv6 host on my LAN.  I read this post and it all made sense to me but there are some things I don't understand.

      Here is some background:

      • My ISP does not provide a static delegated prefix, I receive it dynamically by "Tracking" the WAN from the LAN.  At least one of my target hosts will only use auto configuration and I can't change it.

      • For dynamic DNS, I wrote a PowerShell script that runs on the hosts. It updates my web-facing DNS server whenever the host's addresses change.  That was the easy part for me.

      • The pfSense firewall is configured to block all inbound IPv6 connections by default.

      Is there a way to write a firewall rule allowing inbound connections to pass through to a specific host when dynamic prefix delegation is in play?  What happens when my ISP changes the prefix for whatever reason?  Will pfSense alter the rules accordingly when the prefix changes?

      As a Gold supporter, I have access to The pfSense Book.  Hopefully this isn't a RTFM question but please feel free to point me to the right pages in the book.

      • JKnott

        ISPs generally don't provide static prefixes, but with DHCPv6-PD and DUID, you will likely always get the same prefix.  It's similar to what happens on IPv4, where you can request a previous address and get it if it's available.  With an almost static prefix, you don't need a dynamic DNS, as a regular one will work fine.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • bigtfromaz

          Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

          Are you saying that pfSense has no way to do this without manual intervention?

          • JKnott

            @bigtfromaz:

            Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

            Are you saying that pfSense has no way to do this without manual intervention?

            When I first started using pfSense, my prefix would change for something as little as disconnecting & reconnecting the Ethernet cable.  Then an option "Do not allow PD/Address release", on the WAN tab, was added.  With that selected, my prefix does not change.


            • bigtfromaz

              Already did that but still got a new prefix on a reboot.  No idea why but it's their address and they can do what they want.

              Note that I am not looking for ways to avoid the change.  I am looking for ways to manage or accommodate the change without manual intervention.  This way any outage, no matter how rare, could be managed without manual intervention.

              I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

              I would like to avoid writing a dynamic prefix change detection script.  I am not a UNIX expert, nor do I have any experience managing firewall rules from a script.  The learning curve would be substantial.

              • JKnott

                I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.


                • bigtfromaz

                  @JKnott:

                  I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                  It would be a nice feature though, wouldn't it?

                  • bimmerdriver

                    @Exocomp:

                    IPv6 has something called "privacy addresses", which change regularly.

                    I saw those and disabled them, :)

                    Why disable privacy addresses?

                    • bimmerdriver

                      @bigtfromaz:

                      @JKnott:

                      I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                      It would be a nice feature though, wouldn't it?

                      This feature has been requested numerous times.

                      • JKnott

                        Why disable privacy addresses?

                        No need for them on a server, where you'd normally use the MAC based address.  However, I also don't see the need to delete them.  They're not hurting anything.


                        • bigtfromaz

                          OK.  If the feature has been requested numerous times, can anyone tell me if there are facilities for managing the firewall from script?  If so, I guess I would need documentation.  This would appear to be a simple matter of detecting a change to the prefix from a given interface, then changing and applying rules having the old prefix to refer to the new prefix.  It is not a fix, but a work around.

                          For now I am going to turn IPv6 off on my WAN interface and set up an opt/gif tunnel using Hurricane Electric.  I have one running in a sandbox and I must be really close to the Phoenix entry point.  It seems to be adding only about 10 ms to my ping times.  It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

                          @bimmerdriver:

                          @bigtfromaz:

                          @JKnott:

                          I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                          It would be a nice feature though, wouldn't it?

                          This feature has been requested numerous times.

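The workaround sketched in the post above (detect that the LAN's delegated prefix changed, then rewrite the rule destinations that carried the old prefix onto the new one while keeping the fixed lower 64 bits, the "PD::aaaa:bbbb:cccc:dddd" idea from earlier in the thread), as an added Python example that is not part of the original thread or of pfSense. It assumes the LAN is a /64 tracked from the WAN and uses constructed documentation addresses; how the new values are pushed into pfSense (for instance by updating an alias the rule references) is left as a placeholder.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample data (RFC 3849 documentation prefixes, not real addresses):
# rule destinations written under the previously delegated /64, plus the address
# pfSense's LAN holds now that it has tracked a new delegation from the WAN.
OLD_PREFIX = "2001:db8:1:2::/64"
RULE_DESTS = [
    "2001:db8:1:2:aaaa:bbbb:cccc:dddd",  # EUI-64 style host (fixed lower 64 bits)
    "2001:db8:1:2::53",                  # host with a static suffix
    "2001:db8:ffff::1",                  # not under our delegation; must stay as-is
]
LAN_ADDR_NOW = "2001:db8:9:9::1/64"

HOST_BITS = (1 << 64) - 1  # mask for the "aaaa:bbbb:cccc:dddd" half that does not change


def current_prefix(lan_interface_addr: str) -> ipaddress.IPv6Network:
    """The /64 the LAN currently carries (delegated prefix + tracked prefix ID)."""
    net = ipaddress.IPv6Interface(lan_interface_addr).network
    if net.prefixlen != 64:  # a fixed 64-bit host part only makes sense on a /64
        raise ValueError(f"expected a /64 on the LAN, got /{net.prefixlen}")
    return net


def renumber(dest: str, old_prefix: str, new_prefix: ipaddress.IPv6Network) -> str:
    """Rewrite dest as new_prefix + dest's lower 64 bits; leave foreign addresses alone."""
    addr = ipaddress.IPv6Address(dest)
    if addr not in ipaddress.IPv6Network(old_prefix):
        return dest
    return str(ipaddress.IPv6Address(int(new_prefix.network_address) | (int(addr) & HOST_BITS)))


def plan_updates(dests: List[str], old_prefix: str, lan_addr: str) -> List[Tuple[str, str]]:
    """(old, new) pairs for every destination that changes; empty if the prefix is unchanged."""
    new_prefix = current_prefix(lan_addr)
    if new_prefix == ipaddress.IPv6Network(old_prefix):
        return []  # prefix did not change: nothing to rewrite
    changes = [(d, renumber(d, old_prefix, new_prefix)) for d in dests]
    return [(old, new) for old, new in changes if old != new]


if __name__ == "__main__":
    for old, new in plan_updates(RULE_DESTS, OLD_PREFIX, LAN_ADDR_NOW):
        # Pushing the new value into pfSense (e.g. replacing the contents of an alias
        # that the rule references) is firewall-specific and deliberately not shown.
        print(f"{old} -> {new}")
```

Run it from cron or a prefix-change hook with the stored prefix as OLD_PREFIX; when plan_updates returns an empty list there is nothing to apply.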
                          • MikeV7896

                            @bigtfromaz:

                            I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

                            Funny you mention this… I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address

                            The S in IOT stands for Security

                            • bimmerdriver

                              @bigtfromaz:

                              It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

                              Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.