IPv6 hosting website
-
Thanks for the reply. I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.
Are you saying that pfSense has no way to do this without manual intervention?
-
Thanks for the reply. I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.
Are you saying that pfSense has no way to do this without manual intervention?
When I first started using pfSense, my prefix would change for something as little as disconnecting & reconnecting the Ethernet cable. Then an option "Do not allow PD/Address release", on the WAN tab, was added. With that selected, my prefix does not change.
-
Already did that but still got a new prefix on a reboot. No idea why but it's their address and they can do what they want.
Note that I am not looking for ways to avoid the change. I am looking for ways to manage or accommodate the change without manual intervention. This way any outage, no matter how rare, could be managed without manual intervention.
I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix. This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.
I would like to avoid writing a dynamic prefix change detection script. I am not a UNIX expert, nor do I have any experience managing firewall rules from a script. The learning curve would be substantial.
-
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.
-
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.
It would be a nice feature though wouldn't it?
-
IPv6 has something called "privacy addresses", which change regularly.
I saw those and disabled them, :)
Why disable privacy addresses?
-
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.
It would be a nice feature though wouldn't it?
This feature has been requested numerous times.
-
Why disable privacy addresses?
No need for them on a server, where you'd normally use the MAC-based address. However, I also don't see the need to delete them. They're not hurting anything.
-
OK. If the feature has been requested numerous times, can anyone tell me if there are facilities for managing the firewall from a script? If so, I guess I would need documentation. This would appear to be a simple matter of detecting a change to the prefix from a given interface, then changing and applying rules having the old prefix to refer to the new prefix. It is not a fix, but a workaround.
For now I am going to turn IPv6 off on my WAN interface and set up an opt/gif tunnel using Hurricane Electric. I have one running in a sandbox and I must be really close to the Phoenix entry point. It seems to be adding only about 10 ms to my ping times. It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account. HE is doing it for free.
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.
It would be a nice feature though wouldn't it?
This feature has been requested numerous times.
-
I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix. This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.
Funny you mention this… I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address
-
It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account. HE is doing it for free.
Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.
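-
Added example, not from any poster in this thread and not pfSense code: a Python sketch of the logic discussed above, combining the current prefix with a static host part ("PD::aaaa:bbbb:cccc:dddd"), deriving the MAC-based lower 64 bits, and moving rule destinations from an old delegated prefix to a new one. The function names, the rule dictionary layout and the sample prefixes are assumptions; reading the delegated prefix from the firewall and loading rules back into it are left out.

```python
import ipaddress

def eui64_suffix(mac):
    """Lower 64 bits a host derives from its MAC (modified EUI-64)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def host_in_prefix(lan_prefix, suffix):
    """The 'PD::suffix' idea: current /64 plus a static interface identifier."""
    net = ipaddress.IPv6Network(lan_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected the /64 on the LAN, not the whole delegation")
    return ipaddress.IPv6Address(int(net.network_address) | (suffix & (2**64 - 1)))

def rebase_rules(rules, old_pd, new_pd):
    """Move destinations inside old_pd to the same offset inside new_pd."""
    old, new = ipaddress.IPv6Network(old_pd), ipaddress.IPv6Network(new_pd)
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegation size changed; subnet IDs cannot be carried over")
    out = []
    for rule in rules:
        dst = ipaddress.IPv6Address(rule["dst"])
        if dst in old:  # rules for other networks are left alone
            keep = int(dst) & int(old.hostmask)  # subnet ID + interface ID
            dst = ipaddress.IPv6Address(int(new.network_address) | keep)
        out.append({**rule, "dst": str(dst)})
    return out

# Constructed sample data (documentation prefix 2001:db8::/32).
OLD_PD, NEW_PD = "2001:db8:aa:100::/56", "2001:db8:bb:4200::/56"
RULES = [
    {"descr": "web server", "dst": "2001:db8:aa:101:aaaa:bbbb:cccc:dddd", "port": 443},
    {"descr": "unrelated", "dst": "2001:db8:ffff::1", "port": 22},
]

if __name__ == "__main__":
    for r in rebase_rules(RULES, OLD_PD, NEW_PD):
        print(r)
    print(host_in_prefix("2001:db8:bb:4201::/64", eui64_suffix("00:11:22:33:44:55")))
```

Only destinations inside the old delegation are rewritten, so a prefix change cannot silently widen or redirect rules that point at other networks.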