Netgate Discussion Forum
    Firewall rules for individual hosts with PD

    IPv6
    5 Posts 3 Posters 1.2k Views
    • enodeb

      Hi folks,

      I'm just making myself familiar with v6 and have successfully configured pfSense to obtain a /60 prefix from Comcast. I run several VLANs on the LAN side, which are assigned to 4-bit subnet IDs under Comcast's prefix using the prefix tracking feature.

      I now want to open a hole in the firewall on the WAN interface to make a server that is running in one of the subnets accessible from the Internet (i.e. the equivalent to "opening a port" in v4). But how do I specify the v6 address of an individual host for use in a firewall rule, given that Comcast can change the prefix at any time? Is there any way to construct an address from dynamic prefix and static host ID in a rule or alias? The only thing I can think of is to open up an entire subnet (using the network address of the VLAN interface that is assigned to the subnet where the server is).

      I feel like I'm missing something obvious?

      • MikeV7896

        This is not the first time this topic has come up (there are at least two other threads, one linked below)… I think the last time was around or shortly after 2.3.1's release. There was a question of how best to implement it... whether there would be a token you would put in the address field that would be converted to the prefix, or if there were a drop-down item that could be selected (i.e. LAN Prefix), allowing you to enter the host portion of the address as well.

        I think one of the devs had said that they preferred the idea of the drop-down + host address.

        https://forum.pfsense.org/index.php?topic=109278.0

        I think it might be time to create a feature request for this, since work on 2.4 is in progress... maybe with luck we can see it added.

        The S in IOT stands for Security

        • MikeV7896

          As a work-around, if you have a dynamic DNS provider that supports IPv6, you could create a DNS record for the host, have it update its address with the provider, and create an alias in pfSense for the hostname. But there will be a bit of a lapse when the prefix changes… the host will receive the new prefix/address and update the DDNS entry... but by that time, the rules have already been re-generated and it will be x amount of time before the alias is refreshed and rules are updated again.

          Also, I created a feature request... Allow IPv6 firewall entries with dynamic PD prefix + static host address

          The S in IOT stands for Security

          • enodeb

            Thanks Michael! Appreciate that you opened a feature request.

            FWIW, from the user perspective I'd prefer to use the same method as in the existing prefix tracking, rather than a placeholder token for the prefix.

            • JKnott

              It would be nice if pfSense would support filtering based on MAC address, as some other firewalls do.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.