4. Firewall rules for individual hosts with PD

Firewall rules for individual hosts with PD

  • E

    Hi folks,

    I'm just making myself familiar with v6 and have successfully configured pfSense to obtain a /60 prefix from Comcast. I run several VLANs on the LAN side, which are assigned to 4-bit subnet IDs under Comcast's prefix using the prefix tracking feature.

    I now want to open a hole in the firewall on the WAN interface to make a server that is running in one of the subnets accessible from the Internet (i.e. the equivalent to "opening a port" in v4). But how do I specify the v6 address of an individual host for use in a firewall rule, given that Comcast can change the prefix at any time? Is there any way to construct an address from dynamic prefix and static host ID in a rule or alias? The only thing I can think of is to open up an entire subnet (using the network address of the VLAN interface that is assigned to the subnet where the server is).

    I feel like I'm missing something obvious?  ???

    0
  • V

    This is not the first time this topic has come up (there are at least two other threads, one linked below)… I think the last time was around or shortly after 2.3.1's release. There was a question of how best to implement it... whether there would be a token you would put in the address field that would be converted to the prefix, or if there were a drop-down item that could be selected (i.e. LAN Prefix), allowing you to enter the host portion of the address as well.

    I think one of the devs had said that they preferred the idea of the drop-down + host address.

    https://forum.pfsense.org/index.php?topic=109278.0

    I think it might be time to create a feature request for this, since work on 2.4 is in progress... maybe with luck we can see it added.

    0
  • V

    As a work-around, if you have a dynamic DNS provider that supports IPv6, you could create a DNS record for the host, have it update its address with the provider, and create an alias in pfSense for the hostname. But there will be a bit of a lapse when the prefix changes… the host will receive the new prefix/address and updates the DDNS entry... but by that time, the rules have already been re-generated and it will be x amount of time before the alias is refreshed and rules are updated again.

    Also, I created a feature request... Allow IPv6 firewall entries with dynamic PD prefix + static host address

    0
  • E

    Thanks Michael! Appreciate that you opened a feature request.

    FWIW, from the user perspective I'd prefer to use the same method as in the existing prefix tracking, rather than a placeholder token for the prefix.

    0

  • It would be nice if pfSense would support filtering based on MAC address, as some other firewalls do.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy