Firewall rules for individual hosts with PD

  • Hi folks,

    I'm just making myself familiar with v6 and have successfully configured pfSense to obtain a /60 prefix from Comcast. I run several VLANs on the LAN side, which are assigned to 4-bit subnet IDs under Comcast's prefix using the prefix tracking feature.

    I now want to open a hole in the firewall on the WAN interface to make a server that is running in one of the subnets accessible from the Internet (i.e. the equivalent of "opening a port" in v4). But how do I specify the v6 address of an individual host for use in a firewall rule, given that Comcast can change the prefix at any time? Is there any way to construct an address from a dynamic prefix and a static host ID in a rule or alias? The only thing I can think of is to open up an entire subnet (using the network address of the VLAN interface that is assigned to the subnet where the server is).

    I feel like I'm missing something obvious?
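    As an added illustration of the address construction this post asks about (example code written for this thread, not pfSense's own code): the delegated /60, the 4-bit prefix-tracking subnet ID and a static 64-bit host identifier are assembled into the /128 a rule would need, and the same static host identifier yields a different address as soon as the ISP hands out a new prefix, which is why a rule pinned to a literal address stops matching. All prefix values are constructed examples.

```python
import ipaddress


def compose_host_address(delegated_prefix: str, subnet_id: int,
                         host_suffix: str) -> ipaddress.IPv6Address:
    """Build a host's global IPv6 address from three parts:
    - the prefix delegated by the ISP (e.g. a /60), which may change at any time
    - the prefix-tracking subnet ID, filling the bits between the delegation and /64
    - a static 64-bit interface identifier, given as an IPv6 literal such as "::1234"
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    subnet_bits = 64 - pd.prefixlen           # a /60 leaves 4 bits -> 16 possible /64s
    if subnet_bits < 0:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet ID {subnet_id:#x} does not fit in {subnet_bits} bits")
    iid = int(ipaddress.IPv6Address(host_suffix))
    if iid >> 64:
        raise ValueError("host suffix may only set the low 64 bits")
    # Subnet ID lands just above the interface identifier (bit 64 upward).
    subnet = int(pd.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Address(subnet | iid)


def matches_tracked_host(candidate: str, delegated_prefix: str, subnet_id: int,
                         host_suffix: str) -> bool:
    """The test a 'tracked prefix + static host' rule would perform: the high bits
    come from whatever prefix is currently delegated, the low 64 bits are fixed."""
    expected = compose_host_address(delegated_prefix, subnet_id, host_suffix)
    return ipaddress.IPv6Address(candidate) == expected


def address_after_renumber(old_prefix: str, new_prefix: str, subnet_id: int,
                           host_suffix: str) -> tuple:
    """Return (old, new) addresses of the same host across a prefix change.
    A firewall rule containing the old literal no longer matches the host."""
    return (compose_host_address(old_prefix, subnet_id, host_suffix),
            compose_host_address(new_prefix, subnet_id, host_suffix))


if __name__ == "__main__":
    old, new = address_after_renumber("2001:db8:abcd:1230::/60",   # constructed
                                      "2001:db8:ffff:ff40::/60",   # constructed
                                      subnet_id=0x5, host_suffix="::1234")
    print("before renumber:", old)
    print("after renumber: ", new)
```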

  • This is not the first time this topic has come up (there are at least two other threads, one linked below)… I think the last time was around or shortly after 2.3.1's release. There was a question of how best to implement it... whether there would be a token you would put in the address field that would be converted to the prefix, or if there were a drop-down item that could be selected (i.e. LAN Prefix), allowing you to enter the host portion of the address as well.

    I think one of the devs had said that they preferred the idea of the drop-down + host address.

    I think it might be time to create a feature request for this, since work on 2.4 is in progress... maybe with luck we can see it added.

  • As a work-around, if you have a dynamic DNS provider that supports IPv6, you could create a DNS record for the host, have it update its address with the provider, and create an alias in pfSense for the hostname. But there will be a bit of a lapse when the prefix changes… the host will receive the new prefix/address and update the DDNS entry... but by that time, the rules have already been re-generated and it will be x amount of time before the alias is refreshed and the rules are updated again.

    Also, I created a feature request... Allow IPv6 firewall entries with dynamic PD prefix + static host address

  • Thanks Michael! Appreciate that you opened a feature request.

    FWIW, from the user perspective I'd prefer to use the same method as in the existing prefix tracking, rather than a placeholder token for the prefix.

  • It would be nice if pfSense would support filtering based on MAC address, as some other firewalls do.