IPv6 firewall rule dynamic IP

SoulChild

Basically, suppose you have a torrent-downloader running and it's also listening on IPv6

Using IPv6 prefix delegation, I'm getting a public IPV6 address on my pc. Fine :) Outgoing connectivity works great

How do I enable 1 port to be opened toward my ipv6 address inside my network? I can just add a rule in the firewall, that works… untill the provider gives me another ipv6 address

Is there a way to dynamically track this?

JKnott

Instead of specifying a specific host, you can specify the network as the destination.  You can then use any computer, with any IPv6 address.

SoulChild

Euhm… this question is solved :)

Thank you!

MikeV7896

Just be aware that you've allowed access to the port(s) on ALL computers/devices on your network. Of course if they don't have something listening, or have their own firewall that will ensure that they're at least somewhat secure.

As far as your original post goes… the firewall rule is unfortunately not yet possible with a dynamic prefix. I created a feature request a couple of months ago regarding this, asking for an option to select something like "LAN Prefix" (which could be updated if the prefix changes) while allowing the host portion of the rule to be static.

BTW, you're not the first to ask for this… I know there's at least one other thread asking for the same capability, which is what drew me to create the feature request.

Unfortunately, now it's a waiting game to have this capability implemented.

JKnott

One other thing, are you sure your ISP is changing your IPv6 address?  With IPv6, addresses are commonly configured using SLAAC.  There are 2 types of SLAAC address.  The first is based on the MAC address and does not change.  The other is called a privacy address which is based on a random number and changes periodically.  When you set up a DNS record, you must use the MAC based one.  It's easy to spot, as the right part is identical to the right part of your link local address.  On other factor is some versions of Windows use a non-changing random number for the permanent address.  In that case, that's the one you use for the DNS.

SoulChild

Hi JKnott,

yes, I am fully aware this this solution is essentially allowing all traffic incoming on this port for all IPv6 listening hosts in my network. I know this isn't exactly ideal, but as far as quick fixes go, it works. And it doesn't require me to manually check the rule every now and then to see if it still being used.

I also found that I'm not the first one to ask this, but it's not  yet implemented indeed. This problem seems to sometimes also comes in the form that people sometimes ask for "IPv6 port forwarding"… Bit of a contradiction, that one :). Goes to illustrate that even IT people don't realise that port forwarding is both nat AND a firewall change.

And my internet provider is using DHCPv6 on my pfsense external IP, but is delegating a  /56 for my internal use, indeed the internal is SLAAC, but the prefix is dynamically allocated from my provider.

I'm not 100% sure what the rules are as of yet, but yes, they do change my internal prefix periodically. My static rule allowing the port towards my internal IP becomes obsolete after my internal IP changes.

Not sure yet how often this happens, though. But this will fix it untill a more granular solution is implemented for us IPv6 Delegation users :)

PigLover

@virgiliomi:

…I created a feature request a couple of months ago regarding this, asking for an option to select something like "LAN Prefix" (which could be updated if the prefix changes) while allowing the host portion of the rule to be static. …

This - please.  Any idea how we could get this feature request prioritized?  Would be a brilliant solution.

SoulChild

Ofcourse, this would require that you use SLAAC as standardized, with your mac address visible in the IP address. Some implementations consider this a security issue and will randomly generate a host-portion afterwards. Windows does this by default, surely some linux distros as well. Usually you can see this in a ipconfig, with the "temporary ip address" listed under the adapter.

So unless you change this behaviour in your OS and having your MAC address visible and easily identifiable in the IP address(the glaring "FFFE" in the middle…), this isn't as easy as it sounds. Is this really an issue? Not really, but it's lazy, imo...

Maybe a more secure option would be to track the IPv6 address based on the mac address of the end host? Regardless of the actual IPv6 address generated? That way you have the obscufation of the random assigned IP address, and more importantly: a implementation that works without getting messy in the windows register or linux settings to disable randomly generated IPv6 host portions.

PigLover

Its not really all that hard - once you know what the client will use in the "suffix" you can just enter it.  With the exception of random rotating address selection used by Windows the suffix is completely predictable.

In fact, you can even set this with Windows.  You can, with the right powershell incantations, force it to use an EIU64 translation of your mac address or even a fixed address (like ::1).

The really hard part, the part that you can only fix with inside PFSense, is what prefix is used for the interface.

SoulChild

My point wasn't that it was so hard or impossible to do, it's that I do feel there is merit in not having a static host portion in ipv6. For ipv4 private IP's, this is almost always irrelevant since Source nat hides your internals anyway.

However, having thought about it, having the internal host portion static isn't a half-bad idea actually. It's the equivalent of setting up a static private IP, with a public IP… That way the implementation in PFSense would be to simply have the prefix in a dynamicly adjusting list, while adding your internal bits it and the port you want to open.

JKnott

^^^^
The normal practice is to use the MAC based address for incoming connections, so that DNS can point to it and use the random number addresses for privacy on outgoing connections.

ddffnn

I found a solution. I created an alias for the lan host that I want to be accessible. Then in the actual firewall rule I specify that alias as the single alias in the destination field.

I tested that other ipv6 addresses get blocked, but the one I wanted to use does get through.

Apparently this feature is often used to collapse several external hosts or ips into a single entry to keep the list of rules shorter, but it also works for this purpose because the fqdn will be resolved periodically.

aledesma

@ddffnn:

I found a solution. I created an alias for the lan host that I want to be accessible. Then in the actual firewall rule I specify that alias as the single alias in the destination field.

I tested that other ipv6 addresses get blocked, but the one I wanted to use does get through.

Apparently this feature is often used to collapse several external hosts or ips into a single entry to keep the list of rules shorter, but it also works for this purpose because the fqdn will be resolved periodically.

Hi, I have been pondering this for a while as well. I am unclear on how to create port forwards with my IPV6 set up from comcast.  I can connect to all the IPV6 sites and pass all the tests, but I don't know how to make rules. I thought that with IPV6 it was like having a public IP for all of my LAN hosts.

What did you do? Did you have to set up and internal DHCP6 server and Router advertisements on pfsense or did you just create a rule in the wan interface to point to the alias that you created with the IPV6 addressed handed out by your ISP?

Super confused,

Alex

MikeV7896

@aledesma:

Hi, I have been pondering this for a while as well. I am unclear on how to create port forwards with my IPV6 set up from comcast.  I can connect to all the IPV6 sites and pass all the tests, but I don't know how to make rules. I thought that with IPV6 it was like having a public IP for all of my LAN hosts.

What did you do? Did you have to set up and internal DHCP6 server and Router advertisements on pfsense or did you just create a rule in the wan interface to point to the alias that you created with the IPV6 addressed handed out by your ISP?

With IPv6, it's not a port forward you're creating. You're creating a firewall rule on the WAN to allow an incoming connection to your host using its global IPv6 address. No NAT… no forwards... just a firewall rule.

From what it sounds like...

• A static DHCPv6 entry was created for the host. This allows a hostname to be associated with the IPv6 address.

• An alias was created, pointing to the hostname. pfSense will occasionally re-resolve the hostname in case the IP address changes (really just the prefix, since the host portion is the same based on the DHCPv6 static entry).

• A firewall rule was created on the WAN interface, allowing traffic with a destination of the alias and the desired port(s) through the firewall.

I personally consider an alias to be a workaround to this problem (what if I don't want to set an internal hostname?), but it certainly does work. I still would like to see this feature request implemented to provide a more direct solution to the issue though.

Not to mention that there are potential races with an alias… the prefix changes, firewall rules reload, but DHCPv6 hasn't yet updated the host/lease with the new prefix, causing the alias to still resolve to the old address. Seconds later, DHCPv6 updates the lease, but now you have a period of time until the next alias DNS resolution where the host is not accessible.

flstaats

I have this issue also.  I've added my own notes to the feature request https://redmine.pfsense.org/issues/6626

I'm using firewall aliases manually configured to cover the whole prefix delegation and ipv4 NAT address space as my work around.  This can cause issues when the delegation automatically changes, but allows me to create rules chains that allow whitelisted connections / deny all other internal connections (with my firewall alias) / then allow all external connections which are simple to read (important) and maintain.

pfadmin

Yes I'm sure to post to this topic.

I ran into the same problem. Dynamic IPv6 and a lot of interfaces / VLANs. So my clients on this different LAN's should be able to use IPv6 for browsing the internet but not for connecting clients in other LAN's on my homesite. At this time, I use a rule with an alias to block this LAN's for incoming IPv6 with given prefix/56. It is an IP Alias with something like 2003ef12:aa00 and /56 what I pulled from ISP. If the prefix changes, I have to change the alias manualy.

So, it is really that difficult to code a script what's probe the existing prefix with the alias and if different, change the alias?  :o I think, this is the first thing we need.
Don't ask, I'm not the right man to code this  ???

pfadmin

JKnott

@pfadmin:

Yes I'm sure to post to this topic.

I ran into the same problem. Dynamic IPv6 and a lot of interfaces / VLANs. So my clients on this different LAN's should be able to use IPv6 for browsing the internet but not for connecting clients in other LAN's on my homesite. At this time, I use a rule with an alias to block this LAN's for incoming IPv6 with given prefix/56. It is an IP Alias with something like 2003ef12:aa00 and /56 what I pulled from ISP. If the prefix changes, I have to change the alias manualy.

So, it is really that difficult to code a script what's probe the existing prefix with the alias and if different, change the alias?  :o I think, this is the first thing we need.
Don't ask, I'm not the right man to code this  ???

pfadmin

One thing you can do for your local network is to use Unique Local Addresses (ULA) for local connections.  I set that up as an experiment on my network, but it would solve that part of your problem.  With ULA, you create a /48 prefix that starts with fd, to which you add a 40 random number.  PfSense will advertise that prefix and it works just as well as a global address for use on the local network.  You'd still have global addresses for accessing the Internet.

pfadmin

I could use ULA for connecting between LAN's, but clients who wants to connect the internet via IPv6 need global unicast adresses. This adresses come with the prefix to all clients in my different vlans (divided in subnets with the bits between /56 and /64). But now I have to allow all IPv6 traffic to everywhere. I don't want allow IPv6 traffic between vlans so I need to block it first. Telekom_prefix is manualy 2003:ca:abcd:d300/56 and RFC_1918 is 192.168.0.0/24 172.16.0.0/12 10.0.0.0/8 and fc00::/7
So I need a script which is automaticaly changing the Telekom_prefix alias if it changes.

The example is not what the rule picture shows

WAN / Internet
            :
            : DialUp-/PPPoE-/Cable-/whatever-Provider
            :
            |
      .–---+-----.  vlan10                                  .------------.
      |  pfSense  +---------------------------------+ client10|
      '-----+-----' 2003:ca:abcd:f310::/64        '------------'
            |
            |
      vlan20 | 2003:ca:abcd:f320::/64
            |

JKnott

I could use ULA for connecting between LAN's, but clients who wants to connect the internet via IPv6 need global unicast adresses.

Enabling ULA does not mean losing global addresses.  With IPv6, multiple addresses are normal.  In fact, if you can reach the Internet, you have at least 2, the global address and link local.  Currently, on this computer, I have 17.  Link local, 1 MAC based global, 1 MAC based ULA and 7 each private ULA and GLOBAL.  The Windows 10 virtual machine has another 17.  So, just enable ULA and your computers will have both ULA and global addresses.

Derelict

If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

JKnott

@Derelict:

If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

Also, ensure "Do not allow PD/Address release" on the WAN tab is selected.  If it isn't, something as simple as disconnecting/reconnecting the Ethernet cable can cause a change of prefix.

pfadmin

All you say is right, but without blocking connections with IPv& Prefix from vlan10 to vlan20 and vlan20 to vlan10 clients could talk to each other . that is what I want to block with this prefix alias. Ula is not what I want. Ula is not intended to talk with the world and thats what the clients should could do. (my english ok?). No connection between vlans and all other connections to the world (IPv6) is my goal. I block all IPv6 Traffic to prefix/56 (all my vlans are included) and allow all other. That is how the old RFC_1918 rule works for IPv4.

Deutsche Telekom is changing the prefix at a maximum time of a half year as far as I know. Playing with pfsense changes this sometimes earlier. "Do not allow PD/Address release" is set. DUID is something in progress with the 2.4 release I think.

So this script could help

JKnott

@pfadmin:

All you say is right, but without blocking connections with IPv& Prefix from vlan10 to vlan20 and vlan20 to vlan10 clients could talk to each other . that is what I want to block with this prefix alias. Ula is not what I want. Ula is not intended to talk with the world and thats what the clients should could do. (my english ok?). No connection between vlans and all other connections to the world (IPv6) is my goal. I block all IPv6 Traffic to prefix/56 (all my vlans are included) and allow all other. That is how the old RFC_1918 rule works for IPv4.

Deutsche Telekom is changing the prefix at a maximum time of a half year as far as I know. Playing with pfsense changes this sometimes earlier. "Do not allow PD/Address release" is set. DUID is something in progress with the 2.4 release I think.

So this script could help

As I mentioned above,  you can have both ULA and global addresses on the same device.  That's what I have here.  ULA is used for communicating between devices and global addresses to access the Internet.  If your ISP keeps changing your prefix, ULA gives you consistent addresses for your local devices.

Derelict

Saving the DUID in the configuration is new in 2.4. The DUID file exists and persists in 2.3.4_1 but if you reinstall, change hardware, etc, it is generated fresh. If you want to keep it the file is in /var/db/dhcp6c_duid.

You would need to take care to get that file replaced in the new install. Preferably before a PD was attempted with the ISP but that would depend on the ISP.

pfadmin

@JKnot: ULA is not needed because I don't want to let talk clients across the vlans/subnets. ULA is clear.
For I-Net I need global unicast. BUT if I let out IPv6 to ALL IPv6, and thats what I have to do with allow any to any, then I allow connections to the other vlans too (same global unicast prefix+8 bit subnetting!!). Thats what I don't want, so I have to block the other vlans before. Thats why I need to block my /56 prefix and that is what I'm doing with the prefix alias.

@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.

Maybe we talk not about the same or I'm blind. But I found a user with the same idea, I have to refind the thread…

Thanks
pfadmin

Derelict

@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.

No, they are wrong.

JKnott

@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.

No it's not.  The whole point of the DUID is to maintain a consistent prefix.  My ISP provides me with a stable prefix.  While there's no guarantee it will never change, practically it doesn't.  The same applies to my IPv4 address.  While DHCP, it changes so seldom it's virtually static.  For me to get a different address on either requires that either the ISP has a network change, forcing an address change or I have to change my hardware, so that my ISP sees a different cable modem or firewall/router MAC address.

bimmerdriver

@Derelict:

If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

Ha ha, good one! As if Comcast and their many like-minded monopolies will GAF if you tell them that. The reality is that many people do not have the luxury of multiple choices of ISP. ISPs get away with shoddy service because they have a government granted monopoly, bought and paid for by their lobbyists. They will never commit to maintaining a "static" ip for residential or small business customers, even if the DUID is static. I'm fortunate that my ISP will make best effort, but they will not guarantee. It's not the same for many others. This issue needs to be addressed in pfsense.

JKnott

This issue needs to be addressed in pfsense.

And what would you suggest?

pfadmin

@JKnott:

This issue needs to be addressed in pfsense.

And what would you suggest?

What about this script-wish? Some examples for me or links to do that? Is it that strange to code or an absolut mistake to do it so? How do you stop talking clients between different interfaces/vlans via ipv6?

In germany its default to get dynamic ips. no chance to change it with customer accounts. A ministry called "Datenschutzbehoerde" would take some rounds in the boxring with deutsche telekom, if they give me a non dynamic IP  :o. So no need to think about this fact… ::)

pfadmin

pox

@SoulChild:

Basically, suppose you have a torrent-downloader running and it's also listening on IPv6

Using IPv6 prefix delegation, I'm getting a public IPV6 address on my pc. Fine :) Outgoing connectivity works great

How do I enable 1 port to be opened toward my ipv6 address inside my network? I can just add a rule in the firewall, that works… untill the provider gives me another ipv6 address

Is there a way to dynamically track this?

This is an old thread, but for my own sake I write here how I did it:

The torrent server uses privacy addresses, so they change regularly.
I made a cron job on the torrent server that does

ip addr show dev eth0|grep inet6 |grep global|awk '{print $2}'|awk 'BEGIN { FS = "/" }; {print $1}' >/var/www/html/WNMpyVH7t9V08MCvF91zSBuGNvsJaawW1JTq6tQl6Z0A7ohwHsGv9Z05vYTOqQ5Oyp.txt

This saves all IPv6 addresses currently in use by the torrent server.
Then on pFsense I created an URL alias, fetching that file from the torrent server periodically.
Then I created a firewall rule to allow access to that alias on the torrent ports.

Done.