IPv6 firewall rule dynamic IP

aledesma

I found a solution. I created an alias for the lan host that I want to be accessible. Then in the actual firewall rule I specify that alias as the single alias in the destination field.

I tested that other ipv6 addresses get blocked, but the one I wanted to use does get through.

Apparently this feature is often used to collapse several external hosts or ips into a single entry to keep the list of rules shorter, but it also works for this purpose because the fqdn will be resolved periodically.

Hi, I have been pondering this for a while as well. I am unclear on how to create port forwards with my IPV6 set up from comcast. I can connect to all the IPV6 sites and pass all the tests, but I don't know how to make rules. I thought that with IPV6 it was like having a public IP for all of my LAN hosts.

What did you do? Did you have to set up and internal DHCP6 server and Router advertisements on pfsense or did you just create a rule in the wan interface to point to the alias that you created with the IPV6 addressed handed out by your ISP?

Super confused,

Alex

MikeV7896

@aledesma:

Hi, I have been pondering this for a while as well. I am unclear on how to create port forwards with my IPV6 set up from comcast. I can connect to all the IPV6 sites and pass all the tests, but I don't know how to make rules. I thought that with IPV6 it was like having a public IP for all of my LAN hosts.

What did you do? Did you have to set up and internal DHCP6 server and Router advertisements on pfsense or did you just create a rule in the wan interface to point to the alias that you created with the IPV6 addressed handed out by your ISP?

With IPv6, it's not a port forward you're creating. You're creating a firewall rule on the WAN to allow an incoming connection to your host using its global IPv6 address. No NAT… no forwards... just a firewall rule.

From what it sounds like...

A static DHCPv6 entry was created for the host. This allows a hostname to be associated with the IPv6 address.
An alias was created, pointing to the hostname. pfSense will occasionally re-resolve the hostname in case the IP address changes (really just the prefix, since the host portion is the same based on the DHCPv6 static entry).
A firewall rule was created on the WAN interface, allowing traffic with a destination of the alias and the desired port(s) through the firewall.

I personally consider an alias to be a workaround to this problem (what if I don't want to set an internal hostname?), but it certainly does work. I still would like to see this feature request implemented to provide a more direct solution to the issue though.

Not to mention that there are potential races with an alias… the prefix changes, firewall rules reload, but DHCPv6 hasn't yet updated the host/lease with the new prefix, causing the alias to still resolve to the old address. Seconds later, DHCPv6 updates the lease, but now you have a period of time until the next alias DNS resolution where the host is not accessible.

flstaats

I have this issue also. I've added my own notes to the feature request https://redmine.pfsense.org/issues/6626

I'm using firewall aliases manually configured to cover the whole prefix delegation and ipv4 NAT address space as my work around. This can cause issues when the delegation automatically changes, but allows me to create rules chains that allow whitelisted connections / deny all other internal connections (with my firewall alias) / then allow all external connections which are simple to read (important) and maintain.

pfadmin

Yes I'm sure to post to this topic.

I ran into the same problem. Dynamic IPv6 and a lot of interfaces / VLANs. So my clients on this different LAN's should be able to use IPv6 for browsing the internet but not for connecting clients in other LAN's on my homesite. At this time, I use a rule with an alias to block this LAN's for incoming IPv6 with given prefix/56. It is an IP Alias with something like 2003ef12:aa00 and /56 what I pulled from ISP. If the prefix changes, I have to change the alias manualy.

So, it is really that difficult to code a script what's probe the existing prefix with the alias and if different, change the alias? :o I think, this is the first thing we need.
Don't ask, I'm not the right man to code this ???

pfadmin

JKnott

@pfadmin:

Yes I'm sure to post to this topic.

I ran into the same problem. Dynamic IPv6 and a lot of interfaces / VLANs. So my clients on this different LAN's should be able to use IPv6 for browsing the internet but not for connecting clients in other LAN's on my homesite. At this time, I use a rule with an alias to block this LAN's for incoming IPv6 with given prefix/56. It is an IP Alias with something like 2003ef12:aa00 and /56 what I pulled from ISP. If the prefix changes, I have to change the alias manualy.

So, it is really that difficult to code a script what's probe the existing prefix with the alias and if different, change the alias? :o I think, this is the first thing we need.
Don't ask, I'm not the right man to code this ???

pfadmin

One thing you can do for your local network is to use Unique Local Addresses (ULA) for local connections. I set that up as an experiment on my network, but it would solve that part of your problem. With ULA, you create a /48 prefix that starts with fd, to which you add a 40 random number. PfSense will advertise that prefix and it works just as well as a global address for use on the local network. You'd still have global addresses for accessing the Internet.

pfadmin

I could use ULA for connecting between LAN's, but clients who wants to connect the internet via IPv6 need global unicast adresses. This adresses come with the prefix to all clients in my different vlans (divided in subnets with the bits between /56 and /64). But now I have to allow all IPv6 traffic to everywhere. I don't want allow IPv6 traffic between vlans so I need to block it first. Telekom_prefix is manualy 2003:ca:abcd:d300/56 and RFC_1918 is 192.168.0.0/24 172.16.0.0/12 10.0.0.0/8 and fc00::/7
So I need a script which is automaticaly changing the Telekom_prefix alias if it changes.

The example is not what the rule picture shows

Unbenannt.JPG_thumb

JKnott

I could use ULA for connecting between LAN's, but clients who wants to connect the internet via IPv6 need global unicast adresses.

Enabling ULA does not mean losing global addresses. With IPv6, multiple addresses are normal. In fact, if you can reach the Internet, you have at least 2, the global address and link local. Currently, on this computer, I have 17. Link local, 1 MAC based global, 1 MAC based ULA and 7 each private ULA and GLOBAL. The Windows 10 virtual machine has another 17. So, just enable ULA and your computers will have both ULA and global addresses.

Derelict

If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

JKnott

@Derelict:

If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

Also, ensure "Do not allow PD/Address release" on the WAN tab is selected. If it isn't, something as simple as disconnecting/reconnecting the Ethernet cable can cause a change of prefix.

pfadmin

All you say is right, but without blocking connections with IPv& Prefix from vlan10 to vlan20 and vlan20 to vlan10 clients could talk to each other . that is what I want to block with this prefix alias. Ula is not what I want. Ula is not intended to talk with the world and thats what the clients should could do. (my english ok?). No connection between vlans and all other connections to the world (IPv6) is my goal. I block all IPv6 Traffic to prefix/56 (all my vlans are included) and allow all other. That is how the old RFC_1918 rule works for IPv4.

Deutsche Telekom is changing the prefix at a maximum time of a half year as far as I know. Playing with pfsense changes this sometimes earlier. "Do not allow PD/Address release" is set. DUID is something in progress with the 2.4 release I think.

So this script could help

JKnott

@pfadmin:

All you say is right, but without blocking connections with IPv& Prefix from vlan10 to vlan20 and vlan20 to vlan10 clients could talk to each other . that is what I want to block with this prefix alias. Ula is not what I want. Ula is not intended to talk with the world and thats what the clients should could do. (my english ok?). No connection between vlans and all other connections to the world (IPv6) is my goal. I block all IPv6 Traffic to prefix/56 (all my vlans are included) and allow all other. That is how the old RFC_1918 rule works for IPv4.

Deutsche Telekom is changing the prefix at a maximum time of a half year as far as I know. Playing with pfsense changes this sometimes earlier. "Do not allow PD/Address release" is set. DUID is something in progress with the 2.4 release I think.

So this script could help

As I mentioned above, you can have both ULA and global addresses on the same device. That's what I have here. ULA is used for communicating between devices and global addresses to access the Internet. If your ISP keeps changing your prefix, ULA gives you consistent addresses for your local devices.

Derelict

Saving the DUID in the configuration is new in 2.4. The DUID file exists and persists in 2.3.4_1 but if you reinstall, change hardware, etc, it is generated fresh. If you want to keep it the file is in /var/db/dhcp6c_duid.

You would need to take care to get that file replaced in the new install. Preferably before a PD was attempted with the ISP but that would depend on the ISP.

pfadmin

@JKnot: ULA is not needed because I don't want to let talk clients across the vlans/subnets. ULA is clear.
For I-Net I need global unicast. BUT if I let out IPv6 to ALL IPv6, and thats what I have to do with allow any to any, then I allow connections to the other vlans too (same global unicast prefix+8 bit subnetting!!). Thats what I don't want, so I have to block the other vlans before. Thats why I need to block my /56 prefix and that is what I'm doing with the prefix alias.

@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.

Maybe we talk not about the same or I'm blind. But I found a user with the same idea, I have to refind the thread…

Thanks
pfadmin

Derelict

@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.

No, they are wrong.

JKnott

@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.

No it's not. The whole point of the DUID is to maintain a consistent prefix. My ISP provides me with a stable prefix. While there's no guarantee it will never change, practically it doesn't. The same applies to my IPv4 address. While DHCP, it changes so seldom it's virtually static. For me to get a different address on either requires that either the ISP has a network change, forcing an address change or I have to change my hardware, so that my ISP sees a different cable modem or firewall/router MAC address.

bimmerdriver

@Derelict:

If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.

Ha ha, good one! As if Comcast and their many like-minded monopolies will GAF if you tell them that. The reality is that many people do not have the luxury of multiple choices of ISP. ISPs get away with shoddy service because they have a government granted monopoly, bought and paid for by their lobbyists. They will never commit to maintaining a "static" ip for residential or small business customers, even if the DUID is static. I'm fortunate that my ISP will make best effort, but they will not guarantee. It's not the same for many others. This issue needs to be addressed in pfsense.

JKnott

This issue needs to be addressed in pfsense.

And what would you suggest?

pfadmin

@JKnott:

This issue needs to be addressed in pfsense.

And what would you suggest?

What about this script-wish? Some examples for me or links to do that? Is it that strange to code or an absolut mistake to do it so? How do you stop talking clients between different interfaces/vlans via ipv6?

In germany its default to get dynamic ips. no chance to change it with customer accounts. A ministry called "Datenschutzbehoerde" would take some rounds in the boxring with deutsche telekom, if they give me a non dynamic IP :o. So no need to think about this fact… ::)

pfadmin

pox

@SoulChild:

Basically, suppose you have a torrent-downloader running and it's also listening on IPv6

Using IPv6 prefix delegation, I'm getting a public IPV6 address on my pc. Fine :) Outgoing connectivity works great

How do I enable 1 port to be opened toward my ipv6 address inside my network? I can just add a rule in the firewall, that works… untill the provider gives me another ipv6 address

Is there a way to dynamically track this?

This is an old thread, but for my own sake I write here how I did it:

The torrent server uses privacy addresses, so they change regularly.
I made a cron job on the torrent server that does

ip addr show dev eth0|grep inet6 |grep global|awk '{print $2}'|awk 'BEGIN { FS = "/" }; {print $1}' >/var/www/html/WNMpyVH7t9V08MCvF91zSBuGNvsJaawW1JTq6tQl6Z0A7ohwHsGv9Z05vYTOqQ5Oyp.txt

This saves all IPv6 addresses currently in use by the torrent server.
Then on pFsense I created an URL alias, fetching that file from the torrent server periodically.
Then I created a firewall rule to allow access to that alias on the torrent ports.

Done.