IPv6 firewall rule dynamic IP
-
If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.
Also, ensure "Do not allow PD/Address release" on the WAN tab is selected. If it isn't, something as simple as disconnecting/reconnecting the Ethernet cable can cause a change of prefix.
-
All you say is right, but without blocking connections with IPv& Prefix from vlan10 to vlan20 and vlan20 to vlan10 clients could talk to each other . that is what I want to block with this prefix alias. Ula is not what I want. Ula is not intended to talk with the world and thats what the clients should could do. (my english ok?). No connection between vlans and all other connections to the world (IPv6) is my goal. I block all IPv6 Traffic to prefix/56 (all my vlans are included) and allow all other. That is how the old RFC_1918 rule works for IPv4.
Deutsche Telekom is changing the prefix at a maximum time of a half year as far as I know. Playing with pfsense changes this sometimes earlier. "Do not allow PD/Address release" is set. DUID is something in progress with the 2.4 release I think.
So this script could help
-
All you say is right, but without blocking connections with IPv& Prefix from vlan10 to vlan20 and vlan20 to vlan10 clients could talk to each other . that is what I want to block with this prefix alias. Ula is not what I want. Ula is not intended to talk with the world and thats what the clients should could do. (my english ok?). No connection between vlans and all other connections to the world (IPv6) is my goal. I block all IPv6 Traffic to prefix/56 (all my vlans are included) and allow all other. That is how the old RFC_1918 rule works for IPv4.
Deutsche Telekom is changing the prefix at a maximum time of a half year as far as I know. Playing with pfsense changes this sometimes earlier. "Do not allow PD/Address release" is set. DUID is something in progress with the 2.4 release I think.
So this script could help
As I mentioned above, you can have both ULA and global addresses on the same device. That's what I have here. ULA is used for communicating between devices and global addresses to access the Internet. If your ISP keeps changing your prefix, ULA gives you consistent addresses for your local devices.
-
Saving the DUID in the configuration is new in 2.4. The DUID file exists and persists in 2.3.4_1 but if you reinstall, change hardware, etc, it is generated fresh. If you want to keep it the file is in /var/db/dhcp6c_duid.
You would need to take care to get that file replaced in the new install. Preferably before a PD was attempted with the ISP but that would depend on the ISP.
-
@JKnot: ULA is not needed because I don't want to let talk clients across the vlans/subnets. ULA is clear.
For I-Net I need global unicast. BUT if I let out IPv6 to ALL IPv6, and thats what I have to do with allow any to any, then I allow connections to the other vlans too (same global unicast prefix+8 bit subnetting!!). Thats what I don't want, so I have to block the other vlans before. Thats why I need to block my /56 prefix and that is what I'm doing with the prefix alias.@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.
Maybe we talk not about the same or I'm blind. But I found a user with the same idea, I have to refind the thread…
Thanks
pfadmin -
@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.
No, they are wrong.
-
@Derelict: Thats clear, but prefix is changing as well. IPv6 on WAN-site is stable. It is dynamic and the ISP is right with this.
No it's not. The whole point of the DUID is to maintain a consistent prefix. My ISP provides me with a stable prefix. While there's no guarantee it will never change, practically it doesn't. The same applies to my IPv4 address. While DHCP, it changes so seldom it's virtually static. For me to get a different address on either requires that either the ISP has a network change, forcing an address change or I have to change my hardware, so that my ISP sees a different cable modem or firewall/router MAC address.
-
If you are sending the proper DUID every time and getting a different prefix delegation, your ISP is broken and they should be told to fix it or they should lose your business.
Ha ha, good one! As if Comcast and their many like-minded monopolies will GAF if you tell them that. The reality is that many people do not have the luxury of multiple choices of ISP. ISPs get away with shoddy service because they have a government granted monopoly, bought and paid for by their lobbyists. They will never commit to maintaining a "static" ip for residential or small business customers, even if the DUID is static. I'm fortunate that my ISP will make best effort, but they will not guarantee. It's not the same for many others. This issue needs to be addressed in pfsense.
-
This issue needs to be addressed in pfsense.
And what would you suggest?
-
This issue needs to be addressed in pfsense.
And what would you suggest?
What about this script-wish? Some examples for me or links to do that? Is it that strange to code or an absolut mistake to do it so? How do you stop talking clients between different interfaces/vlans via ipv6?
In germany its default to get dynamic ips. no chance to change it with customer accounts. A ministry called "Datenschutzbehoerde" would take some rounds in the boxring with deutsche telekom, if they give me a non dynamic IP :o. So no need to think about this fact… ::)
pfadmin
-
Basically, suppose you have a torrent-downloader running and it's also listening on IPv6
Using IPv6 prefix delegation, I'm getting a public IPV6 address on my pc. Fine :) Outgoing connectivity works great
How do I enable 1 port to be opened toward my ipv6 address inside my network? I can just add a rule in the firewall, that works… untill the provider gives me another ipv6 address
Is there a way to dynamically track this?
This is an old thread, but for my own sake I write here how I did it:
The torrent server uses privacy addresses, so they change regularly.
I made a cron job on the torrent server that doesip addr show dev eth0|grep inet6 |grep global|awk '{print $2}'|awk 'BEGIN { FS = "/" }; {print $1}' >/var/www/html/WNMpyVH7t9V08MCvF91zSBuGNvsJaawW1JTq6tQl6Z0A7ohwHsGv9Z05vYTOqQ5Oyp.txt
This saves all IPv6 addresses currently in use by the torrent server.
Then on pFsense I created an URL alias, fetching that file from the torrent server periodically.
Then I created a firewall rule to allow access to that alias on the torrent ports.Done.