Dynamic IPv6 alias tracking provider prefix delegation.



  • Re: Is a dynamic alias or variable for IPv6 Prefix scheduled?

    Good day, as far as I can read everywhere, there is still no fix for dynamic IPv6 aliases tracking the first 64 bits of prefix delegation.
    The latest post which I did find on the forum is quite old, maybe I didn't search well enough.
    Two years ago one could argue that IPv6 was in the early stages of adoption, but now these days?
    Lack of this feature means that the whole firewall part for IPv6 is useless for any professional dedicated purpose.
    Isn't there any active development anymore on pfSense?



  • @ronnyvdb said in Dynamic IPv6 alias tracking provider prefix delegation.:

    Lack of this feature means that the whole firewall part for IPv6 is useless for any professional dedicated purpose.

    Professional purposes with dynamic prefixes, bullshit.



  • @grimson Gee, that's helpful and constructive.



  • Professional purposes or not, there's still a desire to have the ability for a dynamic prefix variable or list selection in order for IPv6 firewall rules to dynamically adjust if the prefix assigned by an ISP should change. And this has been around for now over 2.5 years (the topic linked to was started in April 2016).

    Whether you're allowing something in from the internet to a particular host, or restricting host(s) on a LAN from making particular outbound connections, this is still a desire that multiple people have. And there's still an open feature request for this.



  • @virgiliomi But that means not checking the firewall rules and leaving it to pfSense to automatically make dynamic rules like Windows... bad idea... IMO.



  • Are your prefixes really dynamic? With DUID, the prefix should be consistent. However, there is a setting "Do not allow PD/Address release" on the WAN tab that must be selected. It's off by default, IIRC.



  • My prefix is "dynamic"... yes, in theory as long as the DUID doesn't change, my prefix doesn't change either (I successfully held the same /60 prefix from my ISP for over a year, before changing the DUID for troubleshooting purposes). Same with the IPv4 address and my MAC address.

    But that doesn't mean that my ISP couldn't at some point initiate some changes to their network that would cause my prefix to change, just as my IPv4 address has changed in the past when they've done major network maintenance, though obviously the MAC wouldn't have changed.

    So I am still of the notion that this is something needed. A dynamic prefix, no matter how stable it might be, is still dynamic and could potentially change at any time for a variety of reasons.
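
Added example, not part of the thread and not pfSense code: a sketch of what the requested "dynamic alias" amounts to, namely keeping each host's lower 64 bits fixed and recomputing the full address whenever the delegated prefix changes. The function names, the subnet id and the documentation-range prefixes are assumptions made up for illustration.

```python
import ipaddress

def rebase_hosts(delegated, subnet_id, host_suffixes):
    """Map {name: interface-id} onto one /64 of the delegated prefix."""
    pd = ipaddress.ip_network(delegated, strict=True)
    if pd.version != 6 or pd.prefixlen > 64:
        raise ValueError("expected an IPv6 delegation of /64 or shorter")
    # A /60 leaves 4 bits of subnet id, a /56 leaves 8, a /64 leaves none.
    if not 0 <= subnet_id < (1 << (64 - pd.prefixlen)):
        raise ValueError("subnet id does not fit inside the delegation")
    lan = int(pd.network_address) | (subnet_id << 64)
    hosts = {}
    for name, suffix in host_suffixes.items():
        iid = int(ipaddress.IPv6Address(suffix))
        if iid >> 64:
            raise ValueError(f"{name}: suffix sets bits in the prefix half")
        hosts[name] = str(ipaddress.IPv6Address(lan | iid))
    return hosts

def alias_changes(old_pd, new_pd, subnet_id, host_suffixes):
    """Return {name: (old_addr, new_addr)} for entries a rule set must update."""
    old = rebase_hosts(old_pd, subnet_id, host_suffixes)
    new = rebase_hosts(new_pd, subnet_id, host_suffixes)
    return {n: (old[n], new[n]) for n in old if old[n] != new[n]}

# Constructed sample data (documentation prefix 2001:db8::/32).
SUFFIXES = {"web": "::1:2:3:4", "dns": "::53"}
OLD_PD = "2001:db8:1234:5670::/60"
NEW_PD = "2001:db8:abcd:ef00::/56"

if __name__ == "__main__":
    for name, (old, new) in alias_changes(OLD_PD, NEW_PD, 1, SUFFIXES).items():
        print(f"{name}: {old} -> {new}")
```

Any rule that pins a full address goes stale the moment the prefix moves, so the output of a check like this is worth reviewing before rules are rewritten rather than applying it blindly.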