Does firewall aliases support getting a ipv6 address from a FQDN?

ivarh

Not sure if this is supposed to go to the ipv6 subforum or here, but here goes

I have a Synology box that gets it ipv6 address from my dhcpv6d server. It works fine and the address is updated in the DNS via RFC2136.

I am trying to create a firewall rule that allows incoming ipv6 traffic to the Synology box and it works fine when I enter the ipv6 address in the destination field of the firewall rule.
But sometimes the Synology box changes the ipv6 address and this breaks the rule. I have created an alias mapping to the hostname of the Synology box but when I go to diagnostics -> table the alias only gets the local ipv4 address and not the ipv6 address.

dig aaaa synology.mydomain.com resolves fine to the correct address when executed from the pfsense box itself.

Is ipv6 addresses from FQDN's not supported in pfsense or am I missing something?

johnpoz

So aliases will update every 5 minutes by default. What pfsense uses for dns will determine what is returned..

So here just tested by putting in a public fqdn that resolves both IPv4 and IPv6

If your not resolving ipv6 in tables, you need to look to how your actually resolving.

edit: btw will leave this here in firewall section, because aliases are under the firewall tab ;)

So details of how you have pfsense setup for dns, is it out of the box resolving - or did you setup forwarding, etc. etc.

If you want PM me the fqdn your using and will validate aliases get the IPv6 address, etc.

You could have an issue if you have any sort of host override or register dhcp or something and the fqdn your using is only listed IPv4 in unbound cache. For your alias fqdn you prob be good to use your whatever.synology.me ddns they provide.. I don't have IPv6 enabled on mine - but let me test that.

ivarh

I changed the hostname from synology.mydomain.com to synology.mydomain.com. and it started to resolve to both addresses.

It works fine now but I am not sure why using the absolute hostname instead of the normal one was what was needed. Changing it back to the no . terminated name makes it return only the ipv4 address.

Thanks for the answer and help.

johnpoz

with the . you would not resolve with any suffix, without the . you could be resolving a suffix search ie synology.mydomain.com.other.tld

Without actual info of that this fqdn is on the public internet its hard to say, knowing whats in your local cache and what your suffix might be, etc.

I just changed my test alias to forum.netgate.com with the . on the end so forum.netgate.com. and still resolving just fine both ipv4 and ipv6.

edit: So just added ipv6 to my synology, and instantly reflected in my synology.me ddns they give you.. And added it with . on end and resolving ipv6 just fine.

If you want to actually get to the bottom of what is going on with your . or not . we need to dig a bit deeper.

ivarh

I am using the dns resolver and I have not set up any host or domain overrides.

I am not sure how to pm you, the only option I get is a chat when I click on the menu on your profile page. I am using my own domain and not the synology.me one. If that is the correct way to pm you the FQDN let me know and I will do so.

johnpoz

chat is PM ;)

Gertjan

@ivarh said in Does firewall aliases support getting a ipv6 address from a FQDN?:

I changed the hostname from synology.mydomain.com to synology.mydomain.com

The 2 are identical for me.

ivarh

@Gertjan @johnpoz helped in locating the problem. I used the same domain name (without the hostname part) internally in the dns resolver as well as externally on my dns server. This caused the dns resolver to resolve the hostname to just the private ipv4 address. adding the . to the end of the hostname forced the dns resolver to resolve it externally and that is why they are different for me.

@johnpoz advised me to use a local domain name that is not the same as my official domain name so the resolver will not interfere. I will change this when I have time as using the . at the end works as a workaround :)

Gertjan

@ivarh said in Does firewall aliases support getting a ipv6 address from a FQDN?:

advised me to use a local domain name that is not the same as my official domain name so the resolver will not interfere. I will change this when I have time as using the . at the end works as a workaround :)

That's exactly what I'm doing right now :
I'm using some company-name.com domain name on the Internet for sites and mail, and I also own the .net domain name.
It's the .net that I'm using internally, on my LAN.
Like pfsense.comapny-name.net as the FQDN for my pfSEnse.
And "diskstation" or diskstation.company-name.net for my Syno ^^

Works just perfect.

NogBadTheBad

@ivarh said in Does firewall aliases support getting a ipv6 address from a FQDN?:

But sometimes the Synology box changes the ipv6 address and this breaks the rule.

Odd my Synology DS415+ consistently gets the same IPv6 address.