Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to create IPv6 firewall rules?

    Scheduled Pinned Locked Moved IPv6
    47 Posts 7 Posters 11.4k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JKnottJ Offline
      JKnott @HG
      last edited by JKnott

      @HG

      Well, that setting definitely works for me. When I first started using pfSense, that option was not available and my prefix frequently changed, for something as little as disconnecting/reconnecting the WAN cable. Then, when it was added, my prefix became solid. I can disconnect/reconnect that cable all I want, reboot, etc. and I still keep my prefix. The one and only occasion when it didn't work was when I had that problem with my ISP, about 1.5 years ago, where they weren't providing a valid prefix. Here's a packet capture from when I had that problem. It clearly shows an error and when they fixed that, IPv6 worked again and my prefix has been steady since then.

      User Datagram Protocol, Src Port: 547, Dst Port: 546
      DHCPv6
      Message type: Reply (7)
      Transaction ID: 0x18a8e9
      Client Identifier
      Option: Client Identifier (1)
      Length: 14
      Value: 0001000123eb5e12001617a7f2d3
      DUID: 0001000123eb5e12001617a7f2d3
      DUID Type: link-layer address plus time (1)
      Hardware type: Ethernet (1)
      DUID Time: Feb 4, 2019 15:33:22.000000000 EST
      Link-layer address: 00:16:17:a7:f2:d3
      Server Identifier
      Option: Server Identifier (2)
      Length: 14
      Value: 00010001159bb6e50021285fd2b7
      DUID: 00010001159bb6e50021285fd2b7
      DUID Type: link-layer address plus time (1)
      Hardware type: Ethernet (1)
      DUID Time: Jun 27, 2011 17:47:17.000000000 EDT
      Link-layer address: 00:21:28:5f:d2:b7
      Identity Association for Prefix Delegation
      Option: Identity Association for Prefix Delegation (25)
      Length: 72
      Value: 000000000000000000000000000d003800064e6f20707265...
      IAID: 00000000
      T1: 0
      T2: 0
      Status code
      Option: Status code (13)
      Length: 56
      Value: 00064e6f2070726566697820617661696c61626c65206f6e...
      Status Code: NoPrefixAvail (6)
      Status Message: No prefix available on Link

      'CMTS89.WLFDLE-BNDL1-GRP3'
      DNS recursive name server
      Option: DNS recursive name server (23)
      Length: 32
      Value: 2607f7980018001000000640712552042607f79800180010...
      1 DNS server address: 2607:f798:18:10:0:640:7125:5204
      2 DNS server address: 2607:f798:18:10:0:640:7125:5198

      One of the reasons for the DUID is to keep the prefix associated with a device, such as a firewall running pfSense.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      1 Reply Last reply Reply Quote 1
      • H Offline
        HG
        last edited by HG

        @JKnott, yes I understand that, it definitely improves the situation in some cases, specifically in these cases where the ISP under normal circumstances only assigns new prefixes after the client explicitly sent a release. So for these ISPs you will only get new IP addresses very rarely if you never send a release (which is what this setting does), e.g. when their DHCP server crashes or when they are reorganizing their address space. But you are more or less just lucky when your ISPs implementation behaves like that. Many ISPs (like mine, too) just assign new IP addresses with each reconnection for whatever reason (implementation reasons, save resources, keep static IP addresses as a USP for the more expensive business tariffs, ...) and in my understanding this is perfectly fine from DHCP perspective.

        JKnottJ 1 Reply Last reply Reply Quote 0
        • Bob.DigB Offline
          Bob.Dig LAYER 8
          last edited by Bob.Dig

          And for privacy reasons, I even like dynamic IPs (and prefixes) in general. ๐Ÿ˜

          H JKnottJ 2 Replies Last reply Reply Quote 1
          • H Offline
            HG @Bob.Dig
            last edited by

            Oh yes, that's definitely a good point!

            1 Reply Last reply Reply Quote 0
            • JKnottJ Offline
              JKnott @HG
              last edited by

              @HG

              That conflicts with RFC 8415, which includes:

              "If the client wishes to obtain a distinctly new address or prefix and
              deprecate the existing one, the client sends a Release message to the
              server for the IAs using the original IAID. The client then creates
              a new IAID, to be used in future messages to obtain leases for the
              new IA."

              That seems to say that a device is supposed to specifically release the association and the setting simply tells pfsense to not release the address, etc..

              What's the point of having a permanent identifier, if the ISP ignores it?

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              H 1 Reply Last reply Reply Quote 0
              • JKnottJ Offline
                JKnott @Bob.Dig
                last edited by

                @Bob-Dig said in How to create IPv6 firewall rules?:

                And for privacy reasons, I even like dynamic IPs (and prefixes) in general.

                Well, if you turn off that setting, then pfSense gets amnesia. ๐Ÿ˜‰

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                1 Reply Last reply Reply Quote 1
                • H Offline
                  HG @JKnott
                  last edited by HG

                  @JKnott Implications only work in one direction. This only describes what to do when the client from its side wants a distinctly new address/prefix so when the server behaves like the one of your ISP. This says nothing about other situations where the address/prefix may change as well.

                  The IAID is the ID of "a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses or delegated prefixes.", so to distinguish different sets of DHCP parameters, e.g for different interfaces "A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface. Each such IA must be associated with exactly one interface.".

                  The point of having a permanent identifier is that the DHCP server can use it to distinguish the IAs even if the client restarts (e.g. not to switch the IP addresses of the interfaces), but it doesn't imply that it isn't allowed to changes prefixes or any other information within the IA if it or its administrator likes.

                  For "Assignment of Prefixes for IA_PD" what we are talking here about, https://tools.ietf.org/html/rfc8415#section-13.3 is relevant, which basically says that's not covered at all by RFC8415 ("The mechanism through which the server selects prefix(es) for delegation is not specified in this document.") so basically "do as you like", as examples "static assignment based on subscription to an ISP, dynamic assignment from a pool of available prefixes" and as one example it refers to https://tools.ietf.org/html/rfc3162 (RADIUS, which is probably often used on ISP side for logins) and it gives even the RADIUS server much freedom, e.g. it says "This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint."

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnottJ Offline
                    JKnott @HG
                    last edited by

                    @HG

                    We got into this discussion because @zjgn said:
                    "Thanks for your input. Those bug reports confirm that IPv6 in pfSense isn't really usable as of now (at least on domestic connections), which is a great shame.

                    To which I replied:
                    If the ISP is not respecting the Do not allow PD/Address release setting, how is that pfSense's fault?

                    If that setting works with some ISPs, but not others, is the problem with pfSense, as @zjgn implies? Or the ISP, as I suggest? It seems to me this wouldn't affect only pfSense, but any firewall/router that uses DHCPv6-PD, so @zjgn shouldn't be blaming pfSense for something beyond it's control.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    • H Offline
                      HG
                      last edited by

                      @JKnott The "Do not allow PD/Address" is not even relevant in this descussion. When you are getting your IP prefix via DHCP, that means you get it dynamically. If you copy this dynamic prefix into a static configuration, you are doing it wrong. Period. If you have a dynamic prefix, all settings you want to use have to support that. If you have a static prefix, configure it statically and do not get it via DHCP!

                      Settings in pfSense that do not support dynamic prefixes (some even do already, like e.g. the IP configurations for LANs that have the "track interface" option) are just not usable in this scenario. You may call it a bug or you might call it just missing features, but it's pfSense's task to support dynamic prefixes ideally for all settings. It can be done and as it was mentioned before, they are working on it, it's just work that has to be done, and as pfSense has many features compared to other routers (e.g. not many routers support Multi-WAN at all), it's much work. Therefore I cannot follow your conclusion "It seems to me this wouldn't affect only pfSense, but any firewall/router that uses DHCPv6-PD, so @zjgn shouldn't be blaming pfSense for something beyond it's control.".

                      "Do not allow PD/Address" is just a workround that works in some situations, but it is not a static prefix/address. Period.

                      JKnottJ 1 Reply Last reply Reply Quote 0
                      • JKnottJ Offline
                        JKnott @HG
                        last edited by

                        @HG said in How to create IPv6 firewall rules?:

                        The "Do not allow PD/Address" is not even relevant in this descussion. When you are getting your IP prefix via DHCP, that means you get it dynamically. If you copy this dynamic prefix into a static configuration, you are doing it wrong. Period. If you have a dynamic prefix, all settings you want to use have to support that. If you have a static prefix, configure it statically and do not get it via DHCP!

                        Who's copying an address into a static config? I am using DHCPv6-PD. Always have. When I use that setting, my prefix does not change. Is that not the purpose of it? According to my understanding, if that setting is not enabled, pfSense will tell my ISP to release my prefix and that's exactly what was happening before it was available. A loose comparison would be DHCPv4 static mappings. DHCP is still being used, but the address doesn't change. Even without that, DHCP addresses don't normally change, unless the lease has expired and the address is no longer available. With my ISP, my IPv4 address is virtually static. It only changes when I change hardware. Other than that, there was one occasion several years ago, when they renumbered the network, which forced an address change on everyone. By comparison, without that setting, my prefix would change if I did nothing more than disconnect/reconnect the WAN cable, which made it even worse than plain DHCP on IPv4.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        1 Reply Last reply Reply Quote 0
                        • Bob.DigB Offline
                          Bob.Dig LAYER 8
                          last edited by Bob.Dig

                          You both have valid reasons.
                          I for myself think that the first thing that should be made possible in pfSense is the integration of NPt for dynamic prefixes, should be rather easy to implement by now.

                          What I can't tell is, if it would solve all the problems with the lack of fine control over IPv6 we now have over IPv4...

                          Privacy extensions maybe could be implemented at the router level and not the host level? That potentially would help for example.
                          Or better, the firewall just knows all the hosts with all their addresses, however this is possible.
                          This fine control is probably the reason why we are using (and loving) pfSense in the first place.

                          JKnottJ 1 Reply Last reply Reply Quote 1
                          • JKnottJ Offline
                            JKnott @Bob.Dig
                            last edited by

                            @Bob-Dig said in How to create IPv6 firewall rules?:

                            Privacy extensions maybe could be implemented at the router level and not the host level?

                            ????

                            Privacy extensions are host addresses. They have to be on the host.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            Bob.DigB 1 Reply Last reply Reply Quote 0
                            • Bob.DigB Offline
                              Bob.Dig LAYER 8 @JKnott
                              last edited by

                              @JKnott said in How to create IPv6 firewall rules?:

                              @Bob-Dig said in How to create IPv6 firewall rules?:

                              Privacy extensions maybe could be implemented at the router level and not the host level?

                              ????

                              Privacy extensions are host addresses. They have to be on the host.

                              See it in the context of the problems we got now in pfSense. But first you have to see the problems.

                              JKnottJ 1 Reply Last reply Reply Quote 0
                              • JKnottJ Offline
                                JKnott @Bob.Dig
                                last edited by

                                @Bob-Dig

                                I believe the relevant part of the original question is:

                                "How to create firewall rules if I don't know the address of the hosts?"

                                @zjgn was trying to solve a problem that doesn't exist, due to his unfamiliarity with IPv6 and privacy addresses. I pointed out that he only had to worry about the consistent address, which is often based on the MAC address, but could also be a random number. This is the address that's used for incoming connections and for which the rules have to be written. The privacy addresses are normally used for outgoing connections, which are blocked for incoming connections by default. As mentioned, if privacy addresses are a problem, they can be disabled. Then you mentioned using NPt, for some reason, and the discussion moved into how that didn't work because the prefix was changing, etc.. Does that sum it up? The next question is why the prefix is changing. I maintain it shouldn't, when Do not allow PD/Address release is set, though I know some ISPs will change the prefix anyway. This reminds me of when some ISPs would frequently change the IPv4 address, when there was no need to. In short, they were just being nasty.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                Bob.DigB 1 Reply Last reply Reply Quote 0
                                • Bob.DigB Offline
                                  Bob.Dig LAYER 8 @JKnott
                                  last edited by Bob.Dig

                                  @JKnott said in How to create IPv6 firewall rules?:

                                  @Bob-Dig
                                  "How to create firewall rules if I don't know the address of the hosts?"

                                  No, the problem we are facing is that pfSense doesn't know all the addresses of a host and therefore we can't create granular firewall rules, especially for outgoing connections, like we could for IPv4.

                                  JKnottJ 1 Reply Last reply Reply Quote 0
                                  • JKnottJ Offline
                                    JKnott @Bob.Dig
                                    last edited by

                                    @Bob-Dig said in How to create IPv6 firewall rules?:

                                    No, the problem we are facing is that pfSense doesn't know all the addresses of a host and therefore we can't create granular firewall rules, especially for outgoing connections, like we could for IPv4.

                                    Well, given that privacy addresses come and go by design, there's no way around that, short of filtering on the MAC address, which pfSense doesn't do.

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                    Bob.DigB 1 Reply Last reply Reply Quote 0
                                    • Bob.DigB Offline
                                      Bob.Dig LAYER 8 @JKnott
                                      last edited by

                                      @JKnott said in How to create IPv6 firewall rules?:

                                      Well, given that privacy addresses come and go by design, there's no way around that, short of filtering on the MAC address, which pfSense doesn't do.

                                      Then I hope pfSense will get there. ๐Ÿ––

                                      1 Reply Last reply Reply Quote 0
                                      • S Offline
                                        SteveITS Galactic Empire
                                        last edited by

                                        Perhaps DDNS and use that hostname in rules? https://duckduckgo.com/?t=ffab&q=ddns+for+ipv6&ia=web

                                        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                                        Upvote ๐Ÿ‘ helpful posts!

                                        Bob.DigB 1 Reply Last reply Reply Quote 0
                                        • Bob.DigB Offline
                                          Bob.Dig LAYER 8 @SteveITS
                                          last edited by Bob.Dig

                                          @teamits said in How to create IPv6 firewall rules?:

                                          Perhaps DDNS and use that hostname in rules? https://duckduckgo.com/?t=ffab&q=ddns+for+ipv6&ia=web

                                          Perhaps read the thread before posting crap.

                                          1 Reply Last reply Reply Quote 0
                                          • H Offline
                                            HG
                                            last edited by HG

                                            @JKnott

                                            Well the initial and one of the important questions in this thread was to create something like this, so e.g. an alias for all internal addresses.

                                            @zjgn said in How to create IPv6 firewall rules?:

                                            internal_nets = 10.0.0.0/8, 192.168.0.0/16
                                            

                                            To solve this specific problem, you do not need to know all the addresses or whatever. You only need the possibility to use the dynamic prefix in firewall aliases, e.g. if you have a /56 prefix:

                                            internal_nets = $WAN_IPV6_PREFIX/56
                                            

                                            or even

                                            internal_nets = $WAN_IPV6_PREFIX/$WAN_IPV6_PREFIX_SIZE
                                            

                                            where pfSense automatically substitutes $WAN_IPV6_PREFIX with the prefix it got via DHCP on that interface. Unfortunately not possible right now, but this could be a option from UI perspective how firewall aliases could be extended to work with dynamic prefixes. Could also be a drop-down in the web interface or whatever.

                                            Another solution, if https://redmine.pfsense.org/issues/4881 is implemented, you can configure static ULAs for the internal communication and easily use these addresses in firewall rules because they are really really static, not somewhat sometimes temporary pseudo-static as with "Do not allow PD/Address release".

                                            This only thing that's really hard from conceptual perspective (on IP level), but that has nothing to do with DHCP at all and is also not solved by "Do not allow PD/Address release", is if you want to block individual temporary privacy IPv6 addresses. But everything that is because of the prefix changing could be solved by something like a $WAN_IPV6_PREFIX placeholder (or drop-downs in the UI or whatever). Don't get me wrong, I know that it's not easy to integrate it everywhere and I understand that it takes time, but it's the clean solution that's needed to be able to use the full functionality of pfSense with delegated prefixes via DHCPv6.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.