IPv6 Firewall Rules, Multiple Dynamic Prefixes
-
@bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:
OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead
Why is he concerned about changing prefixes? Is it because he wants remote access? Or he wants to use DNS for host names on his LAN? It is the latter that having both ULA and global addresses is for. The ULA gives him consistent addresses. He still has global addresses for accessing the Internet, without using NAT, etc.
In some ways, IPv6 requires an entirely different way of thinking about things. For example, while it was possible to have multiple IP addresses on an interface with IPv4, it wasn't often done. With IPv6, it's expected. In fact, you can even have 2 or 3 routers on a LAN, with priority, in addition to ULA. I believe his issue about rules could be handled with aliases, where the rule is for the network, rather than any specific addresses.
-
@JKnott , @Bob-Dig , circling back to thank you two for this discussion and the ULA guide.
Running 23.05 on a commodity box with per-subnet prefixes for ULAs and GUAs. The latter prefixes are dynamic. Addresses obtained by SLAAC for both, plus static ULAs for machines that need local DNS entries. No NPt or NAT. It works well.
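The point in the two posts above (rules keyed to the network or to a stable ULA survive an ISP renumber, rules pinned to a specific GUA do not) is easy to see by simulating it. The following is an added example, not code from this thread or from pfSense: it derives SLAAC addresses from a prefix and a MAC (assuming modified EUI-64 interface identifiers, whereas many hosts actually use RFC 7217 or privacy IIDs), models a pfSense-style "LAN net" alias as a source that resolves against the interface's current prefix, and evaluates a small rule list before and after the delegated prefix changes. All prefixes and the MAC address are constructed; the rule names and helpers are hypothetical.

```python
"""Per-host GUA rules break on renumbering; network aliases and ULA rules do not.

Added example, not code from the thread or from pfSense. Models a LAN with a
stable ULA prefix plus an ISP-delegated GUA prefix that changes, hosts that
autoconfigure addresses by SLAAC (assumed here: modified EUI-64 IIDs), and
firewall rules whose source is either a fixed address/network or the
interface network ("LAN net" alias style). Every prefix and MAC is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

ULA_NET = "fd12:3456:789a:1::/64"   # constructed ULA, never changes
GUA_OLD = "2001:db8:aaaa:1::/64"    # constructed delegated prefix before renumber
GUA_NEW = "2001:db8:bbbb:1::/64"    # constructed delegated prefix after renumber
NAS_MAC = "00:11:22:33:44:55"       # constructed MAC of a host we want to allow

LAN_NET = "LAN net"  # symbolic source resolved against the interface's current prefix


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # flip the universal/local bit of the first octet and insert ff:fe in the middle
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from an advertised /64 using an EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def is_ula(addr: ipaddress.IPv6Address) -> bool:
    """True for unique local addresses (fc00::/7, RFC 4193)."""
    return addr in ipaddress.IPv6Network("fc00::/7")


@dataclass(frozen=True)
class Rule:
    name: str
    source: Union[ipaddress.IPv6Network, str]  # fixed host/network, or the LAN_NET alias


def host_rule(name: str, addr: ipaddress.IPv6Address) -> Rule:
    """Rule pinned to one specific address (a /128)."""
    return Rule(name, ipaddress.IPv6Network(f"{addr}/128"))


def first_match(rules: List[Rule], current_gua: str,
                src: ipaddress.IPv6Address) -> Optional[str]:
    """Name of the first rule whose source contains src.

    LAN_NET is resolved at evaluation time against current_gua, the way an
    interface-network alias tracks whatever prefix the interface holds now.
    """
    for rule in rules:
        net = ipaddress.IPv6Network(current_gua) if rule.source == LAN_NET else rule.source
        if src in net:
            return rule.name
    return None


def renumber_demo() -> dict:
    """Evaluate the same rule list before and after the ISP changes the prefix."""
    nas_gua_old = slaac_address(GUA_OLD, NAS_MAC)
    nas_gua_new = slaac_address(GUA_NEW, NAS_MAC)   # same IID, new prefix
    nas_ula = slaac_address(ULA_NET, NAS_MAC)       # unaffected by the ISP

    rules = [
        host_rule("nas_by_gua", nas_gua_old),   # pinned to the old delegated prefix
        host_rule("nas_by_ula", nas_ula),       # pinned to the stable ULA
        Rule("lan_net_alias", LAN_NET),         # whole network, tracks the prefix
    ]
    return {
        "gua_before": first_match(rules, GUA_OLD, nas_gua_old),  # host rule still fits
        "gua_after": first_match(rules, GUA_NEW, nas_gua_new),   # only the alias fits
        "ula_after": first_match(rules, GUA_NEW, nas_ula),       # ULA rule unchanged
    }


if __name__ == "__main__":
    for key, value in renumber_demo().items():
        print(f"{key:11s} -> {value}")
```

After the renumber the `nas_by_gua` rule matches nothing the host still uses, while the `lan_net_alias` rule and the ULA-pinned rule keep working; that is the practical reason for keying host-specific rules to ULA (or to the network alias) on a LAN with a dynamic delegated prefix.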