Netgate Discussion Forum
    IPv6 Firewall Rules, Multiple Dynamic Prefixes

    • JKnott @Bob.Dig (last edited by JKnott)

      @bob-dig said in IPv6 Firewall Rules, Multiple Dynamic Prefixes:

      OP had concerns about rules with dynamic prefixes, your solution was to use ULAs instead

      Why is he concerned about changing prefixes? Is it because he wants remote access? Or he wants to use DNS for host names on his LAN? It is the latter that having both ULA and global addresses is for. The ULA gives him consistent addresses. He still has global addresses for accessing the Internet, without using NAT, etc.

      In some ways, IPv6 requires an entirely different way of thinking about things. For example, while it was possible to have multiple IP addresses on an interface with IPv4, it wasn't often done. With IPv6, it's expected. In fact, you can even have 2 or 3 routers on a LAN, with priority, in addition to ULA. I believe his issue about rules could be handled with aliases, where the rule is for the network, rather than any specific addresses.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • marcg @JKnott (last edited by marcg)

        @JKnott , @Bob-Dig , circling back to thank you two for this discussion and the ULA guide.

        Running 23.05 on a commodity box with per-subnet prefixes for ULAs and GUAs. The latter prefixes are dynamic. Addresses obtained by SLAAC for both, plus static ULAs for machines that need local DNS entries. No NPt or NAT. It works well.
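        The point made in both posts above (rules scoped to a network or alias survive a prefix change, rules pinned to a specific global address do not), as an added example written for this page rather than code from the thread or from pfSense. The prefixes and the host's interface identifier are constructed sample values, and the "LAN net" target is an assumed simplification of the interface-network macro that resolves to the interface's current GUA and ULA /64s.

```python
import ipaddress

# Stable ULA prefix for the LAN (static, never rotates)
ULA_LAN = ipaddress.ip_network("fd12:3456:789a:1::/64")
# Fixed SLAAC interface identifier of one LAN host (constructed sample)
HOST_IID = "0211:22ff:fe33:4455"


def slaac_address(prefix, iid):
    """Address a SLAAC host forms from a /64 prefix and its fixed interface ID."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | int(ipaddress.IPv6Address("::" + iid)))


def match(rules, src, lan_nets):
    """First-match evaluation. Rules are (target, action); a target is a literal
    address/network string or the symbolic "LAN net", which is assumed here to
    resolve to the interface's current subnets (modelled on pfSense's macro)."""
    for target, action in rules:
        nets = lan_nets if target == "LAN net" else [ipaddress.ip_network(target)]
        if any(src in n for n in nets):
            return action
    return "block"  # implicit default deny


def simulate(rules, gua_prefix):
    """Decision for the host's GUA and ULA source under one delegated prefix."""
    lan_nets = [ipaddress.ip_network(gua_prefix), ULA_LAN]
    gua = slaac_address(gua_prefix, HOST_IID)
    ula = slaac_address(str(ULA_LAN), HOST_IID)
    return {"gua": match(rules, gua, lan_nets), "ula": match(rules, ula, lan_nets)}


# Rule pinned to the literal GUA the host had under the first delegated prefix
PINNED = [(str(slaac_address("2001:db8:1:1::/64", HOST_IID)), "pass")]
# Rule written against the stable ULA network (what a network alias would hold)
ULA_ALIAS = [(str(ULA_LAN), "pass")]
# Rule written against the interface-network macro, which tracks the prefix
LAN_NET = [("LAN net", "pass")]

if __name__ == "__main__":
    for label, rules in (("pinned", PINNED), ("ula alias", ULA_ALIAS), ("LAN net", LAN_NET)):
        for prefix in ("2001:db8:1:1::/64", "2001:db8:2:1::/64"):  # ISP rotates prefix
            print(f"{label:10} {prefix}: {simulate(rules, prefix)}")
```

After the simulated prefix rotation only the pinned rule stops matching the host's global address; the ULA-scoped and interface-network rules keep working, which is why local DNS and LAN-to-LAN rules are best anchored to the ULA.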

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.