Netgate Discussion Forum

Does pfsense have an equivalent feature to opnsense's ipv6 dynamic hosts or negative masks in iptables?

  • E
    echoxxzz
    last edited by Dec 26, 2023, 3:50 AM

    I can't find any way to create IPv6 rules for my internal hosts that all get a dynamic IPv6 address using the IPv6-PD assigned by the ISP.
    In opnsense there is ipv6 dynamic hosts, and Linux firewalls using iptables all support negative masks, but I can't find anything comparable in pfsense.

    Am I crazy or is pfsense about 6 years behind everyone else with regards to ipv6 support?

    • B
      Bob.Dig LAYER 8 @echoxxzz
      last edited by Bob.Dig Dec 26, 2023, 10:02 AM Dec 26, 2023, 8:47 AM

      @echoxxzz You can create aliases via host names from the DHCPv6 Server. Then use these aliases in your rules and they will be auto updated with every prefix change. But a prefix change can be challenging on its own. Better have those only at night times so that you can reboot pfSense via cron or similar.

      • G
        Gertjan @echoxxzz
        last edited by Gertjan Dec 26, 2023, 9:56 AM Dec 26, 2023, 9:19 AM

        @echoxxzz

        Hard to answer.
        pfSense doesn't have any "opnsense", nor iptables, so : how to find out ?

        My ISP (Orange, France) proposes IPv6 for their clients, and has a /56 available for 'me'.
        pfSense manages to carve out one (just one) /64, using dhcp6c on the pfSense WAN interface.

        pfSense cannot make IPv6 any better if your ISP is breaking the IPv6 rules : your /56 or /48 should be static, and only change when the ISP router's DUID changes.
        Furthermore, the prefix(es) obtained by pfSense should not change, as long as the pfSense DUID doesn't change.

        These prefixes are assigned to the LAN that 'track' for an IPv6 network (prefix).
        For me, the xxxx:xxxx:xxxx:xxxx:: part of the IPv6 network always stays the same. If that one would change randomly every day or week, I would call my ISP and ask them to stop breaking decades old RFC rules. When they keep doing this, they will lose a client.
        I know, the reality is : many ISPs do not respect the "IPv6" rules.
        Not a real issue, as the question "do they mess up IPv6 ?" is just one of the criteria I use when selecting ISP.

        Why the IPv4 WAN can change, we all know why this happens. ISPs also have to manage their available IPv4 these days, because 'none' are left. That said, my IPv4 WAN IP is allocated using DHCP, but I always get the same IPv4. With IPv4, we don't bother if the IPv4 changes, as everything is 'hidden' behind the NAT anyway.
        IPv6 is different : if the equipment (hardware) doesn't change, assigned IPv6 addresses - GUA's (?) (not the local fe80::..... ones) should stay the same.

        So, yeah, I get it

        ipv6 dynamic hosts

        that seems pretty broken to me.

        Btw : My ISP isn't perfect either.
        Example :

        so : cool, one /64 for the ISP router itself, and the other ("/64" divided by "/56") = /8 = 65535 minus 1
        is 65534 /64 prefixes for the downstream routers, like my pfSense.
        Still : my ISP router's dhcpd IPv6 daemon only grants one (1) /64 prefix to pfSense : the $eb or number 235 decimal. Impossible to obtain others ... 😢
        Result : only my first pfSense LAN can use IPv6, not the other LANs, as just one prefix is available for pfSense.
        So, I've checked the other ISPs available to me. They all have issues.

        edit : see also here.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • J
          JKnott @echoxxzz
          last edited by Dec 26, 2023, 3:40 PM

          @echoxxzz

          Does your prefix change? Mine hasn't in almost 5 years and has survived replacing both my modem and the computer I run pfSense on.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • E
            echoxxzz @JKnott
            last edited by Dec 29, 2023, 6:01 AM

            @JKnott Only if I leave the modem off for more than 4 hours and that only happens during power outages so my concerns are probably a moot point.

            1 Reply Last reply Reply Quote 0
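
Added example (not part of any post in this thread, and not pfSense, OPNsense or iptables code): the "negative mask" idea from the opening question, worked through in Python. A rule that masks only the low 64 bits keeps matching a host after the delegated prefix changes, while a full-address rule does not. The function names and all addresses are constructed for illustration, and the host is assumed to keep a stable interface identifier.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1
# Mask that keeps only the low 64 bits (the interface identifier).
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"

def parse_rule(spec):
    """Parse 'addr/mask'; mask is a prefix length or an arbitrary bit mask."""
    addr_text, _, mask_text = spec.partition("/")
    if not mask_text:
        mask = ALL_ONES
    elif mask_text.isdigit():
        plen = int(mask_text)
        if plen > 128:
            raise ValueError(f"bad prefix length: {plen}")
        mask = (ALL_ONES >> (128 - plen)) << (128 - plen)
    else:
        mask = int(ipaddress.IPv6Address(mask_text))
    return int(ipaddress.IPv6Address(addr_text)) & mask, mask

def matches(spec, candidate):
    """True if candidate agrees with the rule on every bit the mask selects."""
    want, mask = parse_rule(spec)
    return int(ipaddress.IPv6Address(candidate)) & mask == want

def rebase(host_suffix, delegated_prefix):
    """Address a host with a stable interface ID gets inside a given /64."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix")
    low = int(ipaddress.IPv6Address(host_suffix)) & int(ipaddress.IPv6Address(SUFFIX_MASK))
    return str(ipaddress.IPv6Address(int(net.network_address) | low))

# Constructed sample data (2001:db8::/32 is the documentation range).
HOST_SUFFIX = "::211:22ff:fe33:4455"
OLD_PREFIX, NEW_PREFIX = "2001:db8:aa00:eb::/64", "2001:db8:bb00:12::/64"
STATIC_RULE = "2001:db8:aa00:eb:211:22ff:fe33:4455/128"
SUFFIX_RULE = f"{HOST_SUFFIX}/{SUFFIX_MASK}"

def evaluate():
    """Per prefix: (static rule matches, suffix-mask rule matches)."""
    result = {}
    for prefix in (OLD_PREFIX, NEW_PREFIX):
        addr = rebase(HOST_SUFFIX, prefix)
        result[addr] = (matches(STATIC_RULE, addr), matches(SUFFIX_RULE, addr))
    return result

if __name__ == "__main__":
    for addr, (static_ok, suffix_ok) in evaluate().items():
        print(f"{addr}: static={static_ok} suffix-mask={suffix_ok}")
```

A suffix-only rule matches that interface identifier under any prefix, so in a real ruleset it should be scoped by interface and direction. It also cannot track hosts that use temporary (privacy) addresses, whose low 64 bits change.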