Netgate Discussion Forum
    Does pfsense have an equivalent feature to opnsense's ipv6 dynamic hosts or negative masks in iptables?

    Firewalling
    5 Posts 4 Posters 637 Views
    • echoxxzz

      I can't find any way to create IPv6 rules for my internal hosts, which all get a dynamic IPv6 address using the IPv6-PD assigned by the ISP.
      In OPNsense there are IPv6 dynamic hosts, and Linux firewalls using iptables all support negative masks, but I can't find anything comparable in pfSense.

      Am I crazy or is pfsense about 6 years behind everyone else with regards to ipv6 support?

      • Bob.Dig @echoxxzz
        last edited by Bob.Dig

        @echoxxzz You can create aliases via host names from the DHCPv6 Server. Then use these aliases in your rules and they will be auto-updated with every prefix change. But a prefix change can be challenging on its own. Better to have those only at night, so that you can reboot pfSense via cron or similar.
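        As an added illustration of the two approaches discussed in the question and in this reply (it is not code from the thread or from pfSense), the script below models what happens to three styles of IPv6 firewall rule when the ISP hands out a new delegated prefix: a rule written with a literal address, an iptables-style "negative mask" rule that matches only the low 64 bits (the interface identifier), and a hostname alias that is rebuilt from the current lease table. The prefixes, host names and interface identifiers are constructed example values; the subnet-carving helper mimics what "track interface" does for a LAN, and is an assumption about that behaviour rather than pfSense's own code.

```python
import ipaddress

# Constructed example values (not from the thread): the delegated /56 before and
# after an ISP prefix change, and two LAN hosts identified by the low 64 bits
# (the interface identifier) of their addresses.
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:ab00::/56")
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:cd00::/56")
HOSTS = {                       # hostname -> stable interface identifier (constructed)
    "nas": "::a1b2:c3ff:fed4:e5f6",
    "printer": "::1",
}
SUFFIX_MASK = int(ipaddress.IPv6Address("::ffff:ffff:ffff:ffff"))  # low 64 bits


def lan_subnet(delegated: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the subnet_id-th /64 out of the delegated prefix (assumed 'track interface' behaviour)."""
    if not 0 <= subnet_id < 2 ** (64 - delegated.prefixlen):
        raise ValueError(f"subnet id {subnet_id} does not fit in {delegated}")
    base = int(delegated.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def host_address(delegated: ipaddress.IPv6Network, subnet_id: int, suffix: str) -> ipaddress.IPv6Address:
    """Combine the current /64 with a host's interface identifier."""
    net = lan_subnet(delegated, subnet_id)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address(suffix)))


def literal_rule_matches(rule_addr: str, pkt_src: ipaddress.IPv6Address) -> bool:
    """Rule written with a full address: breaks as soon as the prefix changes."""
    return ipaddress.IPv6Address(rule_addr) == pkt_src


def suffix_rule_matches(rule_suffix: str, pkt_src: ipaddress.IPv6Address) -> bool:
    """Negative-mask style rule (iptables '-s <suffix>/::ffff:ffff:ffff:ffff'):
    only the interface identifier is compared, so the prefix may change freely."""
    return (int(pkt_src) & SUFFIX_MASK) == (int(ipaddress.IPv6Address(rule_suffix)) & SUFFIX_MASK)


def resolve_alias(delegated: ipaddress.IPv6Network, subnet_id: int, hosts: dict) -> dict:
    """Hostname alias rebuilt from the current prefix, the way a DHCPv6-lease-backed
    alias is refreshed after every prefix change."""
    return {name: host_address(delegated, subnet_id, sfx) for name, sfx in hosts.items()}


def demo(subnet_id: int = 1) -> dict:
    """Evaluate the three rule styles against traffic from 'nas' after the prefix change."""
    before = resolve_alias(OLD_PREFIX, subnet_id, HOSTS)
    after = resolve_alias(NEW_PREFIX, subnet_id, HOSTS)
    pkt = after["nas"]  # packet seen after the ISP handed out NEW_PREFIX
    return {
        "literal_rule_still_matches": literal_rule_matches(str(before["nas"]), pkt),
        "suffix_rule_still_matches": suffix_rule_matches(HOSTS["nas"], pkt),
        "alias_rule_still_matches": literal_rule_matches(str(after["nas"]), pkt),
    }


if __name__ == "__main__":
    for name, addr in resolve_alias(NEW_PREFIX, 1, HOSTS).items():
        print(f"{name:8} {addr}")
    print(demo())
```

        The suffix-match approach only holds for hosts whose interface identifier is stable (EUI-64 or a fixed DHCPv6 lease); a client using privacy extensions rotates its low 64 bits and will not match, which is why a hostname alias refreshed from the DHCPv6 lease table is the more robust of the two.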

        • Gertjan @echoxxzz
          last edited by Gertjan

          @echoxxzz

          Hard to answer.
          pfSense doesn't have any "opnsense", nor iptables, so : how to find out ?

          My ISP (Orange, France) proposes IPv6 for their clients, and has a /56 available for 'me'.
          pfSense manages to carve out one (just one) /64, using dhcp6c on the pfSense WAN interface.

          pfSense can not make IPv6 any better if your ISP is breaking the IPv6 rules : your /56 or /48 should be static, and only change when the ISP router's DUID changes.
          Furthermore, the prefix(es) obtained by pfSense should not change, as long as the pfSense DUID :

          [image: pfSense DUID screenshot]

          doesn't change.

          These prefixes are assigned to the LAN that 'track' for an IPv6 network (prefix).
          For me, the xxxx:xxxx:xxxx:xxxx:: part of the IPv6 network always stays the same. If that one would change randomly every day or week, I would call my ISP and ask them to stop breaking decades-old RFC rules. When they keep doing this, they will lose a client.
          I know, the reality is : many ISPs do not respect the "IPv6" rules.
          Not a real issue, as the question "do they mess up IPv6 ?" is just one of the criteria I use when selecting ISP.

          Why IPv4 WAN can change, we all know why this happens. ISPs also have to manage their available IPv4 these days, because 'none' are left. That said, my IPv4 WAN IP is allocated using DHCP, but I always get the same IPv4. With IPv4, we don't bother if the IPv4 changes, as everything is 'hidden' behind the NAT anyway.
          IPv6 is different : if the equipment (hardware) doesn't change, assigned IPv6 addresses - GUA's (?) (not the local fe80::..... ones) should stay the same.

          So, yeah, I get it

          ipv6 dynamic hosts

          that seems pretty broken to me.

          Btw : My ISP isn't perfect either.
          Example :

          [image: ISP router prefix delegation screenshot]

          so : cool, one /64 for the ISP router itself, and the other ("/64" divided by "/56") = /8 = 65535 minus 1
          is 65534 /64 prefixes for the downstream routers, like my pfSense.
          Still : my ISP router's dhcpd IPv6 daemon only grants one (1) /64 prefix to pfSense : the $eb or number 235 decimal. Impossible to obtain others ... 😢
          Result : only my first pfSense LAN can use IPv6, not the other LAN's, as just one prefix is available for pfSense.
          So, I've checked the other ISPs available to me. They all have issues.

          edit : see also here.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • JKnott @echoxxzz

            @echoxxzz

            Does your prefix change? Mine hasn't in almost 5 years and has survived replacing both my modem and the computer I run pfSense on.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • echoxxzz @JKnott

              @JKnott Only if I leave the modem off for more than 4 hours, and that only happens during power outages, so my concerns are probably a moot point.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.