Does pfsense have an equivalent feature to opnsense's ipv6 dynamic hosts or negative masks in iptables?

echoxxzz · Dec 26, 2023, 3:50 AM

I can't find anyway to create ipv6 rules for my internal hosts that all get a dynamic ipv6 address using the ipv6-pd assigned by the ISP.
In opnsense there is ipv6 dynamic hosts and linux firewalls using iptables all support negative masks but I can't anything comparable in pfsense.

Am I crazy or is pfsense about 6 years behind everyone else with regards to ipv6 support?

Bob.Dig · Dec 26, 2023, 8:47 AM

@echoxxzz You can create aliases via host names from the DHCPv6 Server. Then use these aliases in your rules and they will be auto updated with every prefix change. But a prefix change can be challenging on its own. Better have those only at night times so that you can reboot pfSense via cron or similar.

Gertjan · Dec 26, 2023, 9:56 AM

@echoxxzz

Hard to answer.
pfSense doesn't any "opnsense", neither iptables, so : how to find out ?

My ISP (Orange, France) proposes IPv6 fro their clients, and has /56 available for 'me'.
pfSense manages to carve out one (just one) /64, using dhcp6c on the pfSense WAN interface.

pfSEnse can not make IPv6 any better if your ISP is breaking the IPv6 rules : your /56 or /48 should be static, and only change when the ISP router's DUID changes.
Further one, the prefix(s) obtained by pfSense should not change, as longs as the pfSense DUID :

doesn't change.

These prefixes are assigned to the LAN that 'track' for an IPv6 network (prefix).
For me, the xxxx:xxxx:xxxx:xxxx:: part of the IPv6 network stays always the same. If that one would change randomaly every day or week, I would call my ISP and ask the them to stop breaking decades old RFC rules. When they keep doing this, they will lose a client.
I know, the reality is : many ISPs do not respect the "IPv6" rules.
Not a real issue, as the question "do they mess up IPv6 ?" is just one of the criteria I use when selecting ISP.

Why IPv4 WAN can changes, we all know why this happens. ISP have also to manage their available IPv4 these days, because 'none' are left. That said, my IPv4 WAN IP is allocated using DHCP, but I get always the same IPv4. With IPv4, we don't bother if the IPv4 changes, as everything is 'hidden' behind the NAT anyway.
IPv6 is different : if the equipment (hardware) doesn't change, assigned IPv6 addresses - GUA's (?) (not the local fe80::..... ones) should stay the same.

So, yeah, I get it

ipv6 dynamic hosts

that's seems pretty broken to me.

Btw : My ISP isn't perfect neither.
Example :

so : cool, one /64 for the ISP router itself, and the other ("/64" divided by "/56") = /8 = 65535 minus 1
is 65534 /64 prefeix for the down stream routers, like my pfSense.
Still : my ISP routers dhcpd IPv6 daemon only grants one (1) /64 prefix to pfSense : the $eb or number 235 decimal. Impossible to obtain others ...
Result : only my first pfSense LAN can use IPv6, not the other LAN's, as just one prefix is available for pfSense.
So, I've checked the other ISPs available to me. They all have issues.

edit : see also here.

JKnott · Dec 26, 2023, 3:40 PM

@echoxxzz

Does your prefix change? Mine hasn't in almost 5 years and has survived replacing both my modem and the computer I run pfSense on.

echoxxzz · Dec 29, 2023, 6:01 AM

@JKnott Only if I leave the modem off for more than 4 hours and that only happens during power outages so my concerns are probably a mute point.