Network separation with a dynamic IPv6-PD
-
Hey there,
i'm currently trying to setup IPv6 to get it finally up and running in my network.First of all a few infos:
Version: 2.7.2-RELEASE
"Do not allow PD/Address release": checked
My IPv6 Prefix changes when i'm rebooting or restart the modem
Yes, my ISP sucks
No, i can't change thatI've 9 networks but for simplicity lets say 3 - it's rinse and repeat for the other network/VLAN.
- 001_LAN
- 005_GUEST
- 170_MGMT
For IPv4 it's easy to create a "internet only" rule:
create an RFC1918 alias
create an inverted firewall rule with the alias
done
But with IPv6 and a changing Prefix, that doesn't work.
The only idea i came up with is creating a "block"-rule for each network and then at the end an "allow"-rule
Downsides:
- if i add a new network i've to add a "block"-rule to each network but that doesn't concern me, since i'm not planning on adding another network.
- Multiple "block"-rules per network - i don't really care about that
Question:
Does the "... subnets" contain both the GUA and ULA (if configured)?
Would that work or am i missing something?
I should add ICMPv6 rules, right? Since IPv6 loves ICMP :DRegards,
gadean -
@gadean said in Network separation with a dynamic IPv6-PD:
Does the "... subnets" contain both the GUA and ULA (if configured)?
Yes
Would that work or am i missing something?
This is the way
I should add ICMPv6 rules, right? Since IPv6 loves ICMP :D
You don't have to.
-
I have two rules to keep segregation between VLANs. I'm not sure if this is what you're trying to do.
The first works for IPv6. For whatever reason, I cannot add it as a part of my private network alias (used for the IPv4 traffic) and have it work. Not a big deal for me. I get a /56 from my ISP.
Joel
-
Oh the famous
::0/56from https://redmine.pfsense.org/issues/6626 - didn't knew it works now :DThe problem with aliases was already discussed in the issue
-
The ::0/56 rule only works if it's set as is (not as an alias) and only in the specific VLAN firewall, it will not work in the Floating section of the firewall. It's definitely a hacky workaround but it does work.
-
@Bob-Dig said in Network separation with a dynamic IPv6-PD:
@gadean said in Network separation with a dynamic IPv6-PD:
Does the "... subnets" contain both the GUA and ULA (if configured)?
Yes
Looks like that is not the case.
I've also tried adding a virtual ip (single address/network) to the interface and rebooted, but the... subnetstable contains only my ipv4 and GUA address
Even though the documentation says that it should be included:
Interface Subnets
An entry in this list is present for each interface on the firewall. These macros specify the subnet for that interface exactly, including any IP alias VIP subnets that differ from the defined interface subnet. -
@gadean said in Network separation with a dynamic IPv6-PD:
Looks like that is not the case.
Right. You need a patch, see here. Too bad it is not included in the auto-patches.
-
@Bob-Dig You are the best!
Thanks for the info, i really appreciate it -
S Sevi referenced this topic on
