Fixed firewall address when using track interface?
-
When using Track Interface as the IPv6 Configuration Type for an interface such as LAN, is there any way to use a fixed address for the firewall itself, such as "::1", rather than a SLAAC style address?
I.E.
2600:8801:df30:3a00::1/64
instead of
2600:8801:df30:3a00:91ec:73ff:fe69:8af2/64
-
The easiest way would be to set your MAC address to ::1.
-
@JKnott said in Fixed firewall address when using track interface?:
The easiest way would be to set your MAC address to ::1.
Setting the MAC to "00:00:00:00:00:01"? Cute idea, but it doesn't work: it uses hwaddr.
-
@dennypage said in Fixed firewall address when using track interface?:
When using Track Interface as the IPv6 Configuration Type for an interface such as LAN, is there any way to use a fixed address for the firewall itself, such as "::1", rather than a SLAAC style address?
I.E.
2600:8801:df30:3a00::1/64
instead of
2600:8801:df30:3a00:91ec:73ff:fe69:8af2/64
That's a question I was asking myself.
@JKnott: is there a way to 'force' the pfSense LAN IPv6 to the prefix + ::1?
-
@Gertjan I tried it with a VIP. At first, it looked like it could work, but it didn't.
What need is there for ::1 anyways?
-
Because I'm old ....
Because shorter is better? Instead of
I would prefer a way shorter ::1.
I know, I can't change the prefix, the first part, but the second part is determined locally.
-
[I'm guessing that if you are wondering why, you are probably using SLAAC for client address assignment and don't really care what the firewall's IP address is.]
The local networks are managed via DHCPv6, no SLAAC. The need is for the firewall to have a predictable and easily identifiable address in all segments.
The desire is that the firewall be configurable in the manner as DHCPv6 Static Mappings, where the network portion comes from the PD and the host portion is assignable.
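As an added worked example (not code from the thread, and not pfSense's own code), the arithmetic behind the two ideas discussed above: the hwaddr-derived interface identifier that makes the "set the MAC to ::1" trick fail, and the static-mapping style of composing a delegated prefix with an assignable host part. It assumes the modified EUI-64 construction of RFC 4291 for the hwaddr-derived identifier (the classic scheme; whether a particular pfSense build uses it or RFC 7217 stable identifiers is not settled by the thread). The /56 delegation, the prefix IDs and the MAC addresses are constructed inputs; only the 2600:8801:df30:3a00::/64 prefix comes from the original post. `subnet_from_pd` is a hypothetical helper that models prefix-ID selection as plain arithmetic on the delegated block.

```python
import ipaddress

# Constructed inputs: the /64 quoted in the thread, plus a hypothetical /56
# delegation chosen for illustration (not taken from any real firewall).
LAN_PREFIX = ipaddress.IPv6Network("2600:8801:df30:3a00::/64")
DELEGATED_PD = ipaddress.IPv6Network("2600:8801:df30:3a00::/56")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The MAC is split in half, ff:fe is inserted in the middle, and the
    universal/local bit (0x02 of the first octet) is inverted. Because of that
    inversion a MAC of 00:00:00:00:00:01 yields 0200:00ff:fe00:0001, never ::1.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_style_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host derives from a /64 and its hardware address."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC-style identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def subnet_from_pd(pd: ipaddress.IPv6Network, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of a delegated prefix by its prefix ID (the tracked subnet).

    Assumption: this models prefix-ID selection of a track-interface setup as
    simple arithmetic on the delegated block; it is a hypothetical helper.
    """
    if pd.prefixlen > 64:
        raise ValueError("delegation must be at least a /64")
    subnet_bits = 64 - pd.prefixlen
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in a /{pd.prefixlen}")
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def fixed_host_address(prefix: ipaddress.IPv6Network, host_part: int) -> ipaddress.IPv6Address:
    """Static-mapping style: network portion from the delegation, host portion assigned.

    host_part is the low 64 bits, e.g. 1 for ::1. A host part of all zeros is
    the subnet-router anycast address and is refused here.
    """
    if prefix.prefixlen != 64:
        raise ValueError("host parts are assigned within a /64")
    if not 0 < host_part < (1 << 64):
        raise ValueError("host part must be a non-zero 64-bit value")
    return ipaddress.IPv6Address(int(prefix.network_address) | host_part)


if __name__ == "__main__":
    # The MAC trick from the thread: the U/L bit flip and ff:fe insertion
    # put the address nowhere near ::1.
    print("MAC 00:00:00:00:00:01 ->", slaac_style_address(LAN_PREFIX, "00:00:00:00:00:01"))
    # The wished-for behaviour: every tracked segment gets prefix + ::1.
    for seg_id in (0x00, 0x01, 0x05):
        seg = subnet_from_pd(DELEGATED_PD, seg_id)
        print(f"prefix ID {seg_id:#04x}: {seg} -> firewall {fixed_host_address(seg, 1)}")
```

Running the script prints the EUI-64 result for the 00:00:00:00:00:01 MAC (2600:8801:df30:3a00:200:ff:fe00:1) alongside the prefix + ::1 address for each constructed segment, which is exactly the predictable per-segment address the post above asks for; what the thread does not settle is whether pfSense exposes a way to assign that host part on a tracked interface.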
-
The link local address, which is what is used for routing, does not change, so is always predictable.
-
The local firewall address ends up being different on each interface, and subsequently is not easily identifiable in packet traces.
It's not an unreasonable thing to want this in a managed network. It is achievable for all hosts in the network except the firewall itself.