Netgate Discussion Forum
    Allow inbound IPv6 traffic for specific host, how?

    Firewalling · 9 Posts, 2 Posters, 438 Views
    • -flo- 0

      I have a host 'nc' which I want to allow inbound IPv6 traffic to.

      How do I create a firewall rule for this?

      My LAN interface is configured to track WAN for a prefix and it gets configured with a prefix just fine. The host ´nc´ assigns itself a static IPv6 address based on its MAC.

      If I could match the fixed host-part of the IPv6 address I would be fine. However it seems this is not possible? Surely there is another way to do this?

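What the post above calls the "fixed host-part" is, for a host that builds its address from its MAC, the modified EUI-64 interface identifier (RFC 4291, appendix A). The block below is an added example, not code from this thread or from pfSense: it computes that identifier from a MAC, checks an observed address against it regardless of which /64 the ISP delegated, and recombines it with the current prefix to produce the literal address a pass rule would have to name today. The MAC, prefixes and addresses are constructed. Two caveats before relying on this: pf matches only on leading CIDR bits, so no rule can express "any prefix, this host part" directly, which is why the thread moves on to aliases; and hosts with RFC 4941 privacy extensions or RFC 7217 stable-privacy addresses use a different identifier for outgoing traffic or per prefix, so confirm the EUI-64 address is actually configured on the host (ifconfig / ip -6 addr) before building anything on it.

```python
"""Prefix-independent matching of a MAC-derived IPv6 interface identifier.

Added example, not code from the forum thread or from pfSense. The MAC,
prefixes and observed addresses below are constructed values.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC: flip the
    universal/local bit of the first octet and insert 0xFFFE between the
    OUI and the device part (RFC 4291, appendix A)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def interface_id(addr: str) -> int:
    """Low 64 bits (the host part) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def same_host(addr: str, mac: str) -> bool:
    """True if `addr` carries the identifier derived from `mac`, whatever
    the /64 prefix. pf cannot express this check (it matches only leading
    CIDR bits), so a firewall rule has to be rebuilt per prefix instead."""
    return interface_id(addr) == eui64_interface_id(mac)


def address_under_prefix(prefix: str, mac: str) -> str:
    """Combine the currently delegated /64 with the fixed identifier to get
    the address a pass rule would have to name right now."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address)
                                    | eui64_interface_id(mac)))


MAC = "00:11:22:33:44:55"                 # constructed
OLD_PREFIX = "2a01:abcd:ef01:1234::/64"   # constructed, as in the thread
NEW_PREFIX = "2a01:abcd:ef01:1235::/64"   # the ISP renumbers the /64

if __name__ == "__main__":
    for prefix in (OLD_PREFIX, NEW_PREFIX):
        addr = address_under_prefix(prefix, MAC)
        print(prefix, "->", addr, "matches host:", same_host(addr, MAC))
    # A different host under the same prefix does not match.
    print(same_host("2a01:abcd:ef01:1235::56", MAC))
```

The identifier for the constructed MAC is 211:22ff:fe33:4455; both prefixes yield an address whose low 64 bits equal it, while ::56 under the new prefix does not, which is exactly the distinction the thread wants the firewall to make.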
      • Gertjan @-flo- 0

        @flo-0 said in Allow inbound IPv6 traffic for specific host, how?:

        How do I create a firewall rule for this?

        Create a WAN 'pass' firewall rule :

        [screenshot: the WAN pass rule]

        where 2a01:abcd:ef01:1234::56 is the IPv6 of your LAN device.

        No NAT needed ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • -flo- 0 @Gertjan

          @Gertjan

          The host part of the IPv6 address (in your example this would be the ::56) is fixed, however the prefix (2a01:abcd:ef01:1234::) may change from my provider, for example to 2a01:abcd:ef01:1235::. Traffic to the host will then be blocked.

          How can I write a rule which works for any prefixes but only for one specific host part?

          • Gertjan @-flo- 0

            @flo-0 said in Allow inbound IPv6 traffic for specific host, how?:

            however the prefix (2a01:abcd:ef01:1234::) may change from my provider, for example to 2a01:abcd:ef01:1235::

            Ah, ok, I get it.
            Your ISP changes the prefix for 'some reason'. They loved to do that with our IPv4 back in the good old days. My IPv4 is now static, as I checked the option "don't change it anymore".
            For IPv6 I don't have that option, so mine can also change.
            Upgraded my ISP fiber capable router yesterday, the prefix was still the same.

            A solution ( ? ) Try this :

            Create a firewall Alias, and use "diskstation2.rented-domaine-name.net" (your device) as the FQDN. It will get resolved every 5 minutes.

            [screenshot: the FQDN alias configuration]

            which means that the alias "diskstation2" will contain the IPv4 and IPv6 of your LAN device.
            Use this alias in your firewall rule.

            The prefix changes ? No issue, max 5 minutes later the alias changes and the firewall rules get reloaded, and you have access again.


            • -flo- 0

              Ah, so you have your server registered with a name server and pfSense retrieves the address from there into the alias. This is smart!

              Actually my ISP does not change addresses frequently. They stopped forcing a daily disconnect years ago and the IPv4 address stays fixed for very long times. I'm not sure about the prefix because until now I never paid much attention to this.

              The problem is that the ISP does not guarantee to keep the addresses and prefixes fixed. This means if I use such a "nearly fixed" address or prefix I have a ticking bomb in my setup. If eventually the ISP decides to change something I will long have forgotten about this and solving it will then take a long time.

              • -flo- 0 @-flo- 0

                @flo-0

                Ok, this works like a charm!

                • Gertjan @-flo- 0

                  @flo-0 said in Allow inbound IPv6 traffic for specific host, how?:

                  you have your server registered with a name server

                  Actually, correct.
                  Just for me, as when I'm outside, driving in my car, I have it (the media stuff) connect to my mp3 bank, which is actually my NAS at home.

                  But this isn't needed.
                  If you set up a static DHCPv6 lease, pfSense 'knows' the IPv4 and IPv6 of every device.
                  See for yourself :

                  cat /etc/hosts
                  

                  A snippet from mine :

                  [screenshot: /etc/hosts snippet with the static-lease hosts]

                  This file is also loaded into 'unbound', so, no surprise :

                  [screenshot: unbound answering for the same names]

                  Thus : make an alias out of it, and use this alias in the firewall rule as the "destination" address.
                  Take note : for IPv4 this doesn't make any sense, as (my example) 192.168.1.33 can't be used on the outside (Internet), but an IPv6 is very valid on my LAN, and the entire Internet.


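Gertjan's FQDN-alias post and the /etc/hosts post above rely on the same mechanism: pfSense turns an alias into a pf table, periodically re-resolves the name (the 5-minute interval mentioned earlier) and reloads the rules when the set of addresses changes. The block below is an added example, not code from this thread or from pfSense, that does that bookkeeping in miniature: it reads a constructed /etc/hosts snippet, keeps only global-unicast IPv6 entries (the 192.168.x and fe80:: entries are useless in a WAN rule, as the post above says), renders the equivalent pf table and pass rule, and reports whether a refresh changed anything. The hostname diskstation2, the addresses, the interface name vtnet0 and the port are all constructed. One caveat a practitioner will want: a pass rule keyed to an external FQDN trusts whoever controls that name and whatever answers the firewall's resolver accepts; for an inbound WAN rule the damage is bounded by what is actually routed into the LAN, but it is still a reason to prefer the firewall's own static-lease data in /etc/hosts over a rented domain, and to restrict the rule to the ports the host really serves.

```python
"""Keep a pf table in step with a host whose IPv6 prefix may change.

Added example, not the thread's or pfSense's own code. The /etc/hosts
snippet, hostname, addresses, interface name and port are constructed.
"""
import ipaddress

# Constructed /etc/hosts snippet: one line per address, as a static
# DHCP/DHCPv6 lease produces one IPv4 and one IPv6 entry for the host.
HOSTS_SNIPPET = """\
127.0.0.1       localhost
192.168.1.33    diskstation2.home.arpa diskstation2
2a01:abcd:ef01:1234:211:22ff:fe33:4455 diskstation2.home.arpa diskstation2
fe80::211:22ff:fe33:4455               diskstation2.home.arpa diskstation2
"""


def lookup_hosts(hosts_text: str, name: str) -> list[str]:
    """Every address that /etc/hosts maps to `name`, in file order."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            found.append(fields[0])
    return found


def alias_members(addresses: list[str]) -> set[str]:
    """Addresses that make sense in a WAN pass rule: global-unicast IPv6.
    RFC 1918 IPv4, link-local and ULA entries are dropped because nothing
    on the Internet can reach them, as the post above notes for 192.168.x."""
    keep = set()
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.version == 6 and ip.is_global:
            keep.add(str(ip))
    return keep


def pf_rules(alias: str, members: set[str], wan_if: str, port: int) -> str:
    """pf syntax for the table and a pass rule that references it; pfSense
    generates the equivalent from a GUI rule whose destination is the alias.
    A table can be reloaded (pfctl -t <alias> -T replace ...) without
    touching the rule that uses it."""
    table = f"table <{alias}> {{ {', '.join(sorted(members))} }}"
    rule = (f"pass in quick on {wan_if} inet6 proto tcp "
            f"from any to <{alias}> port {port}")
    return table + "\n" + rule


def refresh(previous: set[str], current: set[str]) -> tuple[set[str], set[str]]:
    """(added, removed) since the last refresh; anything non-empty means the
    table has to be replaced, which is what the periodic resolve does."""
    return current - previous, previous - current


if __name__ == "__main__":
    name = "diskstation2"
    members = alias_members(lookup_hosts(HOSTS_SNIPPET, name))
    print(pf_rules(name, members, "vtnet0", 443))
    # The ISP renumbers the /64: the next lease or AAAA answer carries
    # the same host part under a new prefix (constructed value).
    renumbered = {"2a01:abcd:ef01:1235:211:22ff:fe33:4455"}
    added, removed = refresh(members, renumbered)
    print("reload needed:", bool(added or removed), added, removed)
```

Only the 2a01:... entry survives the filter, so the table holds one address and the rule never has to mention a prefix; after the constructed renumbering the refresh reports one address added and one removed, which is the point at which pfSense would reload the ruleset.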
                  • -flo- 0 @Gertjan

                    @Gertjan
                    Ok, understood. I would need to try this as well.

                    Regarding IPv4: I've been exposing services over IPv4 for years, so I have a good understanding here. But I believe it's time to become more "IPv6 fluent" :-).

                    • Gertjan @-flo- 0

                      @flo-0

                      Good for you 👍

                      www.amazone.com www.cnn.com www.whitehouse.gov www.apple.com www.microsoft.com www.netflix.com, to name some big players, all switched.
                      google.com adopted it years ago.
                      Others, like twitter or truthsocial.com have still issues .... ^^


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.