IPv6 firewall incoming rule - host IP relative to delegated prefix?
-
I want to pass some IPv6 traffic to a specific LAN host via a firewall rule.
The LAN host receives a "fixed" IPv6 address relative to the delegated prefix by configuring it in the DHCPv6 server Static Mappings section with its address specified as, for instance, ::1234:0:8. This works.

Now I'd like to create a rule that allows inbound TCP traffic to [delegated-prefix]:0:1234:0:8. The UI lets me create it, but it doesn't seem to have the desired effect -- traffic doesn't get forwarded.

Am I doing this right, or is there a different way of accomplishing this?
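As an added illustration of the address arithmetic this question relies on (example code written for this page, not taken from the thread or from pfSense): a delegated prefix and a prefix-relative host suffix such as ::1234:0:8 combine by bitwise OR, and a literal destination typed into a firewall rule only matches while the prefix it was built from is still the one delegated. The prefixes and suffixes below are made up for the example; `suffix_fits`, `host_from_prefix` and `rule_destination_matches` are helper names chosen here.

```python
import ipaddress


def suffix_fits(delegated_prefix: str, host_suffix: str) -> bool:
    """True when the suffix only uses bits outside the delegated prefix.

    A suffix that sets bits inside the prefix length would silently overwrite
    part of the delegated prefix when OR-ed in, so it is rejected.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = ipaddress.IPv6Address(host_suffix)
    host_bits = 128 - net.prefixlen
    return int(suffix) < (1 << host_bits)


def host_from_prefix(delegated_prefix: str, host_suffix: str) -> ipaddress.IPv6Address:
    """Combine a delegated prefix (e.g. from DHCPv6-PD) with a prefix-relative suffix.

    The suffix is written as a bare address like '::1234:0:8'; it supplies the
    low (host) bits, the prefix supplies the high bits, and the full address is
    the bitwise OR of the two.
    """
    if not suffix_fits(delegated_prefix, host_suffix):
        raise ValueError(f"suffix {host_suffix} overlaps the prefix bits of {delegated_prefix}")
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = ipaddress.IPv6Address(host_suffix)
    return ipaddress.IPv6Address(int(net.network_address) | int(suffix))


def rule_destination_matches(delegated_prefix: str, host_suffix: str, rule_destination: str) -> bool:
    """Check that a literal rule destination equals the address the static mapping
    yields for the *current* delegated prefix.

    Comparing IPv6Address objects (not strings) means '2001:db8:1:2::1234:0:8'
    and '2001:db8:1:2:0:1234:0:8' are correctly treated as the same host.
    """
    return ipaddress.IPv6Address(rule_destination) == host_from_prefix(delegated_prefix, host_suffix)


if __name__ == "__main__":
    # Constructed values: a /64 delegated by the ISP and the suffix from the question.
    prefix_today = "2001:db8:1:2::/64"
    suffix = "::1234:0:8"
    host = host_from_prefix(prefix_today, suffix)
    print(f"static mapping {suffix} under {prefix_today} -> {host}")

    # A rule written against today's prefix stops matching once the ISP
    # delegates a different one, which is the failure mode a hostname alias avoids.
    prefix_tomorrow = "2001:db8:1:3::/64"
    print("rule still matches after prefix change:",
          rule_destination_matches(prefix_tomorrow, suffix, str(host)))
```

Running the block prints the combined address and then `False` for the stale rule, which is the case a hostname-based alias (resolved at rule evaluation time) is meant to handle.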
-
@jhg said in IPv6 firewall incoming rule - host IP relative to delegated prefix?:
different way of accomplishing this
Always ^^
I've a web/mail/whatever server somewhere on the Internet in a data center, and I want to use my pfSense LAN based NAS for the backups.
And I want to use IPv6, "because I can". The pfSense WAN firewall rule:
Where SYS is an alias with all the server's IPv4 and IPv6 - this is the authorized "source".
Diskstation2 is an alias, and contains the IPv4 and IPv6 of my NAS (a syno), the destination.
Port '22' because of rsync. And TCP of course. I use IPv6 tracking on my LAN interfaces.
The IPv6 isn't hard-coded in my alias; it's set as "diskstation2.bff.tld" where bhf.tld is my local LAN domain. The alias will resolve this IPv6 for me, so it always points to the right IPv4 (DHCP4 MAC lease) and IPv6 (DHCP6 MAC/DUID lease). So the IPv4 will always be 192.168.1.33 but the IPv6 can change (the prefix part), in theory.
But I don't care ... alias host names are auto-resolved.
Normally, my ISP IPv6 LAN prefixes don't change .... so I just guess that I'm close to a working situation the day the prefix does change. Again: never actually tested it.
-
@Gertjan That was my original plan. I created an alias to the internal host and a rule allowing traffic in.
The rule for ICMP works, but the one for SSH doesn't. Here's what I have:
Incoming ipv4 ssh is handled via a NAT port forward rule, and works.
Incoming icmp6 works
Incoming ipv6 TCP arrives at the pfSense WAN interface but isn't forwarded.

I've verified that there is an AAAA record in the local DNS resolver for the alias target with the correct IP.
-
OK, now I think I've hit a Heisenbug.
I noticed the rule specified the same port in the "From" and "To" port range, and the surrounding text said to leave the "To" port blank for a single port. I blanked out the "To" port and committed the change, and the ipv6 ssh forwarding started working.
I made no other changes, and now the form fills in the "to" port with the same number, so it looks exactly like it did when it wasn't working.
It appears the rule just needed to be updated, but I have no idea why since the update didn't actually change anything.