IPV6 Newbie questions

  • I only recently started playing around with IPv6 and I admit that I don't fully understand some aspects of it, so forgive my ignorance.

    At home, my ISP is providing a 6rd tunnel with a /28 prefix for the WAN. I then use 'Track interface' for the LAN and all clients on the LAN get a /64 address. IPV6 connectivity works across the board and I pass all the IPV6 tests.

    My question is how can I apply FW rules to control traffic of specific IPv6 clients on LAN when their addresses are assigned automatically, and Windows machines also use temporary addresses that change over time? I just upgraded to 2.3 for the record.

  • First, you'd need to switch to using DHCPv6… if you want your Windows computers to always have the same IPv6 address, you'd need to set up static DHCPv6 entries for them. Note that it might be easier to let the computer get an IPv6 address first, then create a static entry so that the DUID (which is used instead of the MAC address for identifying the device/system) is already filled in.

    Now... something you have to keep in mind is that your prefix is being delegated by your ISP. In theory, at any time they could delegate you a different prefix, and the first part of your IPv6 address would change. pfSense will (should?) take care of automatically changing everything with regards to DHCPv6... but at this time, there's no way to have a firewall rule that is associated with a network using "Track Interface" that will update the prefix portion of the address automatically. However, you're not the first person to ask for this capability... you're at least the third or fourth I've seen in the past week or so.

    I'm not sure if there's a feature request submitted for this yet, but if there isn't, there should be.
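To make the prefix-change problem from the post above concrete, here is an added example (not pfSense code, not from anyone in this thread) that does by hand what "Track Interface" rules currently cannot: it carves the LAN /64 out of a delegated prefix, and when the delegation changes it rewrites host addresses in a rule list while keeping the low 64 bits (the interface identifier) untouched. All prefixes, prefix IDs and host addresses are constructed sample values, and the rule list is a hypothetical (name, source address) model rather than pfSense's own rule format.

```python
import ipaddress
from typing import List, Tuple

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address


def lan_prefix(delegation: ipaddress.IPv6Network, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 a 'Track Interface' LAN would use inside the delegation.

    prefix_id is the hypothetical subnet number inside the delegation (0 = first /64).
    """
    if delegation.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter to hold a /64 LAN")
    subnet_bits = 64 - delegation.prefixlen
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError("prefix ID does not fit inside the delegation")
    base = int(delegation.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """The part of the address that survives a prefix change."""
    return int(addr) & IID_MASK


def rehome(addr: ipaddress.IPv6Address, new_lan: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Put the same interface identifier under a new /64."""
    return ipaddress.IPv6Address(int(new_lan.network_address) | interface_id(addr))


def rebuild_rules(rules: List[Tuple[str, str]],
                  old_lan: ipaddress.IPv6Network,
                  new_lan: ipaddress.IPv6Network) -> List[Tuple[str, str]]:
    """Rewrite every rule whose source lives in old_lan so it matches under new_lan.

    Rules pointing at addresses outside the tracked LAN are returned unchanged.
    """
    rebuilt = []
    for name, src in rules:
        src_addr = ipaddress.IPv6Address(src)
        if src_addr in old_lan:
            rebuilt.append((name, str(rehome(src_addr, new_lan))))
        else:
            rebuilt.append((name, src))
    return rebuilt


# Constructed sample: the ISP first hands out 2001:db0::/28, later 2001:dc0::/28.
OLD_DELEGATION = ipaddress.IPv6Network("2001:db0::/28")
NEW_DELEGATION = ipaddress.IPv6Network("2001:dc0::/28")
PREFIX_ID = 1  # constructed: LAN uses the second /64 of the delegation

# Constructed rule list: a static server, a Windows temporary address, and an off-LAN host.
SAMPLE_RULES = [
    ("allow-server-out", "2001:db0:0:1::10"),
    ("block-win-temp", "2001:db0:0:1:a1b2:c3d4:e5f6:789"),
    ("allow-remote-dns", "2001:db8::53"),
]


def demo() -> List[Tuple[str, str]]:
    old_lan = lan_prefix(OLD_DELEGATION, PREFIX_ID)  # 2001:db0:0:1::/64
    new_lan = lan_prefix(NEW_DELEGATION, PREFIX_ID)  # 2001:dc0:0:1::/64
    return rebuild_rules(SAMPLE_RULES, old_lan, new_lan)


if __name__ == "__main__":
    for name, src in demo():
        print(f"{name:20} {src}")
```

The point of the example is the split in `rehome`: a rule that is stored as a full 128-bit address has to be recomputed whenever the prefix moves, whereas a rule keyed on the 64-bit interface identifier would not. A temporary (privacy) address still defeats this, because its interface identifier changes on its own schedule, which is why the earlier reply steers towards DHCPv6 static entries for hosts you want to match in rules.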

  • Sounds very similar to my question here: https://forum.pfsense.org/index.php?topic=109879.0

    So far I've worked around it by adding an alias for the dyndns entry I've set up for my server box. I need that dyndns anyway to reach it from the outside (especially since the prefix changes).

    The server maintains the dyndns entry by running a small script every minute, checking the local IPv6 address and updating if necessary (couldn't get inadyn working). The pfSense box updates the alias every 5 minutes by default, which is good enough for me.

  • Yep, and a similar idea here, with some feedback from one of the pfSense developers. He'd like to see the "dynamic" firewall rules for Track Interface networks happen at some point in the future, though no plans to implement at this time.


  • Thank you guys for the info. In regards to the DHCP v6, I have noticed something different in 2.3. In 2.2.6 I could not use DHCP6 on the LAN interface while it was set to Track Interface, but in 2.3 I noticed it's enabled by default with RA. How does that work?

  • Yep, that was new with 2.3… though there are some limitations (as far as prefix sub-delegation, and I think static DHCPv6 also, but haven't confirmed that last one).

    Basically, if you have the RA set to Assisted or Managed, and DHCPv6 server is enabled, your hosts that support DHCPv6 can get IPv6 address leases through DHCP. If your prefix changes, the DHCP range will be automatically adjusted to include the new prefix.

    You can also do static DHCP, however you need to know the DUID of the system (not just the MAC Address, though the MAC address is included in it). Also, I don't know if the prefix part of the static DHCP addresses is changed if your ISP delegates a new prefix to you (I've questioned one of the developers about it, waiting for a response).

    The RA options available indicate how clients will determine their IPv6 addresses.

    • Router Only - the RA will only include the router address; addressing is handled by the client.
    • Unmanaged - Use only SLAAC addressing
    • Assisted - Use/prefer SLAAC if available, if not use DHCPv6
    • Managed - Use DHCPv6 only (note: Android devices do NOT support DHCPv6; they won't get IPv6 addresses in this mode)
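To show what the reply above means by "the MAC address is included in" the DUID, and why a temporary address can't be tied to a machine the way a SLAAC address can, here is an added example (not pfSense code, not from anyone in this thread). It builds the EUI-64 interface identifier a host derives from its MAC under SLAAC, forms the SLAAC address under a given /64, constructs a DUID-LL (the DUID type that embeds the link-layer address) from the same MAC, and checks whether an observed address carries the EUI-64 marker. The MAC and prefix are constructed sample values.

```python
import ipaddress

DUID_LL = 3          # DUID type 3: link-layer address (RFC 8415)
HW_TYPE_ETHERNET = 1  # IANA hardware type for Ethernet


def mac_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 and return the six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly six bytes")
    return raw


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    m = mac_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC client would form from an RA prefix (Unmanaged/Assisted modes)."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def duid_ll(mac: str) -> bytes:
    """DUID-LL: 2-byte type, 2-byte hardware type, then the link-layer address."""
    return (DUID_LL.to_bytes(2, "big")
            + HW_TYPE_ETHERNET.to_bytes(2, "big")
            + mac_bytes(mac))


def has_eui64_marker(addr: str) -> bool:
    """True if the low 64 bits carry the ff:fe marker, i.e. they were likely MAC-derived.

    A temporary (privacy) or DHCPv6-assigned address normally has no such marker,
    so nothing about the host can be recovered from the address alone.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return iid.to_bytes(8, "big")[3:5] == b"\xff\xfe"


# Constructed sample values, not from the thread.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8::/64")

if __name__ == "__main__":
    print("SLAAC address :", slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))
    print("DUID-LL (hex) :", duid_ll(SAMPLE_MAC).hex())
    print("EUI-64 marker :", has_eui64_marker(str(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))))
    print("EUI-64 marker :", has_eui64_marker("2001:db8::a1b2:c3d4:e5f6:789"))
```

The DUID a real client sends may instead be DUID-LLT (type 1, which adds a timestamp) or DUID-EN/UUID, which is why the earlier reply suggests letting the machine obtain a lease first and copying the DUID it actually presented rather than computing one.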

  • Great, thanks for the help. I will have to play around with it.
