Feature #12190
Ability to use an IPv6 prefix in firewall rules (open)
Description
Many users have internet connections with a dynamic ipv6 prefix (a real joy). Currently firewall rules can only reference the rule's interface's prefix. To get around this limitation, allow the use of a tag in rules and aliases to select the specific interface to use a prefix from, as well as define the length of the prefix being extracted.
As of now, the first 5 commits here: https://github.com/gregtwallace/pfsense/commits/ipv6-tags are a rough implementation of tags in the firewall rules (aliases not yet implemented). The format for a source or destination address is {LAN-56}2601:db8::dead:beef. This example would extract the first 56 bits from the LAN IPv6 address and combine it with the remaining end bits of 2601:db8::dead:beef.
- Not covered by this, but a future additional feature could be to include this same format as valid in DHCPv6/RA server (for things such as DNS server, NTP, etc.)
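As an added illustration of the tag format described in this request (this is not code from the linked branch or from pfSense), the following Python resolves a {IFACE-LEN}address spec against a constructed table of interface addresses; treating a missing length as /64 is an assumption made here.

```python
import ipaddress
import re

# Constructed sample: the current (dynamic) IPv6 address of each interface,
# keyed by the interface name used in the tag. A real implementation would
# read these from the running system; RFC 3849 documentation addresses here.
INTERFACE_ADDRESSES = {
    "LAN": ipaddress.IPv6Address("2001:db8:abcd:1234::1"),
    "OPT1": ipaddress.IPv6Address("2001:db8:abcd:5678::1"),
}

# Tag syntax from the request: {IFACE-LEN} followed by an IPv6 literal whose
# low-order bits are kept. LEN is optional; defaulting to /64 is an assumption.
TAG_RE = re.compile(
    r"^\{(?P<iface>[A-Za-z0-9_]+)(?:-(?P<plen>\d{1,3}))?\}(?P<host>[0-9A-Fa-f:.]+)$"
)
DEFAULT_PREFIX_LEN = 64


def resolve_tagged_address(spec: str, addresses=INTERFACE_ADDRESSES) -> ipaddress.IPv6Address:
    """Replace the first LEN bits of the literal with the interface's prefix bits."""
    m = TAG_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not a tagged address: {spec!r}")
    iface = m.group("iface")
    plen = int(m.group("plen")) if m.group("plen") else DEFAULT_PREFIX_LEN
    if not 0 <= plen <= 128:
        raise ValueError(f"prefix length out of range: {plen}")
    if iface not in addresses:
        raise KeyError(f"unknown interface in tag: {iface}")
    host = ipaddress.IPv6Address(m.group("host"))  # rejects malformed literals

    # Top plen bits come from the interface address, the remaining
    # 128-plen bits come from the literal written in the rule.
    prefix_mask = ((1 << plen) - 1) << (128 - plen)
    host_mask = (1 << (128 - plen)) - 1
    merged = (int(addresses[iface]) & prefix_mask) | (int(host) & host_mask)
    return ipaddress.IPv6Address(merged)


if __name__ == "__main__":
    print(resolve_tagged_address("{LAN-56}2601:db8::dead:beef"))
```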
Updated by Greg Wallace over 4 years ago
I see alias addresses in FW rules are stored as $alias_name when resolved by filter_generate_address(). Can someone advise what function turns that into an actual address as the filter is being reloaded?
Updated by Marcos M over 3 years ago
- Status changed from New to Rejected
This is possible in rules, but not practical to implement in aliases, see https://redmine.pfsense.org/issues/6626#note-30
Instead, one can use NPT which now supports tracked interfaces.
Updated by Greg Wallace over 3 years ago
Marcos M wrote in #note-2:
This is possible in rules, but not practical to implement in aliases, see https://redmine.pfsense.org/issues/6626#note-30
Instead, one can use NPT which now supports tracked interfaces.
I really didn't want to use NAT in ipv6 so I actually ended up implementing it locally with a few minor changes and it works nicely.
Updated by Robin Kluth almost 2 years ago
Same here.
pfSense is missing another dropdown for that :: feature in dynamic prefix cases, to select which interface to take it from. Or, as mentioned, the {LAN} magic keyword.
I also can't find any docs mentioning the :: feature.
Updated by Marcos M over 1 year ago
- Subject changed from Add ability to reference ipv6 prefix in firewall rules and aliases to Ability to use an IPv6 prefix in firewall rules
- Status changed from Rejected to New
Updated by Johannes Rohde 10 months ago
This would help massively since, for instance, in Germany most ISPs only hand out dynamic prefixes to their customers.
Updated by Dean Arnold 10 months ago
Same for xfinity/Comcast in US with /60 prefix.
The :: notation does not work in an alias and there is no way to target ::0/X for a given interface in a floating rule, making it impossible to use IPv4 & IPv6 addresses in the same rule using an alias as either a source or destination.
A way to use ::0/X and designated interface with both alias and firewall source/destination would be greatly appreciated.