Feature #12190
closed
Add ability to reference ipv6 prefix in firewall rules and aliases
0%
Description
Many users have internet connections with a dynamic ipv6 prefix (a real joy). Currently firewall rules can only reference the rule's interface's prefix. To get around this limitation, allow the use of a tag in rules and aliases to select the specific interface to use a prefix from, as well as define the length of the prefix being extracted.
As of now, first 5 commits here: https://github.com/gregtwallace/pfsense/commits/ipv6-tags are a rough implementation of tags in the firewall rules (aliases not yet implemented). Format for source or destination address is {LAN-56}2601:db8::dead:beef This example would extract the first 56 bits from the lan ipv6 address and combine it with the remaining end bits of 2601:db8::dead:beef
- Not covered by this, but a future additional feature could be to include this same format as valid in DHCPv6/RA server (for things such as DNS server, NTP, etc.)
Updated by Greg Wallace over 2 years ago
I see alias addresses in FW rules are stored as $alias_name when resolved by filter_generate_address(). Can someone advise what function turns that into an actual address as the filter is being reloaded?
Updated by Marcos M over 1 year ago
- Status changed from New to Rejected
This is possible in rules, but not practical to implement in aliases, see https://redmine.pfsense.org/issues/6626#note-30
Instead, one can use NPT which now supports tracked interfaces.
Updated by Greg Wallace over 1 year ago
Marcos M wrote in #note-2:
This is possible in rules, but not practical to implement in aliases, see https://redmine.pfsense.org/issues/6626#note-30
Instead, one can use NPT which now supports tracked interfaces.
I really didn't want to use NAT in ipv6 so I actually ended up implementing it locally with a few minor changes and it works nicely.
Updated by Robin Kluth 7 days ago
Same here.
pfSense is missing some kind of another dropdown for that :: feature in dynamic prefix cases to select from what interface to add it. Or, as mentioned, the {LAN} magic keyword.
I also cant find any docs mentioning the :: feature.