Project

General

Profile

Actions

Feature #12190

open

Ability to use an IPv6 prefix in firewall rules

Added by Greg Wallace over 3 years ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

Many users have internet connections with a dynamic ipv6 prefix (a real joy). Currently firewall rules can only reference the rule's interface's prefix. To get around this limitation, allow the use of a tag in rules and aliases to select the specific interface to use a prefix from, as well as define the length of the prefix being extracted.

As of now, first 5 commits here: https://github.com/gregtwallace/pfsense/commits/ipv6-tags are a rough implementation of tags in the firewall rules (aliases not yet implemented). Format for source or destination address is {LAN-56}2601:db8::dead:beef This example would extract the first 56 bits from the lan ipv6 address and combine it with the remaining end bits of 2601:db8::dead:beef

  • Not covered by this, but a future additional feature could be to include this same format as valid in DHCPv6/RA server (for things such as DNS server, NTP, etc.)
Actions #1

Updated by Greg Wallace over 3 years ago

I see alias addresses in FW rules are stored as $alias_name when resolved by filter_generate_address(). Can someone advise what function turns that into an actual address as the filter is being reloaded?

Actions #2

Updated by Marcos M almost 2 years ago

  • Status changed from New to Rejected

This is possible in rules, but not practical to implement in aliases, see https://redmine.pfsense.org/issues/6626#note-30

Instead, one can use NPT which now supports tracked interfaces.

Actions #3

Updated by Greg Wallace almost 2 years ago

Marcos M wrote in #note-2:

This is possible in rules, but not practical to implement in aliases, see https://redmine.pfsense.org/issues/6626#note-30

Instead, one can use NPT which now supports tracked interfaces.

I really didn't want to use NAT in ipv6 so I actually ended up implementing it locally with a few minor changes and it works nicely.

Actions #4

Updated by Robin Kluth 8 months ago

Same here.

pfSense is missing some kind of another dropdown for that :: feature in dynamic prefix cases to select from what interface to add it. Or, as mentioned, the {LAN} magic keyword.

I also cant find any docs mentioning the :: feature.

Actions #5

Updated by Marcos M 4 months ago

  • Subject changed from Add ability to reference ipv6 prefix in firewall rules and aliases to Ability to use an IPv6 prefix in firewall rules
  • Status changed from Rejected to New
Actions

Also available in: Atom PDF