Bug #15202

open

Add Option for Network Portion of Subnet "Wildcard" for IPv6 Rules

Added by Kris Phillips 3 months ago. Updated 24 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version:
Affected Architecture: All

Description

Filtering hosts with IPv6 is extremely difficult when utilizing an upstream provider that is providing a Prefix Delegation via DHCPv6 because the Prefix Delegation can change, which invalidates existing rules.

If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.

This solves the following two scenarios:

1. A static DHCPv6 lease is assigned, but the delegated prefix changes
2. Clients configured via SLAAC typically will have the same host portion of an address, regardless of the network portion discovered by RAs, unless they are utilizing privacy extensions.

Obviously, this won't help in cases where SLAAC is used with RFC4941, but in many cases when creating rules like this it's possible to disable privacy extensions optionally in most operating systems.

#1

Updated by Sevi A 24 days ago

Kris Phillips wrote:

If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.

Perhaps I misunderstood, but isn't this already possible?

By specifying a firewall rule with an address or network starting with two colons :: it gets expanded to the same address/network with the interface's IPv6 prefix (at least I just checked that on an interface with "Track Interface" in pfSense+ 23.09.1 by inspecting the rules in /tmp/rules.debug).

E.g. if the delegated prefix of the interface is 2001:db8:: then
  • ::/56 gets expanded to 2001:db8::/56
  • ::123 gets expanded to 2001:db8::123

Both sound like they would solve your scenarios (?). I'm currently using the first approach to isolate my VLANs, but I'll probably switch to using interface groups.
For hosts with static addresses, it might still be a bit cumbersome, as the address has to be "hard-coded" into the rule - aliases with leading :: don't get expanded to the interface prefix.

I wish this would be documented somewhere though, at least I couldn't find it. I just stumbled on it while figuring out how to segregate VLANs with IPv6.

Sources:

- original feature request: https://redmine.pfsense.org/issues/6626
- related discussion: https://forum.netgate.com/topic/185522/network-separation-with-a-dynamic-ipv6-pd/5
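
The prefix arithmetic described in the comment above, as an added Python sketch; it is not pfSense code and not part of the original thread. The function names, the /64 interface prefixes and the sample rule addresses are constructed for illustration, and rejecting rule addresses that set network bits is an assumption of this example.

```python
import ipaddress


def expand_rule_address(rule_addr: str, iface_prefix: str) -> str:
    """Fill the network bits of a '::'-leading rule address or network
    from the prefix currently assigned to the interface."""
    prefix = ipaddress.IPv6Network(iface_prefix)  # raises if host bits are set
    addr_part, _, plen = rule_addr.partition("/")
    suffix = int(ipaddress.IPv6Address(addr_part))
    # Only host bits may be set in the rule; bits inside the interface
    # prefix's network portion would conflict with the delegated prefix.
    if suffix & int(prefix.netmask):
        raise ValueError(f"{rule_addr!r} sets bits inside {prefix}")
    combined = ipaddress.IPv6Address(int(prefix.network_address) | suffix)
    if not plen:
        return str(combined)
    # Network form (e.g. '::/56'): mask down to the requested length.
    return str(ipaddress.IPv6Network(f"{combined}/{plen}", strict=False))


def expand_rules(rule_addrs, iface_prefix):
    """Re-expand every rule address, as after a prefix delegation change."""
    return {r: expand_rule_address(r, iface_prefix) for r in rule_addrs}


if __name__ == "__main__":
    # Constructed rule entries: a static host, a covering network,
    # and a SLAAC-style interface identifier.
    RULES = ["::123", "::/56", "::211:22ff:fe33:4455"]
    for pfx in ("2001:db8::/64", "2001:db8:abcd:1201::/64"):
        print(pfx, expand_rules(RULES, pfx))
```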
