pfSense » pfSense Plus

Kris Phillips wrote:

If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.

Perhaps I misunderstood, but isn't this already possible?

By specifying a firewall rule with an address or network starting with two colons :: it gets expanded to the same address/network with the interface's IPv6 prefix (at least I just checked that on an interface with "Track Interface" in pfSense+ 23.09.1 by inspecting the rules in /tmp/rules.debug ).

E.g. if the delegated prefix of the interface is 2001:db8:: then

• ::/56 gets expanded to 2001:db8::/56
• ::123 gets expanded to 2001:db8::123

Both sound like they would solve your scenarios (?). I'm currently using the first approach to isolate my VLANs, but I'll probably switch to using interface groups.
For hosts with static addresses, it might still be a bit cumbersome, as the address has to be "hard-coded" into the rule - aliases with leading :: don't get expanded to the interface prefix.

I wish this would be documented somewhere though, at least I couldn't find it. I just stumbled on it while figuring out how to segregate VLANs with IPv6.

Sources:

- original feature request: https://redmine.pfsense.org/issues/6626
- related discussion: https://forum.netgate.com/topic/185522/network-separation-with-a-dynamic-ipv6-pd/5