Feature #6626

Allow IPv6 firewall entries with dynamic PD prefix + static host address

Added by Michael Virgilio over 2 years ago. Updated 3 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


When using an ISP with dynamic prefix delegation, the prefix may change at any time, resulting in a change of the IP address of a host. A mechanism needs to be added to the firewall rule setup that allows the prefix of an interface to be dynamically updated should it change on the interface, while still allowing the host portion of the address to be static. This way firewall rules for a host can be updated automatically, allowing it to retain access in the event of a prefix change.

One possible way to do this would be to add an item to the Destination drop-down (i.e. LAN Prefix) and allow the host portion of the address to be entered into the text box.

Another possible way would be to have a token that could be entered into the Address box, that is replaced with the prefix during rule generation.

However this is implemented, validation should reject the rule with an error if the protocol is IPv4 or IPv4+IPv6.

My personal preference would be the drop-down box, but I leave this decision to whoever is implementing this feature.


#1 Updated by Corey Boyle over 2 years ago

Another place this would be handy is when configuring server options in DCHPv6 and RAs.

#2 Updated by Frederick Staats almost 2 years ago

I would also like to see such a feature. My work around currently is to manually create an aliases that contains the full prefix network delegation and use that in our rules. This allows me to set a simple rulesets between my ipv4/ipv6 VLAN. Note: with aliases you can mix ipv4/ipv6 addresses and any prefix notation should still allow that. I think the implementation could be as simple as a text macro substitution in the aliases definitions and an automatic trigger to reparse and save automatically save updated aliases when the prefix delegation changes.

Typically I whitelist allow rules at the network level (VPN_A net can talk to VPN_B net, VPN_A net can talk to WAN net, etc.) and then set a few deny rules (All nets nets can not talk to Internal nets [my delegation prefix alias containing all configured ipv4/ipv6 networks], all nets can not talk to private addresses [another alias], all nets can not talk to firewall [a built in alias]), and then set a blanket permission rule to talk to the internet (VPN_A net can talk to all nets.)

My problem is that anytime the prefix delegation gets reset (an extended power failure, I reconfigure the WAN) I'm left with a hole in my firewall rules between delegated IPv6 networks until I remember to fix the alias. With dynamic DNS I can set a script to detect the issue, but I would still rather make rules that can observe the prefix delegation dynamically.

#3 Updated by Frederick Staats almost 2 years ago

Note I also have the issue with configuring DHCPv6 and RAs and in configuring somme OpenVPN configurations that are internal address aware.

#4 Updated by Graham Gudgin over 1 year ago

I would like to see support for this added as I have switched my home router to use pfSense and run into the same issue. On my previous consumer router I was able to add a netmask to my IPv6 rule that ignored the prefix portion and only matched on the host portion. Not an exact match, but hey, more than close enough.

i.e. 2601:1234:1234:1234:abcd:abcd:abcd/::ffff:ffff:ffff:ffff or the lower 64 bits

Currently updating the alias for server's IPv6 address should my prefix change that is assigned.
Ideally agree with being able to add a host with a <LAN Prefix> variable that tracks the LAN network prefix the is delegated and I can add the static host portion.

#5 Updated by Lukas Kuzmiak 6 months ago

Same issue as Frederick described - I can't seem to be able to effectively block inter-vlan traffic for IPv6 as the addresses change (dynamic PD prefix).

#6 Updated by Elv Quant 3 months ago

On generating the interface identifier using EUI-64 (based on MAC address), the interface identifier are independed by the prefix. So it is able to use only the interface identifier for the firewall rule and internaly add the prefix, even it changed for the delegated network.


Newer versions of operation systems implements RFC-7217 (Semantically Opaque Interface Identifiers) and/or RFC-3972 (Cryptographic Generated Address). In this case the interface identifiers contains hash-values which are depend by the prefix. So the interface identifier changing the prefix changed.

SOII and CGA can by disabled on debian 16.04ff and macOS 10.12ff by changing sysctl-parameters and on rasbian jessie ff changing slaac from private to hwaddr. But should we restrict new security features to get back the EUI-64 interface identifier?

My idea are to define a rule based on an "alias" and make it possible the client in the delegated net can update the alias with it's new IPv6 (secured by token)

Also available in: Atom PDF