pfSense

Another place this would be handy is when configuring server options in DCHPv6 and RAs.

I would also like to see such a feature. My work around currently is to manually create an aliases that contains the full prefix network delegation and use that in our rules. This allows me to set a simple rulesets between my ipv4/ipv6 VLAN. Note: with aliases you can mix ipv4/ipv6 addresses and any prefix notation should still allow that. I think the implementation could be as simple as a text macro substitution in the aliases definitions and an automatic trigger to reparse and save automatically save updated aliases when the prefix delegation changes.

Typically I whitelist allow rules at the network level (VPN_A net can talk to VPN_B net, VPN_A net can talk to WAN net, etc.) and then set a few deny rules (All nets nets can not talk to Internal nets [my delegation prefix alias containing all configured ipv4/ipv6 networks], all nets can not talk to private addresses [another alias], all nets can not talk to firewall [a built in alias]), and then set a blanket permission rule to talk to the internet (VPN_A net can talk to all nets.)

My problem is that anytime the prefix delegation gets reset (an extended power failure, I reconfigure the WAN) I'm left with a hole in my firewall rules between delegated IPv6 networks until I remember to fix the alias. With dynamic DNS I can set a script to detect the issue, but I would still rather make rules that can observe the prefix delegation dynamically.

Note I also have the issue with configuring DHCPv6 and RAs and in configuring somme OpenVPN configurations that are internal address aware.

I would like to see support for this added as I have switched my home router to use pfSense and run into the same issue. On my previous consumer router I was able to add a netmask to my IPv6 rule that ignored the prefix portion and only matched on the host portion. Not an exact match, but hey, more than close enough.

i.e. 2601:1234:1234:1234:abcd:abcd:abcd/::ffff:ffff:ffff:ffff or the lower 64 bits

Currently updating the alias for server's IPv6 address should my prefix change that is assigned.
Ideally agree with being able to add a host with a <LAN Prefix> variable that tracks the LAN network prefix the is delegated and I can add the static host portion.

Same issue as Frederick described - I can't seem to be able to effectively block inter-vlan traffic for IPv6 as the addresses change (dynamic PD prefix).

On generating the interface identifier using EUI-64 (based on MAC address), the interface identifier are independed by the prefix. So it is able to use only the interface identifier for the firewall rule and internaly add the prefix, even it changed for the delegated network.

BUT

Newer versions of operation systems implements RFC-7217 (Semantically Opaque Interface Identifiers) and/or RFC-3972 (Cryptographic Generated Address). In this case the interface identifiers contains hash-values which are depend by the prefix. So the interface identifier changing the prefix changed.

SOII and CGA can by disabled on debian 16.04ff and macOS 10.12ff by changing sysctl-parameters and on rasbian jessie ff changing slaac from private to hwaddr. But should we restrict new security features to get back the EUI-64 interface identifier?

EDIT:
My idea are to define a rule based on an "alias" and make it possible the client in the delegated net can update the alias with it's new IPv6 (secured by token)

I think this issue really needs to be adressed ASAP. If I understand this correctly it means that today the best workaround is to disable IPv6 completely because you effectively cannot deny traffic in between local nets. Disabling IPv6 on the other hand doesn't seem to be a reasonable option in nowadays networking landscape since IPv6 becomes more and more important.

I think we would need a variable that always keeps the current delegated prefix ID so that we can define rules based upon this.
With such a variable we could define rules that affect jut the prefix ID + network portion or we could even define rules like:

allow SSH for *prefixID*-*mynetwork portion*-*interface ID*

Same issue here. I need the ability to filter/firewall some hosts IPV6 traffic just the same as IPV4 traffic. Right now its either all or none for IPV6 when it comes to firewall rules. Im not sure how this has not been resolved yet? Not complaining as much as im just not sure how this isnt a bigger deal. Seems pretty basic to me, the need to have firewall rules work on single hosts or alias's.

Ideally, the ability to specify a single IPV6 address as an alias would be best. I can assign ::1001 to a machine, why cant i filter based on the same ::1001 instead of requiring the entire V6 address? It seems this should work as i can input ::1001 in an alias, it just does not function despite not throwing an error when saving.

A global variable with the current delegated IPv6 prefix in CIDR form, which could be used in firewall aliases would be a nice start :-)

The global prefix variable should be available to the Dynamic DNS tool as well. Currently the Dynamic DNS tool has an `%IP%` variable that can be used to fill in the WAN's IPv4 or IPv6 address, but it would be nice to also have IPv6Prefix here to allow pfSense to update DNS entries for servers on pfSense's LAN.

What would be required internally to create this? Would the existing Alias code be sufficient for this with some modification? Or does this require the creation of a new Prefix type?

Without looking at the code, I feel like a new Prefix type would be best. Then rather than touching every location in the UI (and code) that consumes aliases, we could allow Prefixes to be used in Aliases (and nowhere else) and then a user could create a new Prefix, make an alias that uses that prefix, and then use the alias just as they do normally.

Or maybe a new customizable prefix type isn't required and we just allow the use of something like WANPrefix inside an alias definition.

This issue should be adressed in the near future, as it may prevent the use of IPv6 in some instances, where filtering and blocking is needed.

This issue should get a higher priority IMO. It renders IPv6 pretty much inoperable on (domestic) connections with changing prefix as there's no practical way to create firewall rules.

Some form of management for dynamic PD for IPv6 would be nice. It seems there are several, maybe many, ISPs that are running out of IPv4 but won’t implement static IPv6.

Management is cumbersome but still doable. I’m using static DHCPv6 assignments which get registered in DNS. Then I’m creating Aliases for those DNS entries and finally, firewall rules with Aliases. I’m managing only several hosts this way though.

Hello,

we are also in dire need of this feature. Lack of support for dynamic prefixes makes IPv6 pretty much unusable in our scenario.

Thanks!

This request is now 4,5 years old and has not seen any relevant activity.
As ISPs in Europe still provide users with only temporary IPv6 prefixes and most likely continue to do this in the future, I will probably switch to Mikrotik, as their RouterOS doesn't support this natively, but there seems to be an pretty easy workaround: https://forum.mikrotik.com/viewtopic.php?t=168470 / https://web.archive.org/web/20201231173931/https://forum.mikrotik.com/viewtopic.php?t=168470

Allow to use host portion of IPv6 in firewall rules:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/134

Already in 21.05 branch.

This appears to only be partially resolved. While using ::0/56 as a 'destination' on a Rule works, using the same ::0/56 on an Alias and then setting the Rule 'destination' to that Alias fails.

Did you get this figured out by chance? I was going to spend some time this weekend setting up IPV6 but if its still not working yet, there is no need as I use alias's also.

It works as intended for entries on rules.

It cannot work on aliases because aliases are not associated with an interface, and delegated prefixes are specifically associated with an interface.

The underlying software does not give pfSense knowledge of the entire prefix, or a list, so it only has the specific prefixes assigned to interfaces with which it can work.

So another feature request is needed for the ability to use IPV6 with rules that use alias's?

That would be a separate request, yes, but as I mentioned it's not currently possible to implement. There isn't any way for an alias to know how to resolve that prefix since there is no association with an interface, and even if it did have a list of prefixes available, there isn't a way for an alias to know which one to pick since it's a completely ambiguous situation.

Aliases are global objects, a single copy used potentially by multiple rules on multiple interfaces. Telling it you want ::blah/prefix would not be viable since it has no way to know what to fill in there when the ruleset it generated. Even with a prefix list available there isn't a viable way to figure out the intent without doing things like making multiple copies of the alias (one for each interface) which doesn't scale well and has its own share of problems.

So while you can make a new feature request, I wouldn't get your hopes up about a viable implementation appearing.

Ok, thanks for the response.

How does someone use IPV6 with dynamic assignments, and firewall rules?
I am a home user of PFSense so i not an expert.
I feel like i must be missing something as not being able to use IPV6 with firewall rules seems fairly restrictive.
Am i being a newb and am unaware of how to use dynamic IPV6 addresses with a firewall correctly?

Thanks for your time in responding. Ive been waiting years for this issue to be resolved, thinking it would address this issue.
This is the single reason i do not use IPV6.

I have kids and want the internet to turn off at night.
My ISP determines how address's are assigned so i have no choice but to use dynamic address's.
What's a person to do?

Is there another firewall option with a solution to this that someone can point me to?
Or a site/page that will help me figure out how to use this properly if its my hangup on how im trying to use it.

Most of those are items for discussion on the forum, not a bug report.

You can use these shorthand notations in firewall rule source and destination fields directly, just not in aliases.

Well, i know IPv6 firewall entries with dynamic delegated prefix and static host address's are not supported when using alias's.
With alias's being such an integral part of rules, and rules being such an integral part of a firewall, im not sure how this counts as resolved.
Hence posting on here in case other people are confused as i am.

It's resolved because they work on rules directly, which as I explained in my comments above is the only solution currently possible. Also, aliases are not mentioned in the original request. Aliases are fundamentally different than rules, despite their usual association.

Rather than leave this open and expand the scope to include aliases and keep kicking it down the road indefinitely, we consider this to be as complete as it can be given the fundamental incompatibility with aliases I described above.

Making it work with aliases would be a separate request. See my other comments for details.

Regardless, this is not the place so i created a forum post.
If you might be so kind as to offer some advice there, it would be appreciated.
https://forum.netgate.com/topic/164971/ipv6-and-firewall-rules-my-newb-is-showing

I opened Feature #12190 to address the remaining issues/considerations.
https://redmine.pfsense.org/issues/12190

May someone provide me a link to documentation of this long awaited feature…

I‘ve searched the hole day how to setup the fw rule…. ;-O

Thilo Gass wrote in #note-37:

May someone provide me a link to documentation of this long awaited feature…

I‘ve searched the hole day how to setup the fw rule…. ;-O

Good luck if you are working with alias's.
I've been told it works, but it doesn't work with alias's so its 100% useless for me.
I was told (in a nutshell) that making it work with aliases is too much coding work for too little return.

My workaround with alias is to setup an alias with a fqdn and let the server update this fqdn with his new ipv6 Adresse on prefix change… :-)

In https://redmine.pfsense.org/issues/12190 you find the information:

Format for source or destination address is {LAN-56}2601:db8::dead:beef

but I’m not able to generate a valid dest entry

Today I tested OPNsense in a VM: there you can use an alias.

Thilo Gass wrote in #note-39:

My workaround with alias is to setup an alias with a fqdn and let the server update this fqdn with his new ipv6 Adresse on prefix change… :-)

In https://redmine.pfsense.org/issues/12190 you find the information:

Format for source or destination address is {LAN-56}2601:db8::dead:beef

but I’m not able to generate a valid dest entry

Today I tested OPNsense in a VM: there you can use an alias.

I just gave in and configured NPt for each of my subnets.

I don’t like it in principle, but everything internal uses private address space and whenever my delegated prefix changes I only have to update the NPt mapping.

Thilo Gass wrote in #note-39:

In https://redmine.pfsense.org/issues/12190 you find the information:

Format for source or destination address is {LAN-56}2601:db8::dead:beef

In 2.6.0 there is still:

The following input errors were detected: {LAN-56}2601:db8::dead:beef is not a valid destination IP address or alias.

Any hints…?

Thilo Gass wrote in #note-39:

Format for source or destination address is {LAN-56}2601:db8::dead:beef

but I’m not able to generate a valid dest entry

Anyone successfull on that?

Anyone who searches the mentioned PR above: https://github.com/pfsense/pfsense/commit/7c4b3d3c8d2d15b1e59d1d262cc295a848434355