Allow IPv6 firewall entries with dynamic PD prefix + static host address
When using an ISP with dynamic prefix delegation, the prefix may change at any time, resulting in a change of the IP address of a host. A mechanism needs to be added to the firewall rule setup that allows the prefix of an interface to be dynamically updated should it change on the interface, while still allowing the host portion of the address to be static. This way firewall rules for a host can be updated automatically, allowing it to retain access in the event of a prefix change.
One possible way to do this would be to add an item to the Destination drop-down (i.e. LAN Prefix) and allow the host portion of the address to be entered into the text box.
Another possible way would be to have a token that could be entered into the Address box, that is replaced with the prefix during rule generation.
However this is implemented, validation should reject the rule with an error if the protocol is IPv4 or IPv4+IPv6.
My personal preference would be the drop-down box, but I leave this decision to whoever is implementing this feature.
#2 Updated by Frederick Staats almost 3 years ago
I would also like to see such a feature. My work around currently is to manually create an aliases that contains the full prefix network delegation and use that in our rules. This allows me to set a simple rulesets between my ipv4/ipv6 VLAN. Note: with aliases you can mix ipv4/ipv6 addresses and any prefix notation should still allow that. I think the implementation could be as simple as a text macro substitution in the aliases definitions and an automatic trigger to reparse and save automatically save updated aliases when the prefix delegation changes.
Typically I whitelist allow rules at the network level (VPN_A net can talk to VPN_B net, VPN_A net can talk to WAN net, etc.) and then set a few deny rules (All nets nets can not talk to Internal nets [my delegation prefix alias containing all configured ipv4/ipv6 networks], all nets can not talk to private addresses [another alias], all nets can not talk to firewall [a built in alias]), and then set a blanket permission rule to talk to the internet (VPN_A net can talk to all nets.)
My problem is that anytime the prefix delegation gets reset (an extended power failure, I reconfigure the WAN) I'm left with a hole in my firewall rules between delegated IPv6 networks until I remember to fix the alias. With dynamic DNS I can set a script to detect the issue, but I would still rather make rules that can observe the prefix delegation dynamically.
#4 Updated by Graham Gudgin over 2 years ago
I would like to see support for this added as I have switched my home router to use pfSense and run into the same issue. On my previous consumer router I was able to add a netmask to my IPv6 rule that ignored the prefix portion and only matched on the host portion. Not an exact match, but hey, more than close enough.
i.e. 2601:1234:1234:1234:abcd:abcd:abcd/::ffff:ffff:ffff:ffff or the lower 64 bits
Currently updating the alias for server's IPv6 address should my prefix change that is assigned.
Ideally agree with being able to add a host with a <LAN Prefix> variable that tracks the LAN network prefix the is delegated and I can add the static host portion.
#6 Updated by Elv Quant about 1 year ago
On generating the interface identifier using EUI-64 (based on MAC address), the interface identifier are independed by the prefix. So it is able to use only the interface identifier for the firewall rule and internaly add the prefix, even it changed for the delegated network.
Newer versions of operation systems implements RFC-7217 (Semantically Opaque Interface Identifiers) and/or RFC-3972 (Cryptographic Generated Address). In this case the interface identifiers contains hash-values which are depend by the prefix. So the interface identifier changing the prefix changed.
SOII and CGA can by disabled on debian 16.04ff and macOS 10.12ff by changing sysctl-parameters and on rasbian jessie ff changing slaac from private to hwaddr. But should we restrict new security features to get back the EUI-64 interface identifier?
My idea are to define a rule based on an "alias" and make it possible the client in the delegated net can update the alias with it's new IPv6 (secured by token)
I think this issue really needs to be adressed ASAP. If I understand this correctly it means that today the best workaround is to disable IPv6 completely because you effectively cannot deny traffic in between local nets. Disabling IPv6 on the other hand doesn't seem to be a reasonable option in nowadays networking landscape since IPv6 becomes more and more important.
I think we would need a variable that always keeps the current delegated prefix ID so that we can define rules based upon this.
With such a variable we could define rules that affect jut the prefix ID + network portion or we could even define rules like:
allow SSH for *prefixID*-*mynetwork portion*-*interface ID*
#8 Updated by Nathan Stansell 8 months ago
Same issue here. I need the ability to filter/firewall some hosts IPV6 traffic just the same as IPV4 traffic. Right now its either all or none for IPV6 when it comes to firewall rules. Im not sure how this has not been resolved yet? Not complaining as much as im just not sure how this isnt a bigger deal. Seems pretty basic to me, the need to have firewall rules work on single hosts or alias's.
Ideally, the ability to specify a single IPV6 address as an alias would be best. I can assign ::1001 to a machine, why cant i filter based on the same ::1001 instead of requiring the entire V6 address? It seems this should work as i can input ::1001 in an alias, it just does not function despite not throwing an error when saving.
#10 Updated by B P about 1 month ago
The global prefix variable should be available to the Dynamic DNS tool as well. Currently the Dynamic DNS tool has an `%IP%` variable that can be used to fill in the WAN's IPv4 or IPv6 address, but it would be nice to also have IPv6Prefix here to allow pfSense to update DNS entries for servers on pfSense's LAN.
What would be required internally to create this? Would the existing Alias code be sufficient for this with some modification? Or does this require the creation of a new Prefix type?
Without looking at the code, I feel like a new Prefix type would be best. Then rather than touching every location in the UI (and code) that consumes aliases, we could allow Prefixes to be used in Aliases (and nowhere else) and then a user could create a new Prefix, make an alias that uses that prefix, and then use the alias just as they do normally.
Or maybe a new customizable prefix type isn't required and we just allow the use of something like WANPrefix inside an alias definition.