Hi all.
My provider assigns me an IPv4 Address and an IPv6 Prefix /56. I use "Track Interface" for my internal VLANs. That all works great, no problem here. I am looking for an easy way to get a firewall alias with that /56 prefix from my internet provider. I only find aliases for the prefixes of the individual NICs, but none for the prefix from the provider.
Thanks,
Steffen
I'm not sure I fully understand your question, but under Firewall > Aliases you can configure Dynamic ipv6 Host aliases where only the last 64 bits are static. Just write ::1234:1234:1234:1234 in the content section (obviously replace 1234 with your suffix).
A short example what i mean. When I connect to the internet I will get a prefix like this:
2a00:abcd:1234:9300::/56
With tracking I could assign for example the id 0x12 for the KIDS network. So the KIDS Network uses addresses like 2a00:abcd:1234:9312::/64. With the Dynamic IPv6 Host alias it is possible to address one pc/server/... in the KIDS network. Just use a mask like ::2345:6789:abcd:0001 and the alias would contain 2a00:abcd:1234:9312:2345:6789:abcd:0001/128. Also there is an alias __opt# containing 2a00:abcd:1234:9312::/64. That is all fine and works for me.
I am looking for an alias containing 2a00:abcd:1234:9300::/56.
Hmm, I'm not sure if you can create an alias like that. Maybe someone else knows.
But there might be another way to achieve your end goal. What are you trying to do?
Unfortunately, that's not possible yet. It was discussed back when the dynamic IPv6 alias type was implemented. A decision was made to implement the host alias first and a network alias later (maybe).
Cheers
Maurice
@Maurice: Thank you for that information.
@emzy: Yes, there is another way to implement what I want to achieve. But it would be more convenient with the alias described. A small example: I want to allow the access to the internet via IPv6 for all destination addresses, expect the local used prefix.
The existing/auto-generated aliases that start with double underline (__an_interface_name) look like they could do what I need, but I haven't found a way to use them.
Quote from: zoechi on June 18, 2024, 04:20:05 PM
The existing/auto-generated aliases that start with double underline (__an_interface_name) look like they could do what I need, but I haven't found a way to use them.
I tried this and it seems to work perfectly.
I created an ngroup_local_network network alias and added __lan_network and __optX_network as appropriate to it.
I then created a rule using destination invert to allow access.
This seems to be working exactly as I want it to
Ah rats, I'm doing dynamic prefix delegation internally so grouping interface networks won't cut it. IPv6 Dynamic Host alias type looked close but seems hard-coded to splitting on /64 and the address being /128, boo.
I may try something bodgy like this https://forum.opnsense.org/index.php?topic=43994.msg219298#msg219298