Hi,
I have an OPNsense behind a FRITZ!Box which successfully delegates a /60 prefix to it.
The problem begins if I try to create a firewall alias for that prefix.
For the LAN address I've created a dynamic IPv6 host with content like ::cafe:cafe:cafe:cafe
Now the alias contains the complete address and will hopefully be refreshed if the prefix changes.
What I need further is the prefix address without the /64 host ID. I would write this
like ::cafe:cafe:cafe:cafe/60
The result should be the prefix without the host ID and with the given netmask.
Now the standard firewall internet access rule could be expressed with
- src=<network> dst= not <prefix>
Is there a chance to get this implemented?
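To make the request above concrete, here is an added worked example (not code from the thread or from OPNsense) that does the two computations the post describes: strip the host ID from a current LAN address to recover the delegated /60, rebuild what a dynamic host alias with a fixed suffix resolves to, and then evaluate the proposed "src=<network> dst=not <prefix>" rule against sample packets. All addresses are constructed documentation-range values, and the rule evaluation is a plain model of the match logic, not pf itself.

```python
import ipaddress

# Constructed sample values (documentation range), not taken from the thread.
CURRENT_LAN_ADDRESS = "2001:db8:abcd:1230:cafe:cafe:cafe:cafe"  # LAN address right now
DELEGATED_LEN = 60                       # what the upstream router delegates
LAN_LEN = 64                             # the /64 configured on the LAN interface
HOST_SUFFIX = "::cafe:cafe:cafe:cafe"    # the dynamic-alias content from the post


def prefix_of(address: str, length: int) -> ipaddress.IPv6Network:
    """Strip the host part: the address with /60 applied gives the /60 it lives in.
    strict=False tells ipaddress to zero the host bits instead of raising."""
    return ipaddress.ip_network(f"{address}/{length}", strict=False)


def alias_address(prefix: ipaddress.IPv6Network, suffix: str) -> ipaddress.IPv6Address:
    """Rebuild what a dynamic IPv6 host alias resolves to: prefix OR fixed host ID."""
    host_bits = int(ipaddress.IPv6Address(suffix))
    return ipaddress.IPv6Address(int(prefix.network_address) | host_bits)


def vlan_subnets(prefix: ipaddress.IPv6Network) -> list:
    """The /64s a /60 can be split into; a group of 'INTERFACE network' aliases
    would have to list each of these separately."""
    return [str(n) for n in prefix.subnets(new_prefix=LAN_LEN)]


def internet_rule_allows(src: str, dst: str,
                         lan_net: ipaddress.IPv6Network,
                         excluded: ipaddress.IPv6Network) -> bool:
    """Model of 'pass from <lan_net> to not <excluded>': True means the packet passes."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    return s in lan_net and d not in excluded


if __name__ == "__main__":
    delegated = prefix_of(CURRENT_LAN_ADDRESS, DELEGATED_LEN)
    lan = prefix_of(CURRENT_LAN_ADDRESS, LAN_LEN)
    print("delegated prefix :", delegated)
    print("lan network      :", lan)
    print("alias resolves to:", alias_address(delegated, HOST_SUFFIX))
    print("usable /64s      :", len(vlan_subnets(delegated)))
    # A host on another /64 of the same delegation: excluded only when the
    # rule's destination exclusion covers the whole /60, not just the LAN /64.
    sibling = "2001:db8:abcd:1235::1"
    print("to sibling VLAN, exclude /64:", internet_rule_allows(f"{lan[16]}", sibling, lan, lan))
    print("to sibling VLAN, exclude /60:", internet_rule_allows(f"{lan[16]}", sibling, lan, delegated))
```

Running it shows the point of the request: with only the interface /64 excluded, traffic from the LAN to a sibling /64 inside the same /60 still matches the internet rule, whereas excluding the recovered /60 stops it without listing every VLAN network individually.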
You can use "INTERFACE network" for the directly connected /64. What exactly are you doing with the other /64s from that /60? If they are assigned to different interfaces you should be able to create a matching group. If they aren't, what do you plan to do with that alias?
Why would you? I do not see the use-case. If your aim is a rule to allow internet access for "all but the IPs on the same (V)LAN", then you can just as well allow to "any", because the local VLAN traffic does not pass the firewall anyway (modulo OpnSense itself, which you can block individually via a dynamic IPv6 alias).
If you want to block inter-VLAN traffic, you can totally do that with interface-related rules, no subnets needed.
;-) Patrick beat me by a few seconds...
I understand that we can create a network group holding all VLAN networks to prohibit inter-VLAN routing when internet access is to be defined, but that's fiddly.
I want to be precise and sustainable, and so the prefix itself is the best.
Nevertheless I'm okay with the network group of interfaces.
Thanks.