OPNsense Forum
English Forums => General Discussion => Topic started by: chris42 on April 05, 2019, 04:13:08 pm
-
Hi there,
Is there a possibility to add IPv6 DNS entries to unbound on OPNsense and to the firewall configuration, similar to a DynDNS option?
To explain a bit further what I am looking for (might be a completely different solution possible):
I have a docker setup behind OPNsense in which multiple containers will spawn which have outside access. I am able to update my regular DNS via DynDNS, hence making them reachable. However, within OPNsense the IPv6 addresses of the containers are not known. As I see the configuration, I could delegate a prefix or use DHCP for the docker host, but I would never be able to know the IPv6 addresses of the containers.
Therefore I cannot configure the OPNsense firewall per container but only for a delegated subnet. Now, with IPv4 that would not have been a problem, as docker would only expose configured ports for a container via the NAT configuration. With IPv6 this is different: as there is no NAT, all ports are exposed.
Hence I need to set up extra IPv6 filtering for each container on the docker host.
tl;dr: What I am looking for:
Basically the possibility to have a central firewall in OPNsense:
- register the IPv6 of each container in OPNsense, similar to DynDNS, e.g. in unbound
- access the registered containers in the firewall to use as targets in rules
- a trigger mechanism, so that when a container's IPv6 is updated the firewall rules are reloaded.
Does anyone have an idea if this is remotely possible?
-
Can the container run nsupdate?
-
The docker host can, which knows all the container IPv6 addresses. The DynDNS script is running there as well.
As I understand this, that would be an update request following RFC2136. I have never used nsupdate and always thought unbound can't do RFC2136?
Would that info show up for the firewall config as well?
-
I don't bother with DNS on OPNsense, I just use my own public BIND9 server and do RFC2136.
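As an added illustration of the nsupdate/RFC2136 approach suggested in the replies above (example code, not from any poster in this thread): a POSIX shell script that runs on the docker host, takes a container inventory in the shape `docker inspect --format '{{.Name}}\t{{.NetworkSettings.GlobalIPv6Address}}'` would print, and turns it into an nsupdate batch that replaces each container's AAAA record. The inventory below is a constructed sample; the server name `ns.example.test`, the zone `containers.example.test` and the TSIG key file name are assumptions, and the actual DNS server (BIND9 in the last reply, since unbound is not an authoritative RFC2136 target) must be configured to accept signed updates for that zone.

```shell
#!/bin/sh
# Added example: build an RFC 2136 dynamic-update batch for nsupdate from
# container IPv6 addresses. Names, zone and key file are assumptions.

# Constructed sample inventory, one container per line: "<name><TAB><GlobalIPv6Address>".
# This mimics what `docker inspect --format '{{.Name}}\t{{.NetworkSettings.GlobalIPv6Address}}'`
# prints (names carry a leading slash; containers without a global IPv6 have an empty field).
sample_inventory() {
    printf '%s\t%s\n' '/web'     '2001:db8:1:2::10'
    printf '%s\t%s\n' '/mail'    '2001:db8:1:2::11'
    printf '%s\t%s\n' '/tmp-job' ''
}

# build_update SERVER ZONE [TTL]
# Reads the inventory on stdin and writes an nsupdate batch on stdout.
# For every container with a global IPv6 address the stale AAAA record is
# deleted and the current address added; containers with no IPv6 or a
# non-IPv6 value are skipped so a bad line cannot poison the zone.
# A short TTL keeps OPNsense host aliases that resolve these names fresh.
build_update() {
    server=$1
    zone=$2
    ttl=${3:-300}
    tab=$(printf '\t')

    echo "server $server"
    echo "zone $zone"
    while IFS="$tab" read -r name addr; do
        name=${name#/}                 # drop docker's leading slash
        if [ -z "$addr" ]; then
            continue                   # no global IPv6 on this container
        fi
        case "$addr" in
            *:*) ;;                    # looks like an IPv6 literal
            *)   continue ;;           # anything else is ignored
        esac
        echo "update delete $name.$zone. AAAA"
        echo "update add $name.$zone. $ttl AAAA $addr"
    done
    echo "send"
}

# Usage on the docker host (key file name is a placeholder):
#   docker ps -q | xargs docker inspect --format '{{.Name}}	{{.NetworkSettings.GlobalIPv6Address}}' \
#     | build_update ns.example.test containers.example.test 300 \
#     | nsupdate -k Kcontainers.example.test.+157+00000.private
# With the sample inventory:
#   sample_inventory | build_update ns.example.test containers.example.test
```

The resulting names can then be used on the OPNsense side through a host alias containing the DNS names, which the firewall re-resolves periodically, so the rules follow address changes without editing them per container; how quickly they follow depends on the alias refresh interval and the TTL above.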