OPNsense Forum

English Forums => General Discussion => Topic started by: lxsq on March 24, 2020, 09:16:23 am

Title: [Solved] How to Set Firewall Rules Matching IPv6 Addresses
Post by: lxsq on March 24, 2020, 09:16:23 am
Hi,
I'm trying to allow TCP/UDP requests from IPv6 WAN, but the maximum prefix is 32 :'(. And I'm not able to use formats like ::xxxx/64 or ::xxxx/::ffff; it results in "The following input errors were detected: ::xxxx/64 is not a valid destination IP address or alias." Any ways to solve this? Thanks for any kind of help.
Title: Re: How to Set Firewall Rules Matching IPv6 Addresses
Post by: Tupsi on March 24, 2020, 09:46:55 am
I stumbled over that myself, it seems to be a feature, but then I first thought it to be a bug, so it might be a typical way of interpretation.

The dropdown adds the masks above 32 the moment you leave the ip address for the first time AND when you have entered a valid v6 address.

Although that might be a recent change in 20.1.3. Up until 20.1.2 I thought I brute forced the showing up of numbers 32+ by appending the mask directly in the ip address field like /64 and hitting save. This produces an error first, but then I was always able to select numbers above 32 in the dropdown. Of course you have to delete the /64 in the address field itself to be able to save it, but that always worked for me.

Give it a try.

Edit: If you meant a way to put the SLAAC (static) part of dynamic addresses in there, then sorry, as I haven't figured out how to do that myself yet. Still new to OPNsense.
Title: Re: How to Set Firewall Rules Matching IPv6 Addresses
Post by: Maurice on March 24, 2020, 12:59:34 pm
Prefix lengths beyond /32 become available in the drop down when you enter a valid IPv6 address. This is by design and true for most parts of the OPNsense UI (not just firewall rules).

If you're trying to wildcard the prefix: That's not currently supported. Firewall rules matching individual internal hosts / subnets are only possible with a static prefix.

Cheers

Maurice
Title: Re: How to Set Firewall Rules Matching IPv6 Addresses
Post by: lxsq on March 24, 2020, 02:43:20 pm
I stumbled over that myself, it seems to be a feature, but then I first thought it to be a bug, so it might be a typical way of interpretation.

The dropdown adds the masks above 32 the moment you leave the ip address for the first time AND when you have entered a valid v6 address.

Although that might be a recent change in 20.1.3. Up until 20.1.2 I thought I brute forced the showing up of numbers 32+ by appending the mask directly in the ip address field like /64 and hitting save. This produces an error first, but then I was always able to select numbers above 32 in the dropdown. Of course you have to delete the /64 in the address field itself to be able to save it, but that always worked for me.

Give it a try.

Edit: If you meant a way to put the SLAAC (static) part of dynamic addresses in there, then sorry, as I haven't figured out how to do that myself yet. Still new to OPNsense.

It works exactly as you say on OPNsense 20.1.3-amd64 👍. Thanks a lot :)
Title: Re: How to Set Firewall Rules Matching IPv6 Addresses
Post by: lxsq on March 24, 2020, 04:08:30 pm
Prefix lengths beyond /32 become available in the drop down when you enter a valid IPv6 address. This is by design and true for most parts of the OPNsense UI (not just firewall rules).

If you're trying to wildcard the prefix: That's not currently supported. Firewall rules matching individual internal hosts / subnets are only possible with a static prefix.

Cheers

Maurice
Got it :), thanks a lot for replying.
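
The difference between a static-prefix rule and the ::xxxx/::ffff style of match asked about in the first post, as an added example that is not part of any post in this thread and is not OPNsense code. The prefixes, the interface identifier and the 64-bit mask are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (2001:db8::/32 is the documentation range).
OLD_PREFIX = "2001:db8:aaaa:1::/64"   # prefix before the ISP renumbers
NEW_PREFIX = "2001:db8:bbbb:1::/64"   # prefix after renumbering
HOST_IID = "::211:22ff:fe33:4455"     # host's stable interface identifier
IID_MASK = "::ffff:ffff:ffff:ffff"    # assumed mask: low 64 bits only


def host_address(prefix: str, iid: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(
        int(net.network_address) | int(ipaddress.IPv6Address(iid)))


def static_rule_matches(addr, rule: str) -> bool:
    """Prefix-length match: the leading bits must equal the rule's network."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(rule)


def masked_rule_matches(addr, pattern: str, mask: str) -> bool:
    """Bitmask match: compare only the bits that are set in the mask."""
    a, p, m = (int(ipaddress.IPv6Address(x)) for x in (addr, pattern, mask))
    return (a & m) == (p & m)


def compare_rules() -> dict:
    """Evaluate both rule styles against the host before and after renumbering."""
    before = host_address(OLD_PREFIX, HOST_IID)
    after = host_address(NEW_PREFIX, HOST_IID)
    static_rule = f"{before}/128"  # what a static-prefix host rule pins down
    return {
        "static_before": static_rule_matches(before, static_rule),
        "static_after": static_rule_matches(after, static_rule),
        "masked_before": masked_rule_matches(before, HOST_IID, IID_MASK),
        "masked_after": masked_rule_matches(after, HOST_IID, IID_MASK),
        # A suffix-only match ignores the prefix entirely, so the same
        # interface identifier under any other /64 matches as well.
        "masked_other_prefix": masked_rule_matches(
            host_address("2001:db8:ffff:9::/64", HOST_IID), HOST_IID, IID_MASK),
    }


if __name__ == "__main__":
    for name, result in compare_rules().items():
        print(f"{name}: {result}")
```

The static rule stops matching once the prefix changes, which is why such a rule needs a static prefix; the masked form keeps matching but is no longer tied to your own network's prefix.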