IPv6 Track Interface with preferred interface suffix?

Started by FF2PacketPusher, October 22, 2021, 09:45:59 PM

First post here, so hello everyone! I'm a recent convert from OpenWRT, tried pfSense but I feel it didn't really live up to the hype and the UI is atrocious...  Decided to install OPNSense and I've loved it so far!!

In OpenWRT I was able to assign the interface identifier of a delegated IPv6 prefix to a LAN interface. I'm trying to end up with assigning my firewall an IP of ::1 out of my delegated (tracked) prefix for each LAN interface, but still have the prefix update if the delegated prefix changes from my upstream ISP. Is this possible with OPNSense?

Thanks!
Richard

I don't think so. There is a whole set of feature requests about static suffixes with dynamic prefixes, firewall rules with dynamic prefixes and NPT with dynamic prefixes, but none of that yet exists.

I'd recommend using static ULA addresses or link-local addresses via alias or CARP, if that is possible in your case.

My experience has been that the "happy eyeballs" implementation of Apple devices ignores IPv6 when only ULA prefixes are present. This might have changed; I have not looked into this issue any further.

If it's a simple home/small office LAN you can of course borrow a global unicast /64, from someone who has got e.g. a /56 or /48 assignment. If you NAT that for outgoing traffic, nothing bad is going to happen. Don't pick a global unicast /64 at random, though. You might blackhole $something for you just by accident.

Kind regards
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
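As an added illustration, not code from the thread or from OPNsense itself, here is the addressing the first post describes: a fixed ::1 interface identifier composed onto whatever prefix is currently delegated, so the address follows a prefix change, plus the ULA/GUA classification behind the warning above about picking a /64 at random. The delegated prefix, subnet numbers and borrowed prefixes are constructed sample values from the RFC 3849 documentation range.

```python
import ipaddress

# Constructed sample: the /56 an ISP might delegate today (RFC 3849 documentation space).
DELEGATED_PREFIX = "2001:db8:abcd::/56"
LAN_SUBNETS = {"lan": 1, "guest": 2, "iot": 3}   # per-LAN subnet IDs inside the /56
ROUTER_SUFFIX = "::1"                             # the static interface identifier wanted

def compose_tracked_address(delegated_prefix: str, subnet_id: int, suffix: str) -> ipaddress.IPv6Interface:
    """Build <delegated prefix>:<subnet id>::<suffix>/64 from the prefix currently delegated."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} leaves no room for a /64 LAN prefix")
    subnet_bits = 64 - pd.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet id {subnet_id} does not fit in {subnet_bits} subnet bits of {pd}")
    iid = int(ipaddress.IPv6Address(suffix))      # "::1" -> 1
    if iid >> 64:
        raise ValueError(f"suffix {suffix} is wider than a 64-bit interface identifier")
    lan_prefix = int(pd.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(lan_prefix | iid)}/64")

def router_addresses(delegated_prefix: str) -> dict:
    """Recompute every LAN's router address; call again whenever the delegation changes."""
    return {name: str(compose_tracked_address(delegated_prefix, sid, ROUTER_SUFFIX))
            for name, sid in LAN_SUBNETS.items()}

def classify_prefix(prefix: str) -> str:
    """ULA (fc00::/7) is safe to use privately; a GUA must be one you actually hold."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(ipaddress.IPv6Network("fc00::/7")):
        return "ULA"
    if net.subnet_of(ipaddress.IPv6Network("2000::/3")):
        return "GUA"
    return "other"

if __name__ == "__main__":
    for pd in (DELEGATED_PREFIX, "2001:db8:ffff::/56"):   # second value: a renumbered delegation
        print(pd, router_addresses(pd))
    for candidate in ("fd12:3456:789a::/48", "2001:db8:1234::/48"):
        print(candidate, classify_prefix(candidate))
```

Running it shows the suffix staying at ::1 on each LAN while the prefix part follows the delegation, which is exactly the behaviour the thread says OPNsense does not yet offer for static suffixes.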

I like the idea of using a GUA-based range for my home network and doing NAT on it. One of my cloud providers hands out a routable /48 with every VPS, so I could easily use one of those and as long as I don't use it in the cloud, I'd never blackhole myself. I was thinking of even doing a P2P Wireguard tunnel and just using that entirely for my IPv6 and not using my PD from Comcast at all. Or setting up an HE.net IPv6 tunnel.

Sounds like it's decision time. lol

Thank you both pmhausen and bimbar for the suggestions.