Firewall Rule to Match /64 Routed Subnet With Dynamic Prefix

Started by Monstieur, August 13, 2023, 03:11:05 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 13, 2023, 03:11:05 AM Last Edit: August 13, 2023, 06:09:32 AM by Monstieur
OPNsense gets a /60 dynamic prefix from the ISP and delegates a /61 to a downstream L3 switch. Appropriate routes are created for the /61. The switch uses one /64 subnet per VLAN from the /61. How do I create a LAN interface firewall rule that matches an entire /64 source subnet with a dynamic prefix?

I want to create separate rules for each source subnet below.
::0:0:0:0:0/64
to
::7:0:0:0:0/64

The rule should ignore the last 64 bits, and merge the first 64 bits with the /60 dynamic prefix to match the specified subnet.
August 13, 2023, 01:23:45 PM #1
Unfortunately you can't. Firewall aliases for dynamic IPv6 have been debated in depth years ago. As far as I remember, it was decided to implement the (then new) "Dynamic IPv6 Host" alias type first and then maybe later add an alias type for dynamic IPv6 subnets. As far as I'm aware, this hasn't happened yet.

Cheers
Maurice

https://github.com/opnsense/core/issues/2544
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
Print
Go Up Pages1
User actions