Firewall IPv6 with dynamic Prefix? ::1000 work?

Started by Bytechanger, May 05, 2020, 10:10:00 AM

Hi,

I want to set some client rules in the firewall.
On IPv4 no problem, but what about IPv6?
In the past it worked only with a static prefix.

Does the firewall now accept rules for e.g. :8000::1000 (i.e. for subnet 8000 and IP ::1000)?
I've set up DHCPv6 with some subnets, :8000, :8001, :8002, and tried to set static mappings with a variable prefix.

Greets

Byte



No, that hasn't changed yet. Firewall rules don't support dynamic prefixes. You will find many discussions about this here and on GitHub.

DHCPv6 static mappings do work with dynamic prefixes, but Unbound integration is broken.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Hi,

that's too bad.
It makes switching to IPv6 very difficult.

What do you mean by "Unbound integration is broken"?

Greets

Byte

The "Register DHCP static mappings" feature in the Unbound settings doesn't work if you only specify the interface identifier in a DHCPv6 static mapping (like ::1000). DNS resolution of such hostnames won't work: https://github.com/opnsense/core/issues/3657

Your options are to get a (semi-)static prefix, get involved in OPNsense development or switch to a firewall with better support for dynamic prefixes. There are a few commercial ones, but I'm not aware of an open source one. It is like it is...

Cheers

Maurice

Hello!

I'm looking for the same thing and DDG pointed me to this thread. This is very sad indeed, I knew OPNsense doesn't support NPTv6 with a dynamic prefix, but didn't know the firewall also didn't work.

OpenWRT supports IPv6 dynamic prefixes, but doesn't support NPTv6.

It's very frustrating how IPv6 isn't fully supported on any router OS yet :/

Well, at least the DHCPv6 static mappings situation has recently improved. They are now correctly registered in Unbound. Depending on your use case, you might be able to use host name aliases in firewall rules.
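As an added illustration of what this thread is about (example code written for this page, not OPNsense code and not from any poster): the script below uses Python's ipaddress module to show why a rule written with a full IPv6 address stops matching once the ISP rotates the delegated prefix, what a rule on the interface identifier only (the ":8000::1000" style asked about above) would look like, and how a host name alias refreshed from the DHCPv6 static mappings keeps matching. The prefixes (2001:db8:aa::/48 and 2001:db8:bb::/48), the prefix ID 0x8000 and the host names pc1.lan / nas.lan are constructed values for the demo, not taken from the thread.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not real allocations).
PREFIX_DAY1 = "2001:db8:aa::/48"   # prefix the ISP delegated at first
PREFIX_DAY2 = "2001:db8:bb::/48"   # prefix after the ISP rotated it
PREFIX_ID = 0x8000                 # prefix ID of the LAN subnet, giving the ':8000' from the question
# DHCPv6 static mappings that carry only the interface identifier (lower 64 bits).
STATIC_MAPPINGS = {"pc1.lan": "::1000", "nas.lan": "::2000"}

IID_MASK = (1 << 64) - 1


def build_subnet(delegated_prefix: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 with the given prefix ID out of a delegated prefix."""
    pd = ipaddress.IPv6Network(delegated_prefix)
    subnet_bits = 64 - pd.prefixlen
    if subnet_bits < 0 or prefix_id >= (1 << subnet_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit into {pd}")
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def full_address(subnet: ipaddress.IPv6Network, interface_id: str) -> ipaddress.IPv6Address:
    """Join a /64 with an interface-identifier-only mapping such as '::1000'."""
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid & ~IID_MASK:
        raise ValueError(f"{interface_id} is not a bare interface identifier")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def match_full_address(rule_address: str, src: ipaddress.IPv6Address) -> bool:
    """Rule with a literal address: the only form that works with a static prefix."""
    return ipaddress.IPv6Address(rule_address) == src


def match_interface_id(rule_iid: str, src: ipaddress.IPv6Address) -> bool:
    """Rule on the interface identifier only: what the question asks for."""
    return int(src) & IID_MASK == int(ipaddress.IPv6Address(rule_iid)) & IID_MASK


def dhcp_host_table(delegated_prefix: str, prefix_id: int) -> dict:
    """Host name -> address under the current prefix, i.e. what a DNS-registered
    static mapping resolves to and what a host name alias is refreshed from."""
    subnet = build_subnet(delegated_prefix, prefix_id)
    return {name: full_address(subnet, iid) for name, iid in STATIC_MAPPINGS.items()}


def match_hostname_alias(hostname: str, src, delegated_prefix: str, prefix_id: int) -> bool:
    """Rule that references a host name alias re-resolved against the current prefix."""
    return dhcp_host_table(delegated_prefix, prefix_id).get(hostname) == src


def demo() -> dict:
    host_day1 = full_address(build_subnet(PREFIX_DAY1, PREFIX_ID), "::1000")
    host_day2 = full_address(build_subnet(PREFIX_DAY2, PREFIX_ID), "::1000")
    literal_rule = str(host_day1)   # rule written down while the day-1 prefix was active
    return {
        "host_day1": str(host_day1),
        "host_day2": str(host_day2),
        "literal_rule_day1": match_full_address(literal_rule, host_day1),
        "literal_rule_day2": match_full_address(literal_rule, host_day2),   # breaks after rotation
        "iid_rule_day2": match_interface_id("::1000", host_day2),           # suffix match survives
        "alias_rule_day2": match_hostname_alias("pc1.lan", host_day2, PREFIX_DAY2, PREFIX_ID),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The literal rule is the only one of the three that the thread says works in the firewall today; the interface-identifier match is the behaviour being asked for, and the alias lookup mirrors the host name alias workaround mentioned in the last reply, which only helps once the static mappings are actually registered in DNS.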