[Solved]How to Set Firewall Rules Matching IPv6 Addresses

Started by lxsq, March 24, 2020, 09:16:23 AM

Hi,
I'm trying to allow TCP/UDP requests from IPv6 WAN, but the maximum prefix is 32 :'(. And I'm not able to use formats like ::xxxx/64 nor ::xxxx/::ffff; it results in "The following input errors were detected: ::xxxx/64 is not a valid destination IP address or alias." Any ways to solve this? Thanks for any kind of help.

March 24, 2020, 09:46:55 AM #1 Last Edit: March 24, 2020, 09:48:56 AM by Tupsi
I stumbled over that myself, it seems to be a feature, but then I first thought it to be a bug, so it might be a typical way of interpretation.

The dropdown adds the masks above 32 the moment you leave the ip address for the first time AND when you have entered a valid v6 address.

Although that might be a recent change in 20.1.3. Up until 20.1.2 I thought I brute forced the showing up of numbers 32+ by appending the mask directly in the IP address field like /64 and hitting save. This produces an error first, but then I was always able to select numbers above 32 in the dropdown. Of course you have to delete the /64 in the address field itself to be able to save it, but that always worked for me.

Give it a try.

Edit: If you meant a way to put the SLAAC (static) part of dynamic addresses in there, then sorry, as I haven't figured out how to do that myself yet. Still new to OPNsense.

Prefix lengths beyond /32 become available in the drop-down when you enter a valid IPv6 address. This is by design and true for most parts of the OPNsense UI (not just firewall rules).

If you're trying to wildcard the prefix: That's not currently supported. Firewall rules matching individual internal hosts / subnets are only possible with a static prefix.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
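To make the two points above concrete (the prefix-length range depends on the address family, and only a contiguous prefix can be matched, not a suffix or wildcarded host part), here is a small added example that mimics that validation. It is not OPNsense's own code; the helper names and the 2001:db8:: sample addresses are constructed for illustration.

```python
import ipaddress

# Hypothetical stand-in for a firewall-rule destination validator (not OPNsense's).
# Address family decides the prefix range: 0-32 for IPv4, 0-128 for IPv6.

def max_prefix(addr):
    return 128 if addr.version == 6 else 32

def mask_to_prefix(mask_str, version):
    """Accept a netmask written as an address only if it is contiguous (leading ones)."""
    mask = ipaddress.ip_address(mask_str)
    if mask.version != version:
        raise ValueError("mask family does not match address family")
    bits = max_prefix(mask)
    m = int(mask)
    ones = bin(m).count("1")
    # A prefix mask has exactly its top `ones` bits set; anything else (e.g. ::ffff)
    # would match on the host/suffix part, which a packet filter rule cannot express.
    if m != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError(f"{mask_str} is not a contiguous prefix mask")
    return ones

def parse_rule_target(text):
    """Return the ip_network a rule would match, or raise ValueError with a form-style message."""
    host, mask = text.split("/", 1) if "/" in text else (text, None)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"{text} is not a valid destination IP address or alias")
    limit = max_prefix(addr)
    if mask is None:
        plen = limit                      # single host
    elif mask.isdigit():
        plen = int(mask)
        if not 0 <= plen <= limit:
            raise ValueError(f"/{plen} exceeds /{limit} for an IPv{addr.version} address")
    else:
        plen = mask_to_prefix(mask, addr.version)
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def is_valid_target(text):
    try:
        parse_rule_target(text)
        return True
    except ValueError:
        return False

def prefix_choices(host):
    """Prefix lengths a form should offer once the address family is known."""
    return list(range(0, max_prefix(ipaddress.ip_address(host)) + 1))
```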

Quote from: Tupsi on March 24, 2020, 09:46:55 AM
I stumbled over that myself, it seems to be a feature, but then I first thought it to be a bug, so it might be a typical way of interpretation.

The dropdown adds the masks above 32 the moment you leave the ip address for the first time AND when you have entered a valid v6 address.

Although that might be a recent change in 20.1.3. Up until 20.1.2 I thought I brute forced the showing up of numbers 32+ by appending the mask directly in the IP address field like /64 and hitting save. This produces an error first, but then I was always able to select numbers above 32 in the dropdown. Of course you have to delete the /64 in the address field itself to be able to save it, but that always worked for me.

Give it a try.

Edit: If you meant a way to put the SLAAC (static) part of dynamic addresses in there, then sorry, as I haven't figured out how to do that myself yet. Still new to OPNsense.

It works exactly as you say on OPNsense 20.1.3-amd64 👍. Thanks a lot :)

Quote from: Maurice on March 24, 2020, 12:59:34 PM
Prefix lengths beyond /32 become available in the drop-down when you enter a valid IPv6 address. This is by design and true for most parts of the OPNsense UI (not just firewall rules).

If you're trying to wildcard the prefix: That's not currently supported. Firewall rules matching individual internal hosts / subnets are only possible with a static prefix.

Cheers

Maurice
Got it :), thanks a lot for replying.