Support for dynamic IPv6 prefixes in firewall rules?

[134]

Most ISPs delegate new IPv6 prefixes to router (and subsequently to all clients that track interface) upon reconnection, this creates problem that firewall rules with existing prefixes become useless once new prefixes are pushed.

This is also a much desired feature in pfSense for years, but it seems they are targeting 2.6.0:

https://redmine.pfsense.org/issues/6626

For me this is the only feature currently preventing me from deploying full dual-stack for all internal hosts. Does OPNsense plan to implement similar feature that allows users to input only 64bit suffix of the hosts in rules and forget about the prefix? Hopefully the answer is yes because i don't want to go back to pfsense  .

Thank you!

[Maurice]

Yes, this has been a frequently requested feature for many years. Franco recently stated that they are now looking into it:

https://github.com/opnsense/core/issues/2544#issuecomment-817103706

This is not easy because pf doesn't support dynamic prefixes. The solution might be "tracking aliases". We'll see. When you read the comments over there you'll find that Martin is already working on patches for the DHCPv6 client. So absolutely no promises, but it seems we can now see light at the end of the tunnel.

Cheers

Maurice

[marjohn56]

@134 - As Maurice said we are looking at tracking aliases which should work with statically assigned devices on the LAN. However at the moment I'm looking at an issue with dhcp6c client where I think it's not correctly updating the addresses and prefixes on the LAN side when the prefix changes. I need full dhcp6 logs though, if your prepared to share your logs with me that would be really useful. PM them to if you wish to keep them private. Firstly you'll need to go to Interfaces->Settings and set dhcp6c logging to debug and then reboot. I don't know how often your ISP changes your prefix, but a couple of cycles worth of system logs would be useful. To anyone else reading this I'm really looking for the debug info from dhcp6c when the prefix changes, does the address on your WAN and the LAN change correctly too? My initial debugging seems to suggest that dhcp6c is ( or was ) not removing the existing prefix(es) from the interfaces and in some cases is adding the new prefix on top. If we can get some concise answers to exactly what's going on with dhcp6c  then it will be more likely that when we start work on the prefix aliases it will work properly.

[franco]

More discussion here: https://github.com/opnsense/core/issues/2544

The pfSense patch in question https://github.com/pfsense/pfsense/commit/7c4b3d3c is pretty naive assuming that it took that long for someone to fix something that "simple". Maybe it's not simple and this will raise complains pretty soo after being in production. Just my thoughts on this particular route...


Cheers,
Franco

[134]

@134 - As Maurice said we are looking at tracking aliases which should work with statically assigned devices on the LAN. However at the moment I'm looking at an issue with dhcp6c client where I think it's not correctly updating the addresses and prefixes on the LAN side when the prefix changes. I need full dhcp6 logs though, if your prepared to share your logs with me that would be really useful. PM them to if you wish to keep them private. Firstly you'll need to go to Interfaces->Settings and set dhcp6c logging to debug and then reboot. I don't know how often your ISP changes your prefix, but a couple of cycles worth of system logs would be useful. To anyone else reading this I'm really looking for the debug info from dhcp6c when the prefix changes, does the address on your WAN and the LAN change correctly too? My initial debugging seems to suggest that dhcp6c is ( or was ) not removing the existing prefix(es) from the interfaces and in some cases is adding the new prefix on top. If we can get some concise answers to exactly what's going on with dhcp6c  then it will be more likely that when we start work on the prefix aliases it will work properly.

Not sure if this is what you're looking for but I tried rebooting Opnsense twice to get some logs. If i remember correctly my prefix never change unless i reboot router or ISP provided modem (which is in bridge mode). I will pay more attention to the logs in future:

https://pastebin.com/Wtk6Pife

https://pastebin.com/HMMw7cRR

[marjohn56]

@134 - Thanks for that. Nice lease time your ISP gives you... 10 minutes!


The other things to make note of is the addresses on the interfaces, check Interfaces->Overview and see if the new addresses have been applied correctly and whether the old address has been removed. I have a feeling that this might be the cause of some of our problems. Your issue with statics is as has been said more complex, but we're looking at that with renewed vigour; I tend to aggress with @franco though, the pfS patch whilst looking simple is not so straight forward.

[bimbar]

Discussion seems to have moved to documentation first: https://github.com/opnsense/docs/pull/330