
Author Topic: IPv6 hosting website  (Read 561 times)


Offline bigtfromaz

Re: IPv6 hosting website
« Reply #15 on: November 19, 2017, 02:56:52 pm »
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

It would be a nice feature though wouldn't it?

Offline bimmerdriver

Re: IPv6 hosting website
« Reply #16 on: November 19, 2017, 04:02:08 pm »
Quote
IPv6 has something called "privacy addresses", which change regularly.

I saw those and disabled them, :)

Why disable privacy addresses?

Offline bimmerdriver

Re: IPv6 hosting website
« Reply #17 on: November 19, 2017, 04:04:15 pm »
Quote
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

It would be a nice feature though wouldn't it?

This feature has been requested numerous times.

Offline JKnott

Re: IPv6 hosting website
« Reply #18 on: November 19, 2017, 04:04:46 pm »
Quote
Why disable privacy addresses?

No need for them on a server, where you'd normally use the MAC-based address.  However, I also don't see the need to delete them.  They're not hurting anything.

Offline bigtfromaz

Re: IPv6 hosting website
« Reply #19 on: November 19, 2017, 06:45:38 pm »
OK.  If the feature has been requested numerous times, can anyone tell me if there are facilities for managing the firewall from a script?  If so, I guess I would need documentation.  This would appear to be a simple matter of detecting a change to the prefix from a given interface, then changing and applying rules having the old prefix to refer to the new prefix.  It is not a fix, but a workaround.

For now I am going to turn IPv6 off on my WAN interface and set up an opt/gif tunnel using Hurricane Electric.  I have one running in a sandbox and I must be really close to the Phoenix entry point.  It seems to be adding only about 10 ms to my ping times.  It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

Quote
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

It would be a nice feature though wouldn't it?

This feature has been requested numerous times.


Offline virgiliomi

Re: IPv6 hosting website
« Reply #20 on: November 19, 2017, 07:48:13 pm »
Quote
I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

Funny you mention this... I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address
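
The workaround discussed in replies #19 and #20 (keep the host part of a rule's destination, swap in the new delegated prefix), sketched as an added example that is not from any poster in this thread and does not use any pfSense API. It assumes the server uses a MAC-derived (modified EUI-64) address and that the delegation size stays the same; the rule dictionaries, prefixes and MAC are constructed, hypothetical sample data.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # invert the universal/local bit
    return int.from_bytes(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")

def rebase(addr, old_pd, new_pd):
    """Return addr moved from old_pd to new_pd, or None if addr is not inside old_pd.
    Everything below the delegated prefix (subnet ID + interface ID) is kept."""
    old, new = ipaddress.IPv6Network(old_pd), ipaddress.IPv6Network(new_pd)
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegation size changed; subnet IDs cannot be carried over")
    ip = ipaddress.IPv6Address(addr)
    if ip not in old:
        return None  # e.g. a tunnel or static address: leave that rule alone
    kept = int(ip) & int(old.hostmask)
    return str(ipaddress.IPv6Address(int(new.network_address) | kept))

def update_rules(rules, old_pd, new_pd):
    """Copy the rule list, rewriting destinations that sit inside the old delegation."""
    updated, changed = [], 0
    for rule in rules:
        moved = rebase(rule["dst"], old_pd, new_pd)
        if moved is not None and moved != rule["dst"]:
            rule = {**rule, "dst": moved}  # new dict, the input list is not modified
            changed += 1
        updated.append(rule)
    return updated, changed

# Constructed sample data (documentation prefix 2001:db8::/32, made-up MAC 00:11:22:33:44:55).
OLD_PD, NEW_PD = "2001:db8:aa00::/56", "2001:db8:bb00::/56"
RULES = [
    {"descr": "web server", "dst": "2001:db8:aa00:1:211:22ff:fe33:4455", "port": 443},
    {"descr": "tunnel host", "dst": "2001:db8:ffff::10", "port": 22},
]

if __name__ == "__main__":
    new_rules, count = update_rules(RULES, OLD_PD, NEW_PD)
    print(count, "rule(s) rewritten")
    for r in new_rules:
        print(r["descr"], r["dst"], r["port"])
```

Until such a rewrite is applied after a prefix change, a pass rule keyed to the old prefix no longer matches the server's new address, so the rule set should be checked whenever the delegation changes.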

Offline bimmerdriver

Re: IPv6 hosting website
« Reply #21 on: November 19, 2017, 10:32:03 pm »
Quote
It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.