Hello, I've got a problem properly building an IPv6 address in pf.conf in order to have the proper protection... I may be tired and I probably missed something... but I'm now beginning to go round and round... and round...
The constraint is that the IPv6 prefix (a /56) given by the ISP to its router is dynamic: it changes each time there's a router reboot/restart/update, thus without notice. Yes... it seems that this is a bizness model... :-/

I can get the renewed prefix easily using "(interface)/64" in pf.conf to circumvent the problem. But if I want to designate a computer on the LAN for which I know the EUI64 suffix or a semi-dynamic assignment used by DHCPv6: I'm stuck!

I was not able to guess how to do something like this:

    HOST1_SFX="wwww:xxxx:yyyy:zzzz"
    HOST2_SFX="wwww:xxxx:yyyy:zzzz"

    match in on $LAN_IF inet6 from ! ($LAN_IF)/64 to ($LAN_IF)/64:$HOST1_SFX tag LAN_INCOMING
    match in on $LAN_IF inet6 from ! ($LAN_IF)/64 to ($LAN_IF)/64:$HOST2_SFX tag LAN_PRIVATE

    pass in tagged LAN_INCOMING
    block in tagged LAN_PRIVATE
    (etc)

And I'm still not considering the use of subnet delegation: this function is not available even with a /56... My ISP seems to love to shovel dung on its own fans.

Any ideas? Thanks!

Eric.
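
The address that `($LAN_IF)/64:$HOST1_SFX` is meant to designate, computed outside pf as an added example (not part of the original message, and not pf.conf syntax): the current /64 is taken from the interface's addresses and joined with each fixed 64-bit suffix. The table name `lan_incoming`, the function names and the sample addresses are constructed for illustration, and the example assumes a pf table of that name is declared in pf.conf.

```python
import ipaddress
import string

HEX = set(string.hexdigits)


def parse_suffix(suffix):
    """Return the 64-bit interface identifier given as four hextets (w:x:y:z)."""
    parts = suffix.split(":")
    if len(parts) != 4:
        raise ValueError(f"suffix must be exactly four hextets: {suffix!r}")
    value = 0
    for part in parts:
        if not 1 <= len(part) <= 4 or not set(part) <= HEX:
            raise ValueError(f"bad hextet {part!r} in suffix {suffix!r}")
        value = (value << 16) | int(part, 16)
    return value


def current_prefix(interface_addrs):
    """Return the /64 of the first non-link-local address on the interface."""
    for text in interface_addrs:
        iface = ipaddress.IPv6Interface(text)
        if iface.ip.is_link_local or iface.ip.is_loopback:
            continue  # fe80::/10 never carries the ISP prefix
        return ipaddress.IPv6Network((int(iface.ip) >> 64 << 64, 64))
    raise LookupError("no routable IPv6 address on the interface yet")


def host_addresses(interface_addrs, suffixes):
    """Join the current /64 with each fixed suffix; returns {name: address}."""
    base = int(current_prefix(interface_addrs).network_address)
    return {name: str(ipaddress.IPv6Address(base | parse_suffix(sfx)))
            for name, sfx in suffixes.items()}


def pfctl_replace(table, addresses):
    """Command line that swaps the table contents without reloading pf.conf."""
    return ["pfctl", "-t", table, "-T", "replace", *sorted(addresses)]


if __name__ == "__main__":
    # Constructed sample data: documentation prefix, made-up EUI-64 suffixes.
    suffixes = {"host1": "021a:2bff:fe3c:4d5e", "host2": "0000:0000:0000:0100"}
    lan_addrs = ["fe80::1/64", "2001:db8:ab12:3401::1/64"]
    hosts = host_addresses(lan_addrs, suffixes)
    print(hosts)
    print(" ".join(pfctl_replace("lan_incoming", [hosts["host1"]])))
```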