by MaKey 76 days ago
> And, if I had bothered configuring IPv6 firewall rules, those would have had to be reconfigured manually with the new prefix. I understand this is mostly fixed in pfSense recently, but this was the case for many, many years.

Why would you have to reconfigure your firewall rules when you're getting a new IPv6 prefix?


> Why would you have to reconfigure your firewall rules when you're getting a new IPv6 prefix?

Because the IP address of the target changes when you get a new prefix.

There's some discussion in this[1] old pfSense ticket.

With IPv4 you typically do address translation (NAT) and so the internal target address is not tied to the global address.

[1]: https://redmine.pfsense.org/issues/6626

My consumer router uses iptables under the hood, so it accepts a mask in the firewall rule (so e.g. I can do ::0123:4567:89ab:cdef/::ff:ffff:ffff:ffff:ffff as a target, and when my /56 changes, the rules Just Work™).
It seems iptables has been ahead there.

But I think it further strengthens my case: software support for IPv6 has been quite spotty over the years, which, combined with the less-than-ideal deployments out there, has made things frustrating for many users over the past couple of decades.
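
The address/mask comparison discussed in the thread, modelled as an added example that is not part of any comment above: a rule that masks off the delegated /56 keeps matching the same host after renumbering, while a rule pinned to the full address does not. The prefixes are constructed from the 2001:db8::/32 documentation range, and `masked_match` and `host_under_prefix` are hypothetical helper names.

```python
import ipaddress

def masked_match(addr, target, mask):
    """True when addr and target agree on every bit set in mask.

    The mask is an arbitrary bit pattern written as an IPv6 address,
    so it can select the low bits instead of a leading prefix.
    """
    a = int(ipaddress.IPv6Address(addr))
    t = int(ipaddress.IPv6Address(target))
    m = int(ipaddress.IPv6Address(mask))
    return (a & m) == (t & m)

def host_under_prefix(prefix, suffix):
    """Combine a delegated prefix with a fixed subnet + interface suffix."""
    net = ipaddress.IPv6Network(prefix)
    s = int(ipaddress.IPv6Address(suffix))
    if s & int(net.netmask):
        raise ValueError("suffix overlaps the delegated prefix bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | s))

# Rule target and mask as written in the comment: the mask covers the
# low 72 bits, i.e. everything a /56 delegation leaves to the site.
SUFFIX = "::0123:4567:89ab:cdef"
SUFFIX_MASK = "::ff:ffff:ffff:ffff:ffff"
FULL_MASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"

# Constructed sample prefixes: before and after the ISP renumbers.
OLD_PREFIX = "2001:db8:aa00:1200::/56"
NEW_PREFIX = "2001:db8:bb00:3400::/56"

def demo():
    old = host_under_prefix(OLD_PREFIX, SUFFIX)
    new = host_under_prefix(NEW_PREFIX, SUFFIX)
    return {
        "old": old,
        "new": new,
        # Suffix-masked rule: unaffected by the prefix change.
        "suffix_rule_old": masked_match(old, SUFFIX, SUFFIX_MASK),
        "suffix_rule_new": masked_match(new, SUFFIX, SUFFIX_MASK),
        # Rule pinned to the old full address: stops matching.
        "full_rule_new": masked_match(new, old, FULL_MASK),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the mask includes the subnet byte, the same interface identifier on a different subnet of the /56 does not match the rule.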