Allow IPv6 subnet in firewall


Question

Posted

My ISP delegates a /56 IPv6 prefix, which is assigned to my Keenetic gateway and everything works fine.

I'd like to statically add a /64 subnet to another router connected to my LAN (or to some VMs behind a supervisor). I can easily achieve this configuration with a static route on the Keenetic.

However, I noticed that if the IPv6 firewall is enabled no communication is possible from the Internet. If the firewall is disabled, everything works, but I don't want to completely disable the firewall. Is there any way to allow traffic to a specific subnet?

Also, I'm running version 3.9 Beta 1 and I noticed that with the IPv6 firewall enabled hosts on the LAN do not reply to ICMPv6 echo requests (and possibly to ICMPv6 altogether), while the router still answers to pings to the IPv6 address on the Bridge0 interface. Is this an intended change? I'm pretty sure that ICMPv6 used to not be filtered by the firewall.

3 answers to this question

Posted

Yes, ICMPv6 ping forwarding rules were deleted. But there is a different solution...

We have implemented DHCPv6 prefix delegation since NDMS 4.x. You may try to configure your device using the following configuration:

ipv6 subnet Default
    bind Home
    mode slaac
    prefix length 63
    number 0
    prefix delegate 64
!

In this configuration we have a /63 network which consists of a /64 LAN and a delegation pool with one /64 network. No firewall rules need to be added, but your VM must support DHCPv6.

  • Thanks 1
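
The address plan described in the answer above, worked through as an added example (not part of the original posts and not Keenetic code). It generalizes to other prefix lengths and assumes that `number` indexes blocks inside the ISP prefix and that the first /64 of the block is the SLAAC LAN; the ISP prefix is a constructed documentation prefix.

```python
import ipaddress

def plan_subnet(isp_prefix, number, length, delegate_len):
    """Split one 'ipv6 subnet' block into its on-link /64 and delegation pool.

    Assumptions (not confirmed by the page): 'number' indexes the blocks of
    size 'length' inside the ISP prefix, the first /64 of the block is the
    SLAAC LAN, and every other prefix of size 'delegate_len' is delegable.
    """
    isp = ipaddress.IPv6Network(isp_prefix)
    if not (isp.prefixlen <= length <= 64) or not (length <= delegate_len <= 64):
        raise ValueError("need ISP prefix <= length <= delegate length <= 64")
    count = 1 << (length - isp.prefixlen)
    if not 0 <= number < count:
        raise ValueError(f"number must be 0..{count - 1}")
    base = int(isp.network_address) + (number << (128 - length))
    block = ipaddress.IPv6Network((base, length))
    lan = ipaddress.IPv6Network((base, 64))
    # Whatever does not overlap the LAN /64 is left for downstream routers.
    pool = [p for p in block.subnets(new_prefix=delegate_len)
            if not p.overlaps(lan)]
    return block, lan, pool

def classify(addr, lan, pool):
    """Say which part of the plan an address falls in (useful for log review)."""
    ip = ipaddress.IPv6Address(addr)
    if ip in lan:
        return "lan"
    return "delegated" if any(ip in p for p in pool) else "outside"

if __name__ == "__main__":
    # Constructed sample: a /56 from the documentation range 2001:db8::/32.
    block, lan, pool = plan_subnet("2001:db8:1200::/56", 0, 63, 64)
    print("block    :", block)
    print("LAN      :", lan)
    print("delegable:", ", ".join(map(str, pool)) or "(none)")
    print(classify("2001:db8:1200:1::10", lan, pool))
```

With `prefix length 64` the pool comes out empty, which is why the block has to be wider than the LAN for a downstream router to receive a prefix.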
Posted (edited)
  On 10/23/2022 at 4:01 PM, vst said:

Yes, ICMPv6 ping forwarding rules were deleted.

Isn't ICMPv6 necessary for IPv6 to work correctly?

  On 10/23/2022 at 4:01 PM, vst said:

We have implemented DHCPv6 prefix delegation since NDMS 4.x.

Oh wow, prefix delegation would be excellent! However, I can't seem to be able to use it in 3.9 Beta 1. When will it be publicly available?

Edited by fl4co
Posted
  On 10/23/2022 at 4:34 PM, fl4co said:

Isn't ICMPv6 necessary for IPv6 to work correctly?

ICMPv6 ping was only disabled. It doesn't seem to be necessary.

  On 10/23/2022 at 4:34 PM, fl4co said:

However, I can't seem to be able to use it in 3.9 Beta 1. When will it be publicly available?

We are preparing a new version, hopefully it will be released soon.

  • Thanks 1
  • Y'r wrong 1
