
Allow IPv6 subnet in firewall


fl4co

Question

My ISP delegates a /56 IPv6 prefix, which is assigned to my Keenetic gateway and everything works fine.

I'd like to statically add a /64 subnet to another router connected to my LAN (or to some VMs behind a supervisor). I can easily achieve this configuration with a static route on the Keenetic.

However, I noticed that if the IPv6 firewall is enabled no communication is possible from the Internet. If the firewall is disabled, everything works, but I don't want to completely disable the firewall. Is there any way to allow traffic to a specific subnet?

Also, I'm running version 3.9 Beta 1 and I noticed that with the IPv6 firewall enabled hosts on the LAN do not reply to ICMPv6 echo requests (and possibly to ICMPv6 altogether), while the router still answers to pings to the IPv6 address on the Bridge0 interface. Is this an intended change? I'm pretty sure that ICMPv6 used to not be filtered by the firewall.


3 answers to this question


Yes, ICMPv6 ping forwarding rules were deleted. But there is a different solution...

We have implemented DHCPv6 prefix delegation since NDMS 4.x. You may try to configure your device using the following configuration:

Quote

ipv6 subnet Default
    bind Home
    mode slaac
    prefix length 63
    number 0
    prefix delegate 64
!

In this configuration we have a /63 network which consists of a /64 LAN and a delegation pool with one /64 network. No firewall rules need to be added, but your VM must support DHCPv6.


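The address layout described in the answer above, worked through as an added example (not part of the original posts and not Keenetic's code). The ISP prefix `2001:db8:0:100::/56` is a constructed stand-in from the documentation range, and the meaning given to `number` and the ordering of LAN and pool are assumptions.

```python
import ipaddress

def carve(isp_prefix, prefix_length, number, delegate_length=64):
    """Return (block, lan, pool) for one 'ipv6 subnet' section.

    Assumed semantics (not confirmed by the page): 'number' picks the
    N-th block of 'prefix_length' bits inside the ISP prefix, the first
    /64 of that block is the SLAAC LAN, and the remaining
    'delegate_length' prefixes form the DHCPv6-PD pool.
    """
    isp = ipaddress.IPv6Network(isp_prefix)
    if not isp.prefixlen <= prefix_length <= delegate_length <= 64:
        raise ValueError("need ISP length <= prefix length <= delegate length <= 64")
    blocks = 2 ** (prefix_length - isp.prefixlen)
    if not 0 <= number < blocks:
        raise ValueError(f"number must be in 0..{blocks - 1}")
    # Step to the selected block by adding 'number' block-sized strides.
    base = int(isp.network_address) + (number << (128 - prefix_length))
    block = ipaddress.IPv6Network((base, prefix_length))
    pieces = list(block.subnets(new_prefix=delegate_length))
    lan = next(pieces[0].subnets(new_prefix=64))
    return block, lan, pieces[1:]

def placement(addr, lan, pool):
    """Say which part of the layout an address falls in."""
    ip = ipaddress.IPv6Address(addr)
    if ip in lan:
        return "lan"
    for net in pool:
        if ip in net:
            return f"delegated {net}"
    return "outside"

if __name__ == "__main__":
    # Values from the quoted configuration: prefix length 63, number 0,
    # prefix delegate 64, applied to the constructed /56.
    block, lan, pool = carve("2001:db8:0:100::/56", 63, 0, 64)
    print("block:", block)
    print("LAN:  ", lan)
    print("pool: ", [str(n) for n in pool])
    # A VM address inside the delegated /64 versus a statically routed
    # /64 elsewhere in the /56, as in the original question.
    print(placement("2001:db8:0:101::10", lan, pool))
    print(placement("2001:db8:0:1ff::10", lan, pool))
```
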
34 minutes ago, vst said:

Yes, ICMPv6 ping forwarding rules were deleted.

Isn't ICMPv6 necessary for IPv6 to work correctly?

 

34 minutes ago, vst said:

We have implemented DHCPv6 prefix delegation since NDMS 4.x.

Oh wow, prefix delegation would be excellent! However I can't seem to be able to use it in 3.9 Beta 1, when will it be publicly available?

3 hours ago, fl4co said:

Isn't ICMPv6 necessary for IPv6 to work correctly?

ICMPv6 ping was only disabled. It doesn't seem to be necessary.

3 hours ago, fl4co said:

However I can't seem to be able to use it in 3.9 Beta 1, when will it be publicly available?

We are preparing a new version, hopefully it will be released soon.
