Menu
What's new
By:
Filters Better Search

IPV6 Firewall with dynamic prefix

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

O

omrij

Occasional Visitor
Hi
What is the best way to use IPV6 firewall when IPV6 prefix is dynamic?
Can we add rule based on suffix? Based on host name? Based on Mac address?

Thanks in advance
 
ColinTaylor said:
I don't think this approach would work anymore, although it depends on the particular client. For example, since Windows 7 randomised identifiers are used by default instead of EUI-64. This was introduced as part of the privacy extension for SLAAC.
Click to expand...
At least the OP has a possible solution and can ultimately decide if it is feasible for his environment/privacy requirements.

NOTE: You can override Micro$oft's default behaviour...
Code: 
PS C:\Users\admin> Get-NetIPv6Protocol

DefaultHopLimit               : 128
NeighborCacheLimit(Entries)   : 256
RouteCacheLimit(Entries)      : 4096
ReassemblyLimit(Bytes)        : 66145536
IcmpRedirects                 : Enabled
SourceRoutingBehavior         : DontForward
DhcpMediaSense                : Enabled
MediaSenseEventLog            : Disabled
MldLevel                      : All
MldVersion                    : Version2
MulticastForwarding           : Disabled
GroupForwardedFragments       : Disabled
RandomizeIdentifiers          : Disabled      <<====== Overidden
AddressMaskReply              : Disabled
UseTemporaryAddresses         : Enabled
MaxTemporaryDadAttempts       : 3
MaxTemporaryValidLifetime     : 7.00:00:00
MaxTemporaryPreferredLifetime : 1.00:00:00
TemporaryRegenerateTime       : 00:00:05
MaxTemporaryDesyncTime        : 00:10:00
DeadGatewayDetection          : Enabled
 
Last edited:
Thanks for all the replies
As I mentioned, it's Linux based so it might work.

As I'm a newbie, and guidance how to achieve my goal (I understand that it's not via GUI) would be appreciated.
 
omrij said:
Thanks for all the replies
As I mentioned, it's Linux based so it might work.

As I'm a newbie, and guidance how to achieve my goal (I understand that it's not via GUI) would be appreciated.
Click to expand...
I'd guess it would depend on the particular Linux distro you're using in your Docker container. It may already be using EUI-64 addresses so check for that before wasting time trying to change something that doesn't need changing.
 
Depending on what you want your rule to do, you might consider combining ip6tables and ipset to get a MAC-based solution.
  1. Create an inet6 hash:ip ipset with a 1-day timeout.
  2. Create an ip6tables PREROUTING rule that matches a specified MAC address and add the local address to the ipset created above.
  3. Create your desired rule matching on the ipset which will be updated as new prefixes or SLAAC addresses come and go.
This might not work, but demonstrates the idea:
Code: 
ipset -! create myip6device hash:ip family inet6 timeout 86400
ip6tables -A PREROUTING -i br0 -m conntrack --ctstate NEW -m mac --mac-source aa:bb:cc:dd:ee:ff -j SET --add-set myip6device src --exist
ip6tables -A FORWARD -i eth0 -m set --match-set myip6device dst -J ACCEPT
 
Sorry for the confusion
The current situation is that the my ipv6 "suffix" is fixed and based on Mac address of the container (actually macvlan)
So I don't need this change (I believe)

What I need is a way to make a rule in firewall which will take into account the dynamic prefix and the fixed suffix.

And a little guidance how to enable it.
 
omrij said:
What I need is a way to make a rule in firewall which will take into account the dynamic prefix and the fixed suffix.
Click to expand...
Follow the rule example in the article linked by Martineau, specifying your fixed suffix ::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff as the template for the host portion of the address. Leave the ffff’s as they are.
 
dave14305 said:
Depending on what you want your rule to do, you might consider combining ip6tables and ipset to get a MAC-based solution.
  1. Create an inet6 hash:ip ipset with a 1-day timeout.
  2. Create an ip6tables PREROUTING rule that matches a specified MAC address and add the local address to the ipset created above.
  3. Create your desired rule matching on the ipset which will be updated as new prefixes or SLAAC addresses come and go.
This might not work, but demonstrates the idea:
Code: 
ipset -! create myip6device hash:ip family inet6 timeout 86400
ip6tables -A PREROUTING -i br0 -m conntrack --ctstate NEW -m mac --mac-source aa:bb:cc:dd:ee:ff -j SET --add-set myip6device src --exist
ip6tables -A FORWARD -i eth0 -m set --match-set myip6device dst -J ACCEPT
Click to expand...
Could a script be made that dynamically update the firewall rules as the ipv6 prefix changes? simply define the rules up under a chain, as the prefix changes an event based script is triggered that simply updates the rules inside the chain?
 
SomeWhereOverTheRainBow said:
This is by far probably the simplest solution I have seen in a while. Awesome share @Martineau!
Click to expand...
Well.....only if it actually works? ;)

P.S. I was hoping that an IPv6 Guru would chime in to say beware!....a minor security issue with it as-is, is that it opens up all inbound subnets, so if you have say a /56 from your provider then you should really restrict it to just the relevant one of your /64 subnets.

eg. Only subnet 0x23
Code: 
::0023:a3a3:beff:fe89:93af/::00ff:ffff:ffff:ffff:ffff
Can't recall/find the relevant article/reference at the moment, but this does sound plausible?
 
Last edited:
Martineau said:
Well.....only if it actually works? ;)

P.S. I was hoping that an IPv6 Guru would chime in to say beware!....a minor security issue with it as-is, is that it opens up all inbound subnets, so if you have say a /56 from your provider then you should really restrict it to just the relevant one of your /64 subnets.

eg. Only subnet 0x23
Code: 
::0023:a3a3:beff:fe89:93af/::00ff:ffff:ffff:ffff:ffff
Can't recall/find the relevant article/reference at the moment, but this does sound plausible?
Click to expand...
No one said the easiest/simplest is the safest ;).
 
It turns out that if you enter the Local IP in the IPv6 firewall rule to start with ::, the firmware assumes it’s an eui64 address and adds the bitmask automatically.
1653503920709.png

Code: 
# ip6tables -S FORWARD | grep beef
-A FORWARD -d ::abcd:dead:beef:cafe/::ffff:ffff:ffff:ffff -p tcp -m state --state NEW -m tcp --dport 7695 -j ACCEPT
 
following your advice (but the simple way, as i'm newbie)
using GUI firewall using the template you provided ( ::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff) where ::aaaa:bbbb:cccc:dddd is using MAC-to-EUI64 conversion seems to work.

using port scanner showing the ports on the specific IPV6 are open (and not on other clients on the same network)
and the services using this ports work of course (few services using NGINX and adguard home)
is this safe/legit?

Thanks!!!
 
omrij said:
The clients are Linux based (actually docker containers)
Click to expand...
A bit off to the side but how are you dealing with ipv6 in docker containers with a dynamic prefix?
Sounds like you are going through figuring out the same stuff i need to with my setup. :)
 
Last edited:
Be more specific :)

No "dealing" is required
The docker is getting IPV6 based on the (dynamic) prefix and fixed suffix (based on Mac address).
And port opening is based on the suffix like suggested by the guys above.
 
omrij said:
Be more specific :)

No "dealing" is required
The docker is getting IPV6 based on the (dynamic) prefix and fixed suffix (based on Mac address).
And port opening is based on the suffix like suggested by the guys above.
Click to expand...
Well in the docker-compose.yml you have to specify the subnet for the network it creates.

Code: 
networks:
  lan:
    name: lan
    driver: macvlan
    enable_ipv6: true
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 2600:1111:2222:3333::/64

But of course that can change at any time (usually on router reboot like the ipv4 address sometimes does).
 
You must log in or register to reply here.

Similar threads

M
wan dhcpv6 blocked by firewall
Replies
2
Views
775
M4tt
M
K
Have global ipv6 address but unable to access internet over ipv6
2 3
Replies
45
Views
3K
Fishwithadeagle
F
N
IPv6 6RD tunnel block/allow by mac/IP
Replies
3
Views
284
RMerlin
RMerlin
ollimoe
RT-BE88U and Dynamic WAN Port MAC?
Replies
0
Views
152
ollimoe
ollimoe
V
Local system fails to register address with DNS server
Replies
5
Views
436
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
John Tetreault How to open ipv6 firewall to a port on the router? Asuswrt-Merlin 7
A WireGuard client with IPv6 enabled Asuswrt-Merlin 10
M Can't ping ipv6 with all connected devices Asuswrt-Merlin 0
zquestz Dual WAN IPv6 Asuswrt-Merlin 2
N IPv6 6RD tunnel block/allow by mac/IP Asuswrt-Merlin 3
S How to obtain and change the IPv6 prefix Asuswrt-Merlin 3
J IPv6 WAN Prefix Length Setting in WebGUI (3004.388.8_2)? Asuswrt-Merlin 14
L Adaptive QoS support ipv6? Asuswrt-Merlin 0
L IPV6 and PPPoE Asuswrt-Merlin 9
Zigster IPV6 and OpenVPN on Asus Merlin on Asus GT-AXE11000 Asuswrt-Merlin 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 606 (members: 20, guests: 586)
Top