Always changing IPv6. How to set up firewall rule?

How do you set up IPv6 firewall rules if the IPv6 prefix is changing every day or so?

You set them based on the suffix, not the prefix.

2 Likes

If the full IPv6 address you want to use in a rule was (for example) 2001:db80:0:110:a00:27ff:fe67:cd9, then you'd use ::a00:27ff:fe67:cd9/-64 as the IP address in the rule.

2 Likes

Thanks

How do you fix the tail end of the IPv6 address in LuCI per MAC address?
Does the firewall also work with destination MAC addresses?

No idea. If I want a device to have a static IPv6 address I set it on the device.

Probably. Have you tried?

Read about DUID.

DUID Level 3 is based on the MAC, but in practical terms the MAC is not used in IPv6 like in IPv4. Usually Level 1 and 2 are used, with a more complex DUID than the MAC.

1 Like

The DUID of your LAN clients can be seen on the Status > Overview page under Active DHCPv6 Leases.

You can just click the Static lease button on that page or set up a manual static lease, which looks like this:
/etc/config/dhcp

config host
	option dns '1'
	option name 'EA8500'
	option mac 'C0:56:27:xx:xx:xx'
	option ip '192.168.0.6'
	option leasetime '6h'
	option duid '00030001c05627xxxxxx'
	option hostid '06'

This is a router doing VPN which gets the IPv6 address prefix::6.

I noticed that even with only the MAC address and without DUID it seems to work.

Open up the firewall for this router with:
/etc/config/firewall:

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::6/-64'

3 Likes
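
Added example (not written by any poster in this thread and not OpenWrt's own code): a Python sketch of how a suffix rule such as `::6/-64` or `::a00:27ff:fe67:cd9/-64` selects addresses, assuming the negative length means the /64 netmask inverted so that only the low 64 bits are compared. The function names and the 2001:db8 sample addresses are constructed for illustration.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1

def parse_suffix_rule(rule):
    """Split a rule such as '::6/-64' into (value, mask) 128-bit integers."""
    addr_text, _, length_text = rule.partition("/")
    length = int(length_text)
    if not -128 < length < 0:
        raise ValueError("expected a negative length such as /-64")
    # Assumption: /-64 is the /64 netmask inverted, so the top 64 bits
    # (the changing prefix) are ignored and the low 64 bits are compared.
    mask = ALL_ONES >> -length
    value = int(ipaddress.IPv6Address(addr_text)) & mask
    return value, mask

def matches(rule, address):
    """True if the address has the suffix the rule asks for."""
    value, mask = parse_suffix_rule(rule)
    return (int(ipaddress.IPv6Address(address)) & mask) == value

def allowed(rule, addresses):
    """Return the subset of addresses the rule would let through."""
    return [a for a in addresses if matches(rule, a)]

# Constructed sample: the same LAN seen under two delegated prefixes.
SAMPLE = [
    "2001:db8:1111:10::6",                   # hostid 06, prefix of day 1
    "2001:db8:2222:10::6",                   # hostid 06, prefix of day 2
    "2001:db8:2222:10::16",                  # a different host
    "2001:db8:2222:10:a00:27ff:fe67:cd9",    # MAC-derived stable suffix
    "2001:db8:2222:10:5c1e:93a7:40bd:71f2",  # constructed random suffix
]

if __name__ == "__main__":
    for rule in ("::6/-64", "::a00:27ff:fe67:cd9/-64"):
        print(rule, "->", allowed(rule, SAMPLE))
```

The rule follows its suffix under every prefix, so it only covers addresses whose suffix is fixed (a static hostid or a stable MAC-derived suffix); any randomly generated address the same host uses will not match.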

Thanks! This 'hostid' looks good.