Blocking a specific MAC address from IPv6 tunnel

My ISP has a 100x25 package and I am also running a he.net tunnel.

When my Samknows Whitebox measures upstream performance, some of the checks run via the he.net tunnel, which distorts the reading since the tunnel's performance is quite a bit lower than line speed.

Could I somehow restrict this specific device from IPv6 traffic? I'm looking for ideas: is it better at the DNS level, at the DHCP level, or should I just drop anything that comes from that MAC and heads out via the tunnel?

Probably a bit overkill, but maybe policy-based routing (PBR)?

The other (easier) alternative would be to lock the Samknows device into a dedicated VLAN on one of your router's switch ports (without access to the HE tunnel, either filtering it out via ip6class or disabling IPv6 on that network altogether), if that device doesn't need access to any of your LAN systems.


A dedicated VLAN is not applicable: the device must be installed as passthrough for wired devices.
The checks are run when there is no network activity from legitimate sources, so the device monitors the Wi-Fi and checks the traffic flowing through the switch. Relegating it to a standalone VLAN might fool it into thinking there is never any traffic and make it run the checks even when the line is otherwise loaded... it might be worth exploring how badly this would distort the results, though.

Can I use PBR to prevent the use of a protocol family? My "normal" upstream is IPv4-only and the he.net tunnel is IPv6-only.

Routing rules don't support L2, so a firewall rule for traffic marking by MAC would be required.
Instead, you can just create a prohibitive firewall rule for transit IPv6 traffic from a specific source MAC.
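The prohibitive rule described above, written out as an added example in OpenWrt's /etc/config/firewall syntax (this is not from the thread or from any poster). The MAC address is a placeholder, and the zone names 'lan' and 'wan' are assumptions: 'wan' stands for whichever zone the 6in4 tunnel interface is assigned to on your router.

```uci
# Added example: reject forwarded (transit) IPv6 from one LAN device.
# Setting both src and dest makes this a forwarding rule, so it only
# affects traffic the router would pass on toward the tunnel; the
# device's own IPv4 traffic is untouched because family is 'ipv6'.
config rule
	option name 'reject-whitebox-ipv6-transit'
	option src 'lan'                        # assumed zone of the measurement device
	option dest 'wan'                       # assumed zone containing the he.net 6in4 interface
	option family 'ipv6'
	option proto 'all'
	option src_mac '00:11:22:33:44:55'      # placeholder: the Whitebox's MAC
	option target 'REJECT'                  # REJECT rather than DROP: the device gets an
	                                        # ICMPv6 unreachable and falls back to IPv4 quickly
	                                        # instead of waiting for timeouts
```

Apply it with `/etc/init.d/firewall reload` and confirm the rule is present with `nft list ruleset` (fw4) or `ip6tables-save` (fw3); with IPv6 connectivity still advertised on the LAN the device will keep trying IPv6 first, which is why a REJECT target tends to give cleaner fallback behaviour than a silent DROP.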

Thanks, I have just made such a rule; we shall soon see if it makes a difference.
Edit: it makes a TON of difference!
