I want to block traffic to all CloudFlare IPv6 subnets and route to CloudFlare endpoints only using IPv4 as the routing to CloudFlare via IPv6 produces high latency compared to IPv4 due to my ISP routing IPv6 traffic to a different PoP which is very far from my location. This is not an issue with IPv4 and my ISP will not fix this.
These are the following IPv6 subnets that I got from here:
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
Here's my current configuration:
Please guide where I went wrong as I can still ping 2606:4700:4700::1111
firewall.@rule[9]=rule
firewall.@rule[9].name='cfv6'
firewall.@rule[9].family='ipv6'
firewall.@rule[9].src='*'
firewall.@rule[9].src_ip='2407:cb00:xxxx:xxxx::/60' 'fe80::5e02:14ff:fe62:a3e8/64' 'fe80::5e02:14ff:fe62:a3e9/64'
firewall.@rule[9].dest='*'
firewall.@rule[9].dest_ip='2606:4700::/32'
firewall.@rule[9].target='DROP'
firewall.@rule[9].proto='all'
cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'alliance'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'cfv6'
option family 'ipv6'
option src '*'
list src_ip '2407:cb00:c518:f400::/60'
list src_ip 'fe80::5e02:14ff:fe62:a3e8/64'
list src_ip 'fe80::5e02:14ff:fe62:a3e9/64'
option dest '*'
list dest_ip '2606:4700::/32'
option target 'DROP'
list proto 'all'