Blocking ULA and link-local communications from and in a guest wifi network

I am trying to block any device on my guest wifi from accessing my ARRIS modem, whose IP is 192.168.100.1.

The guest wifi has client isolation enabled, and I've disallowed any forwarding to any zone except WAN/WAN6 and DHCP/DNS on the router itself. I'm considering creating the following firewall rule, based on advice from here:

However, after doing a bit more research on isolating clients correctly, I came upon ULA and link-local connections. They are both somewhat confusing, and after researching both I found mixed info on how to block them. To disable these effectively, would client isolation on the guest wifi be enough? Or would I have to do something like adding the following extra destination addresses to the firewall rule shown in the above image:
fc00::/7
fe80::/10
(The top one being for ULA IPv6, and the bottom one being for link-local IPv6.)

Would I then have to add a rule like this for every other interface I want to block from using ULA and link-local connections?

Client isolation means you can now use ebtables to block the ip6 protocol.

You can remove ULA altogether if you are not using IPv6.

I do not think you can reach LLA addresses on other subnets, as these are local, but I could be wrong.

2 Likes

Right.

On another note, if you disable the RAs and DHCP6 on the guest, you have achieved your goal. No need to globally disable ULA.

2 Likes

Thank you both for the info. The topic is making more sense to me now.

The guest interface's IPv6 settings seem to be all disabled, so I'm assuming it would be fine to just leave it alone?

In my research, I came across something that said disabling ULA prefix assignment on the LAN interface would somehow affect the guest interface, even if IPv6 was turned off on the guest, but I wasn't sure if this was correct.

For the guest wifi, DHCP6 is disabled on the interface, and client isolation is enabled on the SSID. But I'd like to be 100% sure and disallow any devices on the guest wifi from communicating with each other using link-layer and ULA communications, even if they're not assigned by the router.

Would creating a firewall rule like the below be correct? Would it hurt anything if I enabled the rule even if it might not do anything?

(For clarity, the second one is for blocking ULA IPv6, and the third one is for blocking link-local IPv6.)
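For reference, this is what a rule of the kind described in the post above looks like in `/etc/config/firewall` on OpenWrt. It is an added illustration, not the screenshot from the post or an official OpenWrt sample; the zone name `guest`, the rule name and the choice of `proto all` are assumptions, and the three destination addresses are the ones named in the thread:

```text
# Added example: one OpenWrt firewall rule carrying the three destinations
# discussed in the thread. Assumes the guest wifi is attached to a firewall
# zone named 'guest'.
config rule
	option name 'Guest-Block-Modem-ULA-LLA'
	option src 'guest'
	option dest '*'                 # any other zone (forwarded traffic only)
	option proto 'all'
	list dest_ip '192.168.100.1'    # ARRIS modem management address (IPv4)
	list dest_ip 'fc00::/7'         # IPv6 unique local addresses (ULA)
	list dest_ip 'fe80::/10'        # IPv6 link-local addresses (LLA)
	option target 'REJECT'
```

A rule with a `src` zone and `dest '*'` is applied to traffic forwarded out of the guest zone into other zones; it does not see frames exchanged between two clients on the guest wifi itself, which is what the SSID's client isolation setting governs. After editing the file, `/etc/init.d/firewall restart` reloads the rules.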

Go to devices and disable ULA too...

The firewall rule will not isolate the guest devices within the guest network. It is blocking traffic from the guest zone to other zones. It won't do much if you are not allocating ULA in guest, as LLA are not used for internetwork communication.
The default behaviour of OpenWrt is to block interzone traffic, so if you have not changed the policy, internetwork traffic from the guest zone is allowed only if you have allowed a forwarding.

1 Like