I'm trying to block ICMPv6 with unwanted Router Advertisement from AppleTV, but I'm having trouble with that.
The setup is simple:
a "lan" interface with bridge and fd00::1/64 address with RA+DHCPv6 in a "lan" zone
AppleTV (MAC ec:a9:07:06:1f:05) is connected to the bridged ethernet port
The problem is that AppleTV is sending ICMPv6 Router Advertisements with its own fd08:xx prefix, and other devices on the bridge are receiving this RA and self-assigning an address with the fd08:xx prefix next to the fd00:xx one from OpenWRT. I certainly want to get rid of AppleTV's RA.
I'm trying to block all ICMPv6 with RA that are coming from the LAN:
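To confirm which device on the bridge is emitting the rogue RA and which prefix it carries (useful before and after any VLAN change), here is an added example that parses a Router Advertisement frame and flags it when it does not come from the router or advertises an unexpected prefix. It is not the poster's configuration or OpenWrt code; the router MAC and the fd08:1234::/64 prefix are constructed values, and the frames are built inline rather than captured.

```python
import ipaddress
import struct

# Constructed values: the OpenWrt router announces fd00::/64; the AppleTV
# (ec:a9:07:06:1f:05, from the thread) announces its own fd08::/64 prefix.
ROUTER_MAC = "00:11:22:33:44:55"   # placeholder, assumed router MAC
ALLOWED_PREFIX = ipaddress.ip_network("fd00::/64")

def build_ra(src_mac: str, prefix: str) -> bytes:
    """Build a minimal Ethernet/IPv6/ICMPv6 Router Advertisement carrying one
    Prefix Information option (constructed test input, checksum left at 0)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.ip_network(prefix)
    # RA header: type 134, code 0, cksum, hop limit 64, flags, lifetime 1800s
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    # Prefix Information option: type 3, length 4 (32 bytes), L+A flags set
    icmp += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    # IPv6: payload length, next header 58 (ICMPv6), hop limit 255, fe80::1 -> ff02::1
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + mac + b"\x86\xdd"  # all-nodes multicast
    return eth + ip6 + icmp

def check_ra(frame: bytes):
    """Return (src_mac, findings); findings is empty for a legitimate RA
    and lists the reasons a frame would be flagged as a rogue RA."""
    if frame[12:14] != b"\x86\xdd":
        return None, ["not IPv6"]
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    # Next header at IPv6 offset 6; extension headers are not handled here.
    if frame[20] != 58 or frame[54] != 134:
        return src_mac, []  # not an ICMPv6 Router Advertisement
    icmp = frame[54:]
    findings = []
    if src_mac != ROUTER_MAC:
        findings.append(f"RA from non-router MAC {src_mac}")
    off = 16  # skip the fixed RA header, then walk the TLV options
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0:
            break  # malformed option length, stop parsing
        if otype == 3 and olen >= 32:
            plen = icmp[off + 2]
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            pfx = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if pfx != ALLOWED_PREFIX:
                findings.append(f"unexpected prefix {pfx}")
        off += olen
    return src_mac, findings
```

Feed it frames captured with a packet sniffer on the bridge interface (wlan clients receiving the RA, as described above, show the traffic really is reaching them) and any flagged MAC is the device to isolate.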
Your router's lan interfaces are bridged in hardware, there's nothing to filter there. The only way out (aside from fixing the rogue AppleTV device) would be giving the streaming client its own VLAN, in its own subnet, so you can do filtering.
AFAIK hw bridging is possible only when all devices are on the same switch, right? But in my case, WiFi devices on the same lan bridged interface are also getting these RAs from AppleTV. Is it possible that hw bridging is still involved and allows bypassing the firewall?
I'm not insisting, I'm asking because I see something isn't working according to the knowledge I've got from this page, which is outdated but looks quite similar to what I see in my setup. Here is the pic from there:
Since my router's hw didn't get DSA support in the kernel yet, I was assuming the bridging is actually happening in the CPU (at least for eth-wlan) as depicted above, as all ethernet ports are already tagged in my setup:
I apologize I didn’t make it clear from the beginning and thank you for your suggestions!
It's insanely hard to scrape small pieces of actual info from around the internet. Does OpenWRT have any wiki pages that would explain the actual state of switching/bridging and what's actually offloaded to the hw?
From @slh's comment I got the point that traffic is flowing past the CPU, and that's why nothing can be filtered. Then you confirmed that:
The initial question about ICMPv6 was mostly closed for me since that moment. I realized that my current understanding of how it's done in routers is outdated, like the picture I learned it from. My initial assumption was: bridging is done purely in sw (at least between eth and wlan) with firewall involvement, as it was depicted, and that's how it was done in the pre-DSA era.
With the follow-up questions I was trying to learn from you which parts of the traffic in my router are flowing solely through hw and what might bring it to the CPU. Tomorrow I'll be solving other tasks, so understanding is a must. Just to update my knowledge and not bother the forum's gurus with stupid questions.
Yeah, I learned this when I was trying to understand why it's acting like a router.
Thank you for the detailed steps. I'll try to do as you have proposed. Then I'll think about whether this is worth the effort, as I'm using AirPlay and HomeKit in my home network and I'm not sure whether the new setup will bring trouble with them or not. Anyway, there is no better solution so far.