Cannot block ICMPv6 in LAN zone

Hello community,

I'm trying to block ICMPv6 with unwanted Router Advertisement from AppleTV, but I'm having trouble with that.

The setup is simple:

  • a "lan" interface with bridge and fd00::1/64 address with RA+DHCPv6 in a "lan" zone
  • AppleTV (MAC ec:a9:07:06:1f:05) is connected to the bridged ethernet port

The problem is that AppleTV is sending ICMPv6 Router Advertisement with its own fd08:xx prefix and other devices on a bridge are receiving this RA and self-assigning an address with fd08:xx prefix next to fd00:xx from OpenWRT. I certainly want ditch of AppleTV's RA.

I'm trying to block all ICMPv6 with RA that are coming from the LAN:

but firewall doesn't catch anything:

Note: forwarding_lan_rule target is empty.

My devices on the same bridge are still getting RA's from the AppleTV and autoconfiguring themselves for this prefix. Wireshark confirms this:

What I'm missing to block RAs coming from the LAN? How it can be blocked?

Your router's lan interfaces are bridged in hardware, there's nothing to filter there. The only way out (aside from fixing the rogue AppleTV device) would be giving the streaming client its own VLAN, in its own subnet, so you can do filtering.

1 Like

AFAIK hw bridging is possible only when all devices on the same switch, right? But in my case, WiFi devices on the same lan bridged interface are also getting these RAs from AppleTV. Is it possible that hw bridging is still involved and allows bypassing a firewall?

Incorrect. As slh noted, your Ethernet and Wifi would comprise a LAN bridge. I'm not sure why you're insisting the contrary (I assume because you believe the firewall rule should work).

Yes, that was already told to you. I'm not sure why you ask this question - given that you cannot block in the same LAN.

Your issue is that the device you wish to block is on the same LAN. The solution was given:

...and the Apple TV is giving out RA, or Neighbor Solicitations (the latter is normal)?

I’m not insisting, I’m asking as I see something isn’t working according to my knowledge I’ve got from this page, which is outdated though but looks quite similar to what I see in my setup. Here is the pic from there:


Since my router’s hw didn’t get DSA support in the kernel yet so I was assuming the bridging is actually happening in CPU (at least for eth-wlan) as depicted above as all ethernet ports are already tagged in my setup:

I apologize I didn’t make it clear from the beginning and thank you for your suggestions!

It’s insanely hard for scraping a small pieces of actual info from around the internet. Does OpenWRT has any wiki pages that would explain actual state with switching/bridging and what’s actually offloaded to the hw?

What does this inquiry have to do with blocking ICMPv6 on LAN?

Or is this a random inquiry?

Can you explain why you're making refrences to HW offloading?

It's still unclear.

I don't understand the conclusion you've made regarding DSA and non-DSA switches. Is this related to your ICMPv6 blocking inquiry?

AppleTV acts as IOT „thread protocol“ hub.

long time ago, hope I still remember correctly:
the steps for non-DSA, if you want firewall zones at home:

split off 1 port to a separate VLAN

  • create a VLAN 20 (dont use small numbers for custom vlans, there may be hard coded side effects)
  • VLAN 20: set lan4 as untagged to that new vland and set its cpu0 to tagged
  • VLAN 1: set lan4 to off
  • that effectively moves lan4 to a different VLAN
    appleTV then goes to this port

create a new interface IOT

  • link to VLAN 20
  • assign its own subnet
  • enable DHCP (and/or have a reasonable static IP concept)

create a new firewall zone IOT

  • link to IOT interface
  • dont enable NAT, except if you know what you are doing

create routing rules between LAN and IOT as needed

now you can set fine grained firewall rules at will between LAN and IOT.

If appleTV uses Wifi, skip the VLAN steps and create an additional Wifi SSID instead (if your router supports that) and put that Wifi into the IOT interface

Last step: decide, if its worth all that.


From @slh comment I got the point that traffic is flowing beside the CPU that's why nothing can be filtered. Then you confirmed that:

The initial question with ICMPv6 was mainly closed for me since that moment. I realized that my current understanding how it's done in routers is outdated, like the picture I learned that from. My initial assumption was: bridging is done purely in sw (at least between eth and wlan) with firewall involvement like it was depicted and that's how it was done in pre-DSA era.

With the follow-up questions I was trying to learn from you which parts of traffic in my router are flowing solely through hw and what might bring it to the CPU. Tomorrow I'll be solving other tasks, so understanding is must. Just to update my knowledge and don't bother forum's guru with stupid questions.

1 Like

Yeah, I've learned this when was trying to understand why it's acting like a router.

Thank you for detailed steps. I'll try to do like you have proposed. Then I'll think if this worth an effort, as I'm using AirPlay and HomeKit in my home network and not sure whether the new setup will bring troubles with them or not. Anyway, there is no better solution so far.

Thank you!

Traversing a network is causes routing/firewalling.

Routing/firewalling takes CPUs.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.