Cannot block ICMPv6 in LAN zone

Hello community,

I'm trying to block ICMPv6 with unwanted Router Advertisement from AppleTV, but I'm having trouble with that.

The setup is simple:

  • a "lan" interface with bridge and fd00::1/64 address with RA+DHCPv6 in a "lan" zone
  • AppleTV (MAC ec:a9:07:06:1f:05) is connected to the bridged ethernet port

The problem is that AppleTV is sending ICMPv6 Router Advertisements with its own fd08:xx prefix, and other devices on the bridge are receiving this RA and self-assigning an address with the fd08:xx prefix next to the fd00:xx one from OpenWRT. I certainly want to get rid of AppleTV's RAs.

I'm trying to block all ICMPv6 RAs that are coming from the LAN:

but the firewall doesn't catch anything:

Note: forwarding_lan_rule target is empty.

My devices on the same bridge are still getting RAs from the AppleTV and autoconfiguring themselves for this prefix. Wireshark confirms this:

What am I missing to block RAs coming from the LAN? How can it be blocked?
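As an added illustration of what the Wireshark capture above shows, and not code from the original post: a small Python parser that flags Router Advertisements seen on the LAN bridge that were not sent by the OpenWrt router, or that carry a prefix other than fd00::/64. The router's own MAC and the full fd08 prefix are not given in the thread, so those two values are constructed placeholders; the AppleTV MAC is the one quoted above.

```python
import ipaddress
import struct

# Legitimate RA source. fd00::/64 is the router prefix from the thread; the router's own
# MAC is not on the page, so this value is a constructed placeholder.
ROUTER_MAC = "00:11:22:33:44:55"
ROUTER_PREFIX = ipaddress.IPv6Network("fd00::/64")
ETHERTYPE_IPV6, IPPROTO_ICMPV6, ICMPV6_RA, OPT_PREFIX_INFO = 0x86DD, 58, 134, 3

def parse_ra(frame):
    """(src_mac, [advertised prefixes]) if the Ethernet frame is an ICMPv6 RA, else None.
    The ICMPv6 checksum is not verified here; the capturing host already checked it."""
    if len(frame) < 14 + 40 + 16 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    if frame[14 + 6] != IPPROTO_ICMPV6 or frame[54] != ICMPV6_RA:  # IPv6 Next Header, ICMP type
        return None
    src_mac = frame[6:12].hex(":")
    opts, prefixes = frame[54 + 16:], []          # RA fixed header is 16 bytes, options follow
    while len(opts) >= 2:
        otype, olen = opts[0], opts[1] * 8        # option length is in units of 8 octets
        if olen == 0 or len(opts) < olen:         # RFC 4861: zero-length option, stop parsing
            break
        if otype == OPT_PREFIX_INFO and olen == 32:
            addr = ipaddress.IPv6Address(opts[16:32])
            prefixes.append(ipaddress.IPv6Network((addr, opts[2]), strict=False))
        opts = opts[olen:]
    return src_mac, prefixes

def rogue_ra(frame):
    """None for a legitimate RA (router MAC, only the router prefix); a report dict otherwise."""
    parsed = parse_ra(frame)
    if parsed is None:
        return None
    src_mac, prefixes = parsed
    if src_mac == ROUTER_MAC and prefixes and all(p == ROUTER_PREFIX for p in prefixes):
        return None
    return {"src_mac": src_mac, "prefixes": [str(p) for p in prefixes]}

def build_ra(src_mac, prefix):
    """Constructed test input: a minimal Ethernet/IPv6/ICMPv6 RA with one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + pio
    ip6 = (struct.pack("!IHBB", 0x60000000, len(ra), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed)
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + ra
```

Feeding `rogue_ra` the raw frames from a capture on the bridge (e.g. via a pcap reader) reports the AppleTV's MAC and its fd08 prefix while the router's own RAs stay silent; this only observes the rogue RAs, it does not stop them.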

Your router's lan interfaces are bridged in hardware, there's nothing to filter there. The only way out (aside from fixing the rogue AppleTV device) would be giving the streaming client its own VLAN, in its own subnet, so you can do filtering.


AFAIK hw bridging is possible only when all devices are on the same switch, right? But in my case, WiFi devices on the same bridged lan interface are also getting these RAs from the AppleTV. Is it possible that hw bridging is still involved and allows bypassing the firewall?

Incorrect. As slh noted, your Ethernet and Wifi would comprise a LAN bridge. I'm not sure why you're insisting the contrary (I assume because you believe the firewall rule should work).

Yes, that was already told to you. I'm not sure why you ask this question - given that you cannot block in the same LAN.

Your issue is that the device you wish to block is on the same LAN. The solution was given:

...and the Apple TV is giving out RA, or Neighbor Solicitations (the latter is normal)?

I'm not insisting, I'm asking because I see something that isn't working according to the knowledge I got from this page, which is outdated but looks quite similar to what I see in my setup. Here is the picture from there:

Since my router's hw hasn't got DSA support in the kernel yet, I was assuming the bridging is actually happening in the CPU (at least for eth-wlan) as depicted above, as all ethernet ports are already tagged in my setup:

I apologize that I didn't make it clear from the beginning, and thank you for your suggestions!

It's insanely hard to scrape small pieces of actual info from around the internet. Does OpenWRT have any wiki pages that would explain the actual state of switching/bridging and what's actually offloaded to the hw?

What does this inquiry have to do with blocking ICMPv6 on LAN?

Or is this a random inquiry?

Can you explain why you're making references to HW offloading?

It's still unclear.

I don't understand the conclusion you've made regarding DSA and non-DSA switches. Is this related to your ICMPv6 blocking inquiry?

AppleTV acts as an IOT "thread protocol" hub.

It was a long time ago, so I hope I still remember correctly:
the steps for non-DSA, if you want firewall zones at home:

split off 1 port to a separate VLAN

  • create a VLAN 20 (don't use small numbers for custom VLANs, there may be hard-coded side effects)
  • VLAN 20: set lan4 as untagged on that new VLAN and set its cpu0 to tagged
  • VLAN 1: set lan4 to off
  • that effectively moves lan4 to a different VLAN
    appleTV then goes to this port

create a new interface IOT

  • link to VLAN 20
  • assign its own subnet
  • enable DHCP (and/or have a reasonable static IP concept)

create a new firewall zone IOT

  • link to IOT interface
  • don't enable NAT, except if you know what you are doing

create routing rules between LAN and IOT as needed

now you can set fine grained firewall rules at will between LAN and IOT.

If appleTV uses Wifi, skip the VLAN steps and create an additional Wifi SSID instead (if your router supports that) and put that Wifi into the IOT interface.

Last step: decide if it's worth all that.

From @slh's comment I got the point that traffic is flowing past the CPU, and that's why nothing can be filtered. Then you confirmed that:

The initial question about ICMPv6 was mainly closed for me from that moment. I realized that my current understanding of how it's done in routers is outdated, like the picture I learned it from. My initial assumption was: bridging is done purely in sw (at least between eth and wlan) with firewall involvement, as it was depicted, and that's how it was done in the pre-DSA era.

With the follow-up questions I was trying to learn from you which parts of the traffic in my router flow solely through hw and what might bring it to the CPU. Tomorrow I'll be solving other tasks, so understanding is a must. Just to update my knowledge and not bother the forum's gurus with stupid questions.

Yeah, I learned this when I was trying to understand why it's acting like a router.

Thank you for the detailed steps. I'll try to do it as you have proposed. Then I'll think about whether this is worth the effort, as I'm using AirPlay and HomeKit in my home network and I'm not sure whether the new setup will bring troubles with them or not. Anyway, there is no better solution so far.

Thank you!

Traversing a network causes routing/firewalling.

Routing/firewalling takes CPUs.
