Extending IPV4 subnet rule to IPV6

Hi,

I have been using IPV4, with a subnet for the kids' devices, and specific FW rules targeting this IPV4 subnet to limit connection times.

I am transitioning to IPV6, and now am wondering how to maintain the scheme with IPV6 addresses.

I have seen I can assign fixed IPV6 suffixes to given devices. I have assigned ::1:xx for the kids.

How do I set up an IPV6 rule to target these devices? Could I put that in the existing rules? Since making a rule in LEDE is so much work, adapting the existing ones would make my life so much easier....

Thanks for reading, and maybe helping :)

Ummmm..."target" them how...?

(LOL, they're your kids, I get it's some safety thing - or a practical joke, LMFAO!)

If everything is in the same zone, then the same rules apply, so long as "IPv4 and IPv6" is set in the rule:

[screenshot, 2019-11-17]

Since you're not clear to us on what FW "rules" currently "exist", it's hard to give you specifics. For example, I assume you know that if your rule includes an IPv4 address or subnet but is set to "IPv4 and IPv6", only an IPv4 rule will be created.

The current rules are set as follows:
[screenshot of the current rules]

I tried using ::1/112 in source address, but this is not allowed.

Thus my question.

An easy way is this:

  • Just remove the IPV4 /28 subnet - leave it blank
  • Change to "IPv4 and IPv6"
  • BTW, I'd change Protocol to "Any"

:confused:

  • Perhaps we need to know more about your network's addressing?
  • Are your kids' devices segregated on another VLAN or within the IPv4 range somehow?
    • If so, how did you do so on IPv6?

This would only prevent a single device in a subnet anyways... this is not a specified IP anyway... we definitely need more information on your IPv6 addressing and on how your kids are segregated on this network in IPv4 too.

Hummz, not removing the IPV4 subnet.

So let's give more information:
IPV4 LAN 192.168.99.0/24
Kid subnet 192.168.99.192/28

Rules with subnet only apply to kids. This works fine for IPV4

IPV6 suffix for kids ::1:xxxx, so unless I am mistaken about this, I set the last 32 bits of the IP, with the last 16 being for each machine. So I need a kind of ::1/112 netmask to filter out this specific subnet.

Thus my question, because I do not know how to describe an IPV6 subnet, unless I put the full IPV6 address, but wouldn't this defeat the

OK, while typing this reply, I tried using the full IPV6 subnet, and it works. But is this the proper way of doing it?

i.e.:
ipv6 LAN subnet 2a01:abcd:efgh:ijk1/64
ipv6 kids subnet 2a01:abcd:efgh:ijk1::1/112

The rules accept being applied to the above subnet.

This is not exactly what you want here. The :: means that this part of the address is zeros. So this is address 0000.0000.[...].0001, which is localhost, hence the mask is not right.
Moreover with IPv6 you can have different IP each time you want to access the internet.

Maybe you could explain a bit more in detail what does this rule do and we can see if there is some easier way.

This is also wrong.


Well the scheme is simple I have the following firewall rule set :

Allow weekday: allows kidsnet for a time period on weekdays
Allow Wednesday: allows a time period specific to Wednesday afternoon
Allow weekends: allows kidsnet for a time period on weekends
Kidsblock line: drops anything from kidsnet
other firewall rules

So I set rules to give some allowances, and a rule that will block if no allowing rule was previously matched.

This works fine with IPV4, and I need a way to make the same kind of rule set for IPV6.

Below is a sample "allow" rule.

You would do well to put all the kids devices on their own separate subnet via VLANs, and then just apply the rules to the whole zone...

You can do this for wired devices using a smart switch, or the switch built into an all-in-one device, and for wifi devices you can create a kids SSID and bridge it to the VLAN.

The only issue would be if you want to let the kids connect to devices on your personal network that aren't on the same VLAN, like if you have a media archive device or something.


You could try to apply the rule on the source MAC address. That will cover both v4/v6.
Because even if you managed to give the hosts specific v6 addresses (either SLAAC or via DHCPv6 with DUID), they won't be able to be grouped as you did in v4.

Hinted at above a few times is IPv6 subnetting. In general, a /64 is a subnet for IPv6.

An ISP is "supposed" to give you an IA_PD of at least a /56, though many choose to ignore this (Comcrap assigns a /60 on request, for example).

So an IPv6 subnet has at least 64 bits for hosts.

Looking at a /56 IA_PD

 xx:xx:xx:xx:xx:xx:xx:yy:zz:zz:zz:zz:zz:zz:zz:zz
|   56 bits prefix   |sn|     host addresses    |

xx -- your prefix
yy -- your subnets
zz -- your host addresses in that subnet
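The prefix arithmetic above, worked through with Python's standard-library ipaddress module. This is an added example, not code from anyone in the thread: the /56 is the constructed documentation prefix 2001:db8:abcd:ff00::/56 standing in for a real IA_PD, and the kids' address uses the ::1:xx suffix scheme from earlier in the thread. It also checks what a firewall actually makes of the two ways of writing the kids' /112 (address ::1 versus address ::1:0), which is the difference between a rule that matches those devices and one that does not.

```python
import ipaddress

# Constructed IA_PD from the documentation range; stands in for the /56 an ISP delegates.
DELEGATED = ipaddress.ip_network("2001:db8:abcd:ff00::/56")


def lan_subnets(delegation, count=4):
    """Carve /64s out of the delegation: the 'yy' byte of the diagram above."""
    return [str(net) for net in list(delegation.subnets(new_prefix=64))[:count]]


def as_rule_network(text):
    """What a firewall does with 'address/len': zero the host bits, keep the network."""
    return ipaddress.ip_network(text, strict=False)


def rule_covers(rule_text, host_text):
    """True if a source-address rule written as rule_text matches a packet from host_text."""
    return ipaddress.ip_address(host_text) in as_rule_network(rule_text)


def host_bits(rule_text):
    """How many bits the rule leaves for hosts; standard practice is 64 for a LAN."""
    net = as_rule_network(rule_text)
    return net.max_prefixlen - net.prefixlen


if __name__ == "__main__":
    print("LAN /64s from the /56:", lan_subnets(DELEGATED))
    kid = "2001:db8:abcd:ff01::1:2a"  # constructed kids' device: suffix ::1:xx
    for rule in ("2001:db8:abcd:ff01::1/112", "2001:db8:abcd:ff01::1:0/112"):
        # ::1/112 masks down to ::/112 (hosts ::0-::ffff), which never contains ::1:xx;
        # ::1:0/112 is the network the kids' suffix scheme actually lives in.
        print(rule, "->", as_rule_network(rule), "matches kid:", rule_covers(rule, kid))
    print("host bits left by the /112:", host_bits("2001:db8:abcd:ff01::1:0/112"))
```

The same functions accept IPv4 input unchanged, so `rule_covers("192.168.99.192/28", "192.168.99.200")` behaves exactly like the IPv6 calls; note also that a rule on the global /64 will never match a link-local fe80:: source.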

@jeff: I read in the IPv6 literature that I should be using the dedicated part of the upper 64 bits of my IP address for subnetting.
I did not do so, because :

  • I read about this after selecting subnetting in the host addresses part
  • I do not need 2**64 host addresses in any of my subnets :wink:
  • Whichever location of the address I choose for subnetting, it does not change my question.

(And it seems that my answer to my own question is a proper answer for IPV6 subnet filtering in firewall rules, i.e. a full IPV6 address with / notation for the network length.)

I agree that the choice of subnets doesn't change the fundamental question of how to define a firewall rule to select a specific subnet.

Topology-based filtering is more robust than IP-based, IPv4 or IPv6 (VLANs were suggested by previous posters), as hosts can choose their own IP addresses, no matter what you "tell" them. The multiplicity of IPv6 addresses on a single interface argues for topology-based firewalls as well. A host will generally prefer a link-local address over a global one (see https://tools.ietf.org/html/rfc6724), so you need at least two rules per host to perform IP-based filtering.

For IP-based filtering, the answer is the same for IPv4 and IPv6: address and mask, or a set thereof (which may be single hosts or ranges).

Whether you "need" what was, for very good reasons, defined as the address space for an IPv6 subnet or not, when possible, conformance with standard practice has benefits.

Operating systems do IPv6 based on the standards, if you decide to subnet the 64 host bits, you break it, you buy it... There are many technologies in use such as privacy addresses, stable privacy addresses, SLAAC, etc which assume that the 64 bits are host, not subnet.

Every device gets, at an absolute minimum, 2 IPv6 addresses per interface, one link level and one according to the prefix assigned... most often there might also be a ULA prefix, and privacy addresses are standard on many operating systems. The idea that you can control which IPv6 address a device uses is misguided.

Instead, use VLANs it's the only reliable way to get what you want.

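A small first-match model of the allow/allow/allow/drop rule set described earlier in the thread, added here as an example and not taken from anyone's post or from OpenWrt's firewall code. It shows two of the points made above: the address-and-mask approach is identical for IPv4 and IPv6 (the same kids set holds a /28 and a /112), and an address the host picks for itself (a SLAAC privacy address elsewhere in the /64, or a link-local one) sails past an address-based block and lands in the default policy. The kids' prefixes, the time windows and the sample source addresses are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed kids set: the thread's IPv4 /28 plus a /112 under a documentation /64.
KIDS = [ipaddress.ip_network("192.168.99.192/28"),
        ipaddress.ip_network("2001:db8:abcd:ff01::1:0/112")]

# Rule order matters: the three allow rules are tried first, then the unconditional drop.
# Windows are assumptions; days=None/start=None means "any day, any time".
RULES = [
    {"name": "Allow weekday",   "src": KIDS, "days": {"Mon", "Tue", "Thu", "Fri"},
     "start": time(17, 0), "stop": time(19, 0), "target": "ACCEPT"},
    {"name": "Allow Wednesday", "src": KIDS, "days": {"Wed"},
     "start": time(14, 0), "stop": time(19, 0), "target": "ACCEPT"},
    {"name": "Allow weekend",   "src": KIDS, "days": {"Sat", "Sun"},
     "start": time(10, 0), "stop": time(20, 0), "target": "ACCEPT"},
    {"name": "Kidsblock",       "src": KIDS, "days": None,
     "start": None, "stop": None, "target": "DROP"},
]
DEFAULT = "ACCEPT"  # the thread's "other firewall rules": everyone else gets out


def matches(rule, src_text, when):
    """One rule: source must be inside one of its networks, and inside its time window."""
    addr = ipaddress.ip_address(src_text)
    if not any(addr in net for net in rule["src"]):
        return False
    if rule["days"] is not None and when.strftime("%a") not in rule["days"]:
        return False
    if rule["start"] is not None and not (rule["start"] <= when.time() < rule["stop"]):
        return False
    return True


def verdict(src_text, when_iso):
    """First matching rule wins; returns (rule name, target). when_iso is 'YYYY-MM-DD HH:MM'."""
    when = datetime.fromisoformat(when_iso)
    for rule in RULES:
        if matches(rule, src_text, when):
            return rule["name"], rule["target"]
    return "default", DEFAULT


if __name__ == "__main__":
    samples = [
        ("192.168.99.200", "2019-11-20 15:00"),                     # kid, v4, Wednesday afternoon
        ("2001:db8:abcd:ff01::1:2a", "2019-11-19 17:30"),           # kid, v6 fixed suffix, Tuesday
        ("2001:db8:abcd:ff01::1:2a", "2019-11-23 23:00"),           # kid, v6, Saturday night
        ("2001:db8:abcd:ff01:9c3e:1f2a:7b88:4d10", "2019-11-23 23:00"),  # same /64, privacy address
        ("fe80::d4c1:a2ff:fe33:1", "2019-11-23 23:00"),             # link-local source
        ("192.168.99.10", "2019-11-23 23:00"),                      # parent, v4
    ]
    for src, when in samples:
        print(f"{src:40} {when}  ->  {verdict(src, when)}")
```

The fourth and fifth samples are the failure mode the VLAN advice is about: the kid's device is the same machine, but because the source address is not one the firewall was told about, no kids rule matches and the default policy applies.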

Yes. Use VLANs. And if you need local connectivity (media server etc.) across your VLAN zones, I think you'd need to use ULA addresses.
