I recently got a Guest Network with IPv6 working. I found that the Basic script worked great as a starting point, but I have one question there. The basic script has these lines when setting up the DHCP firewall rule for IPv4:
uci set firewall.guest_dhcp.src_port="68"
uci set firewall.guest_dhcp.dest_port="67"
but I found other examples online with only one line:
uci set firewall.guest_dhcp.dest_port="67-68"
Question 1: Why do both of these work, and is one preferred?
Then, when setting up IPv6, I tried to follow Guest Wifi Extras -- but found it assumed a lot of knowledge I didn't have. I got lost. After reading lots of forum posts, I found that adding three more firewall rules was necessary -- and then my Guest Wifi worked with IPv6:
# ICMPv6 echo requests (ping) from the guest zone
config rule
	option name 'Allow-Guest-Ping-v6'
	list proto 'icmp'
	list icmp_type 'echo-request'
	option src 'guest'
	option target 'ACCEPT'
# Multicast Listener Discovery (MLD), only from link-local sources
config rule
	option name 'Allow-Guest-MLD'
	list proto 'icmp'
	option src_ip 'fe80::/10'
	option src 'guest'
	option target 'ACCEPT'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	list icmp_type '151/0'
	list icmp_type '152/0'
	list icmp_type '153/0'
# Neighbor Discovery / SLAAC messages from the guest zone
config rule
	option target 'ACCEPT'
	option name 'Allow-Guest-SLAAC'
	option family 'ipv6'
	option src 'guest'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '141'
	list icmp_type '142'
	list icmp_type '148'
	list icmp_type '149'
Question 2: I noticed each of these rules opens a different set of icmp types in the same icmp protocol. I also empirically found that just one rule with no types works fine. My question is: is there any risk in NOT limiting the icmp command by types -- given that this is a Guest network? Here is the candidate one-rule replacement:
# single rule: all ICMP types from link-local guest sources
config rule
	option name 'Allow-Guest-ICMP'
	list proto 'icmp'
	option src_ip 'fe80::/10'
	option src 'guest'
	option target 'ACCEPT'
Question 3: Then belatedly I found this code in the Guest Wifi Extras. It is even more general, apparently allowing any zone to do anything it wants re ICMP. Is this riskier than either of the solutions in #2? If not, I guess it would be the preferred solution, because it's simplest.
# give the default ICMP rules (anonymous sections @rule[1] and @rule[5]) names
uci rename firewall.@rule[1]="icmp"
uci rename firewall.@rule[5]="icmp6"
# '*' matches any source zone, so every zone gets the same ICMP allowance
uci set firewall.icmp.src="*"
uci set firewall.icmp6.src="*"
uci commit firewall
/etc/init.d/firewall restart
To reiterate, everything is working. I am just trying to understand and learn from what I did along the way.
thanks,
jeremy
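An added example, not from the post or the OpenWrt wiki: the same three type-scoped ICMPv6 rules expressed as a uci batch in the style of the Basic script, with a small helper so each rule states only what differs. It assumes the zone is named 'guest' and that the section names guest_ping6, guest_mld and guest_slaac are unused; without --apply (or off the router) it only prints the batch.

```shell
#!/bin/sh
# Added example, not from the post or the OpenWrt wiki.
# Emits the three type-scoped ICMPv6 guest rules as 'uci batch' commands.
# Assumptions: the guest zone is named 'guest'; the section names
# guest_ping6, guest_mld and guest_slaac are not already in use.

# emit_rule SECTION NAME SRC_IP TYPE...   (SRC_IP may be '' to skip it)
emit_rule() {
    sec=$1; name=$2; srcip=$3; shift 3
    printf "set firewall.%s=rule\n" "$sec"
    printf "set firewall.%s.name='%s'\n" "$sec" "$name"
    printf "set firewall.%s.family='ipv6'\n" "$sec"
    printf "set firewall.%s.src='guest'\n" "$sec"
    # with family=ipv6, fw3 treats proto 'icmp' as ICMPv6
    printf "set firewall.%s.proto='icmp'\n" "$sec"
    [ -n "$srcip" ] && printf "set firewall.%s.src_ip='%s'\n" "$sec" "$srcip"
    # one add_list per type keeps the rule limited to what the guest needs
    for t in "$@"; do
        printf "add_list firewall.%s.icmp_type='%s'\n" "$sec" "$t"
    done
    printf "set firewall.%s.target='ACCEPT'\n" "$sec"
}

# the three rules from the working config: ping, MLD (link-local only), NDP/SLAAC
guest_icmp6_batch() {
    emit_rule guest_ping6 Allow-Guest-Ping-v6 '' echo-request
    emit_rule guest_mld Allow-Guest-MLD fe80::/10 \
        130/0 131/0 132/0 143/0 151/0 152/0 153/0
    emit_rule guest_slaac Allow-Guest-SLAAC '' \
        router-solicitation router-advertisement \
        neighbour-solicitation neighbour-advertisement 141 142 148 149
}

if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    # on the router: feed the batch to uci, then commit and reload the firewall
    guest_icmp6_batch | uci batch && uci commit firewall && /etc/init.d/firewall restart
else
    guest_icmp6_batch   # dry run: just print the batch
fi
```

Run it once without --apply and compare the printed batch against the config-file rules before applying it.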