IPV6 firewall single host rules between VLANs

Hello everyone. I'm learning my way through IPV6 configuration, but have a problem I can't seem to get past. I'm looking to create a firewall rule that allows a single host on one VLAN to connect to all clients on another VLAN using IPV6. Here's the rule I've tried, that doesn't work:

config rule
	option name 'PCtoIoT'
	option src 'lan'
	option dest 'IoT'
	option target 'ACCEPT'
	list proto 'all'
	list src_ip '::25/-64'
	list src_ip '192.168.1.25'

When the two networks are set to forward to each other I can ping / connect. When I restrict the zones I get "Destination port unreachable" for ping -6 but can get through on ping -4 with the rule above in place. I'm sure the rule above isn't right, but struggling to find anything else to try.

A more general point is that I found the IPV6 troubleshooting page useful, but only stumbled onto it as it's not easy to find. It's not referenced on the IPV6 Configuration page. Unless there's some reason not to I will add a link to that page. It would also be great to add something about firewall rules there if possible - and again happy to draft based on replies to this post.

Many thanks in advance!

I think that both IPv6 and IPv4 are targeted if you have not defined option family but otherwise specify both.

Try using a MAC address as source so that you are sure all IPv6 addresses are targeted.

Thanks, much appreciated - it does work if I use the MAC address. I'd not tried the MAC as I thought you needed to use the DUID if it was IPV6...but the MAC does seem to work.

That's probably all I need for this purpose, but out of curiosity, is '::25/-64' the right syntax to match an IPv6 address in that way?

I think so, but your client usually has multiple IPv6 addresses (multiple GUA, ULA and LL addresses); not sure which is used.

Anyway glad it is working.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
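As an added illustration, not a rule posted in this thread, here are the two approaches discussed above written out as UCI firewall rules: one matching the host by MAC address (as suggested in the first reply), and one matching the IPv6 host suffix in the '::25/-64' notation asked about, each with option family set so the rule is generated only for IPv6. The MAC address and the suffix are placeholder values.

```text
# Rule 1: match the host by MAC address.
# A MAC match covers every IPv6 address the host currently holds
# (GUA, ULA, link-local), so it keeps working when the prefix or
# the host's addresses change.
config rule
	option name 'PCtoIoT-v6-mac'
	option src 'lan'
	option dest 'IoT'
	option family 'ipv6'
	option proto 'all'
	# placeholder: replace with the real MAC of the PC
	list src_mac '00:11:22:33:44:55'
	option target 'ACCEPT'

# Rule 2: match the host by IPv6 suffix.
# '::25/-64' means "the last 64 bits equal ::25", whatever the
# prefix is. This only matches addresses with a fixed suffix
# (static or EUI-64), not SLAAC privacy/temporary addresses,
# which is one reason the suffix rule can miss traffic the
# MAC rule catches.
config rule
	option name 'PCtoIoT-v6-suffix'
	option src 'lan'
	option dest 'IoT'
	option family 'ipv6'
	option proto 'all'
	list src_ip '::25/-64'
	option target 'ACCEPT'
```

After editing /etc/config/firewall, apply it with /etc/init.d/firewall restart; fw4 print (fw3 print on older releases) shows the generated rule set, so you can confirm the rule lands in the IPv6 family rather than silently matching only IPv4.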
