IPV6 help needed. Limiting port access issues

Hello everyone, another day another question. On my network I have a few devices with static leases, which I got some help to achieve, and it worked fine... However, one of the devices has been replaced and now also uses IPv6 but doesn't seem to give a DUID, as it doesn't show in the DHCP list; only 3 devices show, all of which I know what they are... However, if I go onto the "Routes" tab there are loads of IPv6 devices listed in the "Neighbours" tab.

When it comes to IPv6, how do you allocate a fixed address to it and use the firewall to block port access?

Only by matching the client's DUID with a static IPv6 on the router's side, or if the client provides the option to change from DHCP and set a static IPv6 that matches the network subnet.



Seems you asked that question already in another thread.


A DUID, as opposed to a MAC, is not necessarily hardcoded (the MAC often being printed on a sticker), but is often soft-generated during device setup (reset). Hardcoded DUIDs are specified as DUID-EN.

Some vendors may fail on a proper DHCPv6 and/or DUID implementation.

I've asked already, whoops, sorry, must be losing my mind!! Sorry, it's my brain struggling with all the OpenWrt info getting crammed into it the last few weeks.

The devices have been connected for a week now but still no DUID has appeared... Things like the PS4 and the dishwasher, of all things, use IPv6 and give the DUID instantly... Android doesn't seem to ever provide one and I can't find how to get one from anywhere in the system.

Are you reading the responses?


As a potential workaround:

For source IP filtering it requires the IPv6 address, which in turn you would want to be the client's static IPv6, but that does not work without the DUID, so catch-22...

AFAIK an IPv6 packet does not carry its source MAC or DUID but instead the EUI-64 identifier. You could perhaps run a packet capture and see whether the EUI-64 identifier for particular clients can be extracted.
Not sure if the EUI-64 identifier can be filtered in a firewall, however.

So basically with Android and IPv6 I'm screwed, lol.

Looks like I need to disable IPv6 then.

Such a learning curve.

Not necessarily.

Apparently netfilter provides EUI-64 filtering [1] and thus it could be deployed in a firewall, at least with ip6tables but probably also with nftables.

It requires the kernel config option

CONFIG_IP6_NF_MATCH_EUI64 = y | m

But then again, Android may not have implemented EUI-64.

Plus there are privacy/security concerns about EUI-64 that are partially addressed by IPv6 privacy extensions, and thus the EUI-64 value may not be sustained over time, which would render it potentially useless for packet filtering.


[1] https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-6.html#ss6.1
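To make the EUI-64 discussion above concrete, here is an added Python example (not code from this thread or from OpenWrt) that derives the modified EUI-64 interface identifier from a MAC, performs the same comparison the ip6tables eui64 match does (source address IID versus EUI-64 of the frame's source MAC), and sorts a neighbour table into addresses that are stable and filterable that way versus privacy-extension or random addresses that are not. The neighbour entries in it are constructed for the example; the function names are the example's own.

```python
"""Classify IPv6 neighbours by whether their interface identifier (IID) is a
modified EUI-64 derived from their MAC, i.e. whether the address is the kind
the netfilter eui64 match could act on, or a privacy/random IID that will not
be stable over time. The neighbour entries below are constructed for the
example, not read from a real router."""
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC, insert
    0xfffe in the middle, and flip the universal/local bit (0x02 of the
    first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def iid_of(addr: str) -> bytes:
    """Lower 64 bits of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def address_matches_mac(addr: str, mac: str) -> bool:
    """The comparison the ip6tables eui64 match performs: does the source
    address IID equal the EUI-64 derived from the frame's source MAC?"""
    return iid_of(addr) == mac_to_eui64_iid(mac)


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover a MAC from an EUI-64-style IID; None if the 0xfffe marker is
    absent (privacy extension, random or DHCPv6-assigned IID). A random IID
    can contain 0xfffe by chance, so address_matches_mac() is the real test."""
    iid = iid_of(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify_neighbours(entries):
    """entries: iterable of (ipv6, mac) pairs as read from a neighbour table.
    Returns {ipv6: 'eui64' or 'other'}: 'eui64' means the address is derived
    from the MAC and so is stable and filterable on that basis; 'other'
    covers privacy-extension, random and DHCPv6-assigned IIDs."""
    result = {}
    for addr, mac in entries:
        result[addr] = "eui64" if address_matches_mac(addr, mac) else "other"
    return result


# Constructed sample: one SLAAC/EUI-64 client, one privacy-extension client.
SAMPLE_NEIGHBOURS = [
    ("fe80::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("2001:db8::a1b2:c3d4:e5f6:1234", "66:77:88:99:aa:bb"),
]

if __name__ == "__main__":
    for addr, kind in classify_neighbours(SAMPLE_NEIGHBOURS).items():
        print(f"{addr:32} {kind:6} mac-from-iid={eui64_to_mac(addr)}")
```

Run against the pairs from the router's neighbour table (address plus link-layer address), this tells you which clients would ever be matchable by an EUI-64 rule; an Android device using privacy extensions will show up as "other", which is the catch-22 described in the thread.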