IPv6-PD from ISP - Incoming traffic for host

Hello,

I'm running OpenWrt 23.05.2 on a Netgear R8700 and I have IPv6 from my ISP via prefix-delegation. All machines in the network are getting working IPv6, their own subnet and whatnot.

Now, I've this situation where I want to "poke-a-hole" in the firewall so a specific host can get traffic from the internet on port 8444.

[screenshot of the firewall rule]

This rule makes it work, but it also opens the port on every IPv6 address on the network.

How can I restrict this in a way that only a specific MAC address / hostname gets port 8444 open while others don't?

Note that since my ISP does PD, the prefix might change at any time and that machine will have a different IPv6 address, so I can't just set the "Destination address" field to a specific IP.

Thank you.

The host needs a consistent last 64 (or more) bits in its IP. Then the notation ::1111:2222:3333:4444/-64 can be used to ignore the prefix in a dest_ip address match.


And how can that be achieved? The ISP is delegating a /56 and the interface on the machine currently looks like this:

2001:xxxx:xxxx:e500:yyyy:yyyy:yyyy:6ba9/64

And on the router it says the DHCPv6 lease is:

2001:xxxx:xxxx:e500::5b4/128

Considering your example, the following works:

::yyyy:yyyy:yyyy:6ba9/-64

The question is now: how likely is the last yyyy:yyyy:yyyy:6ba9 to change.

Thank you.

Instead of SLAAC you can use DHCPv6 only to assign manual IPv6 suffixes linked to the device DUID. For example, in IPv4 you have 192.168.1.1, 192.168.1.100, 192.168.1.101, etc.; on IPv6 you can achieve the same with DHCPv6, and you'll have PD::1, PD::101, PD::100, etc. And the firewall rule will be ::101/-64 with destination LAN.


If you have multiple LANs you'd also want to configure them with ip6hint for consistent delegation.

Overall the address is XXXX:XXXX:XXXX:XXYY:ZZZZ:ZZZZ:ZZZZ:ZZZZ

  • X bits assigned by ISP -- out of your control and may change.
  • Y bits assigned to each LAN by ip6hint.
  • Z bits assigned to host by DHCPv6.

Then the address match is ::YY:ZZZZ:ZZZZ:ZZZZ:ZZZZ/-72 to constrain to a single host on a specific LAN by matching the Y bits as well.
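The three replies above describe one mechanism: a host suffix pinned by DHCPv6 (hostid), an optional subnet id pinned by ip6hint, and a dest_ip match with a negative prefix length that compares only the low bits and ignores whatever the ISP delegated. The Python script below is an added example, not code from this thread or from OpenWrt; it models that match so the /-64 and /-72 forms can be checked offline, and it also models the ordinary positive-prefix match to show why a fixed destination address breaks on renumbering. The two /56 prefixes are constructed from the 2001:db8::/32 documentation range, and the function names, the subnet hints 0x10 and 0x20 and the hostid 0x101 are assumptions for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not a real delegation):
PD_BEFORE = "2001:db8:aaaa:e500::/56"   # today's /56 from the ISP
PD_AFTER = "2001:db8:bbbb:1200::/56"    # the /56 after the ISP renumbers us


def host_suffix_spec(addr: str, host_bits: int = 64) -> str:
    """Turn a full IPv6 address into the '::<suffix>/-<host_bits>' dest_ip
    form, which matches only the low host_bits and ignores the prefix."""
    if not 1 <= host_bits <= 128:
        raise ValueError("host_bits must be between 1 and 128")
    mask = (1 << host_bits) - 1
    suffix = ipaddress.IPv6Address(int(ipaddress.IPv6Address(addr)) & mask)
    return f"{suffix}/-{host_bits}"


def matches(spec: str, dest: str) -> bool:
    """Model of the firewall dest_ip comparison.

    'addr/-N'  compares the low N bits (prefix-independent host match)
    'addr/N'   compares the high N bits (normal CIDR match)
    'addr'     is an exact /128 match
    """
    addr, sep, length = spec.partition("/")
    bits = int(length) if sep else 128
    if not -128 <= bits <= 128:
        raise ValueError("prefix length out of range")
    value = int(ipaddress.IPv6Address(addr))
    target = int(ipaddress.IPv6Address(dest))
    if bits < 0:
        mask = (1 << -bits) - 1                      # low -bits bits only
    else:
        mask = ((1 << bits) - 1) << (128 - bits)     # high bits only
    return (value & mask) == (target & mask)


def lan_address(pd: str, subnet_hint: int, hostid: int) -> str:
    """Address a DHCPv6 host gets on one LAN carved out of delegation `pd`:
    ISP-assigned bits | ip6hint subnet bits | fixed hostid suffix (low 64)."""
    net = ipaddress.IPv6Network(pd)
    subnet_bits = 64 - net.prefixlen
    if not 0 <= subnet_hint < (1 << subnet_bits):
        raise ValueError(f"ip6hint must fit in {subnet_bits} bits for a /{net.prefixlen}")
    if not 0 < hostid < (1 << 64):
        raise ValueError("hostid must be a non-zero 64-bit suffix")
    return str(ipaddress.IPv6Address(
        int(net.network_address) | (subnet_hint << 64) | hostid))


if __name__ == "__main__":
    HINT_LAN, HINT_GUEST, HOSTID = 0x10, 0x20, 0x101   # assumed values
    server = lan_address(PD_BEFORE, HINT_LAN, HOSTID)
    guest = lan_address(PD_BEFORE, HINT_GUEST, HOSTID)  # same suffix, other LAN
    server_later = lan_address(PD_AFTER, HINT_LAN, HOSTID)

    fixed = server                            # what the OP could not use
    rule64 = host_suffix_spec(server)         # '::101/-64'
    rule72 = host_suffix_spec(server, 72)     # '::10:0:0:0:101/-72'

    for name, spec in (("fixed", fixed), ("/-64", rule64), ("/-72", rule72)):
        print(f"{name:>6} {spec:<24} server={matches(spec, server)!s:<5} "
              f"guest={matches(spec, guest)!s:<5} after renumber={matches(spec, server_later)}")
```

The /-64 rule keeps working after the ISP renumbers but also opens the port for a host with the same suffix on every other LAN; the /-72 rule pins both the subnet id and the suffix and still survives renumbering. On the router, the pieces behind these values are `option hostid '101'` in a `config host` stanza of /etc/config/dhcp (keyed on the client's DUID), `option ip6hint '10'` on the LAN interface in /etc/config/network, and `list dest_ip '::10:0:0:0:101/-72'` on the traffic rule in /etc/config/firewall. One caveat the thread's question "how likely is the suffix to change" deserves: a SLAAC host with temporary (privacy) addresses rotates its low 64 bits on its own schedule, so the rule is only reliable once the suffix is pinned, with DHCPv6 as suggested or with a static address on the host that uses the same suffix.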

Thank you both for the information.
