Is IPv6 too hard for me?

This isn't as helpful as it looks. For dynamic prefix forwarding to work, each receiving client must have a static address suffix. The only ways to do this are with DHCPv6 static addressing rules or by using tokenized identifiers and client-based static addresses.

Android doesn't do DHCPv6 or tokenized addressing, so dynamic prefix forwarding can't work with Android-based devices. Tokenized addressing is pretty much a Linux-only thing; it's not supported on Windows, much less on more consumer-oriented devices. DHCPv6 static addressing generally defeats the purpose of DHCP because it means every system must have its address defined manually. Both methods to select a static IPv6 suffix disable IPv6 privacy addressing, which may be undesirable. As such, dynamic prefix forwarding is more of a niche thing for people who are running servers.

For IPv6 forwarding to be generally useful to the average user who just wants to get VOIP or gaming to work without NAT hassles, OpenWRT needs better IPv6 tooling. Some way to tie IPv6 rules to DUIDs, MACs, or other unique identifiers would make things far easier. I've filed an enhancement request on the bug tracker but it hasn't attracted any interest yet.
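The point of the post above is that a forwarding rule under a dynamic prefix can only match on the low 64 bits, so the client needs a fixed interface identifier. The following added example (not code from the forum post or from OpenWrt) shows that matching semantics in plain Python: a suffix rule with mask `::ffff:ffff:ffff:ffff` keeps matching a token-based host after the ISP renumbers the prefix, while a rule bound to the full old address stops matching, and a privacy address (random IID) never matches either. The prefixes, token and addresses are constructed sample values.

```python
import ipaddress

# Constructed values: two consecutive delegated prefixes from the ISP and a
# host whose interface identifier (IID) is pinned with a token / static rule.
OLD_PREFIX = "2001:db8:1::/64"
NEW_PREFIX = "2001:db8:2::/64"
HOST_TOKEN = "::1234"                       # fixed low 64 bits of the host
PRIVACY_ADDR = "2001:db8:2::8d3a:1f2e:9c4b:77a0"  # random IID (privacy ext.)

SUFFIX_MASK = ipaddress.IPv6Address("::ffff:ffff:ffff:ffff")  # low 64 bits only


def suffix_matches(addr: str, rule_suffix: str,
                   mask: ipaddress.IPv6Address = SUFFIX_MASK) -> bool:
    """Dynamic-prefix rule semantics: compare only the bits selected by mask,
    so the (changing) prefix is ignored and the fixed IID decides the match."""
    a = int(ipaddress.IPv6Address(addr))
    s = int(ipaddress.IPv6Address(rule_suffix))
    m = int(mask)
    return (a & m) == (s & m)


def full_address_matches(addr: str, rule_addr: str) -> bool:
    """Conventional /128 rule: the whole address must be equal."""
    return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(rule_addr)


def compose(prefix: str, iid_suffix: str) -> str:
    """Build the address a tokenized host ends up with inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int(ipaddress.IPv6Address(iid_suffix)) & int(SUFFIX_MASK)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def evaluate_after_renumber() -> dict:
    """Show which rule styles survive a prefix change for each address kind."""
    old_host = compose(OLD_PREFIX, HOST_TOKEN)   # 2001:db8:1::1234
    new_host = compose(NEW_PREFIX, HOST_TOKEN)   # 2001:db8:2::1234
    return {
        # A /128 rule written against the old address no longer matches.
        "static_rule_after_renumber": full_address_matches(new_host, old_host),
        # A suffix rule still matches because only the IID is compared.
        "suffix_rule_after_renumber": suffix_matches(new_host, HOST_TOKEN),
        # A privacy address has a random IID, so no suffix rule can target it.
        "suffix_rule_privacy_addr": suffix_matches(PRIVACY_ADDR, HOST_TOKEN),
    }


if __name__ == "__main__":
    for name, result in evaluate_after_renumber().items():
        print(f"{name}: {'match' if result else 'no match'}")
```

The masked comparison is the whole trick: whatever form the router's rule syntax takes, the rule can only stay valid across renumbering if the client contributes a stable low 64 bits, which is exactly what privacy extensions randomize.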

There are ways to prevent this; a default-deny firewall policy that only opens traffic to devices after they have authenticated through a captive portal is the most practical public and small-scale solution. This is how login-required public wifi networks work.

In the enterprise space, 802.1x addresses this problem.

Another option is a default-deny firewall policy combined with an internally-facing VPN server: any device that wants Internet access has to authenticate with the VPN server, which can impose its own access controls.

SLAAC IPv6 devices can be identified by unique identifiers: if the devices are on the same broadcast domain, the IPv6 neighbor protocol can obtain their MAC addresses. SLAAC devices in a different broadcast domain would need to be traced by other techniques, such as with 802.1x or by requiring them to identify themselves to a captive portal before they are allowed to connect to the Internet.

"work"
:rofl:

but yes you can go that route if so inclined.
