N00b struggling with ipv6

DHCPv6 might not be necessary. Stable IPv6 addresses can also be generated by Stateless Address Autoconfiguration (SLAAC) with an interface identifier derived from the MAC address (Modified EUI-64) or a stable privacy address (RFC 7217). Quite likely the LAN hosts already have one of those addresses assigned.

Another point to consider is that ISPs often assign the IPv6 prefix dynamically, which causes all of the global IPv6 addresses in your LAN to change along with the prefix. This is independent of the address assigment mechanism used in your LAN (DHCPv6 or SLAAC). If your prefix is dynamic, the firewall rule must take this into account with a suitable address mask. Here is an example for a webserver:

config rule                                                                     
	option name 'webserver'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '::2345:67ff:fe89:abcd/-64'
	option dest_port '80 443'
	option family 'ipv6'
	option target 'ACCEPT'
3 Likes