Hello,

I am trying to extend my OpenWRT AP to support IPv6 on the internal and guest networks. The gateway router from my ISP gets a different /56 IPv6-Prefix every day.

My internal subnet runs at subnet <IPv6-Prefix>:0::/64. The gateway router runs a DHCPv6-server to ensure that.
My AP router running OpenWRT requests a /64 subnet via DHCPv6-PD. Wifi clients at the OpenWRT router should use the /64 subnet the router was assigned.

Now, how to protect my internal network? I would like to restrict traffic flowing from the internal subnet to the guest subnet and vice versa.

I already did some research. Some people are using DNS to solve this problem, but ip6tables only resolves a domain at the time the rule is set up. On some other website there was a hint to use ULA addresses. Well ok, but clients on the guest network could still access my internal network via the public IPv6-subnet, couldn't they?
Currently I set up IPv4-filtering to separate subnets, which works perfectly because of static addresses.

I have several problems with using ip6tables:
- The IPv6 prefix assigned from my ISP is unknown
- The IPv6 guest subnet is unknown (because requested via DHCPv6-PD)

What to do now? :-) Is there an elegant way to solve this problem?
 
Thanks for your help.

(Last edited by CSG on 31 Aug 2015, 11:38)