New Member
Posts: 10
Registered: 12-29-2016
Kudos: 7
Accepted Solution

Isolating Dynamic IPv6 on Guest VLAN

So I have native IPv6 from my cable provider, and as most people know it's not a static IP.  I can get a /56, however.  So I've set it up so my normal LAN gets one /64 and the Guest VLAN gets another /64.  That is all working and I can access external IPv6 sites successfully from both the normal LAN and Guest VLAN.  

 

Now, the problem is the Guest VLAN can access the normal LAN clients over IPv6.  All the guides I see about blocking the guest VLAN from my LAN say to implement a firewall rule based on subnet.  But without a static subnet that won't work long term.  I know I could just set the Guest network to IPv4 only and not worry about it, but where's the fun in that?

 

For reference, my normal LAN is on switch0, and my Guest VLAN is switch0.2.

 

For IPv4 (even though it's not dynamic) I was able to run `set firewall name GUEST_IN rule 1 destination group address-group NETv4_switch0` and it is successfully blocking access from the Guest VLAN to the normal LAN.

 

I figured I'd try the same thing for IPv6, but when I run `set firewall ipv6-name GUESTv6_IN rule 1 destination group address-group NETv6_switch0` it fails with the message "The specified configuration node is not valid" (it works fine if I run `set firewall ipv6-name GUESTv6_IN rule 1 destination address <my IPv6 subnet>::0/64` to set it to the specific subnet).

 

So is there some way I can set it to just block all IPv6 access from switch0.2 to switch0 (I don't necessarily need switch0 to switch0.2 blocked, but if it is, that's fine as well)?  Or am I just stuck having to specify the subnet and keep it updated (in which case I'd just turn off IPv6 on the guest VLAN)?

 

(I tried looking into setting up zones, as that seems like it might work since I can apply it to the interface rather than a subnet, but I really don't understand it and the guides I found (like this one: https://help.ubnt.com/hc/en-us/articles/204952154-EdgeMAX-Zone-Policy-CLI-Example) didn't really help.  It seems far too complex for what I need to do.)

All Replies
Veteran Member
Posts: 7,822
Registered: 03-24-2016
Kudos: 2037
Solutions: 899

Re: Isolating Dynamic IPv6 on Guest VLAN

Only option I can come up with (without diving into zone based firewall):

Mark IPv6 packets entering on the guest port with some value.

On LAN6_OUT, block packets having that mark, allow the rest.

New Member
Posts: 10
Registered: 12-29-2016
Kudos: 7

Re: Isolating Dynamic IPv6 on Guest VLAN

Thanks for the response.

Seems silly to have to set it to mark packets, isn't that what the VLAN is there for in the first place (well, in addition to isolating the networks, which, well, I don't get why EdgeOS doesn't do this by default, but that's another topic...)?

 

Anyway, for posterity, or if anyone ever tries to look for this, here's what I did, and it appears to be working:

To mark the incoming Guest VLAN's IPv6 packets:

set firewall ipv6-modify MARK_GUESTv6 rule 10 action modify
set firewall ipv6-modify MARK_GUESTv6 rule 10 modify mark 1
set interfaces switch switch0 vif 2 firewall in ipv6-modify MARK_GUESTv6

and to block them from the LAN:

set firewall ipv6-name LANv6_OUT default-action accept
set firewall ipv6-name LANv6_OUT rule 10 action drop
set firewall ipv6-name LANv6_OUT rule 10 mark 1
set interfaces switch switch0 firewall out ipv6-name LANv6_OUT

And this was much easier and simpler than trying to figure out the zones configuration, so thanks for the suggestion, 16again.
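An added check, not from the thread or from EdgeOS itself: fed the `set ...` lines of `show configuration commands`, it confirms that the mark assigned by the ruleset on the guest VLAN's ingress is the same mark dropped by the ruleset on the LAN's egress, which is the one thing this policy depends on (no prefix is involved, so it is worth re-running after any firewall edit or firmware change). SAMPLE_CONFIG is a constructed copy of the commands above, and the function and variable names are this example's own.

```python
import shlex
# Constructed sample in `show configuration commands` form, mirroring the
# thread's commands (not captured from a real router).
SAMPLE_CONFIG = """
set firewall ipv6-modify MARK_GUESTv6 rule 10 action modify
set firewall ipv6-modify MARK_GUESTv6 rule 10 modify mark 1
set firewall ipv6-name LANv6_OUT default-action accept
set firewall ipv6-name LANv6_OUT rule 10 action drop
set firewall ipv6-name LANv6_OUT rule 10 mark 1
set interfaces switch switch0 firewall out ipv6-name LANv6_OUT
set interfaces switch switch0 vif 2 firewall in ipv6-modify MARK_GUESTv6
"""

def parse_set_lines(text):
    """Token lists of every `set ...` line, minus the leading 'set'."""
    rows = [shlex.split(line) for line in text.splitlines()]
    return [r[1:] for r in rows if r and r[0] == "set"]

def isolation_pairs(text):
    """Sorted (guest_iface, lan_iface, mark) triples: packets marked on ingress
    to guest_iface are dropped on egress from lan_iface; [] means no match."""
    set_marks, action, mark = {}, {}, {}  # per ipv6-modify ruleset / per ipv6-name rule
    ingress, egress = {}, {}              # iface -> ruleset attached in / out
    for r in parse_set_lines(text):
        if r[:2] == ["firewall", "ipv6-modify"] and r[5:7] == ["modify", "mark"]:
            set_marks.setdefault(r[2], set()).add(r[7])
        elif r[:2] == ["firewall", "ipv6-name"] and len(r) == 7 and r[3] == "rule":
            if r[5] == "action":
                action[(r[2], r[4])] = r[6]
            elif r[5] == "mark":
                mark[(r[2], r[4])] = r[6]
        elif r[0] == "interfaces" and "firewall" in r[3:]:
            i = r.index("firewall")
            direction, kind, name = (r[i + 1:i + 4] + [None] * 3)[:3]
            iface = r[2] + (".%s" % r[4] if r[3] == "vif" else "")
            if (direction, kind) == ("in", "ipv6-modify"):
                ingress[iface] = name
            elif (direction, kind) == ("out", "ipv6-name"):
                egress[iface] = name
    # a ruleset drops a mark only if the same rule has action drop and that mark
    drop_marks = {}
    for (name, num), m in mark.items():
        if action.get((name, num)) == "drop":
            drop_marks.setdefault(name, set()).add(m)
    pairs = []
    for g_iface, mod in ingress.items():
        for l_iface, name in egress.items():
            for m in sorted(set_marks.get(mod, set()) & drop_marks.get(name, set())):
                pairs.append((g_iface, l_iface, m))
    return sorted(pairs)
```

On a router, pipe the output of `show configuration commands` into `isolation_pairs`; an empty result means the guest mark and the LAN drop rule no longer line up.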

New Member
Posts: 14
Registered: 01-21-2015
Kudos: 11
Solutions: 1

Re: Isolating Dynamic IPv6 on Guest VLAN

Does "mark" still disable HW offload or has that been fixed in recent releases?