09-20-2013 08:07 AM - edited 09-20-2013 08:17 AM
I am just trying the Guest mode, and it seems to block access to IPv6 web sites, and I can't see why. Any clues?
Actually, it looks like no IPv6 at all when connected with guest access.
09-20-2013 08:52 AM
I assume this is a known issue ("it's not a bug, it's a feature"). IPv6 will be blocked on SSIDs designated as guest even if no subnet restrictions are in place. The only way I've found to allow IPv6 traffic on guest SSIDs is to not designate them as guest in the UniFi system, but rather to have the guest SSID on its own VLAN and perform the guest/LAN isolation using firewall rules in the router.
09-20-2013 08:56 AM
That makes the whole portal stuff in the UniFi useless, which is a shame. Hopefully it can be fixed soon!
I gather that the filtering is to allow for guests on a LAN not to be able to access other machines on the LAN. Is it possible to set a separate VLAN, and so not need these IP checks, but still have the portal for newly connected devices, and hence allow the IPv6 still?
09-21-2013 12:55 AM
Ah, I didn't know that, that is a shame. I hope they can fix this soon; the main reason I bought this AP was for the guest/hotspot features. If I wanted to do it with VLANs I would have bought a 25 quid TP-Link AP.
09-21-2013 01:15 AM
I have no problem with separate VLANs being used - the FireBricks we use these with can do that, on the same subnet with a common DHCP pool but with firewalling rules between the VLANs. The feature I want from the UniFi is the portal for new clients but without any attempt to do IP filtering. Not being able to work with IPv6 is a serious issue - and will impact sales for us, as we have been providing IPv6 for over 11 years and selling a solution that does not work with IPv6 is not going to happen.
09-21-2013 02:36 AM
If you want to play around with IPv6 on the guest SSIDs in your lab, you could manually edit the ebtables on an individual UAP. SSH into one and run ebtables -t nat -L to get started.
12-31-2013 04:27 PM
The problem is that since the UniFi routers don't even have IPv6 compiled into the kernel (which is imho inexcusable), this rather screws up the whole 'guest network' thing - so their only option really is to disallow guests from accessing IPv6.
I'm going to try out the vlan thing, that sounds do-able!
07-15-2015 12:52 PM - edited 07-15-2015 12:54 PM
The main problem is not that the AP has no IPv6 support, but it's intentionally disabled in guest mode.
Here is how I could fix this on v3.2.10:
Connecting through SSH to the AP, ebtables shows the following:
BZ.v3.2.10# ebtables -t nat -L
Bridge chain: GUESTIN, entries: 16, policy: DROP
[...]
-p IPv4 --pkttype-type broadcast --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p ARP -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv6 -j DROP
--pkttype-type broadcast -j DROP
[...]
Bridge chain: GUESTOUT, entries: 6, policy: ACCEPT
-p IPv4 --pkttype-type broadcast --ip-proto udp --ip-sport 67 --ip-dport 68 -j ACCEPT
-p ARP -j ACCEPT
-p IPv6 -j DROP
--pkttype-type broadcast -j DROP
-p IPv4 --ip-dst 18.104.22.168/4 -j DROP
The problematic lines are the ones reading "-p IPv6 -j DROP".
I wanted to keep the guest portal functionality in UniFi, but IPv6 should behave pretty much the same way as the IPv4 guest works: they should be able to negotiate an IPv6 address through stateless autoconfiguration, but should be blocked until they are authorized.
Fortunately there's a method to insert custom rules into the ebtables rule list. For details visit this page. I added 3 new rules:
ebtables.100.cmd=-t nat -I GUESTIN 1 -p IPv6 --dst 33:33:00:00:00:00/ff:ff:00:00:00:00 -j ACCEPT
This is the trickiest part. For SLAAC to work flawlessly, unauthorized guests should be able to send router solicitation ICMP messages. Unfortunately, since IPv6 is not compiled into the AP's kernel, we cannot filter by IPv6 protocol type. What I used here is that these messages are multicast messages, and thus are sent to a specific MAC address range in 33:33:00-33:33:ff. This is specifically reserved for IPv6 multicast. So I just let multicast messages through so they can reach the router.
ebtables.101.cmd=-t nat -I GUESTIN 2 -p IPv6 -j AUTHORIZED_GUESTS
This rule is added to GUESTIN to simply send IPv6 packets to the AUTHORIZED_GUESTS chain, where they are filtered by MAC addresses (authorized guests are accepted, others refused). It's important that we insert this rule above the "-p IPv6 -j DROP" rule, this way simply bypassing it.
The last rule goes into GUESTOUT:
ebtables.103.cmd=-t nat -I GUESTOUT 3 -p IPv6 -j ACCEPT
This is pretty simple: we just let any traffic reach the guest clients. In fact the IPv4 rules don't do much other than this (they filter some malicious traffic but then they let everything else in).
This isn't perfect either, but "good enough" for me. These are the known problems:
- unauthorized guests can send any kind of multicast traffic, even global. This could be filtered better, but you can safely do it on the router. (It's not a good idea to let guests send global multicast packets even if they are authorized.)
- the guest portal is still accessed over IPv4. Because APs lack IPv6 support, the only way to add the necessary exceptions toward the portal would be by specifying its MAC address, and it would have to be connected to the guest network.
- there's no guest portal redirection on IPv6 traffic. So if an unauthorized client tries to access an IPv6-enabled site, they won't get redirected to the portal. This is not a big deal as long as most of the net is inaccessible over IPv6, but could be worse later. Still thinking about how this could be tricked out.
If anyone has some other ideas on how to set up an IPv6-enabled guest network on UniFi properly, please share them; maybe the UniFi maintainers will get a hint and add support soon.
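A small verification script, added here as an example and not part of the post above or of UniFi itself: it parses "ebtables -t nat -L" output for the GUESTIN chain and confirms that the two inserted IPv6 rules sit above the stock "-p IPv6 -j DROP" rule, since a DROP placed first would silently shadow them. The chain text is a constructed sample in the format shown in the post, not a capture from a real AP, and the helper names are my own.

```shell
#!/bin/sh
# Constructed sample: GUESTIN after the custom rules 100 and 101 were applied.
SAMPLE_GUESTIN_FIXED='Bridge chain: GUESTIN, entries: 18, policy: DROP
-p IPv6 --dst 33:33:00:00:00:00/ff:ff:00:00:00:00 -j ACCEPT
-p IPv6 -j AUTHORIZED_GUESTS
-p IPv4 --pkttype-type broadcast --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p ARP -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv6 -j DROP
--pkttype-type broadcast -j DROP'

# Constructed sample: the stock chain, where every IPv6 frame is dropped.
SAMPLE_GUESTIN_STOCK='Bridge chain: GUESTIN, entries: 16, policy: DROP
-p IPv4 --pkttype-type broadcast --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p ARP -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv6 -j DROP
--pkttype-type broadcast -j DROP'

# ipv6_guest_bypass_ok CHAIN_TEXT
# Returns 0 when both custom rules are present and precede the first
# "-p IPv6 -j DROP"; 1 when a rule is missing; 2 when the DROP shadows one.
ipv6_guest_bypass_ok() {
    printf '%s\n' "$1" | awk '
        /^-p IPv6 -j DROP/ && !drop { drop = NR }
        /^-p IPv6 -j AUTHORIZED_GUESTS/ && !auth { auth = NR }
        /^-p IPv6 --dst 33:33:00:00:00:00\/ff:ff:00:00:00:00 -j ACCEPT/ && !mcast { mcast = NR }
        END {
            if (!auth || !mcast) exit 1
            if (drop && (auth > drop || mcast > drop)) exit 2
            exit 0
        }'
}

# is_ipv6_multicast_mac MAC
# Returns 0 when MAC falls inside the 33:33:00:00:00:00/ff:ff:00:00:00:00 range
# accepted by rule 100 (e.g. ff02::2 all-routers maps to 33:33:00:00:00:02).
is_ipv6_multicast_mac() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        33:33:??:??:??:??) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a lab AP: ipv6_guest_bypass_ok "$(ebtables -t nat -L GUESTIN)"
```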