IPv4 LAN using IPv6 to bypass IPv4 Firewall Rule
-
I have a device (an Android tablet) on my LAN that I would like to block from internet access. I set up a firewall rule at the top to block all traffic under LAN with an alias. This alias contains a single IPv4 address, which is the static address of the device I would like to limit. It was weird because only certain websites failed to load, but others such as YouTube loaded and worked without being blocked. I only have two other rules below this, and they are IPv4 to any and IPv6 to any. I turned on logging to try to track down the issue, and all of the traffic seemed to be blocked on the local IPv4 address of this device. I then turned on logging for all rules and found that an IPv6 address appeared to be going to these websites I was opening on that device. I then disabled the IPv6 to any rule, and all outbound traffic seems to be blocked from that device as I wanted. These IPv6 addresses are not in my IPv4 or IPv6 DHCP lease tables. I don't understand what is happening here.
I have a basic understanding of networking and have searched to find information on what is happening with this for a few days with no luck. This is my first post to this forum and I hope it is in the correct section. I would like to understand what is happening and how to block just this device's outbound traffic.
-
Android tablet and DHCPv6???
Android doesn't support DHCPv6. Normally, SLAAC is used to provide IPv6 addresses. Perhaps that's where the addresses are coming from.
-
@automate_it said in IPv4 LAN using IPv6 to bypass Ipv4 Firewall Rule:
how to block just this device's outbound traffic.
Just continue to block all IPv6.. There is most likely zero anything you would need to access that is only IPv6..
Then you can easily do your blocking via its IPv4 address, which you can easily control..
You could prob just turn off IPv6 on your WAN, and set up LAN not to use it as well.. Until such time that you're ready to start the learning curve on how IPv6 is different than IPv4 and how to manage it on your network.. It's more secure and simpler to just turn it off.
And before our resident IPv6 cheerleader chimes in - I am sure Amazon is just waiting to hear automate_it has IPv6 before they, you know, let people go to amazon.com via IPv6 ;) That was the one thing they were waiting on before they enable it ;) We should prob let ebay.com and twitter know as well that you have IPv6, because they have yet to enable it either.
-
Thank you for the reply. I will keep IPv6 blocked and manage it with IPv4. I have little knowledge about IPv6, so I like your suggestion just to turn it off, at least for now.
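
Added example, not part of any post in this thread: SLAAC addresses never show up in a DHCP lease table, but they do show up in the firewall's IPv6 neighbour table, so a logged IPv6 source can be tied back to a device by its MAC. The sketch assumes the column layout printed by FreeBSD's `ndp -an`; the sample table, the 2001:db8::/32 documentation prefix, the MAC addresses and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample in the `ndp -an` column layout (made-up MACs and addresses).
SAMPLE_NDP = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2001:db8:1:1:a1b2:c3d4:e5f6:1789     02:00:5e:10:20:30  em1   23h59m10s S
2001:db8:1:1:5c7e:11ff:fe22:3344     02:00:5e:10:20:30  em1   23h58m02s S
fe80::5c7e:11ff:fe22:3344%em1        02:00:5e:10:20:30  em1   23h58m02s S
2001:db8:1:1::1                      02:00:5e:aa:bb:cc  em1   permanent R
2001:db8:1:1:d00d:feed:beef:1        02:00:5e:44:55:66  em1   12s       R
fe80::1%em1                          (incomplete)       em1   expired   N
"""

def norm_mac(mac):
    """Canonical lower-case, zero-padded, colon-separated MAC."""
    return ":".join(f"{int(p, 16):02x}" for p in mac.replace("-", ":").split(":"))

def parse_ndp(text):
    """Return {IPv6Address: mac} for every resolved neighbour entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Neighbor":
            continue  # blank line or header row
        try:
            addr = ipaddress.IPv6Address(fields[0].split("%")[0])  # drop %zone
            table[addr] = norm_mac(fields[1])
        except ValueError:
            continue  # "(incomplete)" entry or unparsable line
    return table

def addresses_for_mac(table, mac):
    """Split one device's current addresses into link-local and routable."""
    mine = sorted(a for a, m in table.items() if m == norm_mac(mac))
    return {
        "link_local": [str(a) for a in mine if a.is_link_local],
        "routable": [str(a) for a in mine if not a.is_link_local],
    }

def attribute(sources, table):
    """Map logged IPv6 source addresses to the owning MAC (None if unknown)."""
    return {s: table.get(ipaddress.IPv6Address(s)) for s in sources}

if __name__ == "__main__":
    tbl = parse_ndp(SAMPLE_NDP)
    print(addresses_for_mac(tbl, "02-00-5E-10-20-30"))
```

A single device can hold several routable addresses at once, and privacy addresses rotate, so a list built this way goes stale quickly.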