ipv6 works, how do I vlan?
-
I have ipv6 yay! It works fine on my local lan. The question I have is how do I take the /58 from my isp and give addresses to my 4 vlans while keeping them isolated from my other networks? What do I need to set up?
Currently only my lan network picks up an ipv6 address from track wan address setting. dhcp6 dishes out the addresses.
On each vlan do I set to track wan interface but give it a different ipv6 prefix id? After I do this what do I need to do to keep the vlans isolated from each other?
Thanks!
-
Each LAN or VLAN interface needs a unique IPv6 Prefix ID. With a /56, your choices are 0 - ff. What do you mean by isolated? Can't get from one to another? You just don't create rules that allow it.
-
@jknott ty for your reply. Exactly, I want them to have internet access but not access to the other vlans. I'll give it a shot and do some testing.
Thanks!
-
Here's my rules for my guest WiFi. It allows access to the Internet only and pinging the guest interface.
-
@jknott What is your "Prefix" alias?
-
It's my entire /56 prefix. This is to prevent guests from even attempting to connect to anything within that range.
-
@jknott Thanks for the reply. Sorry, I should have asked a better question--do you manually enter your prefix (is it static) or can the firewall update it if it changes via DHCPv6? I am using the "suffix" part of the capability to address individual devices (let's say ::0102:0304:0506 for MAC address 01:02:03:04:05:06) but is there a way to use that dynamically updated prefix in an alias?
-
If there is a dynamic method, I don't know what it is. However, my prefix hasn't changed for years.
-
So I updated my vlan interface to track the wan and assigned the prefix id to 1. My lan has prefix id 0. I also enabled the dhcp6 and ra for that vlan. I am not getting an ipv6 address though. I did this roughly 6 hours ago, thought maybe it needed more time. Did I miss something? Maybe this isn't assigned till my lease is up?
Thanks!
-
@cyth Power cycle first your modem and then your router, if you haven't already, and you may need to change the last two settings under "DHCP6 Client Configuration" for your WAN interface depending on your ISP.
-
@cyth said in ipv6 works, how do I vlan?:
My lan has prefix id 0. I also enabled the dhcp6 and ra for that vlan.
Why are you using DHCPv6 on the VLAN? Unless you have a specific need for it, I recommend against it. SLAAC is the easiest way to provide device addresses. You can add RDNSS to provide DNS info and if and only if you need more, you can use stateless DHCPv6. Also, Android devices won't work with DHCPv6, thanks to some genius at Google.
-
@jknott thx for the info. Do I need the dhcp6 server running for clients to pick up the gateway, dns, and ntp server addresses? I see under the ra section I can set the dns, but what about the gateway and ntp? Would you suggest I disable the dhcp6 server and switch the ra mode to Unmanaged, is this slaac? Also I made a prefix alias but I am not sure where I get my prefix from, so I copied from the lan's dhcp6 info at the top of the screen. I have set my fw rules up like so:
Goal was to allow any communication within the vlan, internet access, and allow a few other exceptions to some internal services I have going on.
Thanks again for your help.
-
The gateway is part of the basic RA. The DNS server is an optional part of it and NTP server would require stateless DHCPv6. If needed, you could still rely on IPv4 for those too. However, using DHCPv6 for device addresses will fail for Android devices. Unmanaged is fine, unless you need stateless DHCPv6. The prefix for the alias is the first 56 bits of the addresses (assuming /56).
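-
The Prefix ID and alias arithmetic discussed in this thread, as an added example that is not from any poster or from pfSense itself. The delegated prefix 2001:db8:1234:5600::/56 is a constructed documentation value, and the function names are hypothetical; `rule_verdict` only models the rule order described above (block the whole delegated prefix, then allow everything else).

```python
import ipaddress

def vlan_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking interface ends up with for a given Prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot be split into /64s")
    id_bits = 64 - net.prefixlen            # /56 -> 8 bits (0-ff), /58 -> 6 bits (0-3f)
    max_id = (1 << id_bits) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"Prefix ID {prefix_id:x} outside 0-{max_id:x} for /{net.prefixlen}")
    # The Prefix ID occupies the bits between the delegated prefix and bit 64.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(base), 64))

def alias_prefix(address: str, delegated_len: int = 56) -> ipaddress.IPv6Network:
    """Recover the whole delegated prefix (the alias value) from any LAN address."""
    return ipaddress.IPv6Network(f"{address}/{delegated_len}", strict=False)

def rule_verdict(dst: str, alias: ipaddress.IPv6Network) -> str:
    """Model of the described rule order: block the alias range, pass the rest."""
    return "block" if ipaddress.IPv6Address(dst) in alias else "pass"

if __name__ == "__main__":
    delegated = "2001:db8:1234:5600::/56"   # constructed sample delegation
    for name, pid in [("LAN", 0x0), ("VLAN10", 0x1), ("GUEST", 0xff)]:
        print(f"{name:7} prefix id {pid:>2x} -> {vlan_subnet(delegated, pid)}")

    # Address as seen on a client in the Prefix ID 1 VLAN (constructed).
    alias = alias_prefix("2001:db8:1234:5601:0:102:304:506")
    print("alias:", alias)
    print("to LAN host     :", rule_verdict("2001:db8:1234:5600::10", alias))
    print("to Internet host:", rule_verdict("2001:db8:ffff::1", alias))
```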