ipv6 works, how do I vlan?
-
Here's my rules for my guest WiFi. It allows access to the Internet only and pinging the guest interface.
-
This post is deleted! -
@jknott What is your "Prefix" alias?
-
It's my entire /56 prefix. This is to prevent guests from even attempting to connect to anything within that range.
-
@jknott Thanks for the reply. Sorry, I should have asked a better question--do you manually enter your prefix (is it static) or can the firewall update it if it changes via DHCPv6? I am using the "suffix" part of the capability to address individual devices (let's say ::0102:0304:0506 for MAC address 01:02:03:04:05:06) but is there a way to use that dynamically updated prefix in an alias?
-
If there is a dynamic method, I don't know what it is. However, my prefix hasn't changed for years.
-
So I updated my vlan interface to track the wan and assigned the prefix id to 1. My lan has prefix id 0. I also enabled the dhcp6 and ra for that vlan. I am not getting an ipv6 address though. I did this roughly 6 hours ago, thought maybe it needed more time. Did I miss something? Maybe this isn't assigned till my lease is up?
Thanks!
-
@cyth Power cycle first your modem and then your router, if you haven't already, and you may need to change the last two settings under "DHCP6 Client Configuration" for your WAN interface depending on your ISP.
-
@cyth said in ipv6 works, how do I vlan?:
My lan has prefix id 0. I also enabled the dhcp6 and ra for that vlan.
Why are you using DHCPv6 on the VLAN? Unless you have a specific need for it, I recommend against it. SLAAC is the easiest way to provide device addresses. You can add RDNSS to provide DNS info and if and only if you need more, you can use stateless DHCPv6. Also, Android devices won't work with DHCPv6, thanks to some genius at Google.
-
@jknott thx for the info. Do I need the dhcp6 server running for clients to pickup the gateway, dns, and ntp server addresses? I see under the ra section I can set the dns, but what about the gateway and ntp? Would you suggest I disable the dhcp6 server and switch the ra mode to Unmanaged, is this slaac? Also I made a prefix alias but I am not sure where I get my prefix from, so I copied from the lan's dhcp6 info at the top of the screen. I have set my fw rules up like so:
Goal was to allow any communication within the vlan, internet access, and allow a few other exceptions to some internal services I have going on.
Thanks again for your help.
-
The gateway is part of the basic RA. The DNS server is an optional part of it and NTP server would require stateless DHCPv6. If needed, you could still rely on IPv4 for those too. However, using DHCPv6 for device addresses will fail for Android devices. Unmanaged is fine, unless you need stateless DHCPv6. The prefix for the alias is the first 56 bits of the addresses (assuming /56).
