LAN net doesn't include IPv6 address space

kpswalin

So I am finally trying to get IPv6 working correctly on my firewall. I have a multi zone configuration which includes WAN, LAN, DMZ and OPT1. I have been subnetting IPv4 for a long time and I also tend to be restrictive in my outbound rule sets. For example I do not have an 'ALLOW ANY from LAN net to ANY' rule, but create specific rules for every service I need leaving my local LANs. I have been working the rule set for a long time and have that working fine. What I am seeing now is that IPv6 traffic gets blocked unless I have an associated 'ALLOW Service Name from ANY to Service Name' rule. It appears as though my IPv6 addresses are not considered part of the 'LAN net' range.

My interface configuration looks like this:

Interface Description
LAN

IPv4 Configuration Type
Static IPv4

IPv6 Configuration Type
Track Interface

MTU
1500

MSS
1500

Speed and Duplex
Default

Static IPv4 Configuration
IPv4 Address
10.1.1.1/26

Track IPv6 Interface
IPv6 Interface
WAN

IPv6 Prefix ID
1

I have successfully tested IPv6 with http://test-ipv6.com/ but am wondering how I can more accuratly control IPv6 traffic. I do receive a lot of '@7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"' in my logs and can't seem to pass the traffic unless I create an 'ANY' rule as opposed to my typical 'LAN net' rule.

How do I make IPv6 part of my 'LAN net' on the LAN interface?

What am I missing?

Thanks in advance for any suggestions.