IF NOT fw-rules



  • Hi,

    For blocking some traffic that does not belong to the segment, I'm using "IF-NOT-ALIASES".

    Traffic that may go to another segment goes through the rule; other (local) traffic that is not allowed gets blocked, and finally traffic that may go out to the internet gets an allow rule to *.

    Now I want to add ranges of IPv6 to those aliases, but it does not seem to work.

    How can I put in ranges of IPv6 blocks, so I can block different IPv6 ranges from getting out of that segment?


  • Rebel Alliance Global Moderator

    What are you doing? Can you post your rules so we are clear? Why would you be seeing traffic on an interface that is not from that network segment?



  • "What are you doing?" … Hehe... I hear that a lot.

    Never mind.

    I found a page which helped me define the IPv6 ranges.

    What I want is just a /112 piece from the /64 to be assigned to the VLAN segment.
    The rest it cannot reach, so I had to define it.

    Looks like this:

    2001:444:1234:ab6:0:0:0:0/103
    2001:444:1234:ab6:0:0:200:0/107
    2001:444:1234:ab6:0:0:220:0/108
    2001:444:1234:ab6:0:0:230:0/109
    2001:444:1234:ab6:0:0:238:0/111

    segment IF-NOT-240

    2001:444:1234:ab6:0:0:241:0/112
    2001:444:1234:ab6:0:0:242:0/111
    2001:444:1234:ab6:0:0:244:0/110
    2001:444:1234:ab6:0:0:248:0/109
    2001:444:1234:ab6:0:0:250:0/108
    2001:444:1234:ab6:0:0:260:0/107
    2001:444:1234:ab6:0:0:280:0/105
    2001:444:1234:ab6:0:0:300:0/104
    2001:444:1234:ab6:0:0:400:0/102
    2001:444:1234:ab6:0:0:800:0/101
    2001:444:1234:ab6:0:0:1000:0/100
    2001:444:1234:ab6:0:0:2000:0/99
    2001:444:1234:ab6:0:0:4000:0/98
    2001:444:1234:ab6:0:0:8000:0/97
    2001:444:1234:ab6:0:1:0:0/96
    2001:444:1234:ab6:0:2:0:0/95
    2001:444:1234:ab6:0:4:0:0/94
    2001:444:1234:ab6:0:8:0:0/93
    2001:444:1234:ab6:0:10:0:0/92
    2001:444:1234:ab6:0:20:0:0/91
    2001:444:1234:ab6:0:40:0:0/90
    2001:444:1234:ab6:0:80:0:0/89
    2001:444:1234:ab6:0:100:0:0/88
    2001:444:1234:ab6:0:200:0:0/87
    2001:444:1234:ab6:0:400:0:0/86
    2001:444:1234:ab6:0:800:0:0/85
    2001:444:1234:ab6:0:1000:0:0/84
    2001:444:1234:ab6:0:2000:0:0/83
    2001:444:1234:ab6:0:4000:0:0/82
    2001:444:1234:ab6:0:8000:0:0/81
    2001:444:1234:ab6:1:0:0:0/80
    2001:444:1234:ab6:2:0:0:0/79
    2001:444:1234:ab6:4:0:0:0/78
    2001:444:1234:ab6:8:0:0:0/77
    2001:444:1234:ab6:10:0:0:0/76
    2001:444:1234:ab6:20:0:0:0/75
    2001:444:1234:ab6:40:0:0:0/74
    2001:444:1234:ab6:80:0:0:0/73
    2001:444:1234:ab6:100:0:0:0/72
    2001:444:1234:ab6:200:0:0:0/71
    2001:444:1234:ab6:400:0:0:0/70
    2001:444:1234:ab6:800:0:0:0/69
    2001:444:1234:ab6:1000:0:0:0/68
    2001:444:1234:ab6:2000:0:0:0/67
    2001:444:1234:ab6:4000:0:0:0/66
    2001:444:1234:ab6:8000:0:0:0/65

    With IPv4 the aliases page was able to calculate this for me :-)
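    An added example, not code from the thread or from the firewall project: it computes the IF-NOT list for the /64 minus the ...:240:0/112 carve-out quoted in the post above using Python's standard ipaddress module, and checks a hand-built alias list for ranges it leaves uncovered. The prefix values are taken from the post; the function names are my own.

```python
import ipaddress
from typing import Iterable, List


def if_not_alias(segment: str, carved: str) -> List[str]:
    """CIDR blocks covering `segment` minus `carved`: the contents of an
    IF-NOT style alias for a sub-prefix carved out of a larger prefix.
    address_exclude() yields the minimal set of sibling prefixes, one per
    prefix length between the two (48 blocks for a /112 inside a /64)."""
    net = ipaddress.ip_network(segment)
    hole = ipaddress.ip_network(carved)
    if not hole.subnet_of(net):
        raise ValueError(f"{hole} is not inside {net}")
    return [str(n) for n in sorted(net.address_exclude(hole))]


def coverage_gaps(segment: str, carved: str, alias: Iterable[str]) -> List[str]:
    """Parts of (segment minus carved) that a hand-built alias list does not
    cover. An empty result means the alias blocks everything it should."""
    net = ipaddress.ip_network(segment)
    hole = ipaddress.ip_network(carved)
    remaining = list(net.address_exclude(hole))
    for have in (ipaddress.ip_network(a) for a in alias):
        nxt = []
        for want in remaining:
            if want.subnet_of(have):          # fully covered by this entry
                continue
            if have.subnet_of(want):          # entry covers part of it: split
                nxt.extend(want.address_exclude(have))
            else:
                nxt.append(want)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


# Values from the thread: the VLAN gets ...:240:0/112 out of the /64.
SEGMENT = "2001:444:1234:ab6::/64"
VLAN_112 = "2001:444:1234:ab6::240:0/112"

if __name__ == "__main__":
    alias = if_not_alias(SEGMENT, VLAN_112)
    print(f"{len(alias)} entries for IF-NOT-240:")
    print("\n".join(alias))
    # Drop one entry to show how the check reports the hole it would leave.
    print("gaps:", coverage_gaps(SEGMENT, VLAN_112, alias[:-1]))
```

    Paste the printed list into the alias, or feed an existing alias list to coverage_gaps() before relying on it.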


  • Rebel Alliance Global Moderator

    "What I want is just a /112 piece from the /64 to be assigned to the VLAN segment."

    That is not a good idea unless you just want to use that CIDR as a way to create firewall rules. The minimum prefix in IPv6 is really /64; you should not have any hosts on a /112. You're going to have issues, plain and simple, if that is what you're trying to do.

    Your statement seems like you want to subnet down your /64 into smaller chunks; that is not how IPv6 is designed to work. If you want another IPv6 VLAN, then you need to use a different /64. I have multiple /64s in my own network, all subnets of the /48 I have. You cannot subnet your /64 into smaller subnets/prefixes without major problems.



  • Yeah, I have read that before, but I cannot understand the stupidity behind it.

    There should be 1 IP for every piece of sand in the world (use the fantasy, I guess). But if I get a "chunk" the size of the present internet, I'm stunned about how quickly it could be finished again….? Or am I mistaken?

    Also, chopping my /64 down to /112s seems to work when I try to route it inside the house through different VLANs.
    Even applying firewall rules on the segments works flawlessly.

    So actually I don't see the problem... am I missing something stupid? I've read this before and I still have my HE /48 assigned.


  • Rebel Alliance Global Moderator

    Yeah, you're missing something stupid ;) You're applying what you know of IPv4 to IPv6, which is a completely different ball game.

    Here is a quick article that points out the RFC and what you break when you try and assign a host something other than a /64:

    http://etherealmind.com/allocating-64-wasteful-ipv6-not/
    Using a subnet prefix length other than a /64 will break many features of IPv6, amongst other things Neighbor Discovery (ND), Secure Neighborship Discovery (SEND) [RFC3971], privacy extensions [RFC4941], parts of Mobile IPv6 [RFC4866], PIM-SM with Embedded-RP [RFC3956], and SHIM6 [SHIM6]. A number of other features currently in development, or being proposed, also rely on /64 subnet prefixes.

    https://tools.ietf.org/html/rfc5375

    As the article touches on, yes, you can use subnets of a /64 for, say, point-to-point links, routing, etc. But your host is going to have a hard time finding its router via RA. While you can set this stuff up manually, you're going to break clients finding each other that are supposed to be in the same prefix if you don't use /64, plus other stuff.

    So the minimum address space given, if you are, say, a provider and ask for a block of IPv6, would be a /32. Now calculate how many /32s there are in the currently assigned global unicast space, which is 2000::/3: you're looking at what, 536 million plus /32s in the currently assigned space for global unicast. So you get a /32; how many /48s can you hand out? 65K of them.

    The problem is the space is so freaking huge that it takes a while to get your head around it. And yes, if you try and apply IPv4 thinking to IPv6, you're going to think it's wasteful ;) When in reality it makes sense to use /64.