IF NOT fw-rules
-
Hi,
for blocking some traffic that does not belong to the segment I'm using "IF-NOT-ALIASES".
Traffic that may go to another segment goes through the rule, other (local) traffic that is not allowed gets blocked, and finally traffic that may go out to the internet gets an allow rule to *.
Now I want to add ranges of IPv6 in those aliases but it does not seem to work.
How can I put ranges of IPv6 blocks? So I can block different ranges of IPv6 from getting out of that segment.
-
What are you doing? Can you post your rules so we are clear. Why would you be seeing traffic on an interface that is not from that network segment?
-
"What are you doing?" … Hehe... I hear that a lot.
Never mind.
I found a page which helped me define the IPv6 ranges.
What I want is just a /112 piece from the /64 to be assigned to the VLAN segment.
The rest it cannot reach. So I had to define it. Looks like this:
2001:444:1234:ab6:0:0:0:0/103
2001:444:1234:ab6:0:0:200:0/107
2001:444:1234:ab6:0:0:220:0/108
2001:444:1234:ab6:0:0:230:0/109
2001:444:1234:ab6:0:0:238:0/111
segment IF-NOT-240
2001:444:1234:ab6:0:0:241:0/112
2001:444:1234:ab6:0:0:242:0/111
2001:444:1234:ab6:0:0:244:0/110
2001:444:1234:ab6:0:0:248:0/109
2001:444:1234:ab6:0:0:250:0/108
2001:444:1234:ab6:0:0:260:0/107
2001:444:1234:ab6:0:0:280:0/105
2001:444:1234:ab6:0:0:300:0/104
2001:444:1234:ab6:0:0:400:0/102
2001:444:1234:ab6:0:0:800:0/101
2001:444:1234:ab6:0:0:1000:0/100
2001:444:1234:ab6:0:0:2000:0/99
2001:444:1234:ab6:0:0:4000:0/98
2001:444:1234:ab6:0:0:8000:0/97
2001:444:1234:ab6:0:1:0:0/96
2001:444:1234:ab6:0:2:0:0/95
2001:444:1234:ab6:0:4:0:0/94
2001:444:1234:ab6:0:8:0:0/93
2001:444:1234:ab6:0:10:0:0/92
2001:444:1234:ab6:0:20:0:0/91
2001:444:1234:ab6:0:40:0:0/90
2001:444:1234:ab6:0:80:0:0/89
2001:444:1234:ab6:00:0/88
2001:444:1234:ab6:0:200:0:0/87
2001:444:1234:ab6:0:400:0:0/86
2001:444:1234:ab6:0:800:0:0/85
2001:444:1234:ab6:0:1000:0:0/84
2001:444:1234:ab6:0:2000:0:0/83
2001:444:1234:ab6:0:4000:0:0/82
2001:444:1234:ab6:0:8000:0:0/81
2001:444:1234:ab6:1:0:0:0/80
2001:444:1234:ab6:2:0:0:0/79
2001:444:1234:ab6:4:0:0:0/78
2001:444:1234:ab6:8:0:0:0/77
2001:444:1234:ab6:10:0:0:0/76
2001:444:1234:ab6:20:0:0:0/75
2001:444:1234:ab6:40:0:0:0/74
2001:444:1234:ab6:80:0:0:0/73
2001:444:1234:ab6:100:0:0:0/72
2001:444:1234:ab6:200:0:0:0/71
2001:444:1234:ab6:400:0:0:0/70
2001:444:1234:ab6:800:0:0:0/69
2001:444:1234:ab6:1000:0:0:0/68
2001:444:1234:ab6:2000:0:0:0/67
2001:444:1234:ab6:4000:0:0:0/66
2001:444:1234:ab6:8000:0:0:0/65
With IPv4 the aliases page was able to calculate this for me :-)
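What the aliases page did for IPv4 can be done for IPv6 with Python's ipaddress module. This is an added example, not code from the thread or from pfSense: it computes the minimal "IF-NOT" list for a segment prefix inside its parent and audits a hand-typed list for addresses it fails to cover. The /64 and the /112 are the ones from the post above; the function names are my own.

```python
import ipaddress
from typing import Iterable, List

def if_not_alias(parent: str, segment: str) -> List[ipaddress.IPv6Network]:
    """Minimal prefix list covering `parent` minus `segment`.

    This is what an "IF-NOT-<segment>" alias needs: every address of the
    parent prefix that is NOT the segment's own. address_exclude() walks the
    prefix tree and emits the sibling at each level, so a /112 carved from a
    /64 yields exactly 112 - 64 = 48 prefixes, one per length /65 .. /112.
    """
    p = ipaddress.ip_network(parent, strict=True)
    s = ipaddress.ip_network(segment, strict=True)
    if not s.subnet_of(p):
        raise ValueError(f"{s} is not inside {p}")
    return sorted(p.address_exclude(s))

def alias_gaps(parent: str, segment: str, blocks: Iterable[str]) -> List[ipaddress.IPv6Network]:
    """Audit a hand-typed alias: return the parts of (parent - segment) that
    `blocks` fail to cover. Empty means nothing outside the segment slips
    through. Raises if a block touches the segment itself, because that
    would block the segment's own traffic."""
    seg = ipaddress.ip_network(segment, strict=True)
    given = [ipaddress.ip_network(b, strict=True) for b in blocks]
    bad = [b for b in given if b.overlaps(seg)]
    if bad:
        raise ValueError(f"blocks overlap the segment itself: {bad}")
    gaps: List[ipaddress.IPv6Network] = []
    for want in if_not_alias(parent, segment):
        remaining = [want]
        for b in given:
            nxt = []
            for chunk in remaining:
                if chunk.subnet_of(b):
                    continue                               # fully covered
                if b.subnet_of(chunk):
                    nxt.extend(chunk.address_exclude(b))   # partly covered
                else:
                    nxt.append(chunk)                      # disjoint, keep
            remaining = nxt
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))

# Constructed input: the /64 and the /112 segment from the post above.
PARENT = "2001:444:1234:ab6::/64"
SEGMENT = "2001:444:1234:ab6:0:0:240:0/112"

if __name__ == "__main__":
    for net in if_not_alias(PARENT, SEGMENT):
        print(net)
```

Feeding a typed-up alias to alias_gaps shows exactly which addresses outside the segment would still pass, which is the check to run before trusting a block rule built from such a list.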
-
"What I want is just a /112 piece from the /64 to be assigned to the VLAN segment."
That is not a good idea unless you just want to use that CIDR as a way to create firewall rules. The min prefix in IPv6 is really /64; you should not have any hosts on a /112. You're going to have issues plain and simple if that is what you're trying to do.
Your statement seems like you want to subnet down your /64 into smaller chunks - that is not how IPv6 is designed to work. If you want another IPv6 VLAN then you need to use a different /64. I have multiple /64s in my own network, all subnets of the /48 I have. You cannot subnet your /64 into smaller subnets/prefixes without major problems.
-
Yeah, I have read that before but I cannot understand the stupidity behind it.
There should be 1 IP for every piece of sand in the world (use the fantasy I guess). But if I get a "chunk" with the size of the present internet I'm stunned about how quickly it could be finished again…? Or am I mistaken?
Also chopping my /64 down to /112s seems to work when I try to route it inside the house through different VLANs.
Even applying firewall rules on the segments works flawlessly. So actually I don't see the problem... am I missing something stupid? I've read this before and I still have my HE /48 assigned.
-
Yeah, you're missing something stupid ;) You're applying what you know of IPv4 to IPv6 - which is a completely different ball game..
Here is a quick article that points out the RFC and what you break when you try and assign a host something other than /64:
http://etherealmind.com/allocating-64-wasteful-ipv6-not/
Using a subnet prefix length other than a /64 will break many features of IPv6, amongst other things Neighbor Discovery (ND), Secure Neighborship Discovery (SEND) [RFC3971], privacy extensions [RFC4941], parts of Mobile IPv6 [RFC4866], PIM-SM with Embedded-RP [RFC3956], and SHIM6 [SHIM6]. A number of other features currently in development, or being proposed, also rely on /64 subnet prefixes.
https://tools.ietf.org/html/rfc5375
As the article touches on, yes, you can use subnets of a /64 for say point-to-point links, routing, etc. But your host is going to have a hard time finding his router via RA. While you can set this stuff up manually, you're going to break clients finding each other that are supposed to be in the same prefix if you don't use /64, plus other stuff.
So the min address space given if you are say a provider and ask for a block of IPv6 would be a /32. Now calculate how many /32s there are in the global unicast space currently assigned, which is 2000::/3: you're looking at what, 536 million plus /32s in the current assigned space for global unicast. So you get a /32; how many /48s can you hand out? 65K of them..
The problem is the space is so freaking huge that it takes a while to get your head around it.. And yes, if you try and apply IPv4 thinking to IPv6 you're going to think it's wasteful ;) When in reality it makes sense to use /64.