Does anyone have a working ipv6 firewall example for rolling 1.4.x?

I’m totally new to VyOS and I apologize if this has been answered already: Does anyone have a working ipv6 firewall example for rolling 1.4.x?

All the examples I find are for previous releases - and I can’t seem to make one that works that doesn’t just stop all traffic.

2 Likes

seconded. also would be useful to include basic ipv6 functionality in the documentation quick start page

1 Like

For the documentation you may refer to the following:

Docs for 1.4: Firewall — VyOS 1.4.x (sagitta) documentation

Docs for 1.3: Firewall — VyOS 1.3.x (equuleus) documentation

We are still improving the usability level and preparing a list of explanations, examples, and recommendations for the new firewall.

1 Like

Hope this helps.

forward {
    filter {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            state {
                related enable
            }
        }
        rule 10 {
            action jump
            inbound-interface {
                interface-group inside
            }
            jump-target inside_outside_ipv6
            outbound-interface {
                interface-group outside
            }
        }
        rule 20 {
            action jump
            inbound-interface {
                interface-group outside
            }
            jump-target ouside_inside_ipv6
            outbound-interface {
                interface-group inside
            }
        }
    }
}
input {
    filter {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            state {
                related enable
            }
        }
        rule 10 {
            action accept
            inbound-interface {
                interface-group inside
            }
        }
        rule 20 {
            action accept
            icmpv6 {
                type 1
            }
            protocol ipv6-icmp
        }
        rule 21 {
            action accept
            icmpv6 {
                type 2
            }
            protocol ipv6-icmp
        }
        rule 22 {
            action accept
            icmpv6 {
                type 3
            }
            protocol ipv6-icmp
        }
        rule 23 {
            action accept
            icmpv6 {
                type 4
            }
            protocol ipv6-icmp
        }
        rule 24 {
            action accept
            icmpv6 {
                type 128
            }
            protocol ipv6-icmp
        }
        rule 25 {
            action accept
            hop-limit {
                eq 1
            }
            icmpv6 {
                type 130
            }
            protocol ipv6-icmp
        }
        rule 26 {
            action accept
            hop-limit {
                eq 255
            }
            icmpv6 {
                type 134
            }
            protocol ipv6-icmp
        }
        rule 27 {
            action accept
            hop-limit {
                eq 255
            }
            icmpv6 {
                type 135
            }
            protocol ipv6-icmp
        }
        rule 28 {
            action accept
            hop-limit {
                eq 255
            }
            icmpv6 {
                type 136
            }
            protocol ipv6-icmp
        }
        rule 30 {
            action accept
            destination {
                port 546
            }
            hop-limit {
                eq 255
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 40 {
            action accept
            destination {
                address ::/0
            }
            log enable
        }
    }
}
name inside_outside_ipv6 {
    default-action accept
}
name ouside_inside_ipv6 {
    default-action drop
    rule 10 {
        action accept
        icmpv6 {
            type 1
        }
        protocol ipv6-icmp
    }
    rule 11 {
        action accept
        icmpv6 {
            type 2
        }
        protocol ipv6-icmp
    }
    rule 12 {
        action accept
        icmpv6 {
            type 3
        }
        protocol ipv6-icmp
    }
    rule 13 {
        action accept
        icmpv6 {
            type 4
        }
        protocol ipv6-icmp
    }
    rule 14 {
        action accept
        icmpv6 {
            type 128
        }
        protocol ipv6-icmp
    }
}
output {
    filter {
        default-action accept
    }
}

Do you mind using “show config commands | strip-private” for the config dump instead? :slight_smile:

2 Likes

set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 1 action 'accept'
set firewall ipv6 forward filter rule 1 state established 'enable'
set firewall ipv6 forward filter rule 2 action 'drop'
set firewall ipv6 forward filter rule 2 state invalid 'enable'
set firewall ipv6 forward filter rule 3 action 'accept'
set firewall ipv6 forward filter rule 3 state related 'enable'
set firewall ipv6 forward filter rule 10 action 'jump'
set firewall ipv6 forward filter rule 10 inbound-interface interface-group 'inside'
set firewall ipv6 forward filter rule 10 jump-target 'inside_outside_ipv6'
set firewall ipv6 forward filter rule 10 outbound-interface interface-group 'outside'
set firewall ipv6 forward filter rule 20 action 'jump'
set firewall ipv6 forward filter rule 20 inbound-interface interface-group 'outside'
set firewall ipv6 forward filter rule 20 jump-target 'ouside_inside_ipv6'
set firewall ipv6 forward filter rule 20 outbound-interface interface-group 'inside'
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 input filter rule 1 action 'accept'
set firewall ipv6 input filter rule 1 state established 'enable'
set firewall ipv6 input filter rule 2 action 'drop'
set firewall ipv6 input filter rule 2 state invalid 'enable'
set firewall ipv6 input filter rule 3 action 'accept'
set firewall ipv6 input filter rule 3 state related 'enable'
set firewall ipv6 input filter rule 10 action 'accept'
set firewall ipv6 input filter rule 10 inbound-interface interface-group 'inside'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 icmpv6 type '1'
set firewall ipv6 input filter rule 20 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 21 action 'accept'
set firewall ipv6 input filter rule 21 icmpv6 type '2'
set firewall ipv6 input filter rule 21 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 22 action 'accept'
set firewall ipv6 input filter rule 22 icmpv6 type '3'
set firewall ipv6 input filter rule 22 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 23 action 'accept'
set firewall ipv6 input filter rule 23 icmpv6 type '4'
set firewall ipv6 input filter rule 23 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 24 action 'accept'
set firewall ipv6 input filter rule 24 icmpv6 type '128'
set firewall ipv6 input filter rule 24 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 25 action 'accept'
set firewall ipv6 input filter rule 25 hop-limit eq '1'
set firewall ipv6 input filter rule 25 icmpv6 type '130'
set firewall ipv6 input filter rule 25 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 26 action 'accept'
set firewall ipv6 input filter rule 26 hop-limit eq '255'
set firewall ipv6 input filter rule 26 icmpv6 type '134'
set firewall ipv6 input filter rule 26 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 27 action 'accept'
set firewall ipv6 input filter rule 27 hop-limit eq '255'
set firewall ipv6 input filter rule 27 icmpv6 type '135'
set firewall ipv6 input filter rule 27 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 28 action 'accept'
set firewall ipv6 input filter rule 28 hop-limit eq '255'
set firewall ipv6 input filter rule 28 icmpv6 type '136'
set firewall ipv6 input filter rule 28 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 30 action 'accept'
set firewall ipv6 input filter rule 30 destination port '546'
set firewall ipv6 input filter rule 30 hop-limit eq '255'
set firewall ipv6 input filter rule 30 protocol 'udp'
set firewall ipv6 input filter rule 30 source port '547'
set firewall ipv6 input filter rule 40 action 'accept'
set firewall ipv6 input filter rule 40 destination address '::/0'
set firewall ipv6 name inside_outside_ipv6 default-action 'accept'
set firewall ipv6 name ouside_inside_ipv6 default-action 'drop'
set firewall ipv6 name ouside_inside_ipv6 rule 10 action 'accept'
set firewall ipv6 name ouside_inside_ipv6 rule 10 icmpv6 type '1'
set firewall ipv6 name ouside_inside_ipv6 rule 10 protocol 'ipv6-icmp'
set firewall ipv6 name ouside_inside_ipv6 rule 11 action 'accept'
set firewall ipv6 name ouside_inside_ipv6 rule 11 icmpv6 type '2'
set firewall ipv6 name ouside_inside_ipv6 rule 11 protocol 'ipv6-icmp'
set firewall ipv6 name ouside_inside_ipv6 rule 12 action 'accept'
set firewall ipv6 name ouside_inside_ipv6 rule 12 icmpv6 type '3'
set firewall ipv6 name ouside_inside_ipv6 rule 12 protocol 'ipv6-icmp'
set firewall ipv6 name ouside_inside_ipv6 rule 13 action 'accept'
set firewall ipv6 name ouside_inside_ipv6 rule 13 icmpv6 type '4'
set firewall ipv6 name ouside_inside_ipv6 rule 13 protocol 'ipv6-icmp'
set firewall ipv6 name ouside_inside_ipv6 rule 14 action 'accept'
set firewall ipv6 name ouside_inside_ipv6 rule 14 icmpv6 type '128'
set firewall ipv6 name ouside_inside_ipv6 rule 14 protocol 'ipv6-icmp'
set firewall ipv6 output filter default-action 'accept'
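A small linter for dumps like the one above, added here as an example; it is not code from the thread or from VyOS. It reads `show config commands` output (straight or curly quotes, since web pastes often mangle them), then reports three things worth catching before `commit`: an accept rule with no real match criteria (like rule 40 above, whose `::/0` destination means the chain's `default-action drop` is never reached for new flows), a `jump-target` whose chain is never defined, and which of the ICMPv6 types the dump admits into the router are missing from a chain. The sample dump is constructed and shortened; the set of "needed" ICMPv6 types is simply the set the dump above allows, and the `type-name` values other than `echo-request` are assumed to follow the nftables names VyOS uses.

```python
"""Lint 'set firewall ipv6 ...' dumps before committing them (added example)."""
import re

# Constructed, shortened sample in the shape of the dumps above. It deliberately has a
# curly-quoted value, a misspelled jump-target and an accept rule that matches everything.
SAMPLE_DUMP = """
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 input filter rule 1 action 'accept'
set firewall ipv6 input filter rule 1 state established 'enable'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 icmpv6 type '1'
set firewall ipv6 input filter rule 20 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 24 action 'accept'
set firewall ipv6 input filter rule 24 icmpv6 type-name 'echo-request'
set firewall ipv6 input filter rule 24 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 27 action 'accept'
set firewall ipv6 input filter rule 27 hop-limit eq '255'
set firewall ipv6 input filter rule 27 icmpv6 type '135'
set firewall ipv6 input filter rule 27 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 40 action 'accept'
set firewall ipv6 input filter rule 40 destination address '::/0'
set firewall ipv6 input filter rule 40 log 'enable'
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 20 action 'jump'
set firewall ipv6 forward filter rule 20 inbound-interface interface-group 'outside'
set firewall ipv6 forward filter rule 20 jump-target 'ouside_inside_ipv6'
set firewall ipv6 name outside_inside_ipv6 default-action 'drop'
set firewall ipv6 output filter default-action ‘accept’
"""

SET_RE = re.compile(
    r"^set firewall ipv6 (?P<chain>input filter|forward filter|output filter|name \S+)"
    r"(?: rule (?P<rule>\d+))? (?P<rest>.+)$"
)
QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight and curly quotes (web-paste artefact)
# ICMPv6 types the dump above admits to the router: errors 1-4, echo request, MLD query, NDP.
# Assumed baseline for this check, not a VyOS-provided list.
NEEDED_ICMPV6 = {1, 2, 3, 4, 128, 130, 134, 135, 136}
# nftables-style names for 'icmpv6 type-name' (assumed, apart from echo-request).
ICMPV6_TYPE_NAMES = {"destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
                     "parameter-problem": 4, "echo-request": 128, "mld-listener-query": 130,
                     "nd-router-advert": 134, "nd-neighbor-solicit": 135, "nd-neighbor-advert": 136}
NON_MATCH_KEYS = {"action", "jump-target", "log", "description", "disable"}  # do not narrow a rule


def parse_dump(text):
    """Return {chain: {"default-action": str | None, "rules": {num: {key: value}}}}."""
    chains = {}
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        chain = chains.setdefault(m["chain"], {"default-action": None, "rules": {}})
        tokens = m["rest"].split()
        key, value = " ".join(tokens[:-1]), tokens[-1].strip(QUOTES)
        if m["rule"] is None:
            if key == "default-action":
                chain["default-action"] = value
        else:
            chain["rules"].setdefault(int(m["rule"]), {})[key] = value
    return chains


def find_catch_all_accepts(chains):
    """Accept rules with no effective criteria: they silently override the default-action."""
    hits = []
    for name, chain in chains.items():
        for num, rule in sorted(chain["rules"].items()):
            criteria = {k: v for k, v in rule.items() if k not in NON_MATCH_KEYS and v != "::/0"}
            if rule.get("action") == "accept" and not criteria:
                hits.append((name, num))
    return hits


def find_dangling_jumps(chains):
    """jump-targets that name a chain which is never defined (typo check)."""
    defined = {c.split(" ", 1)[1] for c in chains if c.startswith("name ")}
    return [(name, num, rule["jump-target"])
            for name, chain in chains.items()
            for num, rule in sorted(chain["rules"].items())
            if rule.get("action") == "jump" and rule.get("jump-target") not in defined]


def missing_icmpv6_types(chains, chain_name="input filter"):
    """Types from NEEDED_ICMPV6 that no accept rule in the chain admits."""
    allowed = set()
    for rule in chains.get(chain_name, {"rules": {}})["rules"].values():
        if rule.get("action") != "accept" or rule.get("protocol") != "ipv6-icmp":
            continue
        if rule.get("icmpv6 type", "").isdigit():
            allowed.add(int(rule["icmpv6 type"]))
        elif rule.get("icmpv6 type-name") in ICMPV6_TYPE_NAMES:
            allowed.add(ICMPV6_TYPE_NAMES[rule["icmpv6 type-name"]])
    return sorted(NEEDED_ICMPV6 - allowed)


if __name__ == "__main__":
    chains = parse_dump(SAMPLE_DUMP)
    for name, num in find_catch_all_accepts(chains):
        print(f"{name} rule {num}: accepts everything, default-action is never reached")
    for name, num, target in find_dangling_jumps(chains):
        print(f"{name} rule {num}: jump-target {target!r} is not a defined chain")
    print("input filter lacks ICMPv6 types:", missing_icmpv6_types(chains))
```

Run it against a saved dump (`show config commands | strip-private > fw.txt` on the router, then `parse_dump(open("fw.txt").read())`); the misspelled chain in the sample is the kind of thing `commit` would reject anyway, but the catch-all accept commits fine and is only visible when you read the rules in order.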

Yes, agree, IPv6 is basic these days.

Or, if that’s not clear enough… I’m new too, maybe I still speak enough outsider to translate to/from VyOS.

There’s really not much difference between IPv4 and IPv6 rules, except that if you didn’t pay much attention to source address before, now you have to, given it’s likely you will be using global addresses because they can be on any interface.

About groups

As rules go, if you haven’t done v4 either, you should start by putting everything into groups. This will allow you to make modifications later without actually changing your ruleset. Groups are somewhat analogous to IP sets, aliases and/or address lists in OpenWRT, pfSense/OPNsense and RouterOS/Cloud Hosted Router, respectively.

So far, they are the biggest part of my config and I’ve not yet started with the resolvable ones even, or IPv6; I actually had to do some in order to post these. It might feel like a nuisance but you’ll be thankful for it. Back in pfSense these were the largest part of my config too, and the only thing I bothered to back up, but they’re so useful for updating things that I even created replacements for the built-in ones*.

After you have a few, export and continue working in an IDE, such as VSCode, and reload the whole thing each time, that’ll keep your rule set tidy.

# CLEAR, SET DEFAULTS, & PASTE THE WHOLE SECTION EACH TIME 
del firewall
set firewall ipv6   input filter default-action drop # ← LAST RULE; WHEN NOTHING ELSE MATCHED
set firewall ipv6 forward filter default-action drop # ← LAST RULE; WHEN NOTHING ELSE MATCHED
set firewall ipv6  output filter default-action drop # ← 'ACCEPT' IS FINE IF NOTHING ELSE RUNS IN FIREWALL
# SAY, YOU HAVE A /48 FROM HE & WANT TO ROUTE YOUR OWN SUBNETS, DECLARE THEM:
# ALL: "rfc1918" in IPv6 even if all kinds of wrong, it means intranet for me, plus it's easier to search&replace
set firewall group ipv6-network-group rfc1918 network '2001:470:b9dd::/48' # ← YOUR V6 BLOCK, OBVIOUSLY
set firewall group ipv6-network-group rfc1918 network 'fc00::/7'           # ← ULAs, I ONLY USE THIS FOR ROUTER-ROUTER LINKS
# BY SUBNET:
set firewall group ipv6-network-group z0100 network '2001:0470:b9dd:0100::/64'
set firewall group ipv6-network-group z0200 network '2001:0470:b9dd:0200::/64'
set firewall group ipv6-network-group z0300 network '2001:0470:b9dd:0300::/64'
set firewall group ipv6-network-group z0300 network 'fced:0470:b9dd:0300::/64'
# BY USER:                ↓↑ MATCH NET VS ADDR ↑↓
set firewall group ipv6-address-group uMIKE address '2001:470:b9dd:100::e'
set firewall group ipv6-address-group uMIKE address '2001:470:b9dd:100::f'
set firewall group ipv6-address-group uMIKE address '2001:470:b9dd:100::10'
set firewall group ipv6-address-group uMIKE address '2001:470:b9dd:100::11'
set firewall group ipv6-address-group uRSLV address '2001:470:b9dd:900::1'
set firewall group ipv6-address-group uRSLV address '2001:470:b9dd:900::2'
set firewall group ipv6-address-group uRSLV address '2001:470:b9dd:900::3'
# …AND EXTERNAL GROUPS MAYBE? (HARD PASS FOR ME)
set firewall group ipv6-address-group 'dns_opendns'    address '2620:0:ccc::2'
set firewall group ipv6-address-group 'dns_opendns'    address '2620:0:ccd::2'
set firewall group ipv6-address-group 'dns_cloudflare' address '2606:4700:4700::1111'
set firewall group ipv6-address-group 'dns_cloudflare' address '2606:4700:4700::1001'
set firewall group ipv6-address-group 'dns_quad9'      address '2620:fe::fe'
set firewall group ipv6-address-group 'dns_quad9'      address '2620:fe::9'
set firewall group ipv6-address-group 'dns_quad9raw'   address '2620:fe::10'
set firewall group ipv6-address-group 'dns_quad9raw'   address '2620:fe::fe:10'
# …THOUGH SOMETHING LIKE THIS MIGHT BE USEFUL - I HAVE NOT TESTED YET
set firewall group domain-group acme_renewal address 'api.cloudflare.com'
set firewall group domain-group acme_renewal address 'lencr.org'
set firewall group domain-group acme_renewal address 'o.lencr.org'
set firewall group domain-group acme_renewal address 'r3.o.lencr.org'
set firewall group domain-group acme_renewal address 'acme-v02.api.letsencrypt.org'
set firewall group domain-group acme_renewal address 'api.letsencrypt.org'
set firewall group domain-group acme_renewal address 'letsencrypt.org'
set firewall group domain-group acme_renewal address 'acme-staging-v02.api.letsencrypt.org'
# BY TCP&|UDP PORTS
set firewall group port-group pdef_webports port '443'
set firewall group port-group pdef_webports port '80'
set firewall group port-group pdef_websec   port '443'
set firewall group port-group pdef_webstd   port '80'
set firewall group port-group pdef_dsm      port '5001'
set firewall group port-group pdef_dsm      port '5002'
set firewall group port-group pdef_dsm      port '5003'



# ANTILOCKOUT
set firewall ipv6 input filter   rule      9 action 'accept'
set firewall ipv6 input filter   rule      9 source group network-group 'rfc1918'
# OR
set firewall ipv6 input filter   rule     10 action 'accept'
set firewall ipv6 input filter   rule     10 icmpv6 type-name 'echo-request'
# AND
set firewall ipv6 input filter   rule     11 action 'accept'
set firewall ipv6 input filter   rule     11 icmpv6 type-name 'echo-request'
# EDGE RULES — PING HOSTS
set firewall ipv6 forward filter rule     13 action 'accept'
set firewall ipv6 forward filter rule     13 icmpv6 type-name 'echo-request'
# EDGE RULES — INTERVLAN ROUTING
set firewall ipv6 forward filter rule     11 action 'accept'
set firewall ipv6 forward filter rule     11 destination group network-group 'rfc1918'
set firewall ipv6 forward filter rule     11 source group network-group 'rfc1918'
# EDGE RULES - ALLOWING SERVERS GET CERTS
set firewall ipv6 forward filter rule    9200 action 'accept'
set firewall ipv6 forward filter rule    9200 protocol tcp
set firewall ipv6 forward filter rule    9200 source group network-group z0900
set firewall ipv6 forward filter rule    9200 destination group port-group pdef_websec
# EDGE RULES - WEB
set firewall ipv6 forward filter rule    9500 action 'accept'
set firewall ipv6 forward filter rule    9500 protocol tcp
set firewall ipv6 forward filter rule    9500 source group network-group z0900
set firewall ipv6 forward filter rule    9500 destination group port-group pdef_webports
# EDGE RULES - NEGATE/BLOCK THE NEXT RULE FROM APPLYING TO AN SPECIFIC MEMBER OF "uRSLV"
set firewall ipv6 forward filter rule    9501 action 'reject'
set firewall ipv6 forward filter rule    9501 protocol udp
set firewall ipv6 forward filter rule    9501 source address '2001:470:b9dd:900::2'
set firewall ipv6 forward filter rule    9501 destination group port-group pdef_webports
# EDGE RULES - WEB: QUIC, DOH, SMB3… - THIS IS NOT ENCRYPTED FOR "YOUR SECURITY"
set firewall ipv6 forward filter rule    9502 action 'accept'
set firewall ipv6 forward filter rule    9502 protocol udp
set firewall ipv6 forward filter rule    9502 source group address-group uRSLV
set firewall ipv6 forward filter rule    9502 destination group port-group pdef_webports
# NOW, COMMIT, & IF STILL IN CONFIG MODE RUN
run show config commands
# OR IF IN BLACKOPS MODE OR WHATEVER, TAKE OUT THE "run"
show config commands

The IDE was great to help me figure out the numbering scheme; mine matches my VLANs, which match my IPv4, IPv6 and even my MAC addressing a bit. Each list has its own BTW, I just treat it as one bc it’s easier.

# ORDER ----- RULESET -------- USE CASE ----------------------------------------
000001-000003 in/out/fwd     - preset state matchers
#--- must pass -----------------------------------------------------------------
000010        input filter   - emergency musts, icmp, router access
000020-ish    input filter   - intervlan rules
#--- blocks --------------------------------------------------------------------
000200        forward filter - outbound geoblocks
000300        forward filter - inbound geoblocks
#--- pass rules ----------------------------------------------------------------
000400-000999 forward filter - in/out network-wide blocks; social, DNSBL…
001001⇢       forward filter - vlan 1/0 rules
#- low 1000s⇢ forward filter - explicit —singled-out— blocks -------------------
#- mid 1000s⇢ forward filter - super targeted passes ---------------------------
# high 1000s⇢ forward filter - what's left passes ------------------------------
002000⇢       forward filter - vlan 3, or 20, or 200 rules
003000⇢       forward filter - vlan 3, or 30, or 300 rules
# ↑ VLAN

There’s a big flaw with this, obviously; I can only do from VLAN 1 to VLAN 999, but that works for me.

VyOS doesn’t seem to support address 0 of an IPv6 block; instead of “2001:db8::” you’ll have to settle for “2001:db8::1”.

Other notes

And, as a reminder about IPv6: the only easy, sure way to assign addresses so you can enforce policies is with RADIUS; otherwise, with link-local and SLAAC and some multi-homed devices somehow using DHCPv6-gotten addresses as anycast addresses, you’ll go insane.

Also, unrelated, but close enough; IDK why there are different sets of aliases/groups for v6 and v4 if the first thing rules themselves do is specify the stack; they could just ignore the addresses for the v4 stack.

If a rule could target both stacks, like they do sometimes in other platforms, then this would likely force it into two rules. :frowning: Hopefully they figure this out at some point.

* :

…which, in tandem with pfSense nomenclature limitations, resulted in pdef_xxx for ports, def_xxx = hosts, zdef_xxx = subnets, g = location-based, u = single-user devices… I don’t remember what “def” meant though. But on the bright side it means if I need more characters, I can just take those three. :slight_smile:
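A companion check for the group definitions, added as an example; it is not the poster’s code or VyOS code. Once groups become the largest part of the config, the mistakes move there: a member listed twice (like the repeated ::11 above), a host entry that is the subnet’s address 0 (which VyOS rejects, as noted above), a host that is not covered by the intranet aggregate, and not knowing which zXXXX subnet group a host falls in when its rule number is supposed to follow that VLAN. The sample lines are constructed on the 2001:db8::/32 documentation prefix; the group names mirror the post but the addresses are not the poster’s.

```python
"""Sanity-check 'set firewall group ipv6-*-group' definitions (added example)."""
import ipaddress
import re

# Constructed sample; layout mirrors the post above, addresses are documentation-prefix.
SAMPLE_GROUPS = """
set firewall group ipv6-network-group rfc1918 network '2001:db8:abcd::/48'  # ← aggregate
set firewall group ipv6-network-group rfc1918 network 'fc00::/7'
set firewall group ipv6-network-group z0100 network '2001:db8:abcd:100::/64'
set firewall group ipv6-network-group z0900 network '2001:db8:abcd:900::/64'
set firewall group ipv6-address-group uMIKE address '2001:db8:abcd:100::10'
set firewall group ipv6-address-group uMIKE address '2001:db8:abcd:100::11'
set firewall group ipv6-address-group uMIKE address '2001:db8:abcd:100::11'
set firewall group ipv6-address-group uRSLV address '2001:db8:abcd:900::'
set firewall group ipv6-address-group uRSLV address '2001:db8:abcd:900::1'
set firewall group ipv6-address-group 'dns_quad9' address '2620:fe::fe'
"""

GROUP_RE = re.compile(
    r"^set firewall group (?P<kind>ipv6-network-group|ipv6-address-group) "
    r"(?P<name>\S+) (?:network|address) (?P<member>\S+)"
)


def parse_groups(text):
    """Return ({network-group: [IPv6Network]}, {address-group: [IPv6Address]}).
    Lists rather than sets, so duplicated members stay visible."""
    nets, addrs = {}, {}
    for raw in text.splitlines():
        m = GROUP_RE.match(raw.strip())
        if not m:
            continue
        name, member = m["name"].strip("'"), m["member"].strip("'")
        if m["kind"] == "ipv6-network-group":
            nets.setdefault(name, []).append(ipaddress.IPv6Network(member))
        else:
            addrs.setdefault(name, []).append(ipaddress.IPv6Address(member))
    return nets, addrs


def duplicate_members(groups):
    """(group, member) pairs that appear more than once."""
    dups = []
    for name, members in groups.items():
        seen = set()
        for m in members:
            if m in seen and (name, str(m)) not in dups:
                dups.append((name, str(m)))
            seen.add(m)
    return dups


def subnet_zero_members(nets, addrs, zone_prefix="z"):
    """Host entries equal to the network address of a z* subnet."""
    zero = {n.network_address for g, ns in nets.items() if g.startswith(zone_prefix) for n in ns}
    return [(g, str(a)) for g, ms in addrs.items() for a in ms if a in zero]


def external_members(nets, addrs, aggregate="rfc1918"):
    """Hosts outside every network of the aggregate group: fine for public resolvers,
    a mistake for anything meant to be internal."""
    inside = nets.get(aggregate, [])
    return [(g, str(a)) for g, ms in addrs.items() for a in ms
            if not any(a in n for n in inside)]


def zone_of(address, nets, zone_prefix="z"):
    """Name of the z* network group containing the address, or None."""
    a = ipaddress.IPv6Address(address)
    for name, ns in nets.items():
        if name.startswith(zone_prefix) and any(a in n for n in ns):
            return name
    return None


if __name__ == "__main__":
    nets, addrs = parse_groups(SAMPLE_GROUPS)
    print("duplicated members:", duplicate_members(addrs))
    print("address-0 entries:", subnet_zero_members(nets, addrs))
    print("outside the aggregate:", external_members(nets, addrs))
    print("zone of 2001:db8:abcd:900::1:", zone_of("2001:db8:abcd:900::1", nets))
```

`zone_of` is the piece that makes the numbering scheme checkable: for a rule in the 9xxx range whose `source group` is a uXXXX address group, resolve each member and confirm it lands in z0900 before you commit.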

Also, unrelated, but close enough; IDK why there are different sets of aliases/groups for v6 and v4 if the first thing rules themselves do is specify the stack; they could just ignore the addresses for the v4 stack.

Yes! This is a great point and I would love to see this change in future.

Can you submit a bug report or feature request at https://vyos.dev explaining the issue and what you would expect from the CLI?

Yess, I’ll submit a feature request.