Dualstack firewall rules

Hi there,

we run a dualstack (IPv4, IPv6) enviroment. All our servers have at least one IPv4 and one IPv6 address. The firewall is required to behave the same for IPv4 and IPv6. We currently use UBNT Edgerouter. These use EdgeOS which is a VyOS fork. With the current setup we have to copy the rules for IPv4 and IPv6. This is time consuming and error-prone.

I Propose a feature that allows to specify rules for both IPv4 and IPv6.

I think of a solution that allows to specify both IPv4 and IPv6 addresses in address/network groups and source/destination. For a dual stack rule one would specify both addresses in a address-group and then reference this address group in a rule. The rules would then be cloned to iptables and ip6tables with the respective addresses. I don’t know if the best implementation is to extend the “firewall name” subtree to allow both protocols or to add a whole new “firewall ipv46-name” tree from a backward compatibility point of view.

I know that there are problems in the details. For example ICMPv4 and ICMPv6 are very different and finding a way to implement both in one tree is not trivial but I think it is worth the effort.

I think the best strategy to fix our problem this is by implementing this in VyOS and then asking UBNT to merge this change into EdgeOS. I would be willing to invest a little bit of time for a first POC but I have no experience in VyOS development. It would be cool if some experienced developer could be found to assist me with the first steps.

Waterside over at the UBNT Forum noted that IPv4 and IPv6 are independent implementations of Layer 3 and that a implementation that tries to map both on one set of settings might get complex fast.

I would love to see this implemented in VyOS. With the ever increasing popularity of IPv6, it seems like a pretty core feature for a modern router / network security appliance.

JunOS allows you to mix IPv4 and IPv6 addresses in policy rules:

from-zone untrust to-zone dmz {
    policy myserver-http {
        match {
            source-address any;
            destination-address [ myserver myserver-ipv6 ];
            application [ junos-http junos-https ];
        then {

In the meantime I have been working on a script to generate dual-stack VyOS configurations from a source JSON file: