Firewall rules for IPv6

Hi,

I have a VMware server from Hetzner and use VyOS for routing. IPv4 NAT and firewall rules work as expected, but I have some trouble with IPv6.

VyOS 1.4 - created with Docker

Routing over eth0 for vyos# (WAN) - fe80::1
IPv6 address on LAN and default gateway for the clients.

I set the IPv6 address for the clients, so no DHCPv6, SLAAC etc.

Without any IPv6 rule I can reach anything from outside and the clients have internet access. What I want is to allow just ports/protocols and ICMP to some clients and drop the rest.

When I follow the quick start guide and adjust this to IPv6, I have no internet access and nothing is reachable.

Is there a starting point for IPv6 anywhere?

Edit: Got it working. Some ICMP stuff was missing, I think.

Use logs/reject to detect which rule blocks your traffic.

Can you please expand on this comment? What are the commands for this? Thank you.

“show logs firewall ipv6” or so…

This is odd, I'm running 1.5-rolling-202309170024 and there are no logs at all when running show logs firewall ipv4/ipv6 …

Did you enable logs on the desired rule? Also, some fixes were added recently to firewall logs: T5513 Anomalies in show firewall command after refactoring

Hi,

First you need to build your IPv6 rules and assign them. And on the LAN and WAN port you need to allow the ICMP Neighbor Discovery Protocol. This is the replacement for ARP in IPv4. If you do not allow at least neighbor discovery on ICMPv6 in and out, you will hardly get IPv6 running.

You can start with this command: show ipv6 neighbors

Compare the output with the firewall rules active and with them inactive.

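The neighbor discovery point from the last post, as an added example that is not part of the thread: a first-match evaluator over a simplified rule model (hypothetical dict format, not VyOS syntax) showing that a default-drop policy copied from IPv4 drops all four ND messages in both directions, and that one ICMPv6 accept rule closes the gap while other ICMPv6 is still dropped. The rule numbers, ports and the assumption that ND packets never match an established/related rule are constructed for the model.

```python
# Added example: simplified rule model, not VyOS configuration syntax.
ND_TYPES = {133: "router-solicit", 134: "router-advert",
            135: "neighbor-solicit", 136: "neighbor-advert"}

def decide(ruleset, proto, icmp_type=None, dport=None, state="new"):
    """Return (action, rule number) of the first matching rule, else the default."""
    for rule in ruleset["rules"]:
        if "state" in rule and state not in rule["state"]:
            continue
        if "proto" in rule and rule["proto"] != proto:
            continue
        if "icmpv6_types" in rule and icmp_type not in rule["icmpv6_types"]:
            continue
        if "dports" in rule and dport not in rule["dports"]:
            continue
        return rule["action"], rule["n"]
    return ruleset["default"], None

def blocked_nd(rulesets):
    """List (direction, type name) for every ND message that is not accepted."""
    missing = []
    for direction, ruleset in rulesets.items():
        for icmp_type, name in ND_TYPES.items():
            # Model assumption: ND is probed as state "new", so a stateful
            # established/related rule does not accept it.
            action, _ = decide(ruleset, "icmpv6", icmp_type=icmp_type)
            if action != "accept":
                missing.append((direction, name))
    return missing

# Constructed policy: an IPv4-style quick-start ruleset reused for IPv6.
STATEFUL = {"n": 10, "action": "accept", "state": {"established", "related"}}
quick_start = {
    "in":  {"default": "drop", "rules": [STATEFUL,
            {"n": 20, "action": "accept", "proto": "tcp", "dports": {22, 443}}]},
    "out": {"default": "drop", "rules": [STATEFUL]},
}
# Same policy with Neighbor Discovery accepted in both directions.
ND_RULE = {"n": 15, "action": "accept", "proto": "icmpv6",
           "icmpv6_types": set(ND_TYPES)}
fixed = {d: {"default": rs["default"],
             "rules": sorted(rs["rules"] + [ND_RULE], key=lambda r: r["n"])}
         for d, rs in quick_start.items()}

if __name__ == "__main__":
    for label, policy in (("quick_start", quick_start), ("fixed", fixed)):
        print(label, "blocks:", blocked_nd(policy) or "no ND messages")
```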