ER605 IPv6 ACL not working when adopted to controller
I am unable to get IPv6 ACL's to allow [WAN] IN traffic to one of my hosts.
I have configured the ACL using an IPv6-port Group specific to the /128 address for this host, and the ports specific to the service I need to expose, however no external hosts are able to connect to this.
I have also tried with an IPv6 Group to this hosts /128 IP allowing all protocols, and the built in IPv6 Any group, however none of these allow external hosts access to my exposed IP.
I should note that I am able to browse IPv6 content, and I am able to connect to this devices IPv6 address from other local VLAN's, just anything from WAN to LAN does not work.
This has historically worked when the ER 605 was in standalone mode, however once I adopted to my software controller IPv6 inbound is not working. I am running version 5.12.7 of the software controller in docker, using the images provided by https://hub.docker.com/r/mbentley/omada-controller
Hi @cakemix
Thanks for posting in our business forum.
Any incoming traffic is blocked by default settings when you upgrade to V2.2.2 or V2.1.5 beta. This was a security risk before so the dev patched this.
If you initiate an IPv6 connection, that should not be blocked at all.
So now you are talking about the IPv6 ACL is not effective for your device. I need you to tell me if you allow all the IPv6 addresses to access the LAN, will it work? I am verifying whether the ACL is working or not which also seems to be your concern.
I am inclined to believe that this is a config issue.
Try this DST with this and your own range. I need to see your verification results.
Hi @Clive_A ,
I am aware of the changes to implicit deny on IPv6 traffic, I was not using the ER605 to perform firewalling until this was the case. I have since removed my hardware firewall and am trying to get the ports I require opening towards my LAN devices, however this does not appear to work.
When communicating between LAN VLANs I am able to connect to this server on the IPv6 address as expected.
The WAN In rule is configured to permit IPv6 towards this host - whether I use the IPv6 group and allow all TCP (or even all protocols as per the screenshot below) or us an IPv6-Port group limiting access to only the ports I require, I still see these as closed/ filtered when trying to connect from external addresses.
The below screenshot was taken from ipv6scanner (dot) com when the ACL was configured using the haos_v6 IPv6 Group.
When I run nmap against this host from thge LAN side, I see ports open as expected:
EDIT:
I have tried this with the IPv6 Group_Any as the destination and receive the same output from the external port scan
Hi @Clive_A ,
I can see the ingress packets when mirroring the WAN port to my laptop, but the only egress packets for this IPv6 address are ones sourced from this server.
Likewise, I could not see any egress packets towards the server when I packet captured on the LAN. I can provide these captures if you wish, however I am not comfertable with uploading them to a publically accessible forum, as these include my publically routable IP details.
At present, I do not have any other ACL's configured
Kind regards,
Keith Summers