3 Votes

Feature Request | Variable support in ACLs for IPv6 prefix
2024-05-30 15:01:55 - last edited 2024-06-05 08:21:41
Tags: #ACL
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.4 Build 20240119 Rel.44368

I've successfully deployed IPv6 on my network, although my ISP sometimes changes the IPv6 scope, which impacts the ACLs, so some systems are not accessible from the Internet over IPv6.

So, for example, I currently have a group profile with the systems that are allowed to have inbound SSH traffic (TCP/22), but this is hard coded:

2001:c0ff:ee:5838::1:241 / 128

So as you can see the prefix is 2001:c0ff:ee:5838::. It would be nice to have a 'variable' to use in groups that will auto-populate the prefix, so when it changes it still works.

So I was thinking about using (for example) [IPv6_PREFIX], so it looks like:

[IPv6_PREFIX]1:241 / 128

To update the DNS records with Cloudflare, I wrote a small script that updates the AAAA record using their API.

#1
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2024-06-05 02:04:29

Hi @paderijk 

Thanks for posting in our business forum.

Where will this prefix come from? WAN or LAN?

LAN can do it. ACL supports IPv6 LAN. The IPv6 Group will change to the WAN v6 prefix if the WAN prefix changes.

Best Regards!
#2
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2024-06-05 07:56:14

Hi @Clive_A,

The IPv6 prefix will come from the WAN (via the ISP) and is "pushed" to the LAN; the LAN is configured this way:

I indeed found the IPv6 group for ACLs applicable to the whole subnet (2001:c0ff:ee:5838::/64), but I have not found a solution whereby I can have an ACL for a specific IPv6 address that takes a potential prefix change into account.

In my case I want to have one system (2001:c0ff:ee:5838::1:241/128) accessible from the Internet over SSH (TCP/22), and all the other systems that offer SSH should not be accessible. So I currently have an ACL that blocks everything incoming and another one that only allows inbound SSH to that specific system.

The system Berrystone is the one that should be accessible from the Internet using SSH.

The IPv6 Group "IPv6 berrystone" looks like:

So if the provider pushes a new prefix to me (for example) 2001:b4b4:aa:1234::/64, the IPv6 Group "IPv6 berrystone" needs to be changed.

Hope I clarified the feature request more; if not, please let me know.

I looked if there was already something in place, but was not able to find it.

DISCLAIMER: The IPv6 prefixes shown are not the actual ones I have in use, due to privacy.

#3
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2024-06-05 08:21:25

Hi @paderijk 

Thanks for posting in our business forum.


Got you. Our dev also took a look at this request.

So, it does not seem to be a mainstream request yet. We will keep an eye on this request; if there is more feedback on this, we will let the PM take a look and evaluate this feature.

 

BTW, is this for the business environment or home? If this is for business, how many users do you have requesting this feature?

Best Regards!
#4
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2024-06-05 08:26:15

@Clive_A

This is in my home lab (as a professional IT Engineer, I would like to have good stuff).

I understand it's not a mainstream request; at my work at a big international company, IPv6 is unfortunately not yet on the roadmap to be deployed in the datacenters/office LAN.

#5
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2024-06-05 09:12:42

Hi @paderijk 

Thanks for posting in our business forum.


Understand that. If others vote on this, our dev can pull this into the request pool for further evaluation.

Best Regards!
#6
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago

@paderijk I think I am running into the same problem. I'm getting a /56 prefix from my ISP. When I enter the whole IPv6 address of my device into an ACL rule, everything works fine. If the prefix changes, I have to manually enter the new prefix in the group for the ACL. The IPv6 IP-Port-Group has the prefix setting set to 64. Shouldn't the ACL ignore the first 64 bits of the IPv6 address then? It knows the length of the prefix that might change. On the WAN side there is only one prefix, so it isn't relevant for safety in the ACL, right?

I am still learning about IPv6, but this problem prevents Omada from being usable for any private server that should be available over the Internet if there are prefix changes.

Or am I missing something?

#7
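The substitution asked for in the opening post and in #7, as an added example that is neither the OP's script nor Omada code: it renders the [IPv6_PREFIX] template against whatever prefix is currently delegated (for a /64, or for a /56 delegation with a chosen /64 inside it) and lists the hard-coded entries that a prefix change has left stale, which is the condition that makes the allow rule stop matching while the catch-all deny still applies. The placeholder syntax, the function names and the 2001:db8 prefix are assumptions made for this example.

```python
import ipaddress

# Assumed syntax for the proposed "variable" (constructed for this example).
PLACEHOLDER = "[IPv6_PREFIX]"


def lan_subnet(delegated_prefix: str, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Pick the /64 LAN subnet inside the ISP-delegated prefix (/64 or shorter, e.g. /56)."""
    deleg = ipaddress.IPv6Network(delegated_prefix)
    if deleg.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if subnet_id >= 1 << (64 - deleg.prefixlen):
        raise ValueError("subnet_id does not fit inside the delegated prefix")
    base = int(deleg.network_address) | (subnet_id << 64)  # subnet ID fills bits 56..63
    return ipaddress.IPv6Network((base, 64))


def render_entry(template: str, delegated_prefix: str, subnet_id: int = 0) -> str:
    """Expand '[IPv6_PREFIX]<host bits>/<len>' into a concrete ACL entry.

    Only the low 64 bits (the interface identifier) come from the template;
    the high 64 bits are taken from the currently delegated prefix.
    """
    if not template.startswith(PLACEHOLDER):
        raise ValueError("template must start with " + PLACEHOLDER)
    host_part, _, plen = template[len(PLACEHOLDER):].replace(" ", "").partition("/")
    host_bits = int(ipaddress.IPv6Address("::" + host_part))  # e.g. "1:241" -> ::1:241
    if host_bits >> 64:
        raise ValueError("host part must fit in the low 64 bits")
    subnet = lan_subnet(delegated_prefix, subnet_id)
    addr = ipaddress.IPv6Address(int(subnet.network_address) | host_bits)
    return f"{addr}/{int(plen) if plen else 128}"


def stale_entries(entries, delegated_prefix: str, subnet_id: int = 0) -> list:
    """Return the hard-coded ACL entries that no longer lie inside the current LAN /64.

    These are exactly the rows that silently stop matching after a prefix change.
    """
    subnet = lan_subnet(delegated_prefix, subnet_id)
    return [e for e in entries
            if not ipaddress.IPv6Network(e.replace(" ", ""), strict=False).subnet_of(subnet)]


if __name__ == "__main__":
    # Sample prefixes taken from the thread (the OP states they are not real ones).
    old, new = "2001:c0ff:ee:5838::/64", "2001:b4b4:aa:1234::/64"
    print(render_entry("[IPv6_PREFIX]1:241 / 128", old))   # 2001:c0ff:ee:5838::1:241/128
    print(render_entry("[IPv6_PREFIX]1:241 / 128", new))   # 2001:b4b4:aa:1234::1:241/128
    print(stale_entries(["2001:c0ff:ee:5838::1:241/128"], new))  # the old row is now stale
```

Running `stale_entries` against the current delegated prefix after each WAN change is a cheap way to detect the moment the hard-coded allow rule stops protecting the intended host.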
RE:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago
ignore prefix in ACL or add variable support
#8