IPv6 block incoming traffic

2023-11-09 12:46:47 - last edited 2023-11-14 10:33:00
Model: OC300  
Hardware Version: V1
Firmware Version: 5.12.9

Hello,

 

I just set up an IPv6 WAN connection and managed to get a server accessible from the internet. Now, I would like to block all incoming IPv6 traffic (apart from 2 ports to two different servers) from the internet but still allow all outgoing traffic. (pretty much simulating a NAT in terms of allowed traffic).

 

How would I go about it?

As a start, I set up a Switch ACL with Source "IPv6Group_Any" denying to destination "Network: VLAN100".

Afterwards, I cannot ping the server in VLAN100 from VLAN200. So test 1 is fine. Unfortunately, the server cannot ping outside, for example to a device on VLAN200.

So it seems I misunderstand something here.

 

My hardware:

- Controller OC300 FW 5.12.9

- Router ER7206 v1.0 FW 1.3.0

- Switch TL-SG2428P v5.0 FW 5.0.5

 

Thanks a lot,

 

sb0373

1 Accepted Solution
Re:IPv6 block incoming traffic-Solution
2023-11-14 10:31:27 - last edited 2023-11-14 10:33:00

Summary:
1. To block WAN incoming traffic but not outgoing traffic, you have to use Gateway ACL policies. This feature becomes available with ER7206 firmware >= 1.4.0 (at time of writing, use the beta firmware).
2. Using the ACLs on the switch possibly blocks incoming traffic and allows outgoing traffic. But as both directions are required for a two way communication, this ACL does not work "for outgoing traffic only".
3. To achieve "outgoing traffic only", a stateful policy setting would need to be used. This is currently not available on the switch ACL settings (only Gateway ACL).

 

Thank you for providing the solution, @Tedd404 and @Hank21.

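The summary above comes down to one point: a switch ACL judges every packet on its own, so "deny any -> VLAN100" also kills the echo reply of a ping that VLAN100 started, while a stateful gateway ACL remembers the outbound flow and lets its return traffic back in. The following is an added example, not TP-Link or Omada code, that simulates both filter types over constructed IPv6 flows. The topology (one /64 per VLAN under the 2001:db8::/32 documentation prefix), the hosts, the rule semantics (first match wins, no match permits) and the single published port 443 are all assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption): one /64 per VLAN; anything else is "the internet".
VLAN100 = ipaddress.ip_network("2001:db8:100::/64")
VLAN200 = ipaddress.ip_network("2001:db8:200::/64")
ANY = ipaddress.ip_network("::/0")
SERVER_B = "2001:db8:100::10"       # server in VLAN100, publishes TCP/443
SERVER_A = "2001:db8:200::10"       # server in VLAN200
INTERNET_HOST = "2001:db8:dead::1"  # some host on the WAN side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "icmpv6"
    sport: int  # TCP source port, or ICMPv6 echo identifier
    dport: int  # TCP destination port, or ICMPv6 echo identifier

    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):
        """Key that a reply to this packet carries (addresses and ports swapped)."""
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p: Packet) -> bool:
    """First matching rule wins; no match permits (no rules == everything works)."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return True


class StatelessFilter:
    """Switch-style ACL: each packet judged alone, replies get no special treatment."""
    def __init__(self, rules):
        self.rules = rules

    def allow(self, p: Packet) -> bool:
        return evaluate(self.rules, p)


class StatefulFilter:
    """Gateway-style stateful ACL: once a flow is permitted, its return traffic is too."""
    def __init__(self, rules):
        self.rules = rules
        self.established = set()

    def allow(self, p: Packet) -> bool:
        if p.reverse_key() in self.established:
            return True  # reply to a flow that was already let through
        ok = evaluate(self.rules, p)
        if ok:
            self.established.add(p.key())
        return ok


def ping(fw, src, dst, ident=0x1234) -> bool:
    """A ping only works if the echo request AND the echo reply pass the filter."""
    request = Packet(src, dst, "icmpv6", ident, ident)
    reply = Packet(dst, src, "icmpv6", ident, ident)
    return fw.allow(request) and fw.allow(reply)


def tcp_connect(fw, src, dst, dport, sport=50000) -> bool:
    """A TCP handshake needs the SYN out and the SYN/ACK back."""
    syn = Packet(src, dst, "tcp", sport, dport)
    syn_ack = Packet(dst, src, "tcp", dport, sport)
    return fw.allow(syn) and fw.allow(syn_ack)


# The rule from the original post: deny any IPv6 source -> destination VLAN100.
SWITCH_RULES = [Rule("deny", ANY, VLAN100)]

# The intended policy as gateway rules (assumed): publish one port on server B,
# block everything else heading into VLAN100, leave what VLAN100 initiates alone.
GATEWAY_RULES = [
    Rule("permit", ANY, ipaddress.ip_network(SERVER_B + "/128"), "tcp", 443),
    Rule("deny", ANY, VLAN100),
]


def run_scenarios() -> dict:
    """Replays the thread's two tests and the WAN cases against both filter types."""
    return {
        "stateless ping A->B": ping(StatelessFilter(SWITCH_RULES), SERVER_A, SERVER_B),  # test 1
        "stateless ping B->A": ping(StatelessFilter(SWITCH_RULES), SERVER_B, SERVER_A),  # test 2
        "stateful ping A->B": ping(StatefulFilter(SWITCH_RULES), SERVER_A, SERVER_B),
        "stateful ping B->A": ping(StatefulFilter(SWITCH_RULES), SERVER_B, SERVER_A),
        "stateful WAN->B:443": tcp_connect(StatefulFilter(GATEWAY_RULES), INTERNET_HOST, SERVER_B, 443),
        "stateful WAN->B:22": tcp_connect(StatefulFilter(GATEWAY_RULES), INTERNET_HOST, SERVER_B, 22),
        "stateful B->WAN:80": tcp_connect(StatefulFilter(GATEWAY_RULES), SERVER_B, INTERNET_HOST, 80),
        "stateless B->WAN:80": tcp_connect(StatelessFilter(GATEWAY_RULES), SERVER_B, INTERNET_HOST, 80),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22} {'works' if ok else 'BLOCKED'}")
```

Run it and the two failing rows are exactly the thread's test 2 and the stateless "B->WAN:80" case: the outbound packet passes, the reply hits the deny rule, and the connection never completes. The stateful filter lets both through because it keys on the reversed 5-tuple of a flow it already permitted, which is the behaviour the Gateway ACL "stateful" setting provides and a plain switch ACL cannot.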
Re:IPv6 block incoming traffic
2023-11-10 07:34:25 - last edited 2023-11-10 09:52:49

Thank you for your reply  @Hank21 .

 

I have seen that thread but am not really sure it is similar.

 

1. At the moment ER7206 FW 1.3.0 does not seem to have the option of Gateway ACLs as shown on the screenshots.

2. In my case, there is ALWAYS traffic going to the servers; not NEVER. So I guess my case is before an upcoming FW update?

 

I thought I saw in a post somewhere that it is possible to block IPv6 traffic on the switches. Unfortunately, I cannot find the post right now.

 

Either way, it would be nice to understand why my ACL rule is not working as expected. Or is it? I find these rules generally a complex topic so any learning would be great.

 

 

PS: I just noticed that an early access firmware for the router is available that contains ACL IPv6 and actually one of my VPN topics. Let me try that one.

 

EDIT: After updating to the beta firmware 1.4.0 Build 20230828 Rel.58568 of the router, I can confirm that it is more similar, but I would like to keep this topic open for the ACL rule explanation.

Re:IPv6 block incoming traffic
2023-11-13 02:49:06

Hi @sb0373,

 

May I double confirm whether you have the IPv6 ACL issue like this thread mentioned?

So your issue appears to be that you have configured IPv6 and WAN-IN ACLs on the ER7206 to allow all IPv6 addresses to access a specific address in the LAN; however, your local test shows that some IPv6 addresses cannot access the local server at all. Am I correct?

Re:IPv6 block incoming traffic
2023-11-13 06:51:00

Hello @Hank21,

 

I don't think so.

Let's rule out a product issue for time being and call it understanding or user error :)

 

1. On stock ER7206 router firmware 1.3.0 connected to an Omada controller.

2. Pretty basic IPv6 is configured and all is working fine in all directions (no rules at all, multiple VLANs). WAN <--> VLAN 100 as well as VLAN100 <--> VLAN200.

 

3. Set up a Switch ACL with Source "IPv6Group_Any" -------denying to destination-------> "Network: VLAN100".

 

Test 1 (successful): Server A in VLAN200 cannot ping Server B in VLAN100. All works as expected.

Test 2 (fail): Server B in VLAN100 cannot ping Server A in VLAN200. My expectation is, that this should be possible because this direction is not denied.

 

 

Best wishes,

 

sb0373

 

 

 

Re:IPv6 block incoming traffic
2023-11-13 09:40:37

  @sb0373 

So communication is bidirectional: if you block any to VLAN 100, why would the server in VLAN 100 be able to ping another? ICMP needs to be replied to.

Your rule blocks the reply; that should be the reason why you fail to ping another host in another VLAN.

Re:IPv6 block incoming traffic
2023-11-13 09:46:09
That came into my mind when writing the last message. Would it then at all be possible to set up "only outgoing" connections in a working way (i.e. allow incoming replies when the device initiates the outgoing connection)?
Re:IPv6 block incoming traffic
2023-11-14 03:14:51 - last edited 2023-11-14 10:33:31

Hi @sb0373

 

You need to set the Stateful ACL in the Gateway ACL section.

 

Re:IPv6 block incoming traffic
2023-11-14 06:39:23 - last edited 2023-11-14 10:33:15
Thank you! Now I understand. The Gateway ACLs are not there yet on the official FW but your reply closes the picture. I will summarise it later for the next person and then close the topic.