IPv6 Subnetting


#1

Good Evening Everyone!

I’ve been delving into the world of IPv6 for no other reason than because I started down the rabbit hole out of curiosity and it keeps sucking me in.

I’m starting to wrap my head around the basics (although at this point I still haven’t managed to fully understand everything, like how my EdgeRouter’s firewall can block stuff, but I did figure out how to punch holes in the IPv6 firewall.

I have two of my VLAN’s requesting and receiving /64 subnets and they are accessible to one another. How would I actually segment them and keep them from talking to one another? Right now I can access services across the subnets without any issue so my router’s firewall isn’t stopping them. I’m sure I could find a way to do it in each individual device via a firewall on each device, but I’d prefer to find a way to isolate the various subnets like I currently am with IPv4, only allowing certain things through.


#2

Although IPv6 essentially operates using the same principles as IPv4, I agree that it appears more complicated due to the larger numbers, and unfamiliar vocabulary. Also, putting your IPv6 subnets on VLANs certainly complicates the issue further (as far as visualizing your network structure). But if all your looking to do is write some LAN firewall rules to block or allow traffic between your VLANs, you do it the same way as IPv4. I’ll try to outline an example.

VLAN1 /64 Subnet: 2001:348:5f18:777::
VLAN2 /64 Subnet: 2001:348:5f18:888::

You could set up the firewall rule to be
Pass, Addr Family: IPv6, Protocol: *, From: VLAN1 Net, To: VLAN2 Net
Or use the network address notation
Pass, Addr Family: IPv6, Protocol: *, From: 2001:348:5f18:777:: /64, To: 2001:348:5f18:888:: /64

One aspect of IPv6 that is of particular importance is that IPv6 relies on ICMP for orchestrating network connectivity, even from the WAN side. In your case, say you want to allow some types of traffic between your IPv6 VLANs, but not all traffic, you will need to add a rule to explicitly allow IPv6 ICMP, in addition to TCP on Port 3000 (as an example)

The setup would be the same for blocking traffic, just change to rule to Block or Reject instead of Pass and place it above your Pass VLAN Net to * rule that enables internet access.

Does that answer your question?


#3

It certainly does! It confirms what I suspected was happening. The inter-VLAN routing on the IPv4 side of things is being handled by my EdgeSwitch 24L and managed by the access control lists. Its sounds to me like I would have to handle the Subnet Routing in my ERL (mainly because I think the IPV6 support of the ES24L is limited) and restrict the flow to what I want to allow from there. That is what I needed to know so that is perfect! Thank you very much!


#4

Your welcome, good luck && Happy Networking!