
config: add dest addr restrictions for DHCPv6 rules

Status: Open. RickLiuM2A1T90MQ-9 opened this issue 4 months ago. 6 comments

Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10). Therefore, adding a dest addr restriction improves security. See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10

RickLiuM2A1T90MQ-9, Oct 27 '25 01:10

Just cross-referencing with the other restriction because it changes the same lines. https://github.com/openwrt/firewall4/pull/62

brada4, Oct 27 '25 10:10

For DHCPv6, just limiting the dest addr to a LLA is sufficient to ensure security and compatibility.

RickLiuM2A1T90MQ-9, Oct 27 '25 11:10

Mine is read directly from RFC, but yours indeed is more precise.

brada4, Oct 27 '25 13:10

DHCP clients discard other source ports, leaving dangling ct unreplied state for them, so both complement each other.

brada4, Oct 27 '25 20:10
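As an added illustration, not code from this issue or from the firewall4 project, here is the OpenWrt UCI rule the thread is about, in the form it is assumed to have before the change beside a form that restricts the destination to link-local as the opening post proposes and adds the source-port restriction brada4 describes as complementary. The "before" rule is assumed from memory of OpenWrt's shipped default, and the `src_port 547` line is an assumption about the cross-referenced pull request, not text from this page.

```ini
# Before (assumed to match the shipped default /etc/config/firewall):
# source and destination are both limited to fc00::/6, which covers ULA
# and link-local but rejects a DHCPv6 server that replies from a GUA
# (2000::/3), which is the ISP behaviour the opening post describes.
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

# After: no source address restriction (the server may use any address),
# but the destination must be link-local (fe80::/10), which is where the
# client listens for replies. src_port 547 is the DHCPv6 server port; it
# is an assumption here, taken from the source-port discussion above.
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_port		547
	option dest_ip		fe80::/10
	option dest_port	546
	option family		ipv6
	option target		ACCEPT
```

After editing /etc/config/firewall, `fw4 print` shows the nftables rules firewall4 generates from it, so the `ip6 daddr fe80::/10` match can be checked before `fw4 reload`.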

firewall3 is complete (https://github.com/openwrt/openwrt/commit/4ad22d03429d45f9f5769af58c4521b3ff26815a) now only firewall4 needs to be merged.

RickLiuM2A1T90MQ-9, Nov 10 '25 15:11

@jow- @nbd168 PTAL

RickLiuM2A1T90MQ-9, Nov 12 '25 17:11