Bug Report/Feature Suggestion: ACL show all IPv6 addresses for each client

Router
1

When adding/modifying an ACL rule, we can pick a LAN address to apply it to. Clients with IPv6 addresses have more than 1 address, generally at least 2: the link-local address and the normal inet address.

Currently, the ACL setup page only shows the first IPv6 address for each client, when picking the address. This is very unhelpful, as typically the first (chronological order) address to be assigned is the link-local, and the link-local address cannot be used to reach the device from WAN. See below:

image
image571×162 8.75 KB

In the Clients > View details > IPv6, you can see there are multiple addresses:

image
image641×159 5.01 KB

So, in the situation of wanting to allow a local device to be reachable from the internet, for example to access a home lab/server, the destination addresses suggested by the ACL setup page are entirely unhelpful.

There should be an entry for each address of each client.

Furthermore, it is unclear to me whether LAN IPv6 inet addresses are static or dynamic, and if they are dynamic, how to configure the ACL to refer to a MAC address so that IPv6 inet address changes do not affect the ACL rule and it will always refer to that MAC address’ current IPv6 inet address.

2

Some can be static when the device uses mac to derive ipv6 from the ula or gua.

But not all devices do that, there is of course ipv6 hint which works as a network identifier in the middle of the address before the client space happens but that is not client specific, but would be nice if they implement it right in their vlan management update.

So clients need to be static and set with a DUID, based on this you can rely on the ipv6 but you have no control if the ipv6 is from isp and they change things.

So I had to google how people approach this, and what they especially do is dhcpv6 static suffix masking based on DUID.

Please see Google Search

It has some usefull pointers, I think GL ui can take examples from this awnser to improve their ipv6 support with ACL and probably also on different sections in their firmware :slight_smile:

5

Hi,

Thank you for the detailed description and suggestions.
We will report this feedback and discuss with our product team for further evaluation.

1 Like