IPv6 ACLs not working
Hi,
I want to be able to reach a service on a server through IPv6.
The server is connected to a TL-SG3428MP v4.0 which is connected to an ER707-M2.
With no ACL configured I can reach it (and all other services).
I want to limit to exaclty one port and one IPv6.
On Gateway ACL Level neither IPv6 Group nor IPv6-Port Group are working. Both are just ignored.
On Switch ACL Level I can block the communication / accessibility in general through IPv6, but the Permit IPv6-Port Group Rule (which is before the Deny rule) is not hit. It is going straight to Deny.
It does not matter if I set an IPv6 within the IPv6-Port Group or just a port. It is being ignored.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @bsz
Thanks for posting in our business forum.
If you could post screenshots of your config, that'd be helpful.
- Copy Link
- Report Inappropriate Content
Gateway ACL.
I tried to deny Ports and IPs, but traffice goes through, even Permit Rules are disabled.
Switch ACL.
Deny works, but Permit not
Permit Rule Port (same for Gateway and Switch)
truenas IP = Plex IP
- Copy Link
- Report Inappropriate Content
Hi @bsz
bsz wrote
Gateway ACL.
I tried to deny Ports and IPs, but traffice goes through, even Permit Rules are disabled.
Switch ACL.
Deny works, but Permit not
Permit Rule Port (same for Gateway and Switch)
truenas IP = Plex IP
Require the following information:
WAN and LAN IPv6 details, screenshots. You can mosaic the last part of your v6 address.
Is it under the Passthrough mode?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Any ideas?
- Copy Link
- Report Inappropriate Content
Hi @bsz
Thanks for posting in our business forum.
bsz wrote
Any ideas?
About the TCP allowing rules, #1 and 2, it might not be enough for it. Can you test it with the TCP UDP and ICMP enabled?
I think you should try to ping it to verify if it can work or not from a specific IPv6 device. Be sure this device pings in v6 mode.
You are trying to access its web? Or did you use nmap to scan its v6 and TCP ports? If they are open, TCP and v6, it means the ACL is working.
Or what did you test it and concluded it did not work?
- Copy Link
- Report Inappropriate Content
I did - I use nmap to check a specific port.
Even will all protocols allowed, it is not working.
It is just ignoring the allow rules.
The deny rules work.
Can you please confirm - just to be very sure - that it really needs to be the Switch ACL and not the Gateway ACL in general.
Sounds somehow odd to me.
But even if it should be on Gateway ACL, it is not working either.
- Copy Link
- Report Inappropriate Content
I will answer myself.
I connected an AVM Fritz!Box Fiber and it just working with the port rule on the AVM so it should be definitly on the gateway!
@Clive_A can I somewhere fill a bug report?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 280
Replies: 8
Voters 0
No one has voted for it yet.