To Dark Mode
Featured Images
Photo by Jordan Harrison on Unsplash

More on IPv6 Firewall - EUI-64

Errata for Previous DDNS Tutorial, And Some New Knowledge

Zhenghao Wu

Status: Finished Confidence: likely Importance: 8

Post Details

This post is part 2 of 8 in the HomeLab series.

Prev: Making Synology NAS accessible from the Internet using IPv6 and DDNS | Next:Homelab:我的赛博积木

Table of Contents

Background

In the Synology DDNS Tutorial, I have a section on setting up firewall on an ASUS AC68U Router.

For a recent update on my home network, the Asus router has been replaced with two Linksys WI-FI 6 tri-band mesh routers (two MX5300 or it’s SKU MX10600-CN)。

I thought it will be easy to set up since I already have some experience and documentation, but the firewall is not working as intended.

My Attempts

Setting UI retrived from Linksys Support

The IPv6 wirewall settings are located in Router Settings > Security > IPv6 Port Services. It has three crucial fields: Protocol (协议), IPv6 Address (IPv6 地址), Allow (允许). The first two are quite straightforward; “allow” meanings which range of port(s) will be open.

I find that I can’t set up the “IPv6 Address” field as I intended. I can’t fill in an address with mask-like strings together with a /. WebUI prompts that it is such a string is not a valid IPv6 address.

I tried some “valid” addresses:

  1. The local IPv6 address starts with fe80, external requests cannot make it to the destination.
  2. The IPv6 address that been set to the Synology DDNS service. Fill in the full address allow access from WAN.

Up to now, the solution seems clear: use the full address instead of the kind mentioned in the first article. but it is a little bit complicated…

More background

The IPv6 address for my devices is changing on a regular basis. So it will be annoying if I use full address: I need to update the IPv6 Address regulary.

There still exists some “pattern”. In fact, the IPv6 address is generated based on EUI-64 (RFC2373) derive from IEEE 802 48 bit MAC.

EUI-64

For Example, your MAC address for the device is 00:00:5E:00:53:AF. EUI-64 inserts hex values of 0xFF and 0xFE in the middle of the MAC address. Then flip the 7th bit from 0 to 1. The result should be 0200:5EFF:FE00:53AF. And this address will keep not change unless you change your MAC address or network card.

|0              1|1              3|3              4|
|0              5|6              1|2              7|
+----------------+----------------+----------------+
|cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
+----------------+----------------+----------------+

insert 0xFF and 0xFE (1111111111111110).

|0              1|1              3|3              4|4              6|
|0              5|6              1|2              7|8              3|
+----------------+----------------+----------------+----------------+
|cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
+----------------+----------------+----------------+----------------+

The EUI-64 result together with ISP IPv6 Prefix(/64), can form the final IPv6 address.

Assuming IPv6 Prefix is `2001:2002:2003:2004`

The final IPv6 address should be:

2001:2002:2003:2004:0200:5EFF:FE00:53AF
-------Prefix------ -EUI-64 Generated--

Masking

Usually, subnet masking separates the IP into network and host addresses. Under IPv4, it defines the number of allowed hosts on a subnet. Or in other words, Only bits with their mask of 0 are allowed to change.

In the previous Synology DDNS Tutorial. ::0000:8a2e:0370:7334/::ffff:ffff:ffff:ffff is similar to subnet masking but masking backward. Double colon :: omit the continuous 0s.

This is well suited for my use case since my ISP will change the prefix assigned to me but my EUI-64 address will keep unchanged. But such masking from the back (or should I call it arbitrary masking?) is not fully implemented for different systems or a standard. According to the source I found, such masking is supported by Netfilter/iptables 1 and no easy notice documentation is available.

Solution?

According to what I explored, Linksys Velop system doesn’t have such implementation for changing IPv6 Address with fixed suffix. I already contacted their tech support and still waiting for a reply. So my less convent solution may be to move the firewall to my devices or simply ignore it for now and uses another way to access my devices (like FRP).

Article Card

For "More on IPv6 Firewall - EUI-64"

Author Zhenghao Wu
Publish & Update Date 2022-02-13
Tags Synology Linksys Asus Networking Firewall EUI-64
Extra Materials
  • IP Version 6 Addressing Architecture
  • Overview of the Security Tool in Linksys Smart Wi-Fi
  • 正确地配置 IPv6 防火墙和 DDNS 以在公网访问设备
  • 家庭拨号动态前缀 IPv6 环境下的内部设备 IPv6 地址的端口放通
Comment Section disabled in draft mode

Related Posts