Background
In the Synology DDNS Tutorial, I have a section on setting up a firewall on an ASUS AC68U router.
For a recent update on my home network, the ASUS router has been replaced with two Linksys Wi-Fi 6 tri-band mesh routers (two MX5300, or its SKU MX10600-CN).
I thought it would be easy to set up since I already have some experience and documentation, but the firewall is not working as intended.
My Attempts
Setting UI retrieved from Linksys Support
The IPv6 firewall settings are located in Router Settings > Security > IPv6 Port Services. It has three crucial fields: Protocol (协议), IPv6 Address (IPv6 地址), Allow (允许). The first two are quite straightforward; "Allow" means which range of port(s) will be open.
I find that I can't set up the "IPv6 Address" field as I intended. I can't fill in an address with a mask-like string together with a `/`. The WebUI reports that such a string is not a valid IPv6 address.
I tried some "valid" addresses:
- The local IPv6 address starting with `fe80`: external requests cannot make it to the destination.
- The IPv6 address that has been set in the Synology DDNS service: filling in the full address allows access from the WAN.
Up to now, the solution seems clear: use the full address instead of the kind mentioned in the first article. But it is a little bit complicated…
More background
The IPv6 address for my devices changes on a regular basis. So it will be annoying if I use the full address: I need to update the IPv6 Address field regularly.
There still exists some "pattern". In fact, the IPv6 address is generated based on EUI-64 (RFC2373), derived from the IEEE 802 48-bit MAC.
EUI-64
For example, your MAC address for the device is `00:00:5E:00:53:AF`. EUI-64 inserts the hex values `0xFF` and `0xFE` in the middle of the MAC address, then flips the 7th bit from 0 to 1. The result should be `0200:5EFF:FE00:53AF`. This address will not change unless you change your MAC address or network card.
```
|0              1|1              3|3              4|
|0              5|6              1|2              7|
+----------------+----------------+----------------+
|cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
+----------------+----------------+----------------+
```
Insert 0xFF and 0xFE (1111111111111110):
```
|0              1|1              3|3              4|4              6|
|0              5|6              1|2              7|8              3|
+----------------+----------------+----------------+----------------+
|cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
+----------------+----------------+----------------+----------------+
```
The EUI-64 result, together with the ISP IPv6 prefix (`/64`), forms the final IPv6 address.
Assuming IPv6 Prefix is `2001:2002:2003:2004`
The final IPv6 address should be:
2001:2002:2003:2004:0200:5EFF:FE00:53AF
-------Prefix------ -EUI-64 Generated--
Masking
Usually, subnet masking separates the IP into network and host addresses. Under IPv4, it defines the number of allowed hosts on a subnet. In other words, only bits whose mask bit is 0 are allowed to change.
In the previous Synology DDNS Tutorial, `::0000:8a2e:0370:7334/::ffff:ffff:ffff:ffff` is similar to subnet masking, but masks from the back. The double colon `::` omits the consecutive 0s.
This is well suited for my use case, since my ISP will change the prefix assigned to me but my EUI-64 address will stay unchanged. But such masking from the back (or should I call it arbitrary masking?) is not fully implemented on different systems, nor is it a standard. According to the source I found, such masking is supported by Netfilter/iptables [1], and no easy-to-find documentation is available.
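The EUI-64 derivation and the suffix ("backward") mask described above, as an added Python example that is not from the original post: it builds the address from the MAC and /64 prefix used in the text and shows that a suffix rule keeps matching when the prefix changes. The function names and the second prefix (`2001:db8:aaaa:bbbb::/64`, from the documentation range) are assumptions made for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit (7th bit of the first octet) and insert
    # 0xFF 0xFE between the two halves of the MAC.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def matches_masked(addr: str, rule: str) -> bool:
    """Evaluate an 'address/mask' rule whose mask may be arbitrary (not a
    prefix length): only bits set to 1 in the mask are compared."""
    want, mask = (int(ipaddress.IPv6Address(p)) for p in rule.split("/"))
    return (int(ipaddress.IPv6Address(addr)) & mask) == (want & mask)

MAC = "00:00:5E:00:53:AF"  # MAC address used in the text
# Suffix rule for that MAC, written in the same address/mask form as the text.
RULE = "::0200:5eff:fe00:53af/::ffff:ffff:ffff:ffff"

if __name__ == "__main__":
    # First prefix is the one from the text; the second is a constructed
    # stand-in for "the ISP changed my prefix".
    for prefix in ("2001:2002:2003:2004::/64", "2001:db8:aaaa:bbbb::/64"):
        addr = slaac_address(prefix, MAC)
        print(addr, "matches rule:", matches_masked(str(addr), RULE))
```

A suffix rule like this only applies to hosts that really use EUI-64 addressing; a host configured for temporary (privacy) addresses gets a different suffix and would not match.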
Solution?
According to what I explored, the Linksys Velop system doesn't have such an implementation for a changing IPv6 address with a fixed suffix. I already contacted their tech support and am still waiting for a reply. So my less convenient solution may be to move the firewall to my devices, or simply ignore it for now and use another way to access my devices (like FRP).