Hi noyeske,
I cant insert this: 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, but if I modified to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff its okey but nothing changes, I cant access the internet, I left the address on ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff but the same...
well, one "f" too much, it was already late yesterday evening...
According to the settings of your first screenshot it should work meaning it should be possible to access the Internet and to be protected against unsolicited traffic WAN-->LAN.
Obviously your firewall is broken as in some other D-Link routers.I remember one case, where the firewall worked only if the Source IP Address Range was smaller than a /64, look
here. Given it is the same problem in your case and that your LAN prefix 2a02:2f08:30e7::/64 you get via DHCP-PD is fixed (=never changes), you could solve the problem via the following two rules:
Turn IPv6 Filtering ON and ALLOW rules listed(1st active rule):Name: AllowLowerHalf
Schedule: Always
Source Interface: LAN
Source IP Address Range:
2a02:2f08:30e7::
-
2a02:2f08:30e7:0:7fff:ffff:ffff:ffff
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
2000::
-
3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
(2nd active rule):Name: AllowUpperHalf
Schedule: Always
Source Interface: LAN
Source IP Address Range:
2a02:2f08:30e7:0:8000::
-
2a02:2f08:30e7:0:ffff:ffff:ffff:ffff
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
2000::
-
3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
I have a question, the first firewall rule required if I want only to access the internet only 2 computer ? Its not enough to make 2 rules for two computer to access the internet with ipv6?
On the second picture you can view, I had to modify the addressees because the router says its incorrect ..., but no internet from ipv6
Yes, of course the first rule is
not required! In contrast it has to be deleted or at least deactivated if you want the second and third rule to become effective! However you specified a wrong Dest IP Address Range 2a02:2f08:30e7:0:: - 2a02:2f08:30e7:0:: in both rules which makes no sense!
To be precise you would have to configure the following:
Turn IPv6 Filtering ON and ALLOW rules listed(1st active rule):Name: AllowComputer1
Schedule: Always
Source Interface: LAN
Source IP Address Range:
2a02:2f08:30e7::3
-
2a02:2f08:30e7::3
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
2000::
-
3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
(2nd active rule):Name: AllowComputer2
Schedule: Always
Source Interface: LAN
Source IP Address Range:
2a02:2f08:30e7::4
-
2a02:2f08:30e7::4
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
2000::
-
3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
But once again as I already said in my first post: You have to make sure that 2a02:2f08:30e7::3 for Computer 1 and 2a02:2f08:30e7::4 for Computer 2 are the only global addresses these computers can use to communicate with the IPv6-Internet! This means:
- Otherwise, for any other global but fixed IPv6 address one of these computers has (e.g. resulting from SLAAC) you would have to specify an additional rule as described above configuring a Source IP Address Range that corresponds to this other fixed IPv6 address.
- The computers you want to allow Internet access must not have dynamically changing additional addresses because you can't configure IPv6 firewall rules for changing source addresses. Those dynamically changing addresses may result from active "Privacy Extensions" and they are preferred when the computers initiate communication. Hence this case wouldn't be covered by your firewall rules. So if active please deactivate Privacy Extensions on your computers you want to allow Internet Access. E.g. for a Windows PC you can do this via the command
netsh int ipv6 set priv dis
within a command prompt you started with administrative rights (run as administrator).
PacketTracer