Bug #10201

closed

IPv6 rule is not created if only a link-local address is present

Added by Viktor Gurov about 4 years ago. Updated about 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Aliases / Tables
Target version: -
Start date: 01/23/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4-p3
Affected Architecture:

Description

A fw rule is not created if the source/destination is an interface address ('WAN address') without an IPv6 address ('none').
You can create a fw rule on such interfaces by using 'any' instead of the interface address.

Sometimes you need to create fw rules on such link-local-only interfaces for some protocols (OSPF6).

Actions #1

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Not a Bug

Since the interface doesn't technically have an IP address assigned here, I'm not sure it's behaving improperly. I know IPv6 LL is a special case, but this is also what the "This Firewall (self)" target can be used for rather than "any". Also rules for link-local traffic should probably have reply-to forced to off, which you normally don't want on non-link-local rules for WANs, which means it is best to have them in their own separate rules.

So while it may not be obvious for a user that it would behave the way it does, I think automatically doing this would be worse. Not only for the POLA violation but also because the code to detect and set it up would add unnecessary complication.

We could maybe consider, as a new feature, a new target in the drop-down specifically for IPv6 Link Local.
