- Difficulty level
- Easy (less than an hour)
Firewall groups used ipset; it would be cool to use these groups in the NAT rules too, and so on (WLB test rules target address, etc.).
It is necessary to make global address groups based on ipset.
How about making firewall groups IPvAgnostic and having VyOS figure out which IPvN is the correct one (depending on where you use it) in a somewhat systematic way? In FW it would be both in parallel, etc. The user would still be able to set up groups per IPvN, as is currently the case.
I'd like to get some clarity on this, if possible. Will VyOS's firewall features just not work at all with IPv6? Or will it work, but you have to use something other than groups? Importantly: Is it still possible for me to secure my network if I enable IPv6?
Note: This appears to be a sufficient migration of this Bugzilla issue.
IPv6 firewall works fine on VyOS 1.1.X and 1.2.X, it is just that you can't use the GROUPS on IPv6 like you can on IPv4.
+1 for adding the groups to IPv6 to give more feature parity with IPv4.