Add IPv6 firewall network groups
Open, Normal
Public


Difficulty level
Easy (less than an hour)
afics created this task. Mar 31 2016, 5:27 PM
syncer triaged this task as Wishlist priority.

Firewall groups used ipset, it would be cool to use these groups in the nat rules too and so on (wlb test rules target address etc).
It is necessary to make global address groups based on ipset.

How about making firewall groups IPvAgnostic and have VyOS figure out which the correct IPvN is (depending on where you use it) in a somewhat systematic way. In FW it would be both in parallel, etc. The user would still be able to set up groups per IPvN as-is currently.

voip and mail server behind vyos
log parser on both servers create black list on shared resource
vyos (in all branches of company) have firewall rule with this black list

rps awarded a token. Sep 15 2016, 10:19 AM
rps added a subscriber: rps.
rps added a comment. Sep 15 2016, 10:24 AM

After VRRPv3 (with some intelligent way to handle radvd) this is the major blocker for using VyOS as a production IPv6 firewall in my environment.

beamerblvd added a subscriber: beamerblvd. Edited Oct 11 2017, 7:37 PM

I'd like to get some clarity on this, if possible. Will VyOS's firewall features just not work at all with IPv6? Or will it work, but you have to use something other than groups? Importantly: Is it still possible for me to secure my network if I enable IPv6?

Note: This appears to be a sufficient migration of this Bugzilla issue.

IPv6 firewall works fine on VyOS 1.1.X and 1.2.X, it is just that you can't use the GROUPS on IPv6 like you can on IPv4.

+1 for adding the groups to IPv6 to give more feature parity with IPv4.

syncer assigned this task to dmbaturin. Nov 4 2017, 10:57 AM
syncer raised the priority of this task from Wishlist to Normal.
syncer set Version to 1.2.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2.x (VyOS 1.2.0 LTS Lithium) board.
syncer changed the edit policy from "Public (No Login Required)" to "Custom Policy". Nov 4 2017, 11:13 AM

Just checked with @dmbaturin and it seems ipset loads v6 just fine.
So we will be implementing that soon.