config: add dest addr restrictions for DHCPv6 rules #81
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10). Therefore, adding a dest addr restriction improves security. See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10 Signed-off-by: Andy Chiang <AndyChiang_git@outlook.com>
|
Just cross-referncing with other restriction bc changing same lines. #62 |
Author
|
For DHCPv6, just limiting the dest addr to a LLA is sufficient to ensure security and compatibility. |
|
Mine is read directly from RFC, but yours indeed is more precise. |
|
dhcp clients discard otherbsource ports leaving dangling ct unreplied state for them, so both complement eachother |
brada4
approved these changes
Oct 27, 2025
Author
|
firewall3 is complete (openwrt/openwrt@4ad22d0) |
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10).
Therefore, adding a dest addr restriction improves security.
See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10