Hi everybody, I’m giving IPv6 dual-stack over PPPoE, everything is working normally, but I wonder if it could be possible to filter native IPv6 connectivity when the PPPoE tunnel isn’t dialed up yet.
I mean, when the customer puts the wire (from the ONU) directly into the computer’s Ethernet port (not a router) and the PPPoE tunnel isn’t released yet, Windows takes an IPv6 address and gets IPv6 connectivity without doing the PPPoE setup on the router. How could it be possible to filter this? I want the customer to get Internet (v4 and v6) only after having dialed up the PPPoE.
I suppose that this could be fixed with a couple of rules in the IPv6 firewall filter, but I don’t know where I could start.
Thanks
Nicolas From Argentina.
So there’s ethernet used for PPPoE, but on the same ethernet there’s IPv6 advertised, and you want to prevent it from being used? Why is it even there in the first place? It seems simple, don’t put it there and nobody will be able to use it.
I want ALL customers to be able to use IPv6 dual-stack by dialing the PPPoE tunnel from their “router”. But I don’t want them to be able to use IPv6 by putting their wire directly into their computer’s Ethernet NIC.
Both are working, the only difference is the following:
The router gives both IPv4 and IPv6 connectivity, while putting the wire into the NIC gives only IPv6 (only v6 sites are reachable).
And I want to filter this last one.
I still don’t understand. You’re the one in control of PPPoE server side, correct? So if you start from scratch, at the beginning there’s ethernet interface with no config, no IPv4 and no IPv6 (apart from fe80::something link-local address, but it doesn’t advertise any IPv6 connectivity to connected devices), nothing. Then you attach PPPoE server to this ethernet interface and configure whatever you want for PPPoE. But this ethernet interface still doesn’t advertise any IPv6. If yours does, it means that in another step you added such config. And the question is why, if you do not want users to use it. So don’t add it and they won’t use it, because it won’t exist.
Now I understand your point.
I have advertising enabled on all my local IPv6 interfaces because I supposed it must be enabled for giving subnets like /42 or similar to the customers.
Now that you have opened my mind, I will try!!
Thanks
You may want it on some interfaces, but probably not on this one.
Maybe make that interface a port of a bridge, and use bridge filter rules (in software), filtering by MAC protocol (EtherType) to allow only PPPoE.
If the interface is on a hardware-accelerated bridge, maybe you can do that kind of filtering using switch chip ACL rules.
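The two suggestions in this thread (stop advertising IPv6 on the access interface, or bridge the port and pass only PPPoE EtherTypes) as a RouterOS sketch. This is an added example, not configuration posted by anyone in the thread; `ether2` and `bridge-pppoe` are assumed names for the customer-facing port and the new bridge.

```routeros
# Added example. Assumed names: ether2 = customer-facing port,
# bridge-pppoe = new bridge. Replace with your own interface names.

# Option A: stop advertising the IPv6 prefix on the access interface, so a
# PC plugged in directly gets no SLAAC address outside PPPoE.
/ipv6 address set [find interface=ether2] advertise=no

# Option B: make the port a bridge port and let only PPPoE frames through.
/interface bridge add name=bridge-pppoe
/interface bridge port add bridge=bridge-pppoe interface=ether2
# Once ether2 is a bridge port, the PPPoE server has to listen on the bridge.
/interface pppoe-server server set [find interface=ether2] interface=bridge-pppoe

/interface bridge filter
# Frames addressed to the router itself: PPPoE discovery and session only.
add chain=input in-interface=ether2 mac-protocol=pppoe-discovery action=accept
add chain=input in-interface=ether2 mac-protocol=pppoe action=accept
add chain=input in-interface=ether2 action=drop comment="non-PPPoE from customer port"
# Frames that would be bridged on to other ports: same policy.
add chain=forward in-interface=ether2 mac-protocol=pppoe-discovery action=accept
add chain=forward in-interface=ether2 mac-protocol=pppoe action=accept
add chain=forward in-interface=ether2 action=drop comment="non-PPPoE from customer port"
# Router-originated native IPv6 (e.g. router advertisements) toward the port.
add chain=output out-interface=ether2 mac-protocol=ipv6 action=drop
```

Bridge filter rules only see frames handled by the CPU; where bridging between ports is hardware-offloaded, the switch chip ACL approach mentioned in the last post applies instead.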