Solved Any way to programmatically update the ipv6 firewall?

[tytso]

Hi, I'm using a consumer-grade FIOS, which means they don't offer a stable IPv6 address. From what I can tell, it changes every few days, which is unfortunate. I've figured out how to update DNS entries via ddclient, but the problem I now have is that whenever the IPv6 address gets updated, I need to update the IPv6 Firewall on my Asus XT9 router. I'd like to be able to do this automatically, so the question is there some way I can update the Ipv6 firewall allow list by, say, running some set of commands via ssh to the router?

This isn't a problem with IPv4, since ASUS WRT uses NAT, and the port forwarding rules is specified by client name. IPv6 doesn't work that way; I need to put an explicit IPv6 address into the allow list. Any suggestions about the best way to do that?

Thanks!!

 

[omrij]

Assuming you're IPV6 is using SLAAC the prefix may change but your suffix doesn't change and it is based on your Mac address.
You open port by entering address like this in the IPV6 firewall screen

::1234:56ff:fe78:90ab/::ffff:ffff:ffff:ffff

Where 1234:56ff:fe78:90ab is your "fixed" suffix

 

[tytso]

Ah, hah! Thanks for the tip! I'm used to thinking about using netmasks to specify subnets; I didn't realize they could be used in this context by matching on the suffix as opposed to matching on the prefix (when you are specifying a subnet).

 

[jdevrie]

This is an excellent support answer to prevent having to change the IP adres of my NAS server every time the prefix changes.
I have been looking for this for some time.
The Asus site provides very little details on how to provide generic IP addresses like this.
Other routers use the MAC adres for firewall pin holing, which is much better since a mac address never changes.