On 17-08-2015 17:05, Claus Lensbøl wrote:
> Ok, I'll try it out tomorrow and return with results. Thank you for now.

I was re-reading your e-mail and the following came to my attention:

# ping6 fe02::1%vlan710
ping6: no address associated with name

Do you have a link-local address on that vlan interface? If not, then it might not be a firewall problem, after all.

Also, when I said for you to allow the entire link-local range, I meant to allow them to perform router solicitation and DHCPv6 requests. Do not allow everything from link-local. Also, you can enforce a boundary by dropping NDP messages (rtsol, rtadvd, neighrsol, etc) that do not have a hop limit of 255. See [0].

By the way, it is equally important, especially for machines that have IPv6 global addresses, that they also have a firewall enabled. Remember, IPv6, by default, does not have edges anymore. So, unless told otherwise, your OpenBSD firewall will happily route any incoming packets directly to their intended destination. Keep that in mind when writing your ruleset.

Cheers,
Giancarlo Razzolini

[0] https://tools.ietf.org/html/rfc4861
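
The hop-limit boundary described in the message above, as an added example that is not part of the original e-mail and not OpenBSD or pf code: a Python check that classifies a raw IPv6 packet and drops NDP messages whose hop limit is not 255. The names `build_packet` and `ndp_verdict` are hypothetical, the sample packets are constructed, and the parser assumes ICMPv6 directly follows the IPv6 header (no extension headers).

```python
import ipaddress
import struct

ICMPV6 = 58  # IPv6 Next Header value for ICMPv6
# NDP message types defined by RFC 4861
NDP_TYPES = {133: "router solicitation", 134: "router advertisement",
             135: "neighbor solicitation", 136: "neighbor advertisement",
             137: "redirect"}


def build_packet(src, dst, hop_limit, icmp_type, icmp_code=0):
    """Constructed sample: IPv6 header plus a bare 8-byte ICMPv6 header."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)  # checksum left 0
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    header += ipaddress.IPv6Address(src).packed
    header += ipaddress.IPv6Address(dst).packed
    return header + icmp


def ndp_verdict(packet):
    """Return 'accept', 'not-ndp' or 'drop: <reason>' for one raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop: malformed"
    next_header, hop_limit = packet[6], packet[7]
    if next_header != ICMPV6:
        return "not-ndp"  # assumption: extension headers are not walked
    if len(packet) < 44:
        return "drop: malformed"
    icmp_type, icmp_code = packet[40], packet[41]
    if icmp_type not in NDP_TYPES:
        return "not-ndp"  # other ICMPv6 traffic is left to the normal ruleset
    # Routers decrement the hop limit, so 255 proves the sender is on-link.
    if hop_limit != 255:
        return "drop: hop limit %d" % hop_limit
    if icmp_code != 0:
        return "drop: icmp code %d" % icmp_code
    return "accept"


if __name__ == "__main__":
    samples = [  # constructed packets: on-link RS, forwarded RS, echo request
        build_packet("fe80::1", "ff02::2", 255, 133),
        build_packet("2001:db8::1", "ff02::2", 64, 133),
        build_packet("2001:db8::1", "2001:db8::2", 64, 128),
    ]
    for pkt in samples:
        print(ndp_verdict(pkt))
```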