Add private network exclusions to default IPv6 bogons #10125
Allows ULA and link-local access on new systems where the bogons haven't been updated yet.
It might be better to split the ranges, these exclusions have side effects when stacking aliases, which can then lead to unexpected behavior when the bogons aren't updated later on. If I'm not mistaken, our distributed list doesn't use the exclusions anymore, because otherwise that would also be an item still on the list somewhere.
Yes, see #9048
@fichtner I remembered there was "something" ;) when needed, I can still pre-process the list on our server to simplify handling, but no rush at all.
@AdSchellevis @fichtner Alright, I split 8000::/1 instead (and didn't bother with ::/128).
Ping @AdSchellevis @fichtner |
Issue fixed by this: When setting up a new system with only a single interface (WAN only), 'block bogon networks' is enabled by default on this interface. Since bogonsv6.sample blocks 8000::/1, accessing the web GUI from ULAs and link-local addresses isn't possible. If the WAN is IPv6-only and doesn't have GUAs (yet), you're essentially locked out from the start.
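The splitting approach discussed in this thread, as an added example that is not part of the PR or the project's code: it computes a set of CIDRs that covers 8000::/1 except the ULA (fc00::/7) and link-local (fe80::/10) ranges, so no exclusion entries are needed. The helper names and the sample addresses are assumptions for illustration, and the resulting list is not claimed to match the one committed in the PR.

```python
import ipaddress

# Ranges named in the thread: the sample bogon list blocks 8000::/1,
# which also covers ULA (fc00::/7) and link-local (fe80::/10).
BLOCKED = ipaddress.ip_network("8000::/1")
KEEP_REACHABLE = [
    ipaddress.ip_network("fc00::/7"),   # unique local addresses
    ipaddress.ip_network("fe80::/10"),  # link-local addresses
]


def split_without(block, holes):
    """Return sorted CIDRs covering `block` minus every network in `holes`."""
    pieces = [block]
    for hole in holes:
        remaining = []
        for piece in pieces:
            if hole.subnet_of(piece):
                # Carve the hole out; address_exclude yields the leftovers.
                remaining.extend(piece.address_exclude(hole))
            elif piece.subnet_of(hole):
                continue  # piece lies entirely inside the hole, drop it
            else:
                remaining.append(piece)  # no overlap, keep unchanged
        pieces = remaining
    return sorted(pieces)


def is_blocked(addr, nets):
    """True if `addr` falls inside any network of the block list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


SPLIT = split_without(BLOCKED, KEEP_REACHABLE)

if __name__ == "__main__":
    for net in SPLIT:
        print(net)
    # Constructed sample addresses: ULA, link-local, and two that stay blocked.
    for addr in ("fd00::1", "fe80::1", "9000::1", "fec0::1"):
        print(addr, "blocked" if is_blocked(addr, SPLIT) else "allowed")
```

Because the result is a plain list of positive entries, it behaves the same when aliases are stacked, which is the concern raised about exclusion entries above.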