Configure ACL Firewall for IPv6 Security on iKuai OS
Support Content
## 1. Introduction
This video demonstrates how to use the ACL (Access Control List) firewall in iKuai OS to control access precisely and address the security issues of publicly reachable IPv6 addresses. It is a beginner's tutorial that covers the complete configuration and testing process.
Disclaimer: Released with DP_IT videos, free to use. Any resale or commercial activities are prohibited. If someone sold this to you, please request a refund. Website: https://dpit.lib00.com
## 2. Websites Used in the Video
1. Port Testing Website: http://www.ipv6scanner.com/cgi-bin/main.py
Summary Content
# Configure ACL Firewall for IPv6 Security on iKuai OS
## 📋 Video Overview
This tutorial demonstrates how to configure ACL (Access Control List) firewall rules in the iKuai OS router system to secure an IPv6 network. The creator, DP, combines theoretical explanations with practical demonstrations to help users understand IPv6 security risks and learn how to control access from the external network with firewall rules.
---
## 🔐 Core Issue: IPv6 Security
### IPv6 Characteristics and Risks
- **Public Network Nature**: Every IPv6 device has a public IP address; anyone who knows the address can access it directly
- **Address Leakage Risk**: Although IPv6 addresses are long, they can easily be obtained through BT downloads, proxies, etc.
- **Default Vendor Policies**: Most router manufacturers either disable IPv6 by default or block external-to-internal network access
### Why IPv6 Firewall Is Needed
Traditional "blanket blocking" approaches prevent using IPv6's public network access features. The ideal solution is implementing **controlled access** through firewalls, enjoying IPv6 convenience while maintaining security.
---
## 📚 IPv6 Fundamentals
### IPv4 vs IPv6 Comparison
- **IPv4**: 4 blocks (0-255), approximately 4.2 billion addresses, facing shortage issues
- **IPv6**: 8 blocks (4 hexadecimal digits each), approximately 340 undecillion addresses, sufficient globally
### IPv6 Address Structure
```
Prefix (ISP-assigned, changes per connection) + Suffix (device-generated, relatively stable)
```
- **Prefix**: Dynamically allocated by ISP
- **Suffix**: Generated by internal network devices through algorithms, remains relatively stable
---
## 🛡️ ACL Firewall Configuration Principles
### Typical Network Scenario
```
Router
├── NAS (Port 51304 - Synology HTTPS)
├── iMac (Port 55202 - Nginx HTTPS)
└── Other Devices
```
### Security Policy Design
1. **Default Deny Rule**: Block all IPv6 external-to-internal network requests
2. **Precision Allow Rules**: Use suffix matching technology to open access for specific devices and ports
### Advantages of Suffix Matching
Since IPv6 prefixes change with reconnections, direct full-address matching is unreliable. **Suffix matching** only matches the latter portion (device-generated part), remaining effective even when ISPs change prefixes.
---
## 🔧 Practical Implementation Steps
### Step 1: Obtain Device IPv6 Address
Using Synology NAS as example:
1. Open **Control Panel** → **Network** → **Network Interface**
2. View IPv6 addresses (typically shows 3 addresses)
3. Record the suffix of addresses available for external access
### Step 2: Configure ACL Rules
**Rule 1: Default Block**
- Protocol Stack: IPv6
- Protocol: All
- Action: Block
- Direction: Forward
- Connection Direction: Original Direction
- Ingress: WAN Port
- Egress: LAN Port
- Source/Destination Address: Empty
- Time: All Day
**Rule 2: Allow Specific Service (Synology Example)**
- Protocol Stack: IPv6
- Protocol: TCP
- Action: Allow
- Destination Address: **Enable Suffix Matching**
```
Format: ::suffix_address/::ffff:ffff:ffff:ffff
Example: ::1234/::ffff:ffff:ffff:ffff
```
- Destination Port: 51304 (Synology HTTPS port)
- Ingress: WAN Port
- Egress: LAN Port
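The suffix-matching comparison and the two-rule policy above, modelled in Python as an added example (not code from the video or from iKuai OS). The function names `suffix_match` and `decide` are hypothetical, the sample addresses are constructed from the 2001:db8::/32 documentation prefix, and checking allow rules before the default block is an assumption about rule ordering.

```python
import ipaddress

def suffix_match(addr: str, rule: str) -> bool:
    """True if addr equals the rule's suffix on every bit set in the mask.

    rule uses the page's format '::suffix/::mask', e.g. '::1234/::ffff:ffff:ffff:ffff'.
    """
    suffix_txt, mask_txt = rule.split("/")
    suffix = int(ipaddress.IPv6Address(suffix_txt))
    mask = int(ipaddress.IPv6Address(mask_txt))
    return (int(ipaddress.IPv6Address(addr)) & mask) == (suffix & mask)

# Rule 2 from the page: TCP to the NAS suffix on port 51304.
ALLOW_RULES = [
    {"proto": "tcp", "dst": "::1234/::ffff:ffff:ffff:ffff", "port": 51304},
]

def decide(proto: str, dst: str, port: int) -> str:
    """Verdict for a WAN-to-LAN IPv6 packet under the two-rule policy."""
    for rule in ALLOW_RULES:
        if (proto == rule["proto"] and port == rule["port"]
                and suffix_match(dst, rule["dst"])):
            return "allow"
    return "block"  # Rule 1: default block for everything else

# Constructed sample packets (2001:db8::/32 is the documentation prefix).
SAMPLES = [
    ("tcp", "2001:db8:aaaa:1::1234", 51304),   # NAS, current prefix
    ("tcp", "2001:db8:bbbb:2::1234", 51304),   # NAS after prefix change
    ("tcp", "2001:db8:aaaa:1::1234", 22),      # same host, port not opened
    ("udp", "2001:db8:aaaa:1::1234", 51304),   # wrong protocol
    ("tcp", "2001:db8:aaaa:1:a1b2:c3d4:e5f6:1234", 51304),  # different suffix
]

if __name__ == "__main__":
    for proto, dst, port in SAMPLES:
        print(f"{proto:3} [{dst}]:{port} -> {decide(proto, dst, port)}")
    # A mask shorter than the interface identifier matches more hosts than intended.
    print(suffix_match("2001:db8:aaaa:1:a1b2:c3d4:e5f6:1234", "::1234/::ffff"))
```

The last line shows why the mask should cover the whole device-generated part: with `::ffff` only the final 16 bits are compared, so an unrelated host ending in `1234` would also match.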
### Step 3: Testing and Verification
1. Use online port scanning tools for testing
2. Should show "blocked" when rule is disabled
3. Should show "open" after enabling rule (wait ~30 seconds)
---
## 💡 Key Points
1. **Multiple IPv6 Addresses Per Device**: Routers may assign multiple IPv6 addresses to one device; identify externally accessible ones
2. **Suffix Format Explanation**:
   - Prefix represented by `::` (ignored)
   - Suffix specified to required precision
   - Mask uses `ffff` for parts that must match
3. **Use with DDNS**: Due to dynamic prefix changes, configure IPv6 DDNS service to bind domain names
4. **Need-Based Access Principle**: Only open necessary service ports, block everything else
---
## 🎯 Applicable Scenarios
- Remote access to home NAS storage
- Remote access to home servers (web services, media servers, etc.)
- Requiring IPv6 public network functionality with security concerns
- Using iKuai OS or similar router systems supporting ACL
---
## ⚠️ Important Notes
- First-time configuration is recommended from within the local network, to avoid losing access through a misconfiguration
- Allow a grace period after rule modifications (typically 30 seconds to 1 minute)
- Regularly verify rule effectiveness to prevent ISP network changes from causing failures
- Combine with strong passwords, two-factor authentication, and other security measures
---
## 📖 Related Tutorial Recommendations
- Enabling IPv6 Internet Support in iKuai OS
- IPv6-Based DDNS Domain Binding Technology