IPv6 Prefix Delegation and Firewall Rules

Many service providers supply their customers with a block of IPv6 addresses using DHCPv6-based Prefix Delegation. This is described in RFC 3315.

When configuring your traffic filter or firewall on your router, you will need to remember to allow DHCPv6 traffic on your outside interface.

DHCPv6 uses UDP port 546 on the client side and UDP port 547 on the server side. As it will be your WAN interface that is behaving as the DHCP client, you will need to:

  • allow OUTBOUND traffic with a SOURCE port of 546 and a DESTINATION port of 547;
  • allow INBOUND traffic with a SOURCE port of 547 and a DESTINATION port of 546.

Without these rules, you won't get a prefix and there'll be no IPv6 for you!
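
The two rules above, written as an nftables ruleset for the router itself. This is an added example, not part of the original page: the interface name `wan0` and the table name are assumptions, and the ICMPv6 and conntrack lines are only there so the default-drop policy leaves IPv6 usable.

```nft
#!/usr/sbin/nft -f
# Added example (constructed). Assumptions: nftables is the packet filter,
# the WAN interface is called "wan0", and the table name is hypothetical.

define WAN = "wan0"

table ip6 dhcpv6_pd_example {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Not from the page: router/neighbour discovery needed on any IPv6 link.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # INBOUND: source port 547 (server), destination port 546 (client).
        # The client's first message goes to a multicast address and the
        # reply comes from the server's own address, so connection tracking
        # does not treat the reply as "established". It needs its own rule.
        iifname $WAN udp sport 547 udp dport 546 accept

        # Optional tightening (assumption: your provider's server or relay
        # answers from a link-local address; check a packet capture first):
        # iifname $WAN ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept
        ct state established,related accept

        # Not from the page: router/neighbour discovery needed on any IPv6 link.
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept

        # OUTBOUND: source port 546 (client), destination port 547 (server).
        oifname $WAN udp sport 546 udp dport 547 accept
    }
}
```

Syntax-check the file with `nft -c -f <file>` before loading it, and adapt the rules into your existing chains rather than loading a second default-drop table alongside them.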