mhemambika
Staff
Article Id 351487
Description This article discusses the possibility of adding IPv6 addresses under exempt sources of the Captive Portal, even though the interface is configured with an IPv6 subnet.
Scope FortiGate.
Solution

There are cases where IPv6 traffic is configured on interfaces with the Captive Portal enabled, necessitating the exemption of certain IPv6 addresses.

 

 

For example, an interface with the following IPv6 configuration:

 

config system interface
    edit "IT_Firewall"
        set vdom "root"
        set ip 10.0.2.251 255.255.255.248
        set allowaccess ping https ssh snmp http radius-acct
        set explicit-web-proxy enable
        set security-mode captive-portal
        set security-exempt-list "IT_Firewall-exempt-list"
        set security-groups "automation_user" "Bobby_team" "CMU_care" "COSI_Lab_Blr" "Device_Testing" "Guest" "LaaS-Bengaluru" "south_korea_team" "Temp"
        set device-identification enable
        set role lan
        set snmp-index 20
        config ipv6
            set ip6-address 2a00:8a03:19f:4::1/64
            set ip6-allowaccess ping https ssh snmp http
        end
        set interface "x2"
        set vlanid 514
    next
end

 

In such cases, it is necessary to use an IPv6 policy to exempt the source, as IPv6 does not support adding exempt sources under the Captive Portal.

 

The IPv6 policy can be created as follows, with the option 'captive-portal-exempt' enabled.

 

config firewall policy
    edit 4
        set name "TEST1"
        set uuid a568475e-9089-51ef-0b7f-f41c5a017550
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr6 "aaaaa"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set captive-portal-exempt enable
    next
end

 

IPv6 address object used as the policy source:

 

config firewall address6
    edit "aaaaa"
        set uuid 61037408-9089-51ef-ad54-66407dc02682
        set ip6 2600:5000:9830:200::/64
    next
end

 

This approach allows the IPv6 address to be exempted from the Captive Portal.
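Because a policy with 'captive-portal-exempt' enabled lets its IPv6 sources through without portal authentication, it helps to list exactly which prefixes are exempt. The following Python script is an added example, not Fortinet's code: it reads a configuration backup and reports each exempt policy with its resolved source prefix. The function names and the sample text are constructed for illustration, and it assumes a configuration without a VDOM wrapper and with single-line 'set' values.

```python
import ipaddress
import shlex

# Constructed sample config, modelled on the objects shown in this article.
SAMPLE = '''
config firewall address6
    edit "aaaaa"
        set ip6 2600:5000:9830:200::/64
    next
end
config firewall policy
    edit 4
        set name "TEST1"
        set srcaddr6 "aaaaa"
        set captive-portal-exempt enable
    next
    edit 5
        set srcaddr6 "all"
    next
end
'''

def parse_tables(text):
    """Return {table: {entry: {key: [values]}}} for top-level config tables."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]  # blank lines match no branch
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]  # nested blocks (depth > 1) are skipped
    return tables

def exempt_ipv6_sources(text):
    """List (policy id, name, source object, prefix) for portal-exempt policies."""
    tables = parse_tables(text)
    found = []
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("captive-portal-exempt") == ["enable"]:
            for src in pol.get("srcaddr6", []):
                ip6 = tables.get("firewall address6", {}).get(src, {}).get("ip6")
                net = str(ipaddress.ip_network(ip6[0], strict=False)) if ip6 else "unresolved"
                found.append((pid, pol.get("name", [""])[0], src, net))
    return found
```

A source reported as "unresolved" has no 'ip6' value in the backup (for example a built-in object or an address group) and needs to be checked by hand.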

 

Related document

config system interface
