Better control of IPv6 firewall rules
I rely on IPv6 to allow external access to services within my home network without the need for port forwarding. Furthermore, when several devices offer the same service (such as SSH), IPv6 allows each to be picked up without requiring the use of nonstandard ports to avoid conflicts. eero correctly picks up a 64-bit IPv6 subnet from my ISP using DHCP-PD, and devices on my network correctly pick stateless addresses on the advertised subnet. Unfortunately, the IPv6 firewall does not allow enough control over rule creation to effectively grant external access to these devices.
The eero iOS app requires me to create a rule based on the MAC address of a destination device within my network. The app then shows the IPv6 address associated with the device, which I assume is automatically updated by eero whenever the ISP-delegated network prefix changes. (If IPv6 addresses in the firewall are fixed at rule creation and do not change to reflect potential changes in stateless addresses chosen by destination devices, the firewall will break the first time my ISP changes my subnet.)
There are two problems with this approach:
1. Some devices, like macOS systems, create a single stable address on the subnet, and then one or more temporary addresses. The temporary addresses are valid for one day and are preferred by the operating system for outbound connections; this improves user privacy. The stable address allows convenient inbound access. I use dynamic DNS software to update an AAAA record for each device on my network to reflect the current stable address (which may still change if my subnet changes), without the frequent update traffic and cache invalidation issues that would arise from a daily change in records pointing to the currently preferred temporary address.
The problem is that, because the operating system prefers temporary addresses for outbound traffic, the eero IPv6 firewall only captures the current temporary address when mapping the MAC address of one of its rules to a destination IPv6 address. Thus, while inbound requests to the temporary address would be passed through, inbound requests to the stable address are still blocked.
2. Generally, I want every device on my network to offer SSH access on the IPv6 network. (Devices that don't support SSH will, obviously, not respond to connections on port 22.) There is currently no mechanism to open up specific ports to *any* IPv6 address on the internal subnet.
The simple solution to both of these problems would be to allow firewall rules that pass packets to specific inbound ports on any internal address (i.e., ::/0). Note that problem (1) cannot be resolved by allowing rule creation for specific IPv6 addresses, because these addresses may change when either: (a) the ISP changes the subnet, or (b) the device is using privacy addresses (i.e., addresses that do not rely on the interface MAC address to make the lower bits unique) and the link has been "reset" in some sense (Linux systems can be configured to always use the same secret to seed privacy addresses, but the seed may be changed at any time).
In the absence of "to any" IPv6 firewall rules, the eero should, at a minimum, be capable of discovering *all* IPv6 addresses currently associated with a given MAC, and converting each MAC-based rule into separate rules for each of these addresses.
To work around this problem, I have disabled temporary addresses on my devices so that the eero maps MAC addresses to the stable address. However, I've increased my tracking footprint with this workaround.
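As an added example (not part of the original post, and not eero code), the script below mirrors the two pieces of address handling the post describes: on a host, picking the stable (non-temporary, non-deprecated) global address for a dynamic DNS AAAA update, and on a router, enumerating every IPv6 address the neighbor cache currently binds to a MAC and expanding a MAC-based rule into one rule per address. It assumes Linux `ip -6 addr show` / `ip -6 neigh show` output formats (macOS `ifconfig` prints its flags differently) and nftables rule syntax; both sample outputs are constructed, using the 2001:db8::/32 documentation prefix and made-up MAC addresses. The EUI-64 check is a heuristic for telling MAC-derived identifiers from privacy addresses, which the post notes do not depend on the MAC.

```python
import ipaddress

# Constructed sample in the format of `ip -6 addr show dev eth0` on Linux.
# Note the stable (mngtmpaddr) address is listed after the temporary ones,
# so "first global address" would pick the wrong one.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:8c2b:7d5e:1fa2:9e31/64 scope global temporary dynamic
       valid_lft 604312sec preferred_lft 85912sec
    inet6 2001:db8:1234:5678:3ad4:8f1c:2b6e:7a90/64 scope global temporary deprecated dynamic
       valid_lft 518312sec preferred_lft 0sec
    inet6 2001:db8:1234:5678:a3b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr
       valid_lft 2591912sec preferred_lft 604712sec
    inet6 fe80::a3b2:c3ff:fed4:e5f6/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample in the format of `ip -6 neigh show` on a Linux router.
# The FAILED entry has no lladdr and must be skipped, not crash the parser.
SAMPLE_IP_NEIGH = """\
2001:db8:1234:5678:8c2b:7d5e:1fa2:9e31 dev br0 lladdr a1:b2:c3:d4:e5:f6 REACHABLE
2001:db8:1234:5678:a3b2:c3ff:fed4:e5f6 dev br0 lladdr a1:b2:c3:d4:e5:f6 STALE
fe80::a3b2:c3ff:fed4:e5f6 dev br0 lladdr a1:b2:c3:d4:e5:f6 REACHABLE
2001:db8:1234:5678:1111:2222:3333:4444 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1234:5678:dead:beef:cafe:f00d dev br0 FAILED
"""


def parse_ip_addr(text):
    """Return [(address, scope, flags)] for each 'inet6' line of `ip -6 addr` output."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "inet6" or tok[2] != "scope":
            continue
        addr = ipaddress.IPv6Address(tok[1].split("/")[0])
        out.append((addr, tok[3], set(tok[4:])))
    return out


def pick_stable_global(text):
    """Address to publish in the AAAA record: global scope, not an RFC 4941
    temporary address, not deprecated. Returns None if there is no such address."""
    for addr, scope, flags in parse_ip_addr(text):
        if scope == "global" and not flags & {"temporary", "deprecated"}:
            return addr
    return None


def eui64_iid(mac):
    """Modified EUI-64 interface identifier derived from a 48-bit MAC
    (flip the universal/local bit of the first octet, insert ff:fe in the middle)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")


def is_eui64_for_mac(addr, mac):
    """True if the low 64 bits of addr are the EUI-64 identifier for mac, i.e.
    the address is MAC-derived rather than a privacy/temporary identifier."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1) == eui64_iid(mac)


def addresses_for_mac(text, mac):
    """Every non-link-local IPv6 address the neighbor cache currently binds to
    mac, temporary ones included, sorted numerically. Entries without an
    lladdr field (FAILED / INCOMPLETE) are ignored."""
    mac = mac.lower()
    found = set()
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok or tok[tok.index("lladdr") + 1].lower() != mac:
            continue
        addr = ipaddress.IPv6Address(tok[0])
        if not (addr.is_link_local or addr.is_multicast):
            found.add(addr)
    return sorted(found)


def rules_for_mac(text, mac, port, proto="tcp"):
    """Expand one MAC-based rule into one nftables rule per current address.
    The rule syntax is an assumption; `nft add rule inet filter fwd <rule>`
    is a typical place such lines would land."""
    return [f"ip6 daddr {a} {proto} dport {port} accept"
            for a in addresses_for_mac(text, mac)]


if __name__ == "__main__":
    print("AAAA target:", pick_stable_global(SAMPLE_IP_ADDR))
    for r in rules_for_mac(SAMPLE_IP_NEIGH, "a1:b2:c3:d4:e5:f6", 22):
        print(r)
```

Run on the samples, the host side returns the mngtmpaddr address rather than the currently preferred temporary one, and the router side emits two SSH rules for the MAC, covering both the temporary and the stable address, which is the behaviour the post asks for in place of mapping a MAC to a single address.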