shouldn't fc00::/8 also be blocked from WAN?

Started by drosophila, April 08, 2026, 04:45:00 PM

April 08, 2026, 04:45:00 PM Last Edit: April 08, 2026, 04:50:27 PM by drosophila
If I enable "Block private networks from WAN", the rule gets generated with the following contents: "fd00::/8, fe80::/10, ::/128". Shouldn't that be either "fd00::/7" or have an additional "fc00::/8" in it? They're both private with the only difference being that fc:: is supposedly assigned by the IANA. AFAIK, this process never materialized but still...?
Plus, even though deprecated, wouldn't the site-locals (fec::/10) also be considered "private"?

Also, the description of the checkbox in the interface config only mentions RFC1918, there is no mention of IPv6 at all so which ranges will get blocked won't be known unless you look at the rules.

Am I missing something again?

You will find the answers here: https://en.wikipedia.org/wiki/Unique_local_address

Site-local addresses (fec::/10) have been deprecated and are in the global allocation block, so potentially could be routable at any point.

fc00::/8 is proposed to be managed, but is not at this time. So, only fd00::/8 is truly locally administered and thus "private" in some sense.

Not that it matters much if you do not have explicit allow rules and also use such ranges, which would go against specifications, anyway.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

I am certain to have read somewhere that while site-locals technically are deprecated, existing deployments are not required to re-address, so they'd still be reserved for legacy environments, and given the available address space probably will not be re-purposed any time soon. However, RFC 4291 actually demands that "The special behavior of this prefix defined in [RFC3513] must no longer be supported in new implementations (i.e., new implementations must treat this prefix as Global Unicast).", so they're indeed no longer special.

However, https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml lists the entirety of "fc00::/7" as "Unique Local Unicast".

If these rules make no difference, then I must wonder why they can be created at all, maybe it is for logging only? Even if that is the case, I'd prefer these to be logged as "private" instead of being lumped in with all other denials.
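As an added check, not code from any poster in this thread, the following Python snippet uses the standard-library ipaddress module to test constructed sample source addresses against the generated rule quoted in the first post ("fd00::/8, fe80::/10, ::/128") and against the wider set discussed above (fc00::/7 plus the deprecated fec0::/10), so you can see exactly which sources fall through the generated rule.

```python
import ipaddress

# Prefixes the generated "Block private networks from WAN" rule contains,
# as quoted in the first post of this thread.
GENERATED_RULE = ("fd00::/8", "fe80::/10", "::/128")

# The broader set discussed in the thread: the whole IANA "Unique Local
# Unicast" block fc00::/7 plus the deprecated site-local range fec0::/10.
PROPOSED_RULE = ("fc00::/7", "fe80::/10", "::/128", "fec0::/10")


def matching_prefix(addr, prefixes):
    """Return the first prefix in `prefixes` that contains `addr`, or None."""
    ip = ipaddress.ip_address(addr)
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if ip.version == net.version and ip in net:
            return p
    return None


def covers(outer, inner):
    """True if prefix `outer` fully contains prefix `inner` (e.g. fc00::/7 vs fd00::/8)."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def compare_rules(addrs):
    """Map each address to (generated match, proposed match) so gaps stand out."""
    return {a: (matching_prefix(a, GENERATED_RULE),
                matching_prefix(a, PROPOSED_RULE)) for a in addrs}


# Constructed sample source addresses, one per range discussed in the thread.
SAMPLE_SOURCES = [
    "fc00::1",          # ULA, "centrally assigned" half (fc00::/8)
    "fd12:3456::1",     # ULA, locally assigned half (fd00::/8)
    "fe80::1",          # link-local
    "fec0::1",          # deprecated site-local
    "::",               # unspecified address
    "2001:db8::1",      # documentation prefix, stands in for global unicast
]

if __name__ == "__main__":
    for addr, (gen, prop) in compare_rules(SAMPLE_SOURCES).items():
        print(f"{addr:16} generated={gen!s:10} proposed={prop}")
    print("fc00::/7 covers fd00::/8:", covers("fc00::/7", "fd00::/8"))
```

A source in fc00::/8 or fec0::/10 shows `generated=None`, meaning the generated rule does not block it and only an explicit rule of your own would.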