Configure IPv6 - Ruleset for VLANS

Started by Mayo132, June 17, 2023, 07:39:12 PM

Hey everybody,

I do not know if this is the right place, but I would like to ask for some help with setting up an IPv6 config. Everything seems to be working flawlessly, but there are some strange things which I do not understand. So I hope you can help me.

First: There is no fixed IPv6 prefix delegated, so it is possible that these could change.

My network setup:


  • Main LAN:
    - IP 192.168.20.0/24
    - fd85:xx:feb8:9820::1/64
    - 2003:xx:xx:20::/64
  • IOT Net:
    - IP 192.168.60.0/24
    - fd85:xx:feb8:9860::1/64
    - 2003:xx:xx:60::/64
  • Guest Net:
    - IP 192.168.50.0/24
    - fd85:xx:feb8:9850::1/64
    - 2003:xx:xx:50::/64

If I get it right, internet access is only possible via the global address "2003::".
>> This works fine > an IPv6 test site shows me IPv4 and IPv6 compatibility

I set up a Pihole and provide this DNS via DHCPv6
> So every client gets an IPv4 DNS and an IPv6 DNS server (here I provide the FD85:: address, because it should always be the same)

And now to the part I do not understand.

When I connect to the Guest or IOT net
> I only get the configured IPv6 address. There is no "20" / "50" address

But when I connect to the Main LAN
-> Every V6 address is provided: "20" / "50" / "60"


I don't know why I am getting the other subnets on my main LAN. Maybe someone can explain it? Or is there a configuration error?

Now one question about the ruleset:
For example, the GUEST net.
> I added an allow rule for the DNS server (fd85:XX:feb8:9820::2)
> I added a block rule for "LAN NET" and "IOT NET"
> I added a block rule for the private IPv6 ranges (fd85:XX:feb8:9820::/64 and fd85:XX:feb8:9860::/64)

Is this the right way, or can it be blocked another way?

Thanks a lot for helping me

Mario
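
The guest ruleset listed in the post, modelled as an added example (not part of the original post and not the firewall's own code) so its behaviour can be checked per destination. It assumes first-match evaluation, a final allow-to-internet rule, and that "LAN NET" / "IOT NET" cover every prefix on the interface; the fd00:: and 2001:db8:: prefixes are constructed stand-ins for the masked ones.

```python
import ipaddress as ip

# Constructed stand-ins: the post masks its real prefixes with "xx".
ULA = {"LAN": "fd00:0:0:9820::/64", "IOT": "fd00:0:0:9860::/64"}
GUA = {"LAN": "2001:db8:0:20::/64", "IOT": "2001:db8:0:60::/64"}  # delegated, may change
PIHOLE = "fd00:0:0:9820::2"  # DNS server on the main LAN


def nets(*prefixes):
    return [ip.ip_network(p) for p in prefixes]


# (action, destination networks, destination port or None for any), in the post's order.
GUEST_RULES = [
    ("pass", nets(PIHOLE + "/128"), 53),             # allow DNS to the Pihole
    ("block", nets(ULA["LAN"], GUA["LAN"]), None),   # "LAN NET" (assumed: all prefixes on LAN)
    ("block", nets(ULA["IOT"], GUA["IOT"]), None),   # "IOT NET" (assumed likewise)
    ("block", nets(ULA["LAN"], ULA["IOT"]), None),   # literal private /64 ranges
    ("pass", nets("::/0"), None),                    # assumed final allow-to-internet rule
]


def evaluate(rules, dst, port):
    """Return (action, rule index) of the first matching rule; default deny."""
    addr = ip.ip_address(dst)
    for idx, (action, dst_nets, rule_port) in enumerate(rules):
        if rule_port is not None and rule_port != port:
            continue
        if any(addr in n for n in dst_nets):
            return action, idx
    return "block", None


def dns_rule_last(rules):
    """Same rules with the DNS allow moved below the block rules."""
    return rules[1:4] + [rules[0], rules[4]]


def literal_blocks_only(rules):
    """Drop the interface-net rules, keeping only the hard-coded ULA block."""
    return [rules[0], rules[3], rules[4]]


if __name__ == "__main__":
    print(evaluate(GUEST_RULES, PIHOLE, 53))                 # DNS reaches the Pihole
    print(evaluate(GUEST_RULES, PIHOLE, 80))                 # rest of that host is blocked
    print(evaluate(dns_rule_last(GUEST_RULES), PIHOLE, 53))  # order matters
    print(evaluate(literal_blocks_only(GUEST_RULES), "2001:db8:0:20::10", 443))
```

Under these assumptions, the hard-coded ULA block on its own does not match the main LAN's global addresses, so the block on the interface networks is the rule that covers them when the delegated prefix changes.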