TL> I get a dialog box where you put in the "interface ID", which is the
TL> host part of the IPv6 address.
Having to enter only the host part instead of the entire 128 bit address makes sense.
TL> There are also options to select ports,
TL> or you can click the "exposed host" button, which disables the
TL> firewall entirely for that host.
That too makes sense.
MvV>> The internal IPv6 address defaults to ::. Which in a way also
MvV>> makes sense. Interesting is the option "MACV6". Instead of the
MvV>> IPv6 address,
TL> That is an interesting option. I don't have that one that I know of,
TL> but I can see it being quite useful.
It would be useful for IPv4 too, I'd say.
MvV>> I can understand why they do it this way, but I find it
MvV>> undesirable from an educational POV. While it has the same
MvV>> goal: having an incoming packet reach its intended destination,
MvV>> the mechanism is completely different. As you say for IPv6 it is
MvV>> not NAPT, it is a packet filter.
TL> Yes, it will lead to confusion for the average punter.
It confused me...
TL> Only way ICMP echo (ping) is allowed to hosts behind the router is if
TL> I use the exposed host option.
That is not good. In IPv6 ICMP should never be turned off completely. Some parts of it are essential for the proper operation of IPv6. "Packet too large" comes to mind. Even if you have all ports closed or stealthed, ICMP should not be disabled completely.
TL> There is another option in the firewall setup to allow ICMP echo, but
TL> that's for the router itself, and I'm unsure if that affects IPv6 as
TL> well as IPv4.
You can test it using one of the looking glass servers.
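
An added example, not part of the original message: a small Python check of which ICMPv6 messages a forwarding filter would drop, measured against the list RFC 4890 section 4.3.1 says must not be dropped for traffic passing through a firewall. The rule format and the three sample policies are constructed assumptions, not the configuration of the router discussed above.

```python
# Audit a first-match ICMPv6 forward policy against the "must not be
# dropped" transit list of RFC 4890, section 4.3.1.
# Rule format (assumed for this example): (action, icmp_type, code),
# where None in a rule field is a wildcard. Default action is drop.

# (type, code) -> name; code None means "every code of this type".
MUST_NOT_DROP = {
    (1, None): "Destination Unreachable",
    (2, None): "Packet Too Big",
    (3, 0): "Time Exceeded (hop limit exceeded in transit)",
    (4, 1): "Parameter Problem (unrecognized Next Header)",
    (4, 2): "Parameter Problem (unrecognized IPv6 option)",
    (128, None): "Echo Request",
    (129, None): "Echo Reply",
}

def verdict(rules, icmp_type, code, default="drop"):
    """Return the action of the first rule matching this type and code."""
    for action, r_type, r_code in rules:
        if r_type in (None, icmp_type) and r_code in (None, code):
            return action
    return default

def blocked_essentials(rules):
    """Names of RFC 4890 4.3.1 messages that the policy drops for any code."""
    blocked = []
    for (icmp_type, code), name in MUST_NOT_DROP.items():
        codes = range(256) if code is None else [code]
        if any(verdict(rules, icmp_type, c) == "drop" for c in codes):
            blocked.append(name)
    return blocked

# Constructed policies for illustration.
ALL_CLOSED = []                                   # everything falls to drop
PING_ONLY = [("accept", 128, None), ("accept", 129, None)]
RFC4890_TRANSIT = [
    ("accept", 1, None), ("accept", 2, None), ("accept", 3, 0),
    ("accept", 4, 1), ("accept", 4, 2),
    ("accept", 128, None), ("accept", 129, None),
]

if __name__ == "__main__":
    for label, policy in [("all closed", ALL_CLOSED),
                          ("ping only", PING_ONLY),
                          ("RFC 4890 transit", RFC4890_TRANSIT)]:
        print(label, "->", blocked_essentials(policy) or "nothing essential dropped")
```

Allowing only echo still leaves Packet Too Big dropped, so path MTU discovery to hosts behind the filter would fail even though ping works.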