
Isolating Dynamic IPv6 on Guest VLAN

So I have native IPv6 from my cable provider, and as most people know it's not a static IP.  I can get a /56, however.  So I've set it up so my normal LAN gets one /64 and the Guest VLAN gets another /64.  That is all working and I can access external IPv6 sites successfully from both the normal LAN and Guest VLAN.  

 

Now, the problem is the Guest VLAN can access the normal LAN clients over IPv6.  All the guides I see about blocking the guest VLAN from my LAN say to implement a firewall rule based on subnet.  But without a static subnet that won't work long term.  I know I could just set the Guest network to IPv4 only and not worry about it, but where's the fun in that?

 

For reference, my normal LAN is on switch0, and my Guest VLAN is switch0.2.

 

For IPv4 (even though it's not dynamic) I was able to run `set firewall name GUEST_IN rule 1 destination group address-group NETv4_switch0` and it is successfully blocking access from the Guest VLAN to the normal LAN.

 

I figured I'd try the same thing for IPv6, but when I run `set firewall ipv6-name GUESTv6_IN rule 1 destination group address-group NETv6_switch0` it fails with the message "The specified configuration node is not valid" (it works fine if I run `set firewall ipv6-name GUESTv6_IN rule 1 destination address <my IPv6 subnet>::0/64` to set it to the specific subnet).

 

So is there some way I can set it to just block all IPv6 access from switch0.2 to switch0 (I don't necessarily need switch0 to switch0.2 blocked, but if it is, that's fine as well)?  Or am I just stuck having to specify the subnet and keep it updated (in which case I'd just turn off IPv6 on the guest VLAN)?

 

(I tried looking into setting up zones, as that seems like it might work as I can apply it to the interface rather than a subnet, but I really don't understand it and the guides I found (like this one: https://help.ubnt.com/hc/en-us/articles/204952154-EdgeMAX-Zone-Policy-CLI-Example) really didn't help.  It seems far too complex for what I need to do.)
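For the "specify the subnet and keep it updated" option, the check can be scripted. The sketch below is an added example, not part of the original post and not Ubiquiti code: it reads the current global /64 on switch0 from `ip -6 -o addr show dev switch0` output and produces the post's own `destination address` command only when the delegated prefix has changed. The function names, the sample output and the 2001:db8:: prefix are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 -o addr show dev switch0` output (documentation prefix).
SAMPLE_IP_OUTPUT = """\
5: switch0    inet6 2001:db8:ab:cd00:de4d:beff:fe00:1/64 scope global dynamic \\       valid_lft 3000sec preferred_lft 3000sec
5: switch0    inet6 fe80::de4d:beff:fe00:1/64 scope link \\       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"\binet6\s+(\S+)\s+scope\s+(\w+)")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def lan_prefix(ip_output):
    """Return the delegated /64 currently on the interface, or None."""
    for addr, scope in INET6_RE.findall(ip_output):
        iface = ipaddress.IPv6Interface(addr)
        # Ignore link-local (fe80::/10) and anything outside global unicast.
        if scope != "global" or iface.ip not in GLOBAL_UNICAST:
            continue
        return ipaddress.IPv6Network(f"{iface.ip}/64", strict=False)
    return None


def rule_update(ip_output, current_rule_dest):
    """Return the `set` command to run in a configure session, or None.

    None means "leave the rule alone": either the prefix is unchanged, or no
    global address was found (e.g. the lease lapsed), in which case the old
    block is kept in place instead of being replaced with nothing.
    """
    prefix = lan_prefix(ip_output)
    if prefix is None:
        return None
    if current_rule_dest is not None:
        current = ipaddress.IPv6Network(current_rule_dest, strict=False)
        if current == prefix:
            return None
    return ("set firewall ipv6-name GUESTv6_IN rule 1 "
            f"destination address {prefix}")


if __name__ == "__main__":
    # Constructed case: the rule still points at a stale /64 from an old lease.
    print(rule_update(SAMPLE_IP_OUTPUT, "2001:db8:ff:1200::/64"))
```

Between a prefix change and the next run of such a check, rule 1 still points at the old /64, so the guest VLAN can reach the normal LAN during that window.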

 

 

 

