This page explains how IPv6 traffic is controlled and filtered in Digi Wi-SUN networks using firewalls and access control lists (ACLs). Both the XBee Hive for Wi-SUN and XBee for Wi-SUN nodes may participate in traffic filtering to secure the mesh and manage external access.

Why control IPv6 traffic?

In a typical Wi-SUN deployment, nodes are automatically assigned global IPv6 addresses, so each node can become a directly reachable host from external networks (e.g., the internet or a cloud platform) unless traffic is filtered. Controlling inbound and outbound traffic is essential for:

  • Preventing unauthorized access to devices in the mesh.

  • Limiting traffic to only allowed upstream services.

  • Reducing attack surface in industrial or smart city deployments.

Border router firewall behavior

The XBee Hive for Wi-SUN includes a built-in firewall that applies to upstream interfaces (e.g., Ethernet or Wi-Fi) and to Wi-SUN mesh traffic. By default:

  • Outgoing IPv6 traffic from mesh nodes is allowed.

  • Link-local and mesh-internal traffic (fe80::/10, ff02::/16) is not forwarded upstream.

  • Incoming IPv6 traffic from upstream is blocked unless:

    • It matches an established session initiated by a node.

    • It is explicitly permitted by a firewall rule or ACL.

Administrators can modify these defaults to open specific ports, explicitly allow external services, or choose between drop (silent discard) and reject (an ICMPv6 error is returned to the sender) policies. When tightening ICMPv6, keep in mind that IPv6 depends on it for Neighbor Discovery and Path MTU Discovery (Packet Too Big), so ICMPv6 should be filtered by message type rather than blocked outright; RFC 4890 lists the types that must be permitted.

IPv6 ACLs for device-level filtering

In addition to firewall rules, ACLs may be applied to specific interfaces or device roles. These can be used to:

  • Allow or block traffic from specific IPv6 subnets.

  • Restrict traffic to trusted service endpoints (e.g., cloud platforms).

  • Enforce policies for multicast or service discovery traffic.

ACL rules typically operate on:

  • Source and destination IPv6 address or prefix.

  • Source and destination port numbers (TCP/UDP).

  • Protocol (IPv6 next header), e.g., TCP, UDP or ICMPv6.

ACLs are normally evaluated in order with the first matching rule deciding the verdict, so a specific allow rule must be placed before any broader deny rule that would also match the same traffic.
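
The following is an added example that models the border router defaults described above (outbound from the mesh allowed, unsolicited inbound blocked unless it answers a node-initiated session or an ACL permits it, link-local and ff02::/16 traffic never forwarded) together with the ACL matching fields just listed. It is not Digi or XBee Hive code and does not use the product's rule syntax, which this page does not show; the Packet and Rule formats, the 2001:db8::/32 documentation-prefix addresses, the port numbers and the sample traffic are all constructed for illustration.

```python
"""Model of the border-router policy and ACL matching described on this page.
Added illustration, not Digi or XBee Hive code; formats and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Scopes that must never be forwarded across the border router.
LINK_LOCAL = IPv6Network("fe80::/10")
LINK_SCOPE_MCAST = IPv6Network("ff02::/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmpv6"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ingress: str = "mesh"      # interface the packet arrived on: "mesh" or "upstream"


@dataclass(frozen=True)
class Rule:
    """One ACL entry: source/destination prefix, optional protocol and destination port."""
    action: str                # "allow" or "deny"
    src: IPv6Network
    dst: IPv6Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (IPv6Address(p.src) in self.src
                and IPv6Address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class BorderRouter:
    """Mesh-to-upstream allowed (unless an outbound ACL denies it); upstream-to-mesh only
    as the reply to a node-initiated flow or when an inbound ACL permits it."""

    def __init__(self, inbound_acl, outbound_acl=()):
        self.inbound_acl = list(inbound_acl)
        self.outbound_acl = list(outbound_acl)
        self.sessions = set()  # 5-tuples of flows opened by mesh nodes

    def forward(self, p: Packet) -> str:
        src, dst = IPv6Address(p.src), IPv6Address(p.dst)
        if src in LINK_LOCAL or dst in LINK_LOCAL or dst in LINK_SCOPE_MCAST:
            return "drop:link-scope"
        if p.ingress == "mesh":
            r = next((r for r in self.outbound_acl if r.matches(p)), None)
            if r is not None and r.action == "deny":
                return "drop:outbound-acl"
            self.sessions.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return "allow:outbound"
        # Arrived from upstream: is it the reply direction of a node-initiated flow?
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return "allow:established"
        r = next((r for r in self.inbound_acl if r.matches(p)), None)  # first match wins
        if r is not None:
            return f"{r.action}:inbound-acl"
        return "drop:default"


MESH = IPv6Network("2001:db8:1::/64")        # constructed: global prefix given to nodes
CLOUD = IPv6Network("2001:db8:c::/64")       # constructed: trusted upstream service
MONITOR = IPv6Network("2001:db8:aaaa::/64")  # constructed: management network
ANY = IPv6Network("::/0")


def build_router() -> BorderRouter:
    inbound = [
        Rule("allow", MONITOR, MESH, "tcp", 8443),  # management may reach nodes on 8443
        Rule("allow", ANY, MESH, "icmpv6"),         # real rules filter by ICMPv6 type (RFC 4890)
    ]
    outbound = [
        Rule("allow", MESH, CLOUD),                 # nodes may talk to the trusted service...
        Rule("deny", MESH, ANY),                    # ...and to nothing else upstream
    ]
    return BorderRouter(inbound, outbound)


def run_demo() -> list:
    """Push constructed sample traffic through the policy and return the verdicts."""
    br = build_router()
    packets = [
        Packet("2001:db8:1::1", "2001:db8:c::10", "udp", 50000, 5683),                       # node -> cloud
        Packet("2001:db8:c::10", "2001:db8:1::1", "udp", 5683, 50000, ingress="upstream"),    # cloud reply
        Packet("2001:db8:ffff::9", "2001:db8:1::1", "tcp", 40000, 22, ingress="upstream"),    # unsolicited SSH
        Packet("2001:db8:aaaa::5", "2001:db8:1::1", "tcp", 41000, 8443, ingress="upstream"),  # ACL-permitted
        Packet("2001:db8:1::1", "2001:db8:beef::1", "tcp", 42000, 80),                       # node -> untrusted
        Packet("fe80::1", "ff02::1", "icmpv6"),                                              # link-scope only
    ]
    return [br.forward(p) for p in packets]
```

Calling run_demo() yields, in order: the node-initiated CoAP request is allowed out, its reply is allowed back as established, the unsolicited SSH attempt hits the default drop, the management connection on 8443 is allowed by the inbound ACL, the node's attempt to reach an untrusted site is stopped by the outbound deny, and the link-local multicast packet is never forwarded. The session table is deliberately a plain set keyed on the full 5-tuple, so a reply only passes if it comes from the exact peer and port the node contacted; a real stateful firewall additionally ages entries out.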

Recommended practices

  • Use ULA prefixes (e.g., fd11::/64) for devices that only need to communicate inside the mesh; ULAs are not routed on the public internet, so such devices stay unreachable from outside even if a firewall rule is later misconfigured.

  • Keep the border router's default of blocking unsolicited inbound IPv6 traffic.

  • Permit traffic to and from known external services with explicit ACLs scoped to their addresses, protocols and ports, rather than opening whole prefixes or port ranges.

  • Use diagnostics and logs to verify rule behavior: confirm that node-initiated sessions receive their replies, that unsolicited inbound connections are dropped, and that link-local and ff02::/16 traffic never appears on the upstream interface.