This page explains how IPv6 traffic is controlled and filtered in Digi Wi-SUN networks using firewalls and access control lists (ACLs). Both the XBee Hive for Wi-SUN and XBee for Wi-SUN nodes may participate in traffic filtering to secure the mesh and manage external access.
Why control IPv6 traffic?
In a typical Wi-SUN deployment, many devices are automatically assigned global IPv6 addresses and may become reachable from external networks (e.g., the internet or cloud). Controlling inbound and outbound traffic is essential for:
- Preventing unauthorized access to devices in the mesh.
- Limiting traffic to only allowed upstream services.
- Reducing the attack surface in industrial or smart city deployments.
Border router firewall behavior
The XBee Hive for Wi-SUN includes a built-in firewall that applies to upstream interfaces (e.g., Ethernet or Wi-Fi) and to Wi-SUN mesh traffic. By default:
- Outgoing IPv6 traffic from mesh nodes is allowed.
- Link-local and mesh-internal traffic (fe80::/10, ff02::/16) is not forwarded upstream.
- Incoming IPv6 traffic from upstream is blocked unless:
  - It matches an established session initiated by a node.
  - It is explicitly permitted by a firewall rule or ACL.
Administrators can modify these defaults to open ports, whitelist external services, or implement drop/reject policies.
IPv6 ACLs for device-level filtering
In addition to firewall rules, ACLs may be applied to specific interfaces or device roles. These can be used to:
- Allow or block traffic from specific IPv6 subnets.
- Restrict traffic to trusted service endpoints (e.g., cloud platforms).
- Enforce policies for multicast or service discovery traffic.
ACL rules typically operate on:
- Source and destination IPv6 address.
- Port numbers (TCP/UDP).
- Protocol type (e.g., ICMPv6, UDP).
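The following is an added example, not Digi's firewall syntax or the XBee Hive's own implementation: it models the default border router behaviour and ACL matching described above so the decision logic can be traced on sample packets. The mesh prefix fd11::/64 comes from this page; the rule set, the "sessions" table and the upstream address 2001:db8::10 (documentation prefix) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the page's default policy; not the XBee Hive's real firewall code.
MESH_LOCAL = [ipaddress.ip_network("fe80::/10"), ipaddress.ip_network("ff02::/16")]

@dataclass
class Rule:
    """One ACL entry: match on source/destination prefix, protocol and destination port."""
    action: str                    # "allow" or "drop"
    src: str = "::/0"              # source IPv6 prefix
    dst: str = "::/0"              # destination IPv6 prefix
    proto: str = "any"             # "tcp", "udp", "icmpv6" or "any"
    dport: Optional[int] = None    # destination port (TCP/UDP only); None = any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

class BorderRouterFilter:
    """Outbound from mesh allowed, link-local/ff02:: never forwarded upstream,
    inbound dropped unless it answers a node-initiated session or an explicit rule allows it."""
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.sessions = set()  # (node_addr, node_port, remote_addr, remote_port, proto)

    def outbound(self, pkt):
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if any(src in n or dst in n for n in MESH_LOCAL):
            return "drop"      # link-local and mesh multicast stay inside the mesh
        # Remember the flow so the reply is recognised as part of an established session.
        self.sessions.add((pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"), pkt["proto"]))
        return "allow"

    def inbound(self, pkt):
        key = (pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"), pkt["proto"])
        if key in self.sessions:
            return "allow"     # reply to a session a mesh node initiated
        for rule in self.inbound_rules:   # first matching explicit rule wins
            if rule.matches(pkt):
                return rule.action
        return "drop"          # default: unsolicited inbound traffic is blocked
```

A real deployment would also age out sessions and log each drop, so that the "use diagnostics and logs" practice below can confirm the rules behave as intended.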
Recommended practices
- Use ULA prefixes (e.g., fd11::/64) for mesh-only networks to reduce exposure.
- Block unsolicited inbound IPv6 traffic at the border router by default.
- Allow access to known external service addresses using explicit ACLs.
- Use diagnostics and logs to verify rule behavior.