Cannot get from wan to lan via ipv6

Hi.

I have an IPv6 prefix from my ISP, and IPv6 working on my local network. But I cannot get in from outside, despite allowing it in the firewall.

E.g. I have this in my firewall, allowing various protocols on my ipv6 machines:

root@archerc6:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Test-Allow-8000-From-Internet'
	option dest 'lan'
	option dest_port '8000'
	option target 'ACCEPT'
	option src 'wan'
	list dest_ip '[my-ipv6-prefix]::203'
	option src_port '8000'

config rule
	option name 'Allow-ipv6-homassistant-access'
	option src '*'
	option dest 'lan'
	list dest_ip '[my-ipv6-prefix]::3e5'
	option dest_port '8123'
	option target 'ACCEPT'

config rule
	option name 'test'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
	list proto 'esp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '[my-ipv6-prefix]:8de7:9f02:e5b:5c36'
	option target 'ACCEPT'

and it works on my local network when I ping or curl -6 my test server on :8000 via IPv6. But nothing from outside. E.g. this works locally but not from my outside server (on which pinging Google via ping6 works fine):

ping6 [my-ipv6-prefix]:8de7:9f02:e5b:5c36

My network config:

root@archerc6:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd49:e5fc:83af::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.0.202'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '848'
	option name 'eth0.848'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth0.848'
	option username 'wia'
	option password 'wia'
	option ipv6 'auto'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t'
	option vid '848'

Any help is appreciated!

Get rid of that.


Yes, src_port will break this, since for most services the client machine uses a random port to originate the connection.

Your allow homeassistant rule should explicitly have 'wan' as the source.

There is an allow ICMPv6 (including pings) in the default firewall, you don't need to add that.

The prefix needs to be the specific prefix delegated to the LAN, not the general /56 or /48 that you have from the ISP. Setting ip6hint on the LAN(s) will make this deterministic. The /-64 (or /-48 etc) syntax can be used to match only the final bits of the IP that are not assigned by the ISP. This is useful if the ISP is going to change your prefix.

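A small checker for the three points made in this reply (src_port on an inbound rule, src not set to 'wan', and dest_ip hard-coding the delegated prefix instead of the '::host/-64' form). This is an added example, not code from the thread or from OpenWrt; it parses the UCI rule syntax posted above, and the sample config is constructed from the thread's rules with the documentation prefix 2001:db8:1::/64 standing in for "[my-ipv6-prefix]". dest_ip_matches() shows what the negative mask actually compares.

```python
"""Lint the inbound IPv6 rules of an OpenWrt /etc/config/firewall.

Added example, not the thread's or OpenWrt's own code. It flags a src_port on
an inbound rule, a rule whose src is not 'wan', and a dest_ip that hard-codes
the delegated prefix instead of the '::host/-64' negative-mask form.
"""
import ipaddress
import re

# Constructed sample: rules from the thread, documentation prefix
# 2001:db8:1::/64 in place of "[my-ipv6-prefix]".
SAMPLE_CONFIG = """
config rule
	option name 'Test-Allow-8000-From-Internet'
	option dest 'lan'
	option dest_port '8000'
	option target 'ACCEPT'
	option src 'wan'
	list dest_ip '2001:db8:1::203'
	option src_port '8000'

config rule
	option name 'Allow-ipv6-homassistant-access'
	option src '*'
	option dest 'lan'
	list dest_ip '2001:db8:1::3e5'
	option dest_port '8123'
	option target 'ACCEPT'

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::6/-64'
"""

_KV = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'")


def parse_rules(text):
    """Return the 'config rule' sections as dicts (list values become lists)."""
    sections, cur = [], None
    for line in text.splitlines():
        if line.strip().startswith("config "):
            cur = {"_type": line.split()[1]}
            sections.append(cur)
            continue
        m = _KV.match(line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur[key] = val
            else:
                cur.setdefault(key, []).append(val)
    return [s for s in sections if s["_type"] == "rule"]


def dest_ip_matches(spec, addr):
    """Evaluate a fw3/fw4 dest_ip spec against a concrete address.

    '2001:db8:1::3e5'   exact host (implicit /128)
    '2001:db8:1::/64'   ordinary prefix: compare the high 64 bits
    '::6/-64'           negative mask: compare only the low 64 bits, so the
                        rule keeps matching host ::6 after the ISP changes
                        the delegated prefix
    """
    ip, _, plen = spec.partition("/")
    a, s = int(ipaddress.IPv6Address(addr)), int(ipaddress.IPv6Address(ip))
    if not plen:
        return a == s
    n = int(plen)
    mask = (1 << -n) - 1 if n < 0 else ((1 << n) - 1) << (128 - n)
    return (a & mask) == (s & mask)


def lint_rule(rule):
    """Findings for one inbound rule; an empty list means nothing to fix."""
    name = rule.get("name", "<unnamed>")
    out = []
    if rule.get("src") != "wan":
        out.append(f"{name}: src is {rule.get('src')!r}; an inbound rule should name 'wan' explicitly")
    if "src_port" in rule:
        out.append(f"{name}: src_port {rule['src_port']!r} rejects nearly every client "
                   f"(clients originate from random ports); remove it")
    for spec in rule.get("dest_ip", []):
        ip, _, plen = spec.partition("/")
        host = ipaddress.ip_address(ip)
        if (host.version == 6 and not plen.startswith("-") and not host.is_link_local
                and host not in ipaddress.IPv6Network("fc00::/7")):
            low = ipaddress.IPv6Address(int(host) & ((1 << 64) - 1))  # host part only
            out.append(f"{name}: dest_ip {spec!r} hard-codes the delegated prefix; "
                       f"'{low}/-64' keeps matching after a prefix change")
    return out


def lint_config(text):
    return {r.get("name", "<unnamed>"): lint_rule(r) for r in parse_rules(text)}


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Run it against your own file with `lint_config(open("/etc/config/firewall").read())`; the prefix finding is advisory (a static prefix is fine as written), the src_port and src findings are the ones that block inbound traffic.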

OK, thanks! However, it doesn't seem to help. I will try again. Let's focus on just one specific machine and rule. I have only this:

config rule
	option name 'testing-ipv6'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '[my-ipv6-prefix]::16d/128'

so no src_port, nor dest_port, and I scoped the address with /128.

Now I run this on a server:

python -m http.server -b [my-ipv6-prefix]::16d
Serving HTTP on [my-ipv6-prefix]::16d port 8000 (http://[[my-ipv6-prefix]::16d]:8000/) ...

and I can access it from my LAN just fine, i.e. I get listed files on http://[[my-ipv6-prefix]::16d]:8000/

However, when I am outside LAN, I get ERR_ADDRESS_UNREACHABLE despite having that rule above. What am I doing wrong?

And thanks for the tip about the hints, I should have a static prefix, so hopefully fine.

Not sure why it is not working for you, but this is how I can connect to my WG server on IPv6:

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::6/-64'

I use the negative netmask as I have a dynamic prefix, although it stays the same as long as I do not reboot the router.

Yeah, that's not working, but thanks :frowning_face:. Does anyone have any idea what might be going on, or how I could debug it?

I found out that I can ping my router from outside:

[I] admin@robert ~ [2]> ping6  [my-prefix]::1
PING [my-prefix]::1 ( [my-prefix]::1) 56 data bytes
64 bytes from  [my-prefix]::1: icmp_seq=1 ttl=64 time=0.109 ms

If this latest test were really pinging from outside, the latency time would be more than 0.1 ms.

It is possible that the ISP is blocking incoming connections. Test this by running tcpdump on wan to match a particular address which is inside your prefix, then ping and/or port scan that address from outside. The ping will not be answered of course, but you should see the incoming packet in the capture.

Also you should be able to ping any host (which is configured to answer pings) on the LAN from outside using the default firewall.
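The two sanity checks this reply describes, as an added example that is not part of the thread: first, deciding from ping6 output whether a test "from outside" ever left the test host (a reply in ~0.1 ms with ttl=64 did not), and second, reading a `tcpdump -ni pppoe-wan 'ip6 and dst host <addr>'` capture taken on the router to see whether the ISP delivers packets for the delegated prefix at all. The ping and tcpdump lines below are constructed, with the documentation prefix 2001:db8::/32 in place of real addresses; `pppoe-wan` is the interface name OpenWrt gives a PPPoE WAN.

```python
"""Evidence checks for an "IPv6 inbound does not work" investigation.

Added example, not code from the thread. Sample outputs are constructed.

looks_local(): every reply sub-millisecond means the answering stack was on
the test machine itself or its LAN (a local route or container network that
owns the prefix), so the test proves nothing about the ISP or the router.

inbound_seen(): packets to the target seen on the WAN interface mean the ISP
routes the prefix and any remaining problem is the firewall; none seen while
a remote host is pinging or scanning means the ISP, or the "outside" test
host, is the problem, whatever the rules say.
"""
import ipaddress
import re

PING_LOCAL = """PING 2001:db8:1::1 (2001:db8:1::1) 56 data bytes
64 bytes from 2001:db8:1::1: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 2001:db8:1::1: icmp_seq=2 ttl=64 time=0.098 ms
"""

PING_REMOTE = """PING 2001:db8:1::1 (2001:db8:1::1) 56 data bytes
64 bytes from 2001:db8:1::1: icmp_seq=1 ttl=49 time=213 ms
64 bytes from 2001:db8:1::1: icmp_seq=2 ttl=49 time=138 ms
"""

# Constructed output of: tcpdump -ni pppoe-wan ip6
WAN_CAPTURE = """12:00:01.000100 IP6 2001:db8:99::7 > 2001:db8:1::16d: ICMP6, echo request, id 9, seq 1, length 64
12:00:01.000500 IP6 2001:db8:1::16d > 2001:db8:99::7: ICMP6, echo reply, id 9, seq 1, length 64
12:00:02.000100 IP6 2001:db8:99::7.40112 > 2001:db8:1::16d.8000: Flags [S], seq 1, win 64240, length 0
12:00:02.000300 IP6 2001:db8:99::7 > 2001:db8:1::3e5: ICMP6, echo request, id 10, seq 1, length 64
"""

_PING = re.compile(r"from (\S+): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
_DUMP = re.compile(r"IP6 (\S+) > (\S+): (.+)")


def parse_ping(output):
    """One dict per reply line of ping6 output."""
    return [{"from": m[1], "seq": int(m[2]), "ttl": int(m[3]), "ms": float(m[4])}
            for m in map(_PING.search, output.splitlines()) if m]


def looks_local(output, max_ms=1.0):
    """True when every reply came back in under max_ms: that round trip is
    impossible across an ISP path. A ttl of 64 (a common initial hop limit,
    not decremented by any router) points the same way."""
    replies = parse_ping(output)
    return bool(replies) and all(r["ms"] < max_ms for r in replies)


def _strip_port(endpoint):
    """tcpdump prints TCP/UDP endpoints as addr.port; ICMPv6 has no port."""
    host, dot, port = endpoint.rpartition(".")
    return host if dot and port.isdigit() else endpoint


def inbound_seen(capture, target):
    """(source address, short summary) for each packet addressed to target."""
    target = ipaddress.IPv6Address(target)
    hits = []
    for line in capture.splitlines():
        m = _DUMP.search(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        if ipaddress.IPv6Address(_strip_port(dst)) == target:
            hits.append((_strip_port(src), ", ".join(rest.split(", ")[:2])))
    return hits


if __name__ == "__main__":
    print("local-only ping:", looks_local(PING_LOCAL), "| remote ping:", looks_local(PING_REMOTE))
    print("packets to ::16d on wan:", inbound_seen(WAN_CAPTURE, "2001:db8:1::16d"))
```

In practice, run the capture on the router, the ping or port scan from a host that is genuinely on another network, and only then look at firewall rules: a capture with the inbound echo request but no echo reply narrows the problem to the router or the LAN host, while an empty capture rules the router out.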

Oh shoot, it was all because of my "testing environment" :man_facepalming:

The cause was that I had used that prefix on a Docker network in the past. Ignore it please. After deleting that network, I was able to ping my router:

[I] admin@robert ~> traceroute6 [my-ipv6-prefix]::1
traceroute to [my-ipv6-prefix]::1 ([my-ipv6-prefix]::1), 30 hops max, 80 byte packets
 1  2605:a140::b (2605:a140::b)  101.485 ms  52.682 ms  36.461 ms
 2  fd06:3595:a0f:50::a (fd06:3595:a0f:50::a)  36.194 ms  0.651 ms  0.476 ms
 3  2001:550:2:1c::45:1 (2001:550:2:1c::45:1)  10.970 ms  1.775 ms  1.592 ms
 4  be2635.rcr21.stl03.atlas.cogentco.com (2001:550:0:1000::9a18:4d89)  1.466 ms  1.355 ms  1.241 ms
 5  * be2349.ccr41.ord01.atlas.cogentco.com (2001:550:0:1000::9a36:50b5)  25.125 ms *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  centronet.demarc.cogentco.com (2001:978:2:4::1c:2)  122.069 ms  122.163 ms 2001:978:2:4::21:2 (2001:978:2:4::21:2)  122.091 ms
14  2a01:6400:1:4::447 (2a01:6400:1:4::447)  135.644 ms  135.363 ms  135.482 ms
15  prg-cecolo-dsl-nni.wia.cz (2a01:6400:11:ffff::1)  156.276 ms  156.048 ms  155.928 ms
16  * * *
17  [my-ipv6-prefix]::1 ([my-ipv6-prefix]::1)  155.437 ms  155.150 ms  155.020 ms
[I] admin@robert ~> ping6 [my-ipv6-prefix]::1
PING [my-ipv6-prefix]::1 ([my-ipv6-prefix]::1) 56 data bytes
64 bytes from [my-ipv6-prefix]::1: icmp_seq=1 ttl=49 time=213 ms
64 bytes from [my-ipv6-prefix]::1: icmp_seq=2 ttl=49 time=138 ms

and also access the site. Thanks a lot!
