CGNAT ISP and self hosting question

From a previous discussion here, I found out that my ISP uses CGNAT and hence my router doesn't get a public IPv4 address.

But recently I deployed OpenWrt on a Raspberry Pi to use as my router and found that on the wan interface I now see an IPv6 address.

I have masked it in the screenshot below.

I read on the internet that with this IPv6 address my problem ("self hosting cannot be done behind a CGNAT ISP") can be solved, but I don't understand how.

Could someone here educate me on this, please? For the sake of discussion, let's say I have another RPi in this network and want to host a website on it and expose it to the internet.

The short of it is that what is on the other end also needs to have an IPv6 address, or an IPv4-to-IPv6 translation service on the other end?

The other part is you're probably going to be doing proper routing /firewalling rather than NAT and port forwarding or using reverse proxies?

I haven't hosted IPv6-only stuff behind OpenWrt so I won't be able to help you there. But I do host a number of IPv6-only services which I then get IPv4 for via Cloudflare.

Regarding if you're doing DNS, it's effectively just AAAA records instead of A records?

Of note regarding IPv6: depending on your carrier and other things you can still end up with inbound IPv6 services blocked by carrier weirdness.... For example, with one of my 4G carriers I had a 4G modem in bridge mode and public IPv6, whilst another carrier-provided modem I put in no-firewall, no-NAT mode but I couldn't host any services =( (reminds me of ages ago having to go into my (wired) ISP settings and enable inbound ports, otherwise the carrier firewall took care of it)

How can I test this?
Can I take the IPv6 address found on the wan interface and try to access it from a browser on another network (iPhone with mobile data)? Will it land on the OpenWrt router page?

I think that would be right, yeah. Just try to host something on your external IPv6 address. I'd do SSH (maybe not on port 22.....) or WireGuard first rather than http(s) on your WAN port listening on IPv6.

If you can get your phone on IPv6 (i.e. an independent IPv6 address not internal to your network) to talk to your home internet, then you've confirmed inbound IPv6 through to the ports you want. Then you can go with DNS or whatever.

On my iPhone, when I search "what is my address" in Google and open the first link, it shows the below:


Does that mean it got an IPv6 address?

Also, how do I enable remote administration of the OpenWrt router page?
Do I have to go to Network->Firewall->Port Forward and add a rule as below?

I'd suggest almost anything instead of exposing your router's http(s) server directly to the internet. Maybe for a short duration for testing you'll be fine....

That looks fine, but I think the main thing is making sure it's TCP and IPv6, and the internal IP address probably needs to be the IPv6 internal IP address?

I haven't done IPv6 port forwards on OpenWrt.... But it looks very similar to when I've done an IPv4 port forward.

I think you should start with an SSH client on your phone and port forward something like 22222 to port 22. (Plus probably set up SSH private key auth.)

And yeah, that phone looks like it has IPv6. So the next thing is that browsers usually want square brackets when typing an IPv6 address, like [aaaa:bbbb:cccc::1]

It's just for a short period of time only.
I am having a hard time figuring out what exactly my IPv6 address is,


In the above, which one is it? The one that starts with 2406?
In that case, I access it on the iPhone browser as http://[2406:xxxx:xx:xxxx::1]

What starts with 2406 is a public unicast address, yes.

If it's in 2000::/3 I'm pretty sure it's the public unicast?

FYI, the fe80 one is link-local and fdb2 is a ULA.

Specifically, fc00::/7 is the ULA range.

https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml

But there's a bunch of other reserved ranges.

In this example you may need an alias to get wan_6 into the wan firewall group?

And then I guess you would be forwarding to your internal lan IPv6 address.

What I'd do eventually is create another firewall group on another network interface and try to get the routing/firewall correct rather than doing an IPv6 port forward.

Anyway. I have to go for today. I hope someone else can help take over and this is sufficient for the moment.

Hooray!!
On my iPhone, which is on a 5G network, I was able to access my OpenWrt router page as http://[2406:XXXX:XX:XXXX:XXXX:XXXX:XXXX:XXXX]

I guess I need to read more about IPv6.

So your router's IPv6 address is the one listed under the wan_6 section as IPv6.
The second line gives the prefix assigned to your router by the ISP; the router will give smaller prefixes out of this to all devices asking for an IPv6 address (in your case you only got a /64, which will cause issues with delegating prefixes further down, but that is not your most pressing issue).

Side note: your internal hosts will self-assign IPv6 addresses out of the /64 and likely rotate these quickly (google "ipv6 privacy extensions"), so if you want to reach an internal host via IPv6 from the wan side you need to assign a static (enough) interface identifier to that host... and then add a firewall route to allow wan access to that IP (with potential port restrictions as well if you want). With changing IPv6 prefixes that can be a bit tricky, but OpenWrt allows you to mask out the prefix in firewall rules, so a static interface identifier should suffice, assuming your remote devices can learn the prefix some other way.

That IPv6 address is a public wan-side address and IIRC OpenWrt defaults to not serving its web GUI to the wan side, so simply trying to access this via a browser on your cell phone will not work. But I bet the router is willing to respond to ICMP echo requests, so maybe try an IPv6 ping or traceroute from your mobile (for Android, Hurricane Electric offers a network tool app that provides ping/traceroute via IPv4 and IPv6). That should allow you to quickly check whether routing works. Since that is the first necessary step, why not confirm that first?

In the screenshot below,

the lan interface got two IPv6 addresses. Why is that?
Within my lan I can ping 2406:XXXX:XX:XXXX::1 and get replies; also within my lan I am able to access the OpenWrt router page as http://[2406:XXXX:XX:XXXX::1]
The second IPv6 address, fdb2:XXXX:XXXX::1, I am also able to ping and access the router page as http://[fdb2:XXXX:XXXX::1]

Then on the wan interface I got another IPv6 address, fe80::xxxx:xxxx:xxxx:xxxx.
Within the lan, pinging it fails and the router page is not accessible via browser.

Then in wan_6 I got IPv6 as 2406:XXXX:XX:XXXX::1 and IPv6-PD as 2406:XXXX:XX:XXXX:: (this is what I believe you explained to me; is it like a subnet?). This is also pingable from the LAN and the router page is accessible.

Then outside my home network, I can reach the router page as http://[2406:XXXX:XX:XXXX:dd6d:cf53:c17b:4bf4]. If you see, the first part is the same as my lan and wan address; I don't know what that second part is.

Is there a concept of private IP and public IP in IPv6?

The one starting with 2 is a GUA or global unique address IIRC that can and should be used for accessing to/from the internet; the second, starting with fdb2, is a ULA, a unique link-local address that can be used to access that interface from within your own network. The GUA will change whenever you get a new prefix from your ISP (mine forces a prefix change every 24 hours), so using the ULAs you can access devices even if you do not know the GUA or if there is no GUA at all.

From within your LAN that is the expected/architected behaviour, so this is a good sign.

Another link-local address that is not intended/guaranteed to be globally reachable; your router uses this to request GUA/prefixes from the upstream router, so this needs to be unique on the local link...

As it should; this again is expected behaviour (this is a wan-side address and the OpenWrt GUI by default will not be served on the wan side for security reasons).

Again, as intended. So far, so good.

That is somewhat unexpected, did you change the defaults somehow?

Have a look at https://en.wikipedia.org/wiki/IPv6_address that might answer your questions better than I could while still being more concise than IETF RFCs.

Sort of: the ULA (fdb2:*) addresses are not supposed to be routed outside of your wan, while the GUAs are in fact expected to be routed.
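As an added example (not from this thread), here is a small Python script that sorts addresses the way this reply describes (GUA in 2000::/3, ULA in fc00::/7, link-local in fe80::/10) and splits a 128-bit address into the ISP-assigned /64 prefix and the 64-bit interface identifier, which is the "second part" asked about above. The sample addresses are constructed: the 2001:db8::/32 documentation prefix stands in for the masked 2406 addresses, and the fdb2 and fe80 values are made up to match the shapes in the screenshots.

```python
import ipaddress

# Ranges referred to in the thread (see the IANA IPv6 address space registry):
#   2000::/3   global unicast (GUA): routable on the public internet
#   fc00::/7   unique local (ULA): for use inside your own network only
#   fe80::/10  link-local: valid only on the directly attached link
RANGES = [
    ("GUA", ipaddress.IPv6Network("2000::/3")),
    ("ULA", ipaddress.IPv6Network("fc00::/7")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
]

# Constructed samples modelled on the interfaces in the thread (not real addresses).
SAMPLES = {
    "lan IPv6 (GUA)": "2001:db8:1:abcd::1",
    "lan IPv6 (ULA)": "fdb2:1234:5678::1",
    "wan IPv6 (link-local)": "fe80::1234:5678:9abc:def0",
    "address reached from the phone": "2001:db8:1:abcd:dd6d:cf53:c17b:4bf4",
}


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address using the three ranges above."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in RANGES:
        if ip in net:
            return name
    return "other"


def reachable_from_internet(addr: str) -> bool:
    """Only GUAs are expected to be routed beyond your own network."""
    return classify(addr) == "GUA"


def split_prefix_iid(addr: str) -> tuple[str, str]:
    """Split an address into its /64 prefix (from the ISP, may change) and
    its 64-bit interface identifier (identifies the host within the prefix)."""
    ip = int(ipaddress.IPv6Address(addr))
    prefix = ipaddress.IPv6Address((ip >> 64) << 64)
    iid = ipaddress.IPv6Address(ip & ((1 << 64) - 1))
    return f"{prefix}/64", str(iid)


def report() -> list[str]:
    """One line per sample: scope, internet reachability, prefix and IID."""
    lines = []
    for label, addr in SAMPLES.items():
        prefix, iid = split_prefix_iid(addr)
        lines.append(
            f"{label:32} {addr:40} {classify(addr):10} "
            f"internet={'yes' if reachable_from_internet(addr) else 'no':3} "
            f"prefix={prefix} iid={iid}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it shows that the two 2001:db8 addresses share the same /64 prefix and differ only in the interface identifier, which is why the phone-reachable address and the lan GUA look alike in their first four groups.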

lan is my IP, right? Like 192.168.1.1, which I control.
So why would that ever change?

Yes, I had set up a port forward as below to test if I can reach my home network using the IPv6 public IP.

I am able to access my router page with wan_6's IPv6-PD address as well: IPv6-PD:dd6d:cf53:c17b:4bf4
Should I ideally be using the IPv6-PD address to access my home from outside?

In IPv4 we ran out of addresses long ago, so we resorted to NAPT/masquerading: essentially a home network has a set of internal IP addresses and typically a single external address, and the router needs to translate between these, which is a shipload of work, especially since we not only need to exchange IP addresses but also TCP/UDP port numbers, and that means we have to recalculate packet checksums as well. With IPv6 we have IP addresses aplenty, so no need to do this NAPT at all, but we now have the issue that occasionally the IPv6 prefix changes and that change needs to be propagated to all devices using GUAs with the old prefix...
But in case you really, really want, you can still use NAPT with IPv6: say, only assign ULAs in your LAN and then have the router use NAT66 to convert these to GUAs. This is even better than IPv4 NAT as you only need to change IPv6 addresses in the IPv6 header (which has no checksums covering the IP addresses); no need to touch the L4 port and hence no need to recalculate the L4 checksums.

Good, then this is also as expected; just keep in mind that it is not best security practice to expose the GUI to the internet, as that increases your attack surface.

For the router that is really your choice; internal hosts will only have GUAs starting with the prefix...

One thing to remember is that with IPv6 it is normal and expected to have multiple IPv6 addresses even on the same interface... the address space is so ridiculously large that we do not need to be frugal with addresses...

Yes, I have already removed the port forwarding; it was just for testing.

Now that I have tested that I can reach my home network via the IPv6 wan address, will the below plan work?

  • In dynv6 (which supports IPv6 mapping) I create an account and create a domain name.
    • Install the necessary packages for the dynamic DNS service in the OpenWrt router.
    • Configure the dynamic DNS service in OpenWrt to fetch the IPv6 address from the wan_6 interface and update the domain name in dynv6, so that my domain name in dynv6 is always mapped to the latest wan address of my network.
  • I will have a Raspberry Pi in my LAN
    • which I assume will get an IPv6 address via DHCP (I saw other devices in my LAN got IPv6 addresses).
    • Do a reservation in my DHCP config based on the MAC address of the Raspberry Pi, so that the IPv6 address of the Raspberry Pi stays the same. (I don't know how to do this in OpenWrt, but I hope it's simple.)
    • Install Apache and host a website via port 443 on the Raspberry Pi.
  • Add a port forward rule in Network->Firewall->Port Forwards as
    • Protocol - TCP
    • Source zone - wan
    • External Port - 443
    • Destination zone - lan
    • Internal IP address - Raspberry Pi's IPv6
    • Internal port - 443
  • Now if I access the dynv6 domain name from an external network, it should open my website, right?

Remove ula_prefix as there is no need for ULAs in this use case and it is just adding confusion.

Set ip6assign on lan to 64 and see if your /64 GUA PD gets assigned to lan. The ISP will route any IPv6 destined to inside that /64 (first 64 bits match, with any last 64 bits) to your wan connection, and then your router can (firewall permitting) forward it further to a specific device on the LAN. Each device on the LAN will have the same first 64 bits but different last 64 bits.

The device on the LAN which offers an external service (not the router) should run a DDNS client and register its full 128 bit GUA into the public DNS system. Then the clients on the v6 Internet can reach the server directly by name. The router's IP address is not involved here since anything inside the PD goes directly without any addressing changes. The DNS record should not contain a v4 address in order to force the use of v6.

The firewall needs a rule to allow forwarding from wan to lan, at least for that IP, and possibly only for certain port(s). The /-64 syntax can be used to make the prefix bits "don't care" in case the ISP changes your prefix.

You can try wan reqprefix settings of 60, 56, or 48 to see if the ISP may give you a larger PD prefix. A /64 can only be used for one LAN. Ideally you should put servers into a DMZ LAN which is separate from your trusted LAN.

Is this a configuration I make in the OpenWrt router? If you could list out the steps for me, please.

This can be done by the router, right? I saw a dynamic DNS service in LuCI.

This also I did not understand; if you could list out the steps for me, please.

If you could also review my previous post CGNAT ISP and self hosting question - #16 by simtcrom and tell if my overall plan is good.

Here is the catch: in IPv6 your network really does not have a single address anymore, so all devices you want to reach from the outside need an individual dynamic DNS entry. If you just want to reach the router, the router's address will suffice; if you want an internal host, you need to assign a static interface identifier to that host and add a firewall rule.

Potentially, or more likely it will self-assign IPv6 addresses, but that depends on the details.

Maybe; alternatively you can configure a static IID on that Raspberry Pi, so you have a static interface identifier, and then use dynamic prefix forwarding:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding

Well, you should make sure the GUA of the Raspberry Pi "server" ends up in dynamic DNS...
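As an added example (not from this thread, and not OpenWrt's own code), the Python below ties together the two points made above: a static interface identifier on the Pi, and a firewall rule written with the "/-64" syntax so that only the host part is matched and the rule survives an ISP prefix change. It derives the "::IID/-64" value from the Pi's current address, renders a `config rule` stanza modelled on the dynamic-prefix-forwarding example on the linked wiki page, and emulates the match to show the same rule still hits the Pi after renumbering. The zone names, the rule name, and all addresses (2001:db8::/32 documentation prefix) are assumptions or constructed values; check the rendered stanza against the wiki page before pasting it into /etc/config/firewall.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier


def interface_identifier(addr: str) -> int:
    """Return the 64-bit host part of an IPv6 address as an integer."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def dest_ip_for_rule(host_addr: str) -> str:
    """Build the '::IID/-64' form: a negative prefix length tells the OpenWrt
    firewall to ignore the first 64 bits (the ISP prefix) when matching."""
    return f"{ipaddress.IPv6Address(interface_identifier(host_addr))}/-64"


def forward_rule(name: str, host_addr: str, dest_port: int, proto: str = "tcp") -> str:
    """Render a wan->lan ACCEPT rule for one host and port (UCI stanza text).
    Zone names 'wan' and 'lan' are the OpenWrt defaults and assumed here."""
    return "\n".join([
        "config rule",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        "\toption dest 'lan'",
        f"\toption proto '{proto}'",
        f"\toption dest_port '{dest_port}'",
        f"\toption dest_ip '{dest_ip_for_rule(host_addr)}'",
        "\toption family 'ipv6'",
        "\toption target 'ACCEPT'",
    ])


def address_after_renumber(host_addr: str, new_prefix: str) -> str:
    """With a static IID, the host's address after a prefix change is simply
    new prefix + old IID. The thread's ISP hands out a /64, so we require that."""
    net = ipaddress.IPv6Network(new_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 delegated prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_identifier(host_addr)))


def rule_matches(dest_ip: str, packet_dst: str) -> bool:
    """Emulate the '/-64' match: compare only the interface identifier bits."""
    wanted, plen = dest_ip.rsplit("/", 1)
    if int(plen) != -64:
        raise ValueError("only the /-64 form is handled here")
    return interface_identifier(wanted) == interface_identifier(packet_dst)


if __name__ == "__main__":
    # Constructed: the Pi's address under today's prefix and tomorrow's new prefix.
    pi_today = "2001:db8:1:abcd:1234:5678:9abc:def0"
    new_prefix = "2001:db8:2:ef01::/64"
    rule = forward_rule("Allow-HTTPS-Pi", pi_today, 443)
    print(rule)
    pi_tomorrow = address_after_renumber(pi_today, new_prefix)
    print("after renumber:", pi_tomorrow)
    print("rule still matches:", rule_matches(dest_ip_for_rule(pi_today), pi_tomorrow))
```

The same IID-only match is why the DDNS entry still has to carry the full 128-bit address: the firewall can ignore the prefix, but a client on the internet cannot.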

So the DDNS client I should be running on the Raspberry Pi where I am planning to host the website. Is that a correct statement?

I hope the DDNS client running on the Raspberry Pi will do that.