I've recently found out that several high-risk ports like TCP 445, TCP 3389 and others are directly available over the WAN with v6 according to https://ipv6.chappell-family.com/ipv6tcptest/; these should only be available on the LAN. I thought that the default firewall/IPv6 rules would block these requests, but this doesn't appear to be happening, so I've potentially got a misconfiguration or need to adapt my existing firewall. My IPv6 is through a HE.net tunnel; I've configured it as an interface (henet) and assigned it to the wan zone. I have seen other examples set up the HE tunnel on the wan6 interface instead, but I didn't think it would matter. IPv6 all works fine, but realising that several ports are open when they shouldn't be makes me think the config isn't correct.
This is my firewall currently:
config defaults
    option syn_flood '1'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan henet'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'

config rule
    option name 'Block guest Wi-Fi cable modem access'
    option src 'guest'
    option dest 'wan'
    option dest_ip '192.168.100.1'
    option family 'ipv4'
    option proto 'all'
    option target 'REJECT'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option src 'guest'
    option name 'Allow guest Wi-Fi DNS'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option src 'guest'
    option name 'Allow guest Wi-Fi DHCP'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option name 'Allow guest Wi-Fi DHCPv6'
    option family 'ipv6'
    option src 'guest'
    option src_port '546'
    option dest_port '547'

config rule
    option target 'ACCEPT'
    option name 'Allow guest Wi-Fi SLAAC'
    option family 'ipv6'
    option src 'guest'
    option proto 'icmp'
    list icmp_type 'router-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'neighbour-advertisement'
    list icmp_type '141'
    list icmp_type '142'
    list icmp_type '148'
    list icmp_type '149'

config rule
    option target 'ACCEPT'
    option name 'Allow guest Wi-Fi ping'
    option family 'ipv6'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option src 'guest'

config rule
    option name 'Allow guest Wi-Fi MLD'
    option src 'guest'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    list icmp_type '151/0'
    list icmp_type '152/0'
    list icmp_type '153/0'
    option family 'ipv6'
    option target 'ACCEPT'

config forwarding
    option dest 'lan'
    option src 'wan'

config forwarding
    option dest 'wan'
    option src 'guest'
That's a very good question! I just had a look at the config again just before you posted, mainly to reorder the statements so it was a bit more logical with zones and accompanying forwarding rules, and noticed that. That's definitely not default; I can only imagine it's either a typo (I may have inverted the src and dest values) or some really bad debugging?! Very sloppy from me there.
No surprise, removing that now doesn't show the ports as open; they now show as RFSD, a refused indication (TCP RST/ACK or ICMPv6 type 1 code 4).
Massive config error there, thanks for spotting it!
I've gone back through and understood why that forward zone was there. It's because I've got a couple of services over v6 which are externally accessible. That needs to be there so the traffic can flow properly. However, it seems to expose all ports that have services listening which isn't great.
I thought there would be a default reject rule for v6, and only when you make a specific forward rule to a client in the LAN would the port then be open; however, it appears all v6 clients behind the router are showing as open.
I've just tried implementing a reject/drop rule in fw3 followed by allowing specific ports, but now I can't seem to get any of the ports to be open after implementing the drop rule!
Thanks for confirming that @jow, I did wonder what the ordering was. I've got 2 allow rules before my added drop rule for any IPv6 TCP/UDP:
config rule
    option src_port '32400'
    option proto 'tcp'
    option dest 'lan'
    option target 'ACCEPT'
    option dest_port '32400'
    list dest_ip '2001:470:xxxx::xx'
    option family 'ipv6'
    option name 'Allow-Plex'
    option src 'wan6'

config rule
    option src_port '80 443'
    option proto 'tcp'
    option dest 'lan'
    option target 'ACCEPT'
    option dest_port '80 443'
    option family 'ipv6'
    list dest_ip '2001:470:xxxx::xx'
    option name 'Allow-Web-External'
    option src 'wan6'

config rule
    option name 'Drop-Default-IPv6-TCP-UDP'
    option family 'ipv6'
    option dest 'lan'
    option target 'DROP'
    option src 'wan6'
However, the allow rules don't seem to be working. I switched my IPv6 interface to wan6, based on the OpenWrt docs. IPv6 config is fine across LAN and 10/10 on test-ipv6.com.
It seems I need to have Inter-Zone Forwarding enabled so the traffic can flow, but now I can't seem to stop all ports being exposed over v6, with the exception of my allow rules, when adding that DROP rule.
Edit: Ah got it, specifying the source port isn't needed, only destination port. Source port wouldn't necessarily be the same as the destination anyway, so that was just a bad config!
Remove option src_port from your rules, then it should work.
If you have a dynamic prefix you can also use:
(Assuming the host has an interface identifier of ::10:0:0:1)
option extra '-d 2001:470::10:0:0:1/FFFF:FFFF::FFFF:FFFF:FFFF:FFFF'
instead of
list/option dest_ip
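The mask form shm0 suggests works because ip6tables compares (packet & mask) against (address & mask), so the bits that the mask leaves zero, here the routed-prefix bits between the first 32 bits and the 64-bit interface identifier, are ignored. The following is an added example, not code from the thread or from fw3/OpenWrt, that reproduces that comparison in Python so you can check which addresses a given `-d ADDR/MASK` spec will match before putting it in `option extra`. The `ipaddress` module in the standard library refuses non-contiguous masks, which is why the comparison is done on raw 128-bit integers. The sample addresses and the `suffix_spec`/`stdlib_rejects` helpers are assumptions for illustration, not anything from the page.

```python
import ipaddress

# ip6tables "-d ADDR/MASK" semantics, where MASK may itself be written as an
# address: the packet matches when (packet & MASK) == (ADDR & MASK).
# shm0's mask FFFF:FFFF::FFFF:FFFF:FFFF:FFFF pins the first 32 bits and the
# 64-bit interface identifier and wildcards the 32 bits in between.
SUFFIX_MASK = "FFFF:FFFF::FFFF:FFFF:FFFF:FFFF"
ALL_ONES = (1 << 128) - 1


def parse_addr_mask(spec):
    """Split 'addr/mask' into (addr, mask) as 128-bit ints. The mask may be a
    prefix length ('/64'), a full address, or absent (exact host match)."""
    addr_s, _, mask_s = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if not mask_s:
        mask = ALL_ONES
    elif mask_s.isdigit():
        mask = ALL_ONES ^ ((1 << (128 - int(mask_s))) - 1)
    else:
        mask = int(ipaddress.IPv6Address(mask_s))
    return addr, mask


def matches(packet_dst, spec):
    """True if ip6tables would match packet_dst against '-d spec'."""
    addr, mask = parse_addr_mask(spec)
    return (int(ipaddress.IPv6Address(packet_dst)) & mask) == (addr & mask)


def suffix_spec(host_addr):
    """Assumed helper: build the 'addr/MASK' spec for a host from its current
    address, so the rule keeps matching after the delegated prefix changes."""
    return f"{host_addr}/{SUFFIX_MASK}"


def stdlib_rejects(spec):
    """ipaddress only accepts contiguous masks, which is why the bitwise
    comparison above is done by hand rather than with IPv6Network."""
    try:
        ipaddress.IPv6Network(spec)
        return False
    except ValueError:
        return True
```

Note that the mask only helps if the part of the prefix that changes lies inside the wildcarded 32 bits; if your tunnel's /48 or /64 bits fall elsewhere, adjust the mask accordingly, and remember that an exact `dest_ip` is the stricter match whenever the prefix is static.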
Thanks @shm0. I saw my mistake after realising I didn't need src_port, because I copied and pasted the redirect rule as a template, as I have matching port forwards for IPv4.
I'm interested to know, though: because I need to enable inter-zone forwarding for IPv6 to flow across the LAN properly in order for it to work, that basically exposes all IPv6 ports externally from hosts to the WAN6 side without additional handling. I would have thought there would be a default IPv6 forward rule applied that prevents this? Now that I'm applying this rule:
config rule
    option name 'Drop-Default-IPv6-TCP-UDP'
    option family 'ipv6'
    option dest 'lan'
    option target 'DROP'
    option src 'wan6'
This has been prevented and the responses are now STLH rather than RFSD, but the fact that there isn't any protection on this by default concerns me. Unless I've misunderstood somewhere?
It might be me not understanding this fully, but in order for my IPv6 setup to work on wan6, I thought I needed to do:
config zone
    option name 'wan6'
    option network 'wan6'
    option family 'ipv6'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option dest 'lan'
    option src 'wan6'

config forwarding
    option dest 'wan6'
    option src 'lan'
Originally, I had a henet interface which was attached to the WAN zone, but looking at the docs, the better approach was wan6, so I have updated the config to that setup instead.
It was my understanding that the two forwarding rules are essentially the inter-zone forwarding to allow traffic to flow properly. In order to prevent all IPv6 ports being exposed by default, it seems this forward rule is not needed and instead you should replace it with the allow rules, which I've now got working?
config forwarding
    option dest 'lan'
    option src 'wan6'
So if I can remove the forwarding rule and instead configure more selective firewall rules, that seems to be the better option, although with the DROP rule implemented this should also prevent the issue I guess, but I was just trying to clarify.
It's just about the WAN6 traffic generally, nothing with guest interface or anything. These would only apply to WAN6 to LAN.
This allows all traffic to be forwarded between the zones.
But then you have to create firewall rules to block all unwanted traffic. (As you did)
I think it's better to remove the forwarding rules and create a proper firewall ruleset.
So when the forwarding from wan(6) -> lan is removed, you only need these rules:
config rule
    option name 'Allow-Plex'
    option family 'ipv6'
    option proto 'tcp'
    option src 'wan6'
    option dest 'lan'
    option dest_ip '2001:470:xxxx::xx'
    option dest_port '32400'
    option target 'ACCEPT'

config rule
    option name 'Allow-Web-External'
    option family 'ipv6'
    option proto 'tcp'
    option src 'wan6'
    option dest 'lan'
    option dest_ip '2001:470:xxxx::xx'
    option dest_port '80 443'
    option target 'ACCEPT'
And you can do the same between lan zone <-> guest zone
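To see why the `config forwarding` from wan6 to lan exposed every listening port, why the rules carrying `src_port` never matched an inbound connection, and why the DROP rule then blocked the allow rules' targets too, here is an added example, not the thread's or fw3's own code, in Python: it parses UCI firewall text and walks a new connection through the evaluation order @jow confirmed in the thread (rules in file order, then `config forwarding` for the zone pair, then the fallback policy). It is generic over zone pairs, so the same `verdict()` also covers shm0's lan to wan6 egress rules. Assumptions, not taken from the page: the `2001:db8:1::10` host address in the constructed fragments; that a rule with no `proto` matches `tcp udp` and one with no `target` drops (fw3's documented defaults for rule sections); that a zone's own `forward` policy only covers traffic that stays inside that zone while the `config defaults` forward policy decides traffic between zones; and that established/related traffic is accepted before any of these checks, so only NEW connections are modelled.

```python
import ipaddress
import shlex

# Constructed UCI fragments (not the thread's real config; the host address is
# a documentation-range placeholder). Concatenate them to rebuild the states
# the thread went through.
ZONES = """config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option forward 'ACCEPT'
config zone
    option name 'wan6'
    option forward 'REJECT'
"""
FORWARD_WAN6_LAN = """config forwarding
    option src 'wan6'
    option dest 'lan'
"""
RULE_PLEX_SRCPORT = """config rule
    option name 'Allow-Plex'
    option src 'wan6'
    option dest 'lan'
    option family 'ipv6'
    option proto 'tcp'
    option src_port '32400'
    option dest_port '32400'
    list dest_ip '2001:db8:1::10'
    option target 'ACCEPT'
"""
# The same rule with the src_port line removed, as the thread concluded.
RULE_PLEX_FIXED = RULE_PLEX_SRCPORT.replace("option src_port '32400'", "")
RULE_DROP_ALL = """config rule
    option name 'Drop-Default-IPv6-TCP-UDP'
    option src 'wan6'
    option dest 'lan'
    option family 'ipv6'
    option target 'DROP'
"""


def parse_uci(text):
    """UCI text -> list of dicts ('.type' plus options; 'list' keys become lists)."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == 'config':
            sections.append({'.type': tok[1]})
        elif tok[0] == 'option':
            sections[-1][tok[1]] = tok[2]
        elif tok[0] == 'list':
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections


def port_in(port, spec):
    """UCI port spec: space-separated ports and lo-hi ranges ('80 443', '67-68')."""
    for item in spec.split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, pkt):
    if rule.get('src') != pkt['src_zone'] or rule.get('dest') != pkt['dest_zone']:
        return False
    if rule.get('family', 'any') not in ('any', pkt['family']):
        return False
    protos = rule.get('proto', 'tcp udp').split()  # fw3 rule default: tcpudp (assumed)
    if 'all' not in protos and pkt['proto'] not in protos:
        return False
    if 'dest_port' in rule and not port_in(pkt['dport'], rule['dest_port']):
        return False
    # src_port is the CLIENT's port, which is ephemeral for a new inbound connection.
    if 'src_port' in rule and not port_in(pkt['sport'], rule['src_port']):
        return False
    wanted = [rule['dest_ip']] if isinstance(rule.get('dest_ip'), str) else rule.get('dest_ip', [])
    if wanted and ipaddress.ip_address(pkt['dst']) not in map(ipaddress.ip_address, wanted):
        return False
    return True


def verdict(sections, pkt):
    """Simplified fw3 forward path for a NEW connection: rules in file order,
    then 'config forwarding' for the zone pair, then the fallback policy.
    Returns (target, what decided it)."""
    zones = {s['name']: s for s in sections if s['.type'] == 'zone'}
    for s in sections:
        if s['.type'] == 'rule' and rule_matches(s, pkt):
            return s.get('target', 'DROP'), s.get('name', 'unnamed rule')
    for s in sections:
        if (s['.type'] == 'forwarding' and s.get('src') == pkt['src_zone']
                and s.get('dest') == pkt['dest_zone']):
            return 'ACCEPT', 'forwarding %s->%s' % (s['src'], s['dest'])
    # Assumed: a zone's own 'forward' policy only covers traffic staying inside
    # that zone; between zones the 'config defaults' forward policy applies.
    if pkt['src_zone'] == pkt['dest_zone']:
        policy = zones.get(pkt['src_zone'], {}).get('forward', 'DROP')
        return policy, 'zone %s forward policy' % pkt['src_zone']
    defaults = next((s for s in sections if s['.type'] == 'defaults'), {})
    return defaults.get('forward', 'DROP'), 'defaults forward policy'


def packet(dst, dport, sport=51234, proto='tcp', src_zone='wan6', dest_zone='lan'):
    # A new connection; the client's source port is ephemeral by default.
    return dict(family='ipv6', proto=proto, dst=dst, dport=dport, sport=sport,
                src_zone=src_zone, dest_zone=dest_zone)
```

Feeding `parse_uci(ZONES + RULE_PLEX_SRCPORT + FORWARD_WAN6_LAN)` to `verdict()` gives ACCEPT via the forwarding for port 32400 and for port 445 alike, which is the "every port open" state; adding `RULE_DROP_ALL` makes port 32400 hit the DROP rule because the src_port condition stops the allow rule from matching first; `ZONES + RULE_PLEX_FIXED` with no forwarding accepts only TCP 32400 to the listed host and lets everything else fall through to the `config defaults` REJECT. Note the DROP rule only covers TCP and UDP, so with the forwarding still present other protocols would still be forwarded.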
I saw that, but I think that comment was under the wrong forwarding rule. lan -> wan6 is OK; it's the other forwarding rule, wan6 -> lan, that's potentially dangerous. But that rule appeared above that comment, so while the disclaimer was there, it's bringing attention to the forwarding rule that's actually needed (otherwise you'll break IPv6 on the LAN) and not the one that's potentially edgy; it's essentially inverted by the looks of it.
I don't know, maybe something like this?
When the following forwarding is removed:
config forwarding
    option dest 'wan6'
    option src 'lan'
Then setup some rules like this:
To only allow web browsing:
config rule
    option name 'Allow-LAN-Forward-WAN-HTTP/S'
    option family 'ipv6'
    option proto 'tcp'
    option src 'lan'
    option dest 'wan6'
    option dest_port '80 443'
    option target 'ACCEPT'
Allow mail:
config rule
    option name 'Allow-LAN-Forward-WAN-SMTP/S'
    option family 'ipv6'
    option proto 'tcp'
    option src 'lan'
    option dest 'wan6'
    # Actually, allowing port 25 outgoing is a bad idea: it is often used for spamming and it is unencrypted
    option dest_port '25 465 587'
    option target 'ACCEPT'
config rule
    option name 'Allow-LAN-Forward-WAN-IMAP/S'
    option family 'ipv6'
    option proto 'tcp'
    option src 'lan'
    option dest 'wan6'
    # Maybe don't allow forwarding of 143 because of no encryption
    option dest_port '143 993'
    option target 'ACCEPT'

config rule
    option name 'Allow-LAN-Forward-WAN-POP3/S'
    option family 'ipv6'
    option proto 'tcp'
    option src 'lan'
    option dest 'wan6'
    # Maybe don't allow forwarding of 110 because of no encryption
    option dest_port '110 995'
    option target 'ACCEPT'