Does relaying IPv6 to LAN interfaces expose my internal hosts to the Internet?

My ISP's IPv6 support is nasty. They give my router 2 subnets:

  • A /64 subnet, let's say 2001:1:1:1::/64, for the wan6 interface, so that my OpenWrt router can connect to the IPv6 gateway on their side
  • And a /64 prefix delegation, let's say 2001:2:2:2::/64

To enable Internet IPv6 for all internal subnets, I have to use IPv6 relay. I set the wan6 as designated master, and relay the other interfaces through it. As a result, I observe that all internal nodes now have public IPv6 addresses in the subnet 2001:1:1:1::/64, which is the same as the wan6 interface itself. Does that mean all nodes are exposed to the Internet, bypassing the OpenWrt firewall?

Is it a better idea if I assign the 2001:2:2:2::/64 prefix to an internal subnet, let's say lan, then set this interface as designated master instead? Is it more secure? At least I do not see my nodes on the same subnet as the wan6 interface; they are on the same subnet as lan nodes instead. But then does that mean other subnets (e.g. cctv, guests) can freely access lan nodes because they are on the same subnet, bypassing my firewall rules again?

I really do not understand how this relaying thing works under the hood. I would really appreciate it if someone could explain in detail.

No, IPv6 relaying does not change your firewall configuration.
Transit traffic crossing firewall zones is still subject to the relevant forwardings and rules.
The rules allowing WAN to LAN forwarding are limited to ICMPv6, IPSec-ESP, ISAKMP.

You cannot use a public prefix which is not delegated to you as it won't be routed.

odhcpd relays ICMPv6 and DHCPv6 between master and slave interfaces.
This allows clients to configure their IPv6 address and routes.
Then it works as typical IPv6 routing via the LLA gateway.

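As an added illustration of the firewall point above (this is not code from the thread or from OpenWrt): a small parser for the UCI firewall file that lists which ACCEPT rules let the wan zone forward into lan, regardless of which prefix the relayed hosts carry. The excerpt is a constructed, abridged version of OpenWrt's default /etc/config/firewall.

```python
"""List what the wan zone may forward into lan from a UCI firewall config."""

# Constructed, abridged excerpt modelled on OpenWrt's default firewall file
SAMPLE_FIREWALL = """
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'destination-unreachable'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {key: value | [values]})] from UCI text."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            sections.append((line.split(None, 2)[1], {}))
        elif line.startswith(("option ", "list ")) and sections:
            kind, key, val = line.split(None, 2)
            val = val.strip("'\"")
            if kind == "list":  # list keys may repeat, so collect them
                sections[-1][1].setdefault(key, []).append(val)
            else:
                sections[-1][1][key] = val
    return sections

def wan_forward_accepts(text, dest="lan"):
    """Names of ACCEPT rules letting zone 'wan' forward into `dest` (or any zone)."""
    return [o["name"] for t, o in parse_uci(text)
            if t == "rule" and o.get("src") == "wan"
            and o.get("target") == "ACCEPT" and o.get("dest") in (dest, "*")]
```

Everything not matched by one of the listed rules falls back to the wan zone's `forward 'REJECT'` policy, which is why a relayed host with an address in the wan6 prefix is still not reachable from the Internet.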