Dynamic ipv6 /56 help with open ports and ddns

This is kind of a 2 part question. I'm using starlink which hands out an ipv6 /56 and a cgnat ipv4. I run a mincraft server, plex server, and a few apps on a PC that I want to access from the outside. I understand that dynvs 6 works with ipv6 but can this somehow run on openwrt and update the PC's ipv6 or should dynv6 be ran directly on the pc? The second part of the question is that since the starlink ipv6 is dynamic, how can I keep the ports I need open on ipv6 in my openwrt firewall rules open all the time without having to change them whenever the ipv6 prefix changes from my ISP?

1 Like

You can run on both, since the IPv6 of the PC will be different than the OpenWrt.

1 Like

I do the same thing but with my raspberry pi. You can disable privacy extension on your Windows 10 so that you get a static suffix and add that suffix to your firewall rules and use ddns updater client on your computer to update the ddns.

Thank you for this.

1 Like

This is where I was running into my issue following the above information. Thank you.

No problem, let me know if you need help setting it up.

So I have a static suffix on the machine but it seems the firewall rule still needs the ipv6 prefix in order for it to work. The ipv6 prefix is dynamic.

Add a permissive forwarding rule as mentioned above.
You don't need to specify the prefix itself, only its length.

1 Like

Yes I tried doing that. I made my pc a static of ::2 and did

uci set firewall.@rule[-1].dest_ip="::2/-64"

Should I be doing this instead since my wan has
IPv6-PD: 2605:59c1:xxxx::/56

uci set firewall.@rule[-1].dest_ip="::2/-56"

It should match the prefix length delegated to your LAN:

ifstatus wan6 | jsonfilter -e "@['ipv6-prefix']"
1 Like

This is what my rule is for ipv6 wireguard, you need ::2/::ffff:ffff:ffff:ffff
I also have the same IPv6 reserved.


My PC has a static of ::6a6 for some reason. I don't know why but adjusted everything to just use :6a6 and it's all working even though ::2 works locally. Oh well. If it works this way that's fine with me. Thank you guys.

Did you disabled random ipv6 address generation by disabling privacy extension?
Save this file as ipv6_temp_addr_disable.bat
with these contents

@echo on
REM netsh interface ipv6 set global randomizeidentifiers=disabled
REM netsh interface ipv6 set privacy state=disabled

netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent

and right click and run as administrator and restart your computer and then find out your external ipv6 using test-ipv6.com and add the last four octects to firewall rules as ::6a6:3a4c:c4b2:3a3b/::ffff:ffff:ffff:ffff and you are good to go. Your prefix can change all day long but your suffix will stay fixed and use a ddns client to update your domain.

I don't know if I would really do that. I would keep Privacy Extensions on. The stable privacy address will still be the same and still be valid. Question is if the DDNS updater client supports specifying and outgoing address.