I've recently enabled ipv6 on my home network and everything is working well.
My ISP assigns a /48 address and my router is automatically assigning /64 addresses to my vlans.
Is it possible to assign static IPs to my devices using the /48 path that I control and then port forward to that relative path.
For example, if the IPs have this format:
isp.isp.isp.vlan#.local.local.local.local
Can everything from the .vlan#. be static with port forwarding rules that target specific devices?
I guess dynamic prefix forwarding is what you're looking for: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples?#dynamic_prefix_forwarding
If you set your destination IP to something like ::5/-64, the prefix part of the address is handled dynamically.
My desktop PC sits on VLAN1 and has a static ipv4 address.
OpenWrt has assigned an ipv6 address:
2a02:x:x:1::190/128
1 = vlan number
190 = last octet of ipv4 static ip address (these are nifty features of OpenWrt IMHO).
The first three parts to the address are the routing prefix, which is assigned dynamically by my ISP.
The fourth part is the subnet ID.
The last four parts are the interface identifier.
The guide contains this example of a firewall rule:
uci add firewall rule
uci set firewall.@rule[-1].name="Forward-IPv6"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="::23/-64"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcp udp"
uci set firewall.@rule[-1].target="ACCEPT"
If I were trying to forward SSH my desktop PC, would this be the correct config?
uci add firewall rule
uci set firewall.@rule[-1].name="Forward-IPv6"
uci set firewall.@rule[-1].src="wan_ipv6"
uci set firewall.@redirect[-1].src_dport="22"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="1::190/-80"
uci set firewall.@redirect[-1].dest_port="22"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcp udp"
uci set firewall.@rule[-1].target="ACCEPT"
/-64.dest="lan", so that information isn't needed in dest_ipsrc_dportAll in all it should look like this:
uci add firewall rule
uci set firewall.@rule[-1].name="Forward-SSH-IPv6"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="::190/-64"
uci set firewall.@rule[-1].dest_port="22"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="ACCEPT"
The prefix of 48 means that the ISP chooses the first 48 bits and you control the last 80 bits. So these rules should be written as -80 not -64.
If you only match the last 64 bits, which router or LAN is not considered, and the port is open to any thing on any of your networks (in the lan zone) that ends in ::190. You probably don't want that. Use -80 and include the delegated bits (ip6hint) in the address to match, such as 08::190/-80
Also since there's no NAT in use, the IPv4 concept of "port forward" to use ports to share a single public IP doesn't apply. These are simply forwards. Each server has its own public IP. You can allow input to a single port or all ports.
I assume NPT should also be possible from GUA to ULA.
I updated the documentation linked above, it works like this:
| Netmask | Equivalent |
|---|---|
/-64 |
/::ffff:ffff:ffff:ffff |
/-48 |
/::ffff:ffff:ffff:ffff:ffff |
Thanks for clarifying the format.
Would this be the rule to open up port 22 for just my desktop PC?
uci add firewall rule
uci set firewall.@rule[-1].name="Forward-IPv6"
uci set firewall.@rule[-1].src="wan_ipv6"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="1::190/-48"
uci set firewall.@redirect[-1].dest_port="22"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcp udp"
uci set firewall.@rule[-1].target="ACCEPT"
Why don't I need to include the vlan/subnet prefix?
Is it -48 or -80 (like @mk24 posted)? Counting mask bits from the beginning or end?
It created a firewall rule, but the rule in Luci was missing the port number.
I've manually added a port number, but the connection is refused.
This is the rule in the firewall config file.
config rule
option dest 'lan'
option family 'ipv6'
option proto 'tcp udp'
option target 'ACCEPT'
option src 'wan'
list dest_ip '1::101/-48'
option dest_port '32400'
option name 'ipv6 | Inbound | Plex | 32400'
What if you try the destination:
0:0:0:1::190/-48
That's done it.
Once again, thanks to everybody that's contributed their time to help with this.
I think the documentation might need to be updated to include the wildcard mask (probably the wrong term?).
uci set firewall.@rule[-1].dest_ip="::23/-48"
uci set firewall.@rule[-1].dest_ip="0:0:0::23/-48"
Thanks.
You wouldn’t need the extra zeroes up front if it hadn’t been for the vlan-specific hint in your configuration.
I've performed some tests, and the method from the wiki works as well, provided that the rule only applies to the LAN destination zone with only LAN network assigned to it by default.
This allows to omit the IPv6 hint and specify the length of the prefix assigned to the LAN interface.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.