Firewall blocking ipv6

I have 2 issues. If I disable the firewall completely via /etc/init.d/firewall stop, then I am able to access my IPv6 entities from outside the network; if I restart the firewall, I can no longer access my IPv6 entities from outside the network. What am I doing wrong?

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@OpenWrt:~#

Firewall settings


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guestDHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guestDNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'Allow_mdns_MotoTV'
	list proto 'udp'
	option src '*'
	option src_port '5353'
	option dest_port '5353'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'
	option family 'ipv4'

config rule
	option src 'guest'
	list dest_ip '192.168.87.1'
	option target 'REJECT'
	option name 'Block 192.168.87.1 in Guest'
	option dest 'guest'

Additionally, when I restart firewall, I get this error

root@OpenWrt:~# /etc/init.d/firewall restart
Section miniupnpd specifies unreachable path '/usr/share/miniupnpd/firewall.include', ignoring section

Network settings:

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.86.1'
        option device 'br-lan.99'
        option ip6assign '64'
        option ip6hint '5'
        option ip6ifaceid '::99'
        option defaultroute '0'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option password '*********'
        option delegate '0'
        option username '***************'
        option ipv6 '1'
        option peerdns '0'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.87.1'
        option netmask '255.255.255.0'
        option device 'br-lan.4'
        option ip6ifaceid '::99'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:t'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

root@OpenWrt:~#

DHCP settings:

root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list rebind_domain 'plex.direct'
        list server '127.0.0.1#5053'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5053'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '20'
        option limit '230'
        option ra 'server'
        option ra_slaac '0'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'marcus-intel'
        option dns '1'
        option mac '00:1C:C0:7C:16:A0'
        option ip '192.168.86.53'
        option leasetime 'infinite'
        option duid '00020000ab1104021a920fa1899a'
        option hostid '53'

config host
        option name 'raspberrypi'
        option dns '1'
        option ip '192.168.86.196'
        option leasetime 'infinite'
        option mac 'DC:A6:32:D2:2A:77'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config domain
        option name 'Dad-AndroidOne'
        option ip '192.168.86.146'

config domain
        option name 'E8450Hall'
        option ip '192.168.86.245'

config host
        option name 'E8450Hall'
        option dns '1'
        option mac 'E8:9F:80:C7:6E:55'
        option ip '192.168.86.175'
        option leasetime 'infinite'

config domain
        option ip '192.168.86.180'
        option name 'raspberrypiwifi'

config host
        option name 'EchoDot'
        option dns '1'
        option mac 'CC:F7:35:A9:5B:8E'
        option ip '192.168.86.207'

config host
        option name 'LenovoSmartClock'
        option dns '1'
        option mac '84:B8:B8:54:55:C8'
        option ip '192.168.86.231'

config host
        option name 'MAZE'
        option ip '192.168.86.113'
        option mac '7C:2A:31:B7:DA:FE'

config host
        option name 'marcus'
        option mac 'D8:BB:C1:D0:18:34'
        option ip '192.168.86.52'
        option leasetime 'infinite'
        option hostid '52'

config host
        option name 'Pixel-6a'
        list mac '06:24:34:8F:16:E6'
        option ip '192.168.86.147'
        option leasetime 'infinite'

config host
        option name 'Pixel-7a'
        list mac '1A:3B:FB:4A:6D:C2'
        option ip '192.168.86.98'
        option leasetime 'infinite'

config host
        option name 'Motorola-3B-TV'
        list mac '08:54:BB:8B:12:6B'
        option ip '192.168.86.39'
        option leasetime 'infinite'

config host
        option name 'tinxy-4n-myroom'
        option ip '192.168.86.144'
        option leasetime 'infinite'
        list mac '98:F4:AB:F7:00:C3'

config host
        list mac 'FE:37:06:57:BF:9B'
        option ip '192.168.86.145'
        option leasetime 'infinite'
        option name 'Pixel-8-Pro'

config host
        option name 'BrotherPrinter'
        list mac '3C:0A:F3:BE:26:8B'
        option ip '192.168.87.216'
        option leasetime 'infinite'

config host
        option name 'SamsungFridge'
        list mac '68:3A:48:C8:DB:DD'
        option ip '192.168.86.199'
        option leasetime 'infinite'

config host
        option name 'GalaxyWatch4Classic'
        list mac '1A:8E:D5:84:DC:6E'
        option ip '192.168.87.243'
        option leasetime 'infinite'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

root@OpenWrt:~#

You have to install miniupnpd-nftables; the iptables version is for fw3.

Executing package manager
opkg install miniupnpd-nftables
Installing miniupnpd-nftables (2.3.7-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/miniupnpd-nftables_2.3.7-r1_aarch64_cortex-a53.ipk
Configuring miniupnpd-nftables.
Errors
Collected errors:
 * resolve_conffiles: Existing conffile /etc/config/upnpd is different from the conffile in the new package. The new conffile will be placed at /etc/config/upnpd-opkg.

I get this error when installing, and if I ignore it, I still can't access IPv6 entities outside the network with the package installed.

I was reading your posts when you made a significant edit.

I don't see any firewall entries allowing this IPv6 traffic you wish to allow.

Perhaps I overlooked it?


Thank you for getting back, and I am sorry for the confusion; I removed the last part because it didn't work for me. This is what I had previously, which didn't work for me:

config rule
    option name 'mans_Allow-HA-IPv6'
    option family 'ipv6'
    option proto 'tcp'
    option src 'wan'
    option dest 'lan'
    option dest_ip '2776:*****:c4:***::***'  # the IPv6 address accessible via the LAN network
    option dest_port '8123'
    option target 'ACCEPT'

Basically, I want all DHCPv6-assigned IPv6 addresses to be accessible from outside the network; I don't intend to have a firewall rule for every entity individually. Additionally, I want some DDoS protection so that some random person can't flood my IPv6 hosts.
I intend to do this for jellyfin and other services on my network.

thank you!

I also have OpenVPN and WireGuard servers inside my network which I want to be accessible with IPv6 from outside.
For IPv6 you do not port forward as you do for IPv4; instead you allow access, and you can use a negative netmask to deal with a dynamic prefix.

An example for my WireGuard server:
/etc/config/firewall:

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::6/-64'     <<<< negative netmask to deal with the dynamic prefix; the server has a static ::6 IP
config rule
    option name 'mans_Allow-IPv6-Inbound'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'   # allow both
    option family 'ipv6'
    option dest_ip '::/-64'     # Negative netmask
    option target 'ACCEPT'

I just included this firewall rule to allow access to all IPv6 hosts, but it doesn't work. I have also followed your suggestion of using a negative netmask. What's wrong here?

That is not an address: with a negative netmask you still need the host part (e.g. ::6) to match against.
For my WireGuard server I have made a static IPv6 address like this:

config host
	option dns '1'
	option name 'EA8500'
	option ip '192.168.0.6'
	option leasetime '6h'
	option duid '00030001c0562aaaaaa'
	option hostid '06'
	list mac 'C0:56:27:aa:aa:aa'

the hostid will hand out an IPv6 address like this prefix::6

So my dest_ip is: option dest_ip '::6/-64'


I tried this twice to be sure, and it crashed my router both times. Luckily, I had a backup, so I could revert. It definitely doesn't work on my OpenWrt version: I just lose access to LuCI and have no internet, but all the LEDs keep blinking.
The second time, before adding it to the firewall file via SSH, I tried adding the negative netmask in LuCI, and it didn't even accept a value like that.

My delegated prefix is /64, and in DHCPv6 every IPv6 address is /128. So should I use -128 or -64 for the negative netmask?

No, you mask the prefix, which is usually /64: the negative netmask ignores the (dynamic) prefix bits and matches only the host part, so use -64.

See: https://korhonen.cc/posts/firewall_rules_openwrt_ipv6_dynamic_prefix/

I was wrong, and thank you. I woke up today, trusted the steps you told me, tried again, and it worked. I was doing it without making the address static, which is why it was crashing the router. Anyway, I have some more things to clarify:

  1. How do I enable IPv6 privacy extensions on OpenWrt with DHCPv6? And is it advisable to do so?

  2. My Unraid server does not get a DHCPv6 address assigned until I restart it. If I restart my router, IPv6 is assigned only to my PiKVM (a separate entity outside the Unraid server, basically another server). For IPv6 to be assigned to my Unraid, I have to restart the entire Unraid box whenever I restart my router.
    How do I fix this? It is basically an MSI motherboard.

  3. And how do I fix the error below when I restart my firewall? Or should I ignore it?

root@OpenWrt:~# /etc/init.d/firewall restart
Section miniupnpd specifies unreachable path '/usr/share/miniupnpd/firewall.include', ignoring section
  1. Unless you reconnect the port, the device will not notice any change in the network config.
  2. Remove the section from /etc/config/firewall and don't install random packages in future.
  1. There is nothing related to miniupnp in the firewall; please check my OP, which has the settings.

Clearly, not a single line, bye

