[firewall] ipv6 port redirect not implemented?

  • Master branch

Similar to

config redirect
	option name 'DNS client hijack prevention ipv4'
	option target 'DNAT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src 'lan'
	option src_dport '53'
	option dest 'wan'
	option dest_port '53'
	option dest_ip '<ipv4 address>'

trying to deploy for ipv6

config redirect
	option name 'DNS client hijack prevention ipv6'
	option target 'DNAT'
	option proto 'tcp udp'
	option family 'ipv6'
	option src 'lan'
	option src_dport '53'
	option dest 'wan'
	option dest_port '53'
	option dest_ip '<ipv6 address>'

However, observing that:

  • LuCI Firewall -> Port Forwards -> Advanced (/cgi-bin/luci/admin/network/firewall/forwards) does not provide an address family option as it does in LuCI Firewall -> Traffic Rules -> Advanced
  • LuCI Firewall -> Port Forwards -> General Settings -> Internal IP address exhibits an overlay:
    ⚠ Expecting: valid IPv4 network
  • restarting fw exhibits in the cli buffer:

Populating IPv4 filter table | Populating IPv4 nat table

  • Redirect 'DNS client hijack prevention ipv6'
    ! Skipping due to different family of ip address

Am I missing something or is ipv6 port redirect not implemented?

It is not implemented

Any plan that it might be (soon) implemented, or will it be only when fw4 (based on nft) ships?

You can achieve this by using custom firewall rules.

opkg update
opkg install ip6tables ip6tables-mod-nat

Maybe ip6tables-extra is also needed.

/etc/firewall.user

IPT6=$(which ip6tables)

# Redirect all DNS Queries to Router (IPv6)
$IPT6 -t nat -I PREROUTING -i br-lan -m udp -p udp -s fd13:3:7:10::/64 --dport 53 -j DNAT --to-destination fd13:3:7:10::254 -m comment --comment "Force DNS Request to Router"
$IPT6 -t nat -I PREROUTING -i br-lan -m tcp -p tcp -s fd13:3:7:10::/64 --dport 53 -j DNAT --to-destination fd13:3:7:10::254 -m comment --comment "Force DNS Request to Router"

My ULA Prefix is fd13:3:7::/48
br-lan is configured with:

ip6hint '10'
ip6ifaceid '::254'

//edit
Sorry, of course this will not work in the desired way.
This will only redirect local requests and that doesn't make sense.
To make this work we have to use redirect here:

$IPT6 -t nat -I PREROUTING -i br-lan -p udp ! -d fd13:3:7:10::254/128 --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "Force DNS Request to Router"
$IPT6 -t nat -I PREROUTING -i br-lan -p tcp ! -d fd13:3:7:10::254/128 --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "Force DNS Request to Router"

I can't get this working with DNAT.
Even with the -s fd13:3:7:10::/64 (which is obviously wrong here) part removed, it doesn't work.
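An idempotent variant of the REDIRECT approach above, added here as an example and not the poster's own script: it checks with `ip6tables -C` before inserting, so re-running /etc/firewall.user on every firewall restart does not pile up duplicate rules. The router address fd13:3:7:10::254 and the br-lan interface are taken from the thread; the rule-building function, the `IPT6` override and the rule comment are this example's own assumptions.

```shell
#!/bin/sh
# Idempotent IPv6 DNS redirect for /etc/firewall.user (added example, not the
# thread's own script). Values assumed from the thread: LAN bridge br-lan and
# router LAN address fd13:3:7:10::254; override via environment if different.
LAN_IF="${LAN_IF:-br-lan}"
ROUTER_IP6="${ROUTER_IP6:-fd13:3:7:10::254}"
# Path to ip6tables; set IPT6 to a shell function or "echo" to dry-run.
IPT6="${IPT6:-$(command -v ip6tables || echo /usr/sbin/ip6tables)}"

# Build the match/target part of the PREROUTING rule for one protocol.
# Queries already addressed to the router are excluded (! -d), so only
# clients that try to reach an outside resolver are rewritten to port 53
# on the router itself (REDIRECT, as in the post above).
# The comment has no spaces because the string is word-split when used.
dns_redirect_rule() {
    echo "-i $LAN_IF -p $1 ! -d ${ROUTER_IP6}/128 --dport 53 -j REDIRECT --to-ports 53 -m comment --comment Force-IPv6-DNS-to-router"
}

# Insert the rule only if an identical one is not already present.
# firewall.user is re-run on every firewall restart, and a bare "-I" would
# add a duplicate each time; "-C" returns 0 when the rule already exists.
ensure_rule() {
    rule=$(dns_redirect_rule "$1")
    if "$IPT6" -t nat -C PREROUTING $rule 2>/dev/null; then
        return 0
    fi
    "$IPT6" -t nat -I PREROUTING $rule
}

# Number of rules this script manages (one per transport protocol).
dns_redirect_rule_count() {
    n=0
    for p in udp tcp; do
        dns_redirect_rule "$p" | grep -q REDIRECT && n=$((n + 1))
    done
    echo "$n"
}

apply_dns_redirect() {
    for p in udp tcp; do
        ensure_rule "$p"
    done
}

# Only touch the firewall when ip6tables is available and we are root.
if [ -x "$IPT6" ] && [ "$(id -u)" = 0 ]; then
    apply_dns_redirect || echo "warning: could not install IPv6 DNS redirect" >&2
fi
```

Verify with `ip6tables -t nat -L PREROUTING -n --line-numbers` that exactly one udp and one tcp rule remain after several `/etc/init.d/firewall restart` runs.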
