Firewall is Rejecting Instead of Dropping Incoming IPv6 Packets

I have a Hurricane Electric 6in4 tunnel up and running and added this WAN6 interface into my WAN firewall zone on OpenWrt 21.02.2 running on a Raspberry Pi 4.

The WAN zone is set to Drop/Accept/Drop for Input/Output/Forward (see below) and all IPv4 port scans show a stealth response for all ports, meaning that the firewall dropped the inbound SYN request instead of responding by closing the socket. This is my desired behavior as I do not want any probes to reveal my presence.

IPv6 port scans, however, always return CLOSED for every port. At first I did not trust the port scanner, so I ran a tcpdump capture during the scan and do indeed see the router responding to each inbound IPv6 SYN request with an immediate RST packet.

Does anyone know why the behavior is different between IPv4 and IPv6?

What can I do to force a Drop for IPv6?

Thanks in advance!

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'
	list network 'WAN6'
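The RST-versus-silence distinction the poster reads out of the capture can be checked mechanically. As an added example (not part of the thread, not OpenWrt code), the Python below pairs each SYN in `tcpdump -n` text output with the reply seen on the same 4-tuple and reports, per address family, whether a port came back "closed" (RST, the REJECT-style behaviour described above), "filtered" (no reply at all, the DROP behaviour) or "open" (SYN-ACK). The capture lines, addresses (documentation prefixes) and function names are constructed for the example.

```python
import re
from collections import Counter, OrderedDict

# Constructed tcpdump -n output (not a real capture from the router): two IPv4
# SYNs that get no answer, two IPv6 SYNs answered with RST, and one IPv6 SYN
# answered with SYN-ACK. Addresses are RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.40001 > 203.0.113.5.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:01.000002 IP 198.51.100.7.40002 > 203.0.113.5.443: Flags [S], seq 2, win 64240, options [mss 1460], length 0
12:00:02.000001 IP6 2001:db8:1::2.40003 > 2001:db8:2::1.22: Flags [S], seq 3, win 64240, options [mss 1440], length 0
12:00:02.000150 IP6 2001:db8:2::1.22 > 2001:db8:1::2.40003: Flags [R.], seq 0, ack 4, win 0, length 0
12:00:02.000200 IP6 2001:db8:1::2.40004 > 2001:db8:2::1.443: Flags [S], seq 5, win 64240, options [mss 1440], length 0
12:00:02.000300 IP6 2001:db8:2::1.443 > 2001:db8:1::2.40004: Flags [R.], seq 0, ack 6, win 0, length 0
12:00:03.000001 IP6 2001:db8:1::2.40005 > 2001:db8:2::1.80: Flags [S], seq 7, win 64240, options [mss 1440], length 0
12:00:03.000100 IP6 2001:db8:2::1.80 > 2001:db8:1::2.40005: Flags [S.], seq 9, ack 8, win 65535, options [mss 1440], length 0
"""

# One TCP line of tcpdump text output: timestamp, IP or IP6, src > dst, TCP flags.
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<family>IP6?) (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
FAMILY_NAME = {"IP": "IPv4", "IP6": "IPv6"}


def split_endpoint(endpoint):
    """tcpdump prints host.port; the port follows the last dot, which is safe
    for IPv6 too because tcpdump never prints a dot inside an IPv6 address."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def classify_probes(capture_text, targets):
    """Pair every SYN aimed at one of `targets` with the reply on the same
    4-tuple. Returns {(family, port): verdict} in probe order, where verdict is
    'open' (SYN-ACK), 'closed' (RST: a REJECT rule or no listener),
    'filtered' (no reply in the capture: a DROP rule), or the raw flag string
    if something unexpected came back."""
    probes = OrderedDict()   # (family, target_port) -> (scanner_host, scanner_port)
    replies = {}             # (scanner_host, scanner_port, target_port) -> flags
    for line in capture_text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        flags = m["flags"]
        family = FAMILY_NAME[m["family"]]
        if dst in targets and "S" in flags and "." not in flags:
            probes[(family, dport)] = (src, sport)          # a bare SYN probe
        elif src in targets:
            replies[(dst, dport, sport)] = flags            # reply from the target
    verdicts = OrderedDict()
    for (family, port), (scanner, scanner_port) in probes.items():
        flags = replies.get((scanner, scanner_port, port))
        if flags is None:
            verdicts[(family, port)] = "filtered"
        elif "R" in flags:
            verdicts[(family, port)] = "closed"
        elif "S" in flags and "." in flags:
            verdicts[(family, port)] = "open"
        else:
            verdicts[(family, port)] = flags
    return verdicts


def summarize(verdicts):
    """Count verdicts per address family: a DROP policy shows up as all
    'filtered'; a REJECT policy (or a reset from a host) as 'closed'."""
    summary = {}
    for (family, _port), verdict in verdicts.items():
        summary.setdefault(family, Counter())[verdict] += 1
    return {family: dict(counts) for family, counts in summary.items()}


if __name__ == "__main__":
    result = classify_probes(SAMPLE_CAPTURE, {"203.0.113.5", "2001:db8:2::1"})
    for (family, port), verdict in result.items():
        print(f"{family} tcp/{port}: {verdict}")
    print(summarize(result))
```

To use it on a real scan, capture on the router with `tcpdump -n -i <wan-interface> tcp` while the external scan runs, save the text, and pass it with the router's public v4 and v6 addresses as `targets`. An all-"filtered" result for one family beside an all-"closed" result for the other is exactly the asymmetry the poster describes; the script cannot tell an RST emitted by a REJECT rule from one emitted by a closed socket on the host, so the firewall rules still have to be inspected to find which one is answering.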

Set up a wan6 zone.

  • Did you test from the router or a client (I assume a port scan website on a client)?
    • If so, then this would be an IPv6 forward rule
  • Do you still have the default ICMPv6 forward rule enabled?
  • Do you still have the default ICMPv6 input rule enabled?
  • What kind of packet did they use to scan (ICMPv6 :wink: , UDP, TCP)?

Can you share the port scan site?

Drop is working on the ones I tested.

This works for me on 20.02.2 with an HE tunnel when I set my firewall properly. I would check the firewall rules.

Working ICMPv6 was required by RFC for IPv6...but if you disable the relevant rules, it should stop.
