Fw4 MAC address matching

I want to expose a device in my LAN with a public IPv6 address to the internet. Since WAN->LAN is rejected by default, I think I probably need to add an exemption rule, and since my IPv6 PD is dynamic, I opt to use the MAC address: if the destination MAC address matches my device, the WAN->LAN connections should be allowed.

But it seems fw4 only allows matching the source MAC address? Exposing LAN devices should be a pretty popular use case, so I guess there must be some other way to achieve that? I would appreciate it if someone could shed some light.

You can match on the hostid of the IPv6 address if the prefix changes.

2 Likes
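The host-ID match suggested above, written as an fw4 rule for `/etc/config/firewall`. This is an added example, not from any poster in the thread: the interface identifier `::0211:22ff:fe33:4455`, the rule name and TCP port 443 are constructed placeholders, and the zone names assume the default `wan` and `lan` zones.

```uci
# Forward inbound IPv6 traffic from wan to one LAN host, matching only the
# lower 64 bits (interface identifier) of the destination address, so the
# rule keeps working when the delegated prefix changes.
config rule
	option name 'Allow-HTTPS-to-lan-host'   # hypothetical rule name
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp'
	# '/-64' means "compare the LAST 64 bits". The same match in explicit
	# mask form: '::0211:22ff:fe33:4455/::ffff:ffff:ffff:ffff'
	option dest_ip '::0211:22ff:fe33:4455/-64'   # constructed host ID
	# Open only the service port that has to be reachable, not the whole host.
	option dest_port '443'
	option target 'ACCEPT'

# The host must keep the same interface identifier across prefix changes:
# an EUI-64 address, a statically configured token, or a fixed DHCPv6 host ID.
# RFC 7217 stable-privacy and temporary (RFC 8981) addresses are derived per
# prefix or rotated, so this rule will not keep matching them.
```

Apply it with `service firewall restart`, then confirm from an outside IPv6 host that only the intended port is reachable.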

Beyond that, set up an IPv6 DDNS dæmon on the host you want to expose.

I didn't know it was possible to match only the hostid part. That should do it, thanks.

Thanks for the suggestion, I was about to ask that. My device doesn't support the DDNS service I use, but the OpenWRT DDNS client does, and centralizing my DDNS would also be nice. I wonder if there is an easy way, like the hostid matching trick, to directly upload my device's IPv6 address with OpenWRT's DDNS client?

I'm not aware of anything pre-made to take care of that; it would probably require original development. Starting a DDNS update service on the exposed host is typically the easiest way out of this issue (but obviously not the only one).

1 Like
