Help needed to create fw4 rule

Please help me create a firewall rule that

  • Matches traffic originating in "lan" zone destined for or [FC00::]/7
  • Sends that traffic to a service running on the router listening on and [::]:9040

I'm running OpenWrt 22.03.2. I would prefer to do this via Luci, but I am also fine with just editing /etc/config/firewall.

You may guess that this is for Tor, which is correct. I have visited the wiki pages "Tor Client" and "Tor Extra", but they just led to more confusion. This is because the setup there is more complicated than I want. I've got the DNS redirection working fine, just need help with this rule. This setup is only for occasional visits to a .onion website, and not for strict privacy preservation. When in need of privacy, I use Tor Browser.

While trying various things, I also created an interface called 'Tor', gave it static IP and [FC00::]/7, and put it in a firewall zone called 'Tor'. This was probably pointless, but just mentioning it in-case it can be used for the rule I need.

Port forward.

Whoa, wouldn't have guessed that...

Have you seen? -

Yes, I saw that before asking the question here and it left me more confused. It is more complicated than want I need/want. Not sure if ipset is still available in nftables (fw4). I also want to, preferably, just stick with the usual lan->wan forwarding and not have to create the "Allow-NonTor-Forward" rule; just want to create a rule only intercept the Tor destined traffic as I asked for.

Also, at least from the GUI, the port forward only seems to work for IPv4 and not IPv6.

Yes, it is.

OK, from what I see in the Wiki, it does that. How does the Wiki not provide that?

(FYI, I also have a hard time reading UCI CLI, I personally use the file method.)

Ok, so a more specific question, if I create the following rule will that work?:

config redirect
	option target 'DNAT'
	option name 'Tor-fwd-ipv6'
	option src 'lan'
	option src_dport '0-65535'
	option dest_ip '2a02:8010:6807:10::1'
	option dest_port '9040'
	option src_dip 'FC00::/7'
	option reflection '0'

Similar rule for ipv4 is working fine.

Probably not without setting up NAT for IPv6.


I went with this for the ipv6 redirect and it seems to be working:

config ipset 'torv6'
	option name 'torv6'
	option family 'ipv6'
	option match 'net'
	list entry 'fc00::/8'

config redirect
	option target 'DNAT'
	option name 'Tor-fwd-ipv6'
	option src 'lan'
        option src_dport '0-65535'
	option family ipv6
	option dest_port '9040'
	option ipset 'torv6 dest'
	option reflection 0
1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.