Help with 21.02.1 and traffic rules

Hi all, I need assistance with 21.02.1. I've updated my R7800 router from 19.07.08 to 21.02.1 and started from scratch - I did NOT KEEP settings. Everything is working OK except that I can't forward IPv6 to my security cameras on 21.02, which was working fine on 19.07. For some reason my cameras don't hold an IPv6 address if I set them to DHCP - they get an IPv6 address OK, but then in about an hour they reset to a local IPv6 address. I "fixed" that issue by manually assigning IPv6 addresses to the cameras (it would be great if someone can recommend how to fix this, but that's not the issue for this post).

So, I have 4 cameras with IPv6 manually assigned to them:

CAM1: 2835:865:c840:e4a4::60
CAM2: 2835:865:c840:e4a4::61
CAM3: 2835:865:c840:e4a4::62
CAM4: 2835:865:c840:e4a4::63

(those IP addresses are random, for the sake of the demonstration)

In 19.07 I had these Traffic Rules that allowed me to connect to these cameras from outside:

config rule
	option src '*'
	option name 'Allow WAN to Front 1 Cam IPv6'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '44550'
	list dest_ip '2835:865:c840:e4a4::60'

config rule
	option src '*'
	option name 'Allow WAN to Front 2 Cam IPv6'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option dest_port '44551'
	option proto 'tcp'
	list dest_ip '2835:865:c840:e4a4::61'

config rule
	option src '*'
	option name 'Allow WAN to Back 1 Cam IPv6'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option dest_port '44552'
	option proto 'tcp'
	list dest_ip '2835:865:c840:e4a4::62'

config rule
	option src '*'
	option name 'Allow WAN to Back 2 Cam IPv6'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option dest_port '44553'
	option proto 'tcp'
	list dest_ip '2835:865:c840:e4a4::63'

After installing 21.02 and configuring IPv6 the same (I think) as 19.07, I can get IPv6 from my provider OK and can delegate to my local devices OK too.

I've installed the ipset package with related dependencies but still can't connect to my cameras from outside.

Firewall is as follows:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

DHCP is as follows:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option nohosts '1'
	option quietdhcp '1'
	option filterwin2k '1'
	option nonegcache '1'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '50'
	option leasetime '24h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '3'

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd46:3417:c587::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.xxx.1'
	list dns '1.1.1.2'
	list dns '1.0.0.2'
	option ip6assign '64'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '1.0.0.2'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option peerdns '0'
	list dns '2606:4700:4700::1112'
	list dns '2606:4700:4700::1002'
	option reqprefix '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

I would appreciate any assistance. Thank you

I think I'm making some progress, albeit slowly. I tried pinging the IPv6 address of one of the cameras from the router but got unreachable. Then I switched one of the cams to DHCP, but instead of the 2835:865:c840:e4a4::60 address, which should be the delegated public one, the cam got this address: fdac:a190:bbaa::30, which is from the ULA prefix.
I made this change in LAN interface:

list ip6class 'wan6'

and now I can see that the camera is getting the public address, but unfortunately I still can't reach it from outside. Actually, I just tried reaching the camera while I was connected to the WiFi and couldn't reach it either - I was able to on my previous config on 19.07.

Any help would be greatly appreciated.
Thanks
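The two things being checked by hand above (whether the rules from the first post are sane, and whether the camera's address is a ULA address or a public one inside the delegated prefix) can be checked offline against a copy of /etc/config/firewall. The following is an added example, not code from the thread or from the OpenWrt project: a small Python audit that parses UCI text, classifies each `dest_ip`, flags a ULA address (unreachable from the Internet no matter what the firewall says), flags an address outside the delegated prefix, and flags `src '*'` (which in fw3 matches every zone, including any guest zone added later) instead of `src 'wan'`. The delegated /60 prefix and the three sample rules are constructed for the demonstration; the first sample rule is the thread's own CAM1 rule, the other two are added for contrast.

```python
"""Offline audit of OpenWrt fw3 (UCI) IPv6 'allow from WAN' rules.

Added example, not from the thread or from OpenWrt. Run it against a copy of
/etc/config/firewall; it needs only the standard library.
"""
import ipaddress
import re

# Constructed sample: the delegated prefix assumed for this demonstration.
# The thread's wan6 asks for a /60 (reqprefix '60') and lan takes one /64 out
# of it (ip6assign '64'); 2835:865:c840:e4a4::/64 is one of the 16 /64s in it.
DELEGATED_PREFIX = ipaddress.ip_network("2835:865:c840:e4a0::/60")

# Constructed sample rules in UCI syntax. Rule 1 is the thread's CAM1 rule;
# rule 2 points at the ULA address the camera got via DHCPv6; rule 3 is the
# same rule with src narrowed to the wan zone.
SAMPLE_FIREWALL = """\
config rule
	option src '*'
	option name 'Allow WAN to Front 1 Cam IPv6'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '44550'
	list dest_ip '2835:865:c840:e4a4::60'

config rule
	option src 'wan'
	option name 'Cam on ULA address'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '44551'
	list dest_ip 'fdac:a190:bbaa::30'

config rule
	option src 'wan'
	option name 'Hardened cam rule'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '44552'
	list dest_ip '2835:865:c840:e4a4::62'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_KV = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Parse UCI text into a list of sections ({'_type': type, key: value}).

    'option' keys map to a string, 'list' keys map to a list of strings.
    """
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append({"_type": m.group(1)})
            continue
        m = _KV.match(line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1][key] = val
            else:
                sections[-1].setdefault(key, []).append(val)
    return sections


def classify(addr):
    """Return the scope of an IPv6 address: gua, ula, link-local or other."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "not-ipv6"
    if ip.is_link_local:
        return "link-local"
    if ip in ipaddress.ip_network("fc00::/7"):   # RFC 4193 unique local
        return "ula"
    if ip in ipaddress.ip_network("2000::/3"):   # global unicast
        return "gua"
    return "other"


def in_delegated(addr, delegated=DELEGATED_PREFIX):
    """True if addr lies inside the prefix delegated by the ISP."""
    return ipaddress.ip_address(addr) in delegated


def audit_rules(text, delegated=DELEGATED_PREFIX):
    """Return {rule name: [findings]} for every IPv6 ACCEPT rule into lan."""
    report = {}
    for sec in parse_uci(text):
        if sec.get("_type") != "rule" or sec.get("target") != "ACCEPT":
            continue
        if sec.get("family") != "ipv6" or sec.get("dest") != "lan":
            continue
        findings = []
        if sec.get("src") == "*":
            findings.append("src '*' matches every zone; use src 'wan'")
        if not sec.get("dest_port"):
            findings.append("no dest_port: whole host exposed")
        dest_ips = sec.get("dest_ip", [])
        if isinstance(dest_ips, str):      # 'option dest_ip' instead of 'list'
            dest_ips = [dest_ips]
        if not dest_ips:
            findings.append("no dest_ip: whole lan exposed")
        for a in dest_ips:
            if classify(a) == "ula":
                findings.append(f"{a} is ULA; unreachable from the Internet")
            elif not in_delegated(a, delegated):
                findings.append(f"{a} is outside delegated {delegated}")
        report[sec.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_FIREWALL).items():
        print(name, "->", findings or "ok")
```

To check a real router, replace `SAMPLE_FIREWALL` with the contents of a backed-up /etc/config/firewall and set `DELEGATED_PREFIX` to the prefix shown for wan6 on the router; the ULA check is what catches the situation described above, where the camera had picked up an fd..-prefixed address and no firewall rule could have made it reachable from outside.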

Your firewall config is missing the essential rules, revert it to factory defaults:
https://github.com/openwrt/openwrt/blob/master/package/network/config/firewall/files/firewall.config

And then follow the wiki to set up IPv6 forwarding:
fw3 IPv6 configuration examples > Dynamic prefix forwarding

Thanks @vgaetera for chiming in. I checked my firewall against the one on GitHub and all settings are there; the only lines missing from my config are the commented example lines, so that wasn't it.

I looked at the IPv6 forwarding you linked, and it seemed too dangerous for me. It seems to me that I'm missing something simple, as in the 19.07 build all I did to enable this was create a couple of rules and it worked. I was OK with that as it exposed only 4 devices. The fw3 IPv6 wiki appears to be opening a much bigger hole, and I'm not versed enough to tighten it up confidently.

I've gotten my IPv6 configured properly now, I think, as all my devices get public and ULA addresses, it's just passing 4 IPv6 ports through firewall holding me back.

Reading the fw3 wiki you linked again, the first 3 examples it lists, under Port Accept for IPv6, are exactly what I did on 19.07, without any additional zones and forwards - and it worked. I've been going over my backed-up 19.07 firewall file line by line and my new 21.02 setup matches it exactly - but no dice.

Do you know if there is some fundamental change in firewall rule processing on 21 that is preventing me from opening IPv6 ports?

Appreciate your time very much.

I got tired of trying to figure out what I'm missing and decided to proceed with the rest of my setup, which was only adding the guest network. Once I finished configuring everything that is needed for the guest network to work - boom, all my IPv6 rules started working.
