How can i open an ipv6 address port?

patrikx3 · May 17, 2021, 12:06pm

like a given ipv6 port 1978 should be opened through the openwrt router and the wan. i suppose it is not NAT so not forwarding but rather just open a port via openwrt system to be open on an ipv6 address on the network.

mpa · May 17, 2021, 12:24pm

Do you get a fixed or a dynamic prefix from your ISP?
How do clients get their IPv6 address - router advertisements (SLAAC), DHCPv6, static configuration?

The firewall rule would look similar to the following, perhaps with minor changes depending on your answers to the questions above.

config rule
	option name			Allow-SSH-IPv6
	option src			wan
	option dest			lan
	option proto		tcp
	option dest_ip		::1122:33ff:fe44:5566/-64
	option dest_port	22
	option family		ipv6
	option target		ACCEPT

patrikx3 · May 17, 2021, 12:42pm

wow you are a god

patrikx3 · May 17, 2021, 12:51pm

what would be the the difference in the config if we are using slaac, dhcpv3 and/or static wan setups?

patrikx3 · May 17, 2021, 12:54pm

could this be the dest be based on ethernet address? like if i receive an ipv6 dhcpv6 setup?

mpa · May 17, 2021, 12:59pm

No changes in the firewall rule, but you have to be aware that the SLAAC assigned IPv6 address is derived from the ethernet MAC address. If you want to use the IP address in firewall rules, it is better to assign the host ID explicitly, using DHCPv6 (preferred), or locally on the client.

With a static prefix, you could change dest_ip to match the whole IP address, not just the host ID.

patrikx3 · May 17, 2021, 1:03pm

so if i use the duid i wouldnt have to reconfigure the firewall if the dhcpv6 prefix changes?

patrikx3 · May 17, 2021, 1:06pm

i am looking for a solution where i do not have to write a script to reconfigure with uci the dynamic ipv6 address.

if course that is not possible i would write a script that will update the firewall rules.

mpa · May 23, 2021, 12:54pm

You do not have to reconfigure the firewall when the delegated prefix changes, because the firewall rule ignores the prefix (the /-64 part):

I had not mentioned a DUID. Where I said host ID, I meant the rightmost 64 bit of the IPv6 address:
1122:33ff:fe44:5566 in the above example.

Specifying a DUID on the client can be useful to ensure it gets a stable host ID from your own DHCPv6 server.

With some ISPs, specifying a DUID on the router might help with getting a stable prefix, but I have no experience with this kind of setup. I put up with a dynamic prefix.

patrikx3 · May 23, 2021, 1:40pm

ah ok, so i can open the ipv6 address by specifing only the postfix and will work with dhcpv6, thanks

openwrtforever · May 23, 2021, 1:59pm

I want to add a small question why can't I add ::1122:33ff:fe44:5566/-64 using luci, the field turns red when I type -64 only /ffff:ffff.... Are allowed

mpa · May 23, 2021, 3:36pm

Mask negation in LuCI is now allowed with OpenWrt 21.02-rc1.
For OpenWrt 19.07, you can use /::ffff:ffff:ffff:ffff instead.

system · June 2, 2021, 3:36pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.