Like a given IPv6 port 1978 should be opened through the OpenWrt router and the WAN. I suppose it is not NAT, so not forwarding, but rather just opening a port via the OpenWrt system to be open on an IPv6 address on the network.
Do you get a fixed or a dynamic prefix from your ISP?
How do clients get their IPv6 address - router advertisements (SLAAC), DHCPv6, static configuration?
The firewall rule would look similar to the following, perhaps with minor changes depending on your answers to the questions above.
config rule
	option name Allow-SSH-IPv6
	option src wan
	option dest lan
	option proto tcp
	option dest_ip ::1122:33ff:fe44:5566/-64
	option dest_port 22
	option family ipv6
	option target ACCEPT
wow you are a god
What would be the difference in the config if we are using SLAAC, DHCPv6 and/or static WAN setups?
Could the dest be based on the Ethernet address? Like if I receive an IPv6 DHCPv6 setup?
No changes in the firewall rule, but you have to be aware that the SLAAC assigned IPv6 address is derived from the Ethernet MAC address. If you want to use the IP address in firewall rules, it is better to assign the host ID explicitly, using DHCPv6 (preferred), or locally on the client.
With a static prefix, you could change dest_ip to match the whole IP address, not just the host ID.
So if I use the DUID I wouldn't have to reconfigure the firewall if the DHCPv6 prefix changes?
I am looking for a solution where I do not have to write a script to reconfigure the dynamic IPv6 address with uci.
Of course, if that is not possible I would write a script that will update the firewall rules.
You do not have to reconfigure the firewall when the delegated prefix changes, because the firewall rule ignores the prefix (the /-64 part).
I had not mentioned a DUID. Where I said host ID, I meant the rightmost 64 bits of the IPv6 address: 1122:33ff:fe44:5566 in the above example.
Specifying a DUID on the client can be useful to ensure it gets a stable host ID from your own DHCPv6 server.
With some ISPs, specifying a DUID on the router might help with getting a stable prefix, but I have no experience with this kind of setup. I put up with a dynamic prefix.
Ah ok, so I can open the IPv6 address by specifying only the postfix and it will work with DHCPv6, thanks.
I want to add a small question: why can't I add ::1122:33ff:fe44:5566/-64 using LuCI? The field turns red when I type -64; only /ffff:ffff.... are allowed.
Mask negation in LuCI is now allowed with OpenWrt 21.02-rc1.
For OpenWrt 19.07, you can use /::ffff:ffff:ffff:ffff instead.
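An added example, not from this thread or from the OpenWrt project: a small Python model of how the dest_ip mask spec is read, so you can check which addresses the rule above would match. It assumes the semantics described in the thread (a negative length such as /-64 means "match the rightmost 64 bits, ignore the prefix"; an explicit mask like /::ffff:ffff:ffff:ffff is used as given); the function names are my own.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1


def mask_from_spec(spec):
    """Turn the text after '/' in an OpenWrt dest_ip into a 128-bit mask.

    Positive length n  -> leftmost n bits (an ordinary prefix).
    Negative length -n -> rightmost n bits (fw3 'mask negation'), i.e.
                          the host ID, so the delegated prefix is ignored.
    Anything else      -> taken as an explicit mask, e.g. ::ffff:ffff:ffff:ffff
    """
    if spec.lstrip("-").isdigit():
        n = int(spec)
        if n < 0:
            return (1 << -n) - 1                       # low -n bits set
        return ALL_ONES ^ ((1 << (128 - n)) - 1)       # high n bits set
    return int(ipaddress.IPv6Address(spec))


def parse_dest_ip(dest_ip):
    """Split 'addr/len' or 'addr/mask' into (address int, mask int)."""
    addr, _, spec = dest_ip.partition("/")
    mask = mask_from_spec(spec) if spec else ALL_ONES  # no '/' -> exact host
    return int(ipaddress.IPv6Address(addr)), mask


def rule_matches(dest_ip, candidate):
    """True if `candidate` would be matched by the given dest_ip option."""
    addr, mask = parse_dest_ip(dest_ip)
    return (int(ipaddress.IPv6Address(candidate)) & mask) == (addr & mask)


def explicit_mask(spec):
    """Explicit mask equivalent to a length spec (what LuCI on 19.07 accepts)."""
    return str(ipaddress.IPv6Address(mask_from_spec(spec)))


if __name__ == "__main__":
    rule = "::1122:33ff:fe44:5566/-64"
    # Constructed sample prefixes: the host ID matches whatever the ISP delegates.
    for host in ("2001:db8:1::1122:33ff:fe44:5566",
                 "2001:db8:ffff:42:1122:33ff:fe44:5566",
                 "2001:db8:1::1122:33ff:fe44:5567"):
        print(host, "->", rule_matches(rule, host))
    print("/-64 as explicit mask:", explicit_mask("-64"))
```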