How does ip6tables publish intranet services to the public network based on PPPoE dynamic IPv6 environment

In the case of IPv4, the port is mapped to the server and port of the intranet through NAT. Now the machine of the IPv6 intranet passes through
The router obtains IPv6-PD and then configures a random IPv6. Intranet servers are all obtained public network addresses. The router v6 firewall generally prohibits other public networks from actively initiating port access to intranet servers by default, because the IPv6-PD prefix will change Then the server v6 address itself will change, so how does ip6tables allow internal access? 1. Turn off the firewall of the router and turn on the firewall of the server itself. 2. Allow all requests on this port, and the machine on the internal network will open the firewall by itself. 3. Similar to the previous v4 nat, use the router gateway v6 ip NAT server intranet v6 IP. In addition, the public network v6 ip obtained by the internal network machine and the router interface is different now, so does DDNS have to be run on a specific server? Otherwise, the address is incorrect

1 Like

Port forwarding to a dynamic IPv6 address - #2 by vgaetera

@vgaetera - I think the wiki example would be easier to grasp if it would use ::ffff:ffff:ffff:ffff as mask instead of -64.

The former notation is also accepted by plain iptables (and likely yields useful google hits) while the latter is an fw3 specific shortcut.

@VxBox - as @vgaetera pointed out with his wiki example, the general approach is to create traffic accept rules instead of dnat port forwards. The dynamic prefix problem can be solved by matching the last 64bit denoting the fixed host part of the prefix. The can be either done by using the special -64 uci notation or by specifying ::ffff:ffff:ffff:ffff (or 0:0:0:0:ffff:ffff:ffff:ffff) as mask

2 Likes

Thank you, "The negative netmask notation /-64 works only with fw3" can the method introduced in this method be used under linux ip6tables? such as : ip6tables -t nat -A PREROUTING -i -p tcp --dport 80 -j DNAT --to-destination ::1/-64

No, that's what jow's post was explaining.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.