How to add firewall rules for IPv6 devices?

I have a WAN with IPv4 and IPv6 is provided with 6RD and I'm using prefix delegation to local hosts. Works OK.
I have already managed to configure static IPv6 suffix for host that I want to allow a traffic.

Now, when the router boots up, the /64 IPv6 prefix might change.
How am I supposed to add a firewall rule for hosts that are in the local network?

Let's say the host always generates an IPv6 address using <prefix>::f0f0/64.
And today the prefix is 2001:2003:ff01:: so the IP would be 2001:2003:ff01::f0f0.
But how about tomorrow, when prefix changes?

Am I supposed to use some kind of ipset using domain names? If those are DynDNS based, they might be out of date when OpenWRT boots.
Or is there a syntax to say dest = <our global prefix>::<a known suffix>/128

Use /-64 netmask as shown here: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding

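As an added illustration (not part of the reply above), this is what such a rule looks like in /etc/config/firewall, using the ::f0f0 suffix from the question; the zone names and port are assumptions:

```text
# Allow TCP/22 from WAN to the LAN host whose address ends in ::f0f0,
# whatever the currently delegated /64 prefix is. The negative netmask
# (/-64) tells the OpenWrt firewall to match only the low 64 bits
# (the interface identifier) and ignore the prefix bits, per the
# "dynamic prefix forwarding" example on the wiki page linked above.
config rule
	option name 'Allow-WAN-to-host-f0f0'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp'
	option dest_port '22'
	option dest_ip '::f0f0/-64'
	option target 'ACCEPT'
```

This only stays correct as long as the host keeps a fixed suffix (no SLAAC privacy/temporary addresses for that host), which is what the question already sets up; a full /128 address in dest_ip would silently stop matching the next time the delegated prefix changes.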

Thanks.

This was quite a well hidden trick.
I spent hours searching and reading even Netfilter's man pages. This syntax does not exist elsewhere, and is not documented in https://openwrt.org/docs/guide-user/firewall/firewall_configuration

But it works... or at least is accepted. Now I just need to find a host to test this from.


Try searching for negative netmask in the forum, that should give you some usage examples.


You just need to know where to look at https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples :see_no_evil_monkey:

Yes, even though fw3 is outdated, the syntax is the same... Someone definitely should add that part to the main firewall page after all these years :joy:

Edit ps. Next time I'm more careful with the link review. @AndrewZ already linked there...

