I have a simple topology with an OpenWrt router and 2 subnets.
config zone 'admins'
	option name 'admins'
	list network 'admins'
	# accept input to the router
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'users'
	option name 'users'
	list network 'users'
	# deny input to the router
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
I create firewall rules to allow DHCP and DHCPv6 as follows:

config rule 'drop_dhcp_wan_localhost'
	option name 'Drop DHCP from WAN to LOCALHOST'
	option src 'wan'
	option proto 'udp'
	# drop regardless of source port
	option dest_port '67'
	option target 'DROP'
	option enabled '1'

config rule 'accept_dhcp_any_localhost'
	option name 'Accept DHCP from ANY to LOCALHOST'
	option src '*'
	option proto 'udp'
	option src_port '68'
	option dest_port '67'
	option target 'ACCEPT'
	option enabled '1'

config rule 'drop_dhcpv6_wan_localhost'
	option name 'Drop DHCPv6 from WAN to LOCALHOST'
	option src 'wan'
	option proto 'udp'
	# drop regardless of source port
	option dest_port '547'
	option target 'DROP'
	option enabled '1'

config rule 'accept_dhcpv6_any_localhost'
	option name 'Accept DHCPv6 from ANY to LOCALHOST'
	option src '*'
	option proto 'udp'
	option src_port '546'
	option dest_port '547'
	option target 'ACCEPT'
	option enabled '1'
On the admins subnet, both DHCP and DHCPv6 work fine (obviously, because it has unrestricted access to the router). On the users subnet, however, only DHCP works. Hosts failed to get prefixes from the router and ended up with a single link-local address (fe80::).

The /etc/config/dhcp configurations are the same for both subnets. What should I allow in /etc/config/firewall for DHCPv6 to work? I think it needs more than just port 547.
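An added example, not part of the original post and not the poster's configuration. The users zone rejects all input to the router except the two UDP rules above, and IPv6 address configuration relies on ICMPv6 before DHCPv6 ever starts: hosts send Router Solicitations to obtain the Router Advertisement that carries the prefix and the managed/other-config flags, and Neighbour Solicitation/Advertisement is required for any unicast IPv6 exchange with the router. OpenWrt's default /etc/config/firewall ships an "Allow-ICMPv6-Input" rule for the wan zone for exactly this reason; the rule below adapts that default to the users zone. The rule name and its option values are my own choices; the ICMPv6 type names are the ones OpenWrt's default rule uses.

```uci
# Added example: accept the ICMPv6 types IPv6 needs from the users zone
# to the router itself (input chain), adapted from OpenWrt's default
# Allow-ICMPv6-Input rule. router-advertisement is deliberately left out:
# the router should not accept RAs from its own downstream clients.
config rule 'allow_icmpv6_users_localhost'
	option name 'Allow ICMPv6 from USERS to LOCALHOST'
	option src 'users'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	# rate limit, as in the OpenWrt default, so a flood cannot exhaust the router
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '1'
```

After `/etc/init.d/firewall restart`, a host on the users subnet should receive a Router Advertisement in reply to its Router Solicitation and then run DHCPv6 against UDP 547, which the existing accept_dhcpv6_any_localhost rule already permits; adding `option family 'ipv6'` to that rule is optional but documents its intent. Watching `tcpdump -ni <users bridge> icmp6` on the router while a client renews shows whether the solicitations are now answered; the set of ICMPv6 types above is the minimum for this use and keeps the zone's input REJECT policy for everything else.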