How to allow IPv6 traffic from WAN to reach a LAN server?

I have an OpenWrt router.
I'm trying to access my server over SSH from WAN
I can access the luci interface from https://[2603:8001:xxxx:xxxx::1]/cgi-bin/luci/ or https://192.168.1.1/cgi-bin/luci/ or https://[fd0d:c6f2:a86e::1]/cgi-bin/luci/.

After logging in, under Network -> DHCP and DNS > Static Leases, I added an entry for my server, IPv4 address = 192.168.1.244, IPv6 suffix (hex) = aa64. After saving and applying, and then replugging the ethernet cable:
The Ethernet "ip a" result of the server is:

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether <redacted mac address> brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.1.244😃/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1
       valid_lft 39883sec preferred_lft 39883sec
    inet6 2603:8001:xxxx:xxxx::557☹️/128 scope global dynamic noprefixroute 
       valid_lft 39884sec preferred_lft 39884sec
    inet6 fd0d:c6f2:a86e::557☹️/128 scope global dynamic noprefixroute 
       valid_lft 39884sec preferred_lft 39884sec
    inet6 fd0d:c6f2:a86e:0:3578:d7c0:fa9f:ed79/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2603:8001:xxxx:xxxx:aa15:f2fb:3ea5:5d43/64 scope global dynamic noprefixroute 
       valid_lft 573510sec preferred_lft 573510sec
    inet6 fe80::7511:c83a:fe0e:9ffb☹️/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

I think ☹️557 should be replaced with aa64 in the above report.

I set up port forwarding (from what I heard, this is only done on IPv4): Network > Firewall > Port Forwards > "Incoming IPv4, protocol TCP
From wan
To this device, port 20022
Forward to lan IP 192.168.1.244 port 20022"
Port forwarding to an IPv6 address was not an option.

I set up Traffic Rules: Network > Firewall > Traffic Rules > " Forwarded IPv4 and IPv6, protocol TCP
From wan
To lan, IP 2603:8001:xxxx:xxxx::557, port 20022
Accept forward"

Then, I try to reach the server with ssh on port 20022, using my phone connected to either the wifi or to the mobile network:

on wifi:
😃

~ $ ssh -p 20022   nasadmin@192.168.1.244
nasadmin@192.168.1.244: Permission denied (publickey).

😃

~ $ ssh -p 20022 nasadmin@66.75.xxx.xxx
nasadmin@66.75.xxx.xxx: Permission denied (publickey).

😃

~ $ ssh -p 20022 nasadmin@fd0d:c6f2:a86e::557
nasadmin@fd0d:c6f2:a86e::557: Permission denied (publickey).

☹️

~ $ ssh -vp 20022   nasadmin@2603:8001:xxxx:xxxx::557
OpenSSH_9.1p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /data/data/com.termux/files/usr/etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 2603:8001:xxxx:xxxx::557 [2603:8001:xxxx:xxxx::557] port 20022.
<User Patience Timeout>^C

on mobile network:
😃

~ $ ssh -p 20022 nasadmin@66.75.xxx.xxx
nasadmin@66.75.xxx.xxx: Permission denied (publickey).

☹️

~ $ ssh -vp 20022   nasadmin@2603:8001:xxxx:xxxx::557
OpenSSH_9.1p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /data/data/com.termux/files/usr/etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 2603:8001:xxxx:xxxx::557 [2603:8001:xxxx:xxxx::557] port 20022.
<User Patience Timeout>^C

My server seems to be accessible over IPv4 through normal port forwarding strategies (I did this years ago with a different router software, worked great), but IPv6 DHCP static lease doesn't respond to configuration, and IPv6 traffic rules seem to block the connection.

What am I doing wrong such that the global(?) IPv6 ip of the server never works? How can I make it connect?

Is your OpenWrt router behind an ISP router?

Then your ISP router must either offer IPv6 prefix delegation (in the LuCI interface overview, the WAN must show e.g. a …PD /60, …PD /56 or similar line, but not /64). This is so that OpenWrt can hand out publicly routable IPv6 addresses to clients.

Or you can configure "IPv6 relay".

This is a link-local IP and can't be used to connect from another network. The server must have a GUA IPv6 (the one starting with 2603).
The address you see in ip.me belongs to OpenWrt or another router most likely.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

This is a link-local IP and can't be used to connect from another network. The server must have a GUA IPv6 (the one starting with 2603).

I replaced it with the individual addresses reported by the server's "ip a" command (it runs Debian 11). I think the link-local IP is still useful for connecting to the server from within the house, but hopefully the server's global IP address will be much more useful than the local IP once it actually works.

The address you see in ip.me belongs to OpenWrt or another router most likely.

The router's HTTPS address is https://[2603:8001:xxxx:xxxx::1]/cgi-bin/luci/, which is different from the address that ip.me shows, 2603:8001:xxxx:xxxx::557.

Here's the result of the provided commands on both the server and the router.

nasadmin@FamilyNAS:~$ ubus call system board; uci export network; uci export dhcp; uci export firewall; ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
-bash: ubus: command not found
-bash: uci: command not found
-bash: uci: command not found
-bash: uci: command not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2603:8001:xxxx:xxxx::557/128 scope global dynamic noprefixroute 
       valid_lft 38841sec preferred_lft 38841sec
    inet6 fd0d:c6f2:a86e::557/128 scope global dynamic noprefixroute 
       valid_lft 38841sec preferred_lft 38841sec
    inet6 fd0d:c6f2:a86e:0:3578:d7c0:fa9f:ed79/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2603:8001:xxxx:xxxx:aa15:f2fb:3ea5:5d43/64 scope global dynamic noprefixroute 
       valid_lft 572467sec preferred_lft 572467sec
    inet6 fe80::7511:c83a:fe0e:9ffb/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
::1 dev lo proto kernel metric 256 pref medium
2603:8001:xxxx:xxxx::557 dev eno1 proto kernel metric 100 pref medium
2603:8001:xxxx:xxxx::/64 dev eno1 proto ra metric 100 pref medium
fd0d:c6f2:a86e::557 dev eno1 proto kernel metric 100 pref medium
fd0d:c6f2:a86e::/64 dev eno1 proto ra metric 100 pref medium
fd0d:c6f2:a86e::/48 via fe80::c206:c3ff:fe57:5bfd dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 100 pref medium
default via fe80::c206:c3ff:fe57:5bfd dev eno1 proto ra metric 100 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2603:8001:xxxx:xxxx::557 dev eno1 table local proto kernel metric 0 pref medium
local 2603:8001:xxxx:xxxx:aa15:f2fb:3ea5:5d43 dev eno1 table local proto kernel metric 0 pref medium
local fd0d:c6f2:a86e::557 dev eno1 table local proto kernel metric 0 pref medium
local fd0d:c6f2:a86e:0:3578:d7c0:fa9f:ed79 dev eno1 table local proto kernel metric 0 pref medium
local fe80::7511:c83a:fe0e:9ffb dev eno1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eno1 table local proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
ls: cannot access '/tmp/resolv.*': No such file or directory
ls: cannot access '/tmp/resolv.*/*': No such file or directory
-rw-r--r-- 1 root root 93 Jan  8 21:36  /etc/resolv.conf
-rw-r--r-- 1 root root 21 Dec 17 03:58  /etc/resolv.conf.bak
==> /etc/resolv.conf <==
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver fd0d:c6f2:a86e::1

==> /etc/resolv.conf.bak <==
nameserver 127.0.0.1
head: cannot open '/tmp/resolv.*' for reading: No such file or directory
head: cannot open '/tmp/resolv.*/*' for reading: No such file or directory
nasadmin@FamilyNAS:~$ ssh root@2603:8001:xxxx:xxxx::1
root@2603:8001:xxxx:xxxx::1's password: 


BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@FamilyOpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.10.146",
        "hostname": "FamilyOpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer A7 v5",
        "board_name": "tplink,archer-a7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0d:c6f2:a86e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'ma:cc:ad:dr:es:ss'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option dns '1'
        option mac 'ma:cc:ad:dr:es:ss'
        option name 'FamilyNAS'
        option hostid 'aa64'
        option ip '192.168.1.244'

config host
        option dns '1'
        option mac 'ma:cc:ad:dr:es:ss'
        option ip '192.168.1.245'
        option hostid 'aa65'
        option name 'FamilyNASwifi'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow_SSH_FamilyNAS'
        list proto 'tcp'
        option src 'wan'
        option target 'ACCEPT'
        option dest 'lan'
        option dest_port '20022'
        list dest_ip '2603:8001:xxxx:xxxx::557'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSH_to_FamilyNAS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '20022'
        option dest_ip '192.168.1.244'
        option dest_port '20022'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c206:c3ff:fe57:5bfd/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2603:8001:xxxx:xxxx::1/64 scope global dynamic noprefixroute 
       valid_lft 572338sec preferred_lft 572338sec
    inet6 fd0d:c6f2:a86e::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::c206:c3ff:fe57:5bfd/64 scope link 
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2606:6000:cfc0:2:2df8:1034:b54:8ade/128 scope global dynamic noprefixroute 
       valid_lft 572338sec preferred_lft 572338sec
    inet6 fe80::c206:c3ff:fe57:5bfe/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c206:c3ff:fe57:5bfd/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c206:c3ff:fe57:5bfc/64 scope link 
       valid_lft forever preferred_lft forever
default from 2603:8001:xxxx:xxxx::/64 via fe80::201:5cff:fe74:aa46 dev eth0.2  metric 512 
default from 2606:6000:cfc0:2:2df8:1034:b54:8ade via fe80::201:5cff:fe74:aa46 dev eth0.2  metric 512 
2603:8001:xxxx:xxxx::/64 dev br-lan  metric 1024 
unreachable 2603:8001:xxxx:xxxx::/64 dev lo  metric 2147483647 
fd0d:c6f2:a86e::/64 dev br-lan  metric 1024 
unreachable fd0d:c6f2:a86e::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2603:8001:xxxx:xxxx:: dev br-lan table local  metric 0 
local 2603:8001:xxxx:xxxx::1 dev br-lan table local  metric 0 
local 2606:6000:cfc0:2:2df8:1034:b54:8ade dev eth0.2 table local  metric 0 
anycast fd0d:c6f2:a86e:: dev br-lan table local  metric 0 
local fd0d:c6f2:a86e::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev eth0.2 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
local fe80::c206:c3ff:fe57:5bfc dev wlan0 table local  metric 0 
local fe80::c206:c3ff:fe57:5bfd dev eth0 table local  metric 0 
local fe80::c206:c3ff:fe57:5bfd dev br-lan table local  metric 0 
local fe80::c206:c3ff:fe57:5bfd dev wlan1 table local  metric 0 
local fe80::c206:c3ff:fe57:5bfe dev eth0.2 table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev eth0.2 table local  metric 256 
multicast ff00::/8 dev wlan1 table local  metric 256 
multicast ff00::/8 dev wlan0 table local  metric 256 
0:      from all lookup local 
32766:  from all lookup main 
4200000000:     from 2603:8001:xxxx:xxxx::1/64 iif br-lan lookup unspec unreachable
lrwxrwxrwx    1 root     root            16 Oct 14 22:44 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Jan  8 07:01 /tmp/resolv.conf
-rw-r--r--    1 root     root           159 Jan  8 04:51 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           159 Jan  8 04:51 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 209.18.47.63
nameserver 209.18.47.62
search san.rr.com
# Interface wan6
nameserver 2001:1998:f00:2::1
nameserver 2001:1998:f00:1::1
root@FamilyOpenWrt:~# 

Looks fine to me.
Can you verify on the server that the packets are received with tcpdump?
Are you running any firewall on the server by any chance?

Looking closer at the page at LuCI > Network > Interfaces, I see that the LAN IPv6 addresses do not match the WAN6 IPv6 addresses!

🟩 LAN 🟩

Type: Bridge
Device: br-lan
Connected: yes
MAC: ma:cc:ad:dr:es:sD
RX: 4.11 GB (8744218 Pkts.)
TX: 33.04 GB (29395676 Pkts.)
(

Type: Software VLAN
Device: eth0.1
Connected: yes
MAC: ma:cc:ad:dr:es:sD
RX: 291.86 MB (1721017 Pkts.)
TX: 6.64 GB (5793975 Pkts.)
Type: Wireless Adapter
Device: wlan0
Connected: yes
MAC: ma:cc:ad:dr:es:sC
RX: 876.39 MB (3096746 Pkts.)
TX: 21.59 GB (18393736 Pkts.)
Type: Wireless Adapter
Device: wlan1
Connected: yes
MAC: ma:cc:ad:dr:es:sD
RX: 3.05 GB (4061200 Pkts.)
TX: 5.42 GB (5732351 Pkts.)

)
br-lan Protocol: Static address
Uptime: 1d 3h 43m 56s
MAC: ma:cc:ad:dr:es:sD
RX: 4.11 GB (8744218 Pkts.)
TX: 33.04 GB (29395676 Pkts.)
IPv4: 192.168.1.1/24
IPv6: 2603:8001:5b01:3f0e::1/64
IPv6: fd0d:c6f2:a86e::1/60

🟫 WAN 🟫

Type: Software VLAN
Device: eth0.2
Connected: yes
MAC: ma:cc:ad:dr:es:sE
RX: 32.84 GB (35701516 Pkts.)
TX: 4.18 GB (8455189 Pkts.)
eth0.2
Protocol: DHCP client
Uptime: 1d 3h 43m 52s
MAC: ma:cc:ad:dr:es:sE
RX: 32.84 GB (35701516 Pkts.)
TX: 4.18 GB (8455189 Pkts.)
IPv4: 66.75.xxx.xxx/20 ⬅️💬 this IP, on port 20022, reaches my server from anywhere in LAN or WAN4 😃
________________⬆️💬 but what is the meaning of the /20?

🟫 WAN6 🟫
Type: Software VLAN
Device: eth0.2
Connected: yes
MAC: ma:cc:ad:dr:es:sE
RX: 32.84 GB (35701516 Pkts.)
TX: 4.18 GB (8455189 Pkts.)
eth0.2
Protocol: DHCPv6 client
Uptime: 1d 3h 43m 49s
MAC: ma:cc:ad:dr:es:sE
RX: 32.84 GB (35701516 Pkts.)
TX: 4.18 GB (8455189 Pkts.)
IPv6: 2606:6000:yyyy:2:xxxx:xxxx:xxxx:xxxx/128 6️⃣ ⬅️📥 I can access the LuCI interface of my router at https://[2606:6000:yyyy:2:xxxx:xxxx:xxxx:xxxx]/cgi-bin/luci/, I just found that out!
IPv6-PD: 2603:8001:xxxx:xxxx::/64 ⬅️💬 I tried to reach my IP at a slightly different IP, ssh -vp 20022 nasadmin@2603:8001:xxxx:xxxx::557, but it never worked. Maybe I should be routing my traffic through the 6️⃣ "IPv6: 2606:6000:yyyy:2:xxxx:xxxx:xxxx:xxxx/128" address instead? But this is the address of the router, so how will the router know to send that traffic to the server? Now I'm confused which address to attempt to access.

While ssh'd into the OpenWrt router:

opkg update
opkg list | grep tcpdump
opkg install tcpdump
tcpdump ip6 proto 6 | grep 20022
<I see the traffic actually getting to the server from some external IP>

From phone on mobile network:

ssh -p 20022 nasadmin@2603:8001:xxxx:xxxx::557
<normal ssh connection, success!>

Note that the 557 should be aa64, but I assume the 557 is the default for the connected device and I am unable to change it from LuCI's static lease settings, which is fine, I guess.

The IPv6 connection seems to work the way I wanted! I will restart the router to make sure it isn't a fluke caused by tcpdump.
Still works!

Thanks very much /u/Pico and /u/trendy for helping me troubleshoot and helping me understand a few missing details of TCP and IPv6, among the other things you've done to help me.

It is the subnet mask in slash notation, the same as 255.255.240.0.

The network assigned on the wan interface is different from the one assigned to the lan interface. They cannot be the same, just as you have 66.75.x.y on wan and 192.168.1.1 on lan.

Your router and your clients will have different IPv6 addresses (might even have a different IPv6 prefix depending on how your ISP configured things), if you query ip.me from a client, you will only see the IPv6 address the client used, not the one used by the router...

I guess you need to configure the client to accept its IPv6 address assignment via DHCP. I ran into similar challenges when trying to get a persistent interface identifier configured for an Ubuntu 22 host in my network.
It turns out you can create a rule in the firewall that will match on the interface identifier (the last 64 bits of an IPv6 address, which clients often assign themselves). That will allow access to internal machines even when the IPv6 prefix changes (helpful if, like in my case, the ISP appears to change the IPv6 prefix every 24 hours; otherwise you would need to change the rule daily).
See:
https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=bba31cce0521e014109fc805671d4cff7ee9dbf6
Basically, in the rule select the current IPv6 address and add a /-64 suffix to have the rule ignore the potentially variable first 64 bits of your IPv6 address.

@AnotherNeko

Have you seen, or did you know, that you can write the firewall rule for IPv6 using only the host part, so you don't need to change your rule in case you get a new prefix? Have a look at https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding

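The host-part match that the two replies above describe, worked through in Python as an added example (this is not code from the thread, from fw3/fw4 or from OpenWrt; it reimplements the documented semantics so the effect of a `/-64` suffix can be checked offline). The rule syntax `::<host>/-64` is assumed from the linked fw3 commit and wiki page, the `rule_matches`/`uci_rule_snippet` names are mine, and the sample address list is constructed from the server's "ip -6 addr" output in the thread with the redacted GUA prefix replaced by the documentation prefix 2001:db8:1:2.

```python
# Added example: host-part ("negative prefix length") matching for OpenWrt
# firewall IPv6 rules. NOT code from the thread, fw3/fw4 or OpenWrt; it
# reimplements the documented semantics so a rule can be checked offline.
# Rule syntax assumed from the linked fw3 commit: '::<host>/-64'.
import ipaddress

FULL = (1 << 128) - 1


def parse_rule(rule: str):
    """Split 'addr', 'addr/len' or 'addr/-len' into (int address, int length).

    No suffix means an exact /128 match, which is how the thread's original
    rule ('2603:8001:xxxx:xxxx::557') behaves.
    """
    addr_s, _, plen_s = rule.partition("/")
    return int(ipaddress.IPv6Address(addr_s)), (int(plen_s) if plen_s else 128)


def mask_for(plen: int) -> int:
    """Bits that take part in the comparison.

    A non-negative length keeps the top `plen` bits (ordinary prefix match);
    a negative length keeps the low `-plen` bits (host-part match), so for
    '/-64' the ISP-assigned prefix in the top 64 bits is ignored.
    """
    if plen >= 0:
        return FULL ^ ((1 << (128 - plen)) - 1)
    return (1 << -plen) - 1


def rule_matches(rule: str, address: str) -> bool:
    """True if `address` would be hit by a firewall dest_ip of `rule`."""
    rule_addr, plen = parse_rule(rule)
    m = mask_for(plen)
    return (rule_addr & m) == (int(ipaddress.IPv6Address(address)) & m)


def matching_addresses(rule: str, addresses):
    """Subset of `addresses` that `rule` matches, in input order."""
    return [a for a in addresses if rule_matches(rule, a)]


def uci_rule_snippet(name: str, host_part: str, port: int) -> str:
    """Render a wan->lan accept rule keyed on the host part only.

    With '::<host>/-64' the rule survives a prefix change by the ISP; the
    option names mirror the Allow_SSH_FamilyNAS rule shown in the thread.
    """
    return "\n".join([
        "config rule",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        "\toption dest 'lan'",
        "\tlist proto 'tcp'",
        f"\toption dest_port '{port}'",
        f"\tlist dest_ip '::{host_part}/-64'",
        "\toption family 'ipv6'",
        "\toption target 'ACCEPT'",
    ])


# Constructed sample: the server's addresses from the thread's "ip -6 addr"
# output, GUA prefix replaced by the documentation prefix 2001:db8:1:2
# (the ULA prefix fd0d:c6f2:a86e is the one shown on the page).
SERVER_ADDRS = [
    "2001:db8:1:2::557",                     # DHCPv6 lease, GUA
    "fd0d:c6f2:a86e::557",                   # DHCPv6 lease, ULA
    "2001:db8:1:2:aa15:f2fb:3ea5:5d43",      # SLAAC address, GUA
    "fd0d:c6f2:a86e:0:3578:d7c0:fa9f:ed79",  # SLAAC address, ULA
]

if __name__ == "__main__":
    for rule in ("2001:db8:1:2::557", "::557/-64", "::aa64/-64"):
        print(f"{rule:>20}  ->  {matching_addresses(rule, SERVER_ADDRS)}")
    print(uci_rule_snippet("Allow_SSH_FamilyNAS_v6", "557", 20022))
```

Run stand-alone it shows three things a practitioner wants to confirm before relying on such a rule: the exact-address rule hits only the one GUA lease, the `::557/-64` rule hits the DHCPv6 lease under both the GUA and the ULA prefix (so it keeps working after a prefix change), and a rule written for the intended `aa64` suffix hits nothing at all, because on this server the lease came up as `::557`. The SLAAC addresses are never matched by a host-part rule, so the server needs a stable interface identifier (a DHCPv6 lease, as in the thread) for this approach to be useful.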
