How to configure fw4 nft port forwarding when the interface address changes dynamically

The br-lan interface IPv6 address changes dynamically. It runs a service on port 3306. Traffic incoming from the wan interface on port 13306 is forwarded to port 3306 to reach this service. On the old fw3/ip6tables version, the requirement could be met by adding the following to /etc/firewall.user:

ip6tables -t nat -A PREROUTING -i pppoe-wan -p tcp -d ::2a51:70/::ffff:ffff --dport 13306 -j REDIRECT --to-port 3306
ip6tables -I zone_wan_input 2 -m conntrack --ctstate DNAT -j ACCEPT

I tried adding the following rule to /etc/config/firewall on the new fw4/nft version. It seems to work properly, but as soon as I add option dest_ip '::2a51:70/-96' to restrict the target address suffix, I get: "Section @redirect[1] must not use non-contiguous masks in 'dest_ip'". It seems that suffix matching is not supported.

/etc/config/firewall

config redirect
        option dest 'lan'
        option target 'DNAT'
        option family 'ipv6'
        option src 'wan'
        option src_dport '13306'
        option dest_port '3306'
        option reflection '0'
        # option dest_ip '::2a51:70/-96'
        option proto 'tcp'

So how can this requirement be implemented on the new fw4/nft version, and how can the rule be updated dynamically when the br-lan address changes?

Just add the simplest DNAT-type rule.

The problem seems to be the fw4 redirect rule: destination address suffix matching (negative mask) is not supported. Both option dest_ip '::2a51:70/-96' and option dest_ip '::2a51:70/::ffff:ffff' produce the same message: "Section @redirect[1] must not use non-contiguous masks in 'dest_ip'".

Adding the following to /etc/nftables.d/10-custom-filter-chains.nft achieves the requirement:

chain dstnat_wan {
    # compare only the low 32 bits of the destination address, so the
    # delegated prefix can change without the rule having to be rewritten
    ip6 daddr & ::ffff:ffff == ::2a51:70 tcp dport 13306 redirect to :3306
}

The problem can also be solved by changing option dest_ip to option src_dip. So many similar options are too easy to confuse; I hope the official documentation can describe the differences between the relevant options in detail.

Maybe not applicable to your situation, but this is how I solved IPv6 "port forwarding". I use quotes because it is not port forwarding but port opening!

For IPv6, where your br-lan or other clients have a GUA address, there is no need to port forward. You simply open a port and use a negative netmask to overcome changing prefixes.

As an example, for my WireGuard and OpenVPN server I have added a static IPv6 address:

config host
	option dns '1'
	option name 'EA8500'
	option ip '192.168.0.6'
	option leasetime '6h'
	option duid '00030001c056274533db'
	option hostid '06'   #IPv6 hostid: prefix::6
	list mac 'C0:56:27:45:33:DB'

This will get my server an IPv6 address as prefix::6

Then I open the necessary port in my firewall:

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '55443'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::6/-64'   #<<< negative netmask

Thank you, but the br-lan interface address comes from the IPv6-PD obtained via PPPoE on the wan port. It changes whenever the connection is re-dialed.

Yes, that is the same for me: my PD changes after a reboot, but with the negative netmask the prefix is left out of the equation, so it works regardless of what prefix is delegated.
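The suffix match in the custom nft chain above (ip6 daddr & ::ffff:ffff == ::2a51:70) and the negative netmask in the rule posted later (list dest_ip '::6/-64') rely on the same idea: only the low bits of the address are compared, so the delegated prefix never enters the comparison. The Python below is an added example, not code from this thread or from OpenWrt's fw4. It models that arithmetic with the standard ipaddress module and renders the equivalent nftables expression. It assumes fw4's addr/-N notation means "ignore the top N bits" (keep the low 128-N bits), which is what the ::2a51:70/-96 and ::2a51:70/::ffff:ffff equivalence in the question implies; the sample addresses are constructed from the 2001:db8::/32 documentation range.

```python
#!/usr/bin/env python3
"""Model of IPv6 suffix matching as used by fw4 negative netmasks and by
nftables bitwise matches. Added example; assumes fw4's "/-N" keeps the low
128-N bits of the address (not verified against the fw4 source here)."""
import ipaddress

ALL_ONES = (1 << 128) - 1


def mask_from_prefix(prefix: int) -> int:
    """Return a 128-bit mask.

    A positive prefix /N is ordinary CIDR: the top N bits are compared.
    A negative prefix /-N is the fw4-style suffix match assumed here:
    the top N bits are ignored and only the low 128-N bits are compared,
    e.g. /-64 keeps the interface-identifier half, /-96 the low 32 bits.
    """
    if not -128 <= prefix <= 128:
        raise ValueError("prefix must be between -128 and 128")
    if prefix >= 0:
        return (ALL_ONES << (128 - prefix)) & ALL_ONES
    return ALL_ONES >> -prefix


def parse_suffix_spec(spec: str) -> tuple[int, int]:
    """Parse 'addr', 'addr/N', 'addr/-N' or 'addr/mask' into (value, mask).

    The returned value is already reduced by the mask, so two specs that
    select the same bits compare equal.
    """
    addr, _, mask_part = spec.partition("/")
    value = int(ipaddress.IPv6Address(addr))
    if not mask_part:
        mask = ALL_ONES
    elif mask_part.lstrip("-").isdigit():
        mask = mask_from_prefix(int(mask_part))
    else:
        # explicit (possibly non-contiguous) mask such as ::ffff:ffff
        mask = int(ipaddress.IPv6Address(mask_part))
    return value & mask, mask


def matches(candidate: str, spec: str) -> bool:
    """True if candidate & mask == value, i.e. what nft's '&' match does."""
    value, mask = parse_suffix_spec(spec)
    return int(ipaddress.IPv6Address(candidate)) & mask == value


def nft_match(field: str, spec: str) -> str:
    """Render the nftables expression for a spec, e.g.
    'ip6 daddr & ::ffff:ffff == ::2a51:70' for '::2a51:70/-96'."""
    value, mask = parse_suffix_spec(spec)
    if mask == ALL_ONES:
        return f"{field} {ipaddress.IPv6Address(value)}"
    return f"{field} & {ipaddress.IPv6Address(mask)} == {ipaddress.IPv6Address(value)}"


if __name__ == "__main__":
    # Constructed sample: the same host under two different delegated prefixes,
    # plus a neighbour whose low bits differ.
    for spec in ("::2a51:70/-96", "::2a51:70/::ffff:ffff", "::6/-64"):
        print(f"{spec:>24}  ->  {nft_match('ip6 daddr', spec)}")
    for cand in ("2001:db8:abcd:1::2a51:70", "2001:db8:ffff:2::2a51:70",
                 "2001:db8:abcd:1::2a51:71"):
        print(f"{cand:>28}  matches ::2a51:70/-96: {matches(cand, '::2a51:70/-96')}")
    for cand in ("2001:db8:1::6", "2001:db8:2::6", "2001:db8:1:0:1::6"):
        print(f"{cand:>28}  matches ::6/-64: {matches(cand, '::6/-64')}")
```

Note the last case: 2001:db8:1:0:1::6 does not match ::6/-64 because the whole low 64 bits are compared, not just the final hextet, so a host id must be written out in full. The script only models the match arithmetic; it does not reproduce fw4's validation, which (per the error message quoted in the thread) rejects a non-contiguous mask in the dest_ip of a redirect section while the plain nft expression accepts it.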

IPv6 supports multiple addresses per interface; can't you set a fixed IPv6 address independent of the dynamically delegated one?
