I use IPv6-PD to assign IPv6 addresses to my LAN devices. How do I configure the firewall? And how do I enable RFC4941 and RFC7217 on the WAN port?

config rule
        option src 'wan'
        option name 'WEB'
        option target 'ACCEPT'
        option family 'ipv6'
        option dest 'lan'
        option proto 'all'

This is how I configure my firewall now, but it looks very insecure.
I have tried to allow only a single TCP port through the firewall, but this seems to make the web server located in my LAN unreachable.

And it is.

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'Allow webserver IN'
        option family 'ipv6'
        option dest_ip 'fc00::....'
        option dest_port '80'
        option proto 'tcp'
        option dest 'lan'

Make sure the server has a non-changing IPv6 address, either with SLAAC or DHCPv6. If the prefix is changing, you can use ::1234:5678:9abc:def0/-64 as dest_ip, where 1234:... is the host part of the IPv6 address.
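A worked example of what the /-64 notation in the rule above does, added here as an illustration (it is not code from this thread, from OpenWrt or from fw3): a negative mask covers the low host bits instead of the high network bits, so the rule keeps matching the same server after the ISP renumbers the delegated prefix, while an exact-address rule silently stops matching. The addresses and the "renumbering" below are constructed sample data.

```python
import ipaddress

FULL = (1 << 128) - 1


def parse_dest_ip(dest_ip: str) -> tuple[int, int]:
    """Turn an fw3-style dest_ip into (value, mask) over the 128-bit address.

    'addr/N'  -> ordinary prefix match: the mask covers the high N bits
    'addr/-N' -> host-part match (the form used in the reply above): the mask
                 covers the low 128-N bits, so the delegated prefix is ignored
    'addr'    -> exact host match
    """
    addr_s, _, mask_s = dest_ip.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if not mask_s:
        mask = FULL
    elif mask_s.startswith("-"):
        prefixlen = int(mask_s[1:])
        if not 0 < prefixlen < 128:
            raise ValueError(f"bad negative mask in {dest_ip!r}")
        mask = (1 << (128 - prefixlen)) - 1          # low (host) bits set
    else:
        prefixlen = int(mask_s)
        if not 0 <= prefixlen <= 128:
            raise ValueError(f"bad prefix length in {dest_ip!r}")
        mask = FULL ^ ((1 << (128 - prefixlen)) - 1)  # high (network) bits set
    return addr & mask, mask


def rule_matches(dest_ip: str, candidate: str) -> bool:
    """Would a rule with this dest_ip match traffic to `candidate`?"""
    value, mask = parse_dest_ip(dest_ip)
    return (int(ipaddress.IPv6Address(candidate)) & mask) == value


def host_part_dest_ip(address: str, prefixlen: int = 64) -> str:
    """Build the '::<host>/-<prefixlen>' dest_ip for a server's current address."""
    if not 0 < prefixlen < 128:
        raise ValueError("prefixlen must be between 1 and 127")
    host = int(ipaddress.IPv6Address(address)) & ((1 << (128 - prefixlen)) - 1)
    return f"{ipaddress.IPv6Address(host)}/-{prefixlen}"


if __name__ == "__main__":
    # Constructed sample: the web server today, and the same host after the ISP
    # hands out a new /64 (the host part stays because it is SLAAC/DHCPv6-fixed).
    server_now = "2001:db8:1:2:1234:5678:9abc:def0"
    server_after_renumber = "2001:db8:ffff:2:1234:5678:9abc:def0"
    neighbour = "2001:db8:ffff:2:1234:5678:9abc:def1"   # another LAN host

    exact_rule = server_now
    host_rule = host_part_dest_ip(server_now)          # '::1234:5678:9abc:def0/-64'
    print("host-part rule:", host_rule)
    for name, rule in (("exact", exact_rule), ("host-part", host_rule)):
        print(f"{name:9} rule matches after renumber: {rule_matches(rule, server_after_renumber)}"
              f", matches neighbour: {rule_matches(rule, neighbour)}")
```

Only the /-64 rule survives the renumbering, and it still does not open port 80 to the neighbour with a different host part. Whatever dest_ip form you pick, the rule is only as selective as the host part, so the server needs a suffix that does not change (static SLAAC token, DHCPv6 reservation), which is exactly the condition the reply above states.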

Does this mean I might reveal my MAC address?
Perhaps I should use a temporary address and update my firewall entries after the temporary address changes.
It seems complicated, but it seems to work; however, I worry about the write life of my ROM.

No, you don't necessarily have to use EUI-64 IPv6 addresses.

That doesn't sound like a good practice. Temporary addresses are used for ephemeral outgoing traffic. Furthermore, you will be killing all established sessions on every firewall reload.

Are there other options?
What is that?

Check ip6ifaceid
https://openwrt.org/docs/guide-user/network/ipv6/start#protocol_static_with_ipv6

If you are worried about IPv6 privacy on your router addressing, see:

There's a method to enable random IPs on the router. Your router's IPv6 address will change on each reboot or interface up/down. Be sure to generate your own secret - do not use the secret shown in that posting!

config host
        option ip '192.168.*.*'
        option mac '*'
        option hostid '1024'
        option duid '*'

Now I get an IPv6 address with a custom suffix through DHCPv6 static address assignment (this seems to require setting the DUID and a hexadecimal custom suffix in hostid), which has been working for me for 12 hours. :grin:
However, when setting the firewall policy in LuCI, I encountered some problems. I could not enter an address like ::1234:5678:9abc:def0/-64 in dest_ip, which may be a LuCI bug. :thinking:
Finally, of course, I used vim over SSH to edit the firewall configuration file. :laughing:

You mean I should enable IPv6 temporary address for router itself?
It looks like a good idea!:grin:


That's right.

I tried the methods they mentioned, but they always failed. Neither RFC4941 nor RFC7217 seemed to be implemented, because after I set net.ipv6.conf.default.stable_secret and net.ipv6.conf.pppoe-wan.addr_gen_mode I still don't seem to get an IPv6 address with a fixed suffix. I got "scope global dynamic noprefixroute", and it seems random; does OpenWrt use "privacy extensions" by default? Logically, "privacy stable addressing" seems to be the better choice, so this is weird. My operator assigned me an IPv6 address with a /64 subnet mask. It seems to support "EUI-64", "privacy extensions" and "privacy stable addressing".
It seems that in the thread you mentioned, they have not successfully implemented RFC4941 and RFC7217.:disappointed_relieved:

Also, I would like to ask, if my client supports it, should I use "Privacy stable addressing" instead of the custom suffix address that I am using now?
:thinking:

In /etc/sysctl.conf:

net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

In /etc/config/network:

        option ip6assign '64'
        option ip6ifaceid 'random'
        option ip6class 'wan6 local'
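To make the difference between the three address types argued about in this thread concrete, here is an added example (not code from the thread, from OpenWrt or from the Linux kernel): an EUI-64 interface identifier derived from a MAC, an RFC4941 temporary identifier that is random, and an RFC7217 stable-privacy identifier computed from the prefix, the interface name and a stable_secret of the form set in /etc/sysctl.conf above. The hash construction used for the RFC7217 F() function is SHA-256 and is an assumption for illustration only; the kernel's addr_gen_mode implementation uses its own hash, so the bytes differ, but the properties shown are the ones the RFC defines: the suffix is fixed for a given prefix and interface, and it changes when the delegated prefix changes. That is why a stable-privacy WAN address never shows a suffix that is "fixed" across renumbering.

```python
import hashlib
import ipaddress
import secrets


def generate_stable_secret() -> str:
    """128 random bits in the xxxx:xxxx:...:xxxx form that stable_secret expects.

    Never reuse a secret from a forum posting; this is how to mint your own.
    """
    return ipaddress.IPv6Address(secrets.token_bytes(16)).exploded


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier: MAC with ff:fe inserted and the
    universal/local bit flipped. Anyone who sees the address learns the MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([b[0] ^ 0x02, b[1], b[2], 0xFF, 0xFE, b[3], b[4], b[5]])
    return int.from_bytes(iid, "big")


def rfc4941_temporary_iid() -> int:
    """RFC4941 temporary identifier: random, with the u/l bit (bit 57 from the
    right) cleared so it can never collide with a globally unique EUI-64."""
    return secrets.randbits(64) & ~(1 << 57)


def rfc7217_iid(prefix: str, net_iface: str, stable_secret: str,
                dad_counter: int = 0) -> int:
    """Illustrative RFC7217 F(Prefix, Net_Iface, DAD_Counter, secret_key).

    Assumption for this example: SHA-256 over the concatenated inputs, low 64
    bits of the digest used as the identifier. The kernel hashes differently,
    but the dependency on the prefix is what matters here.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("RFC7217 identifiers assume a 64-bit interface identifier")
    material = (net.network_address.packed[:8]
                + net_iface.encode()
                + dad_counter.to_bytes(1, "big")
                + ipaddress.IPv6Address(stable_secret).packed)
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:8], "big")


def address(prefix: str, iid: int) -> str:
    """Combine a /64 (or shorter) prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | (iid & ((1 << 64) - 1))))


if __name__ == "__main__":
    # Constructed sample data: a MAC, a fresh secret and two successive ISP prefixes.
    mac = "00:11:22:33:44:55"
    secret = generate_stable_secret()
    old_prefix, new_prefix = "2001:db8:1:2::/64", "2001:db8:ffff:2::/64"

    print("EUI-64       :", address(old_prefix, eui64_iid(mac)), "(reveals the MAC)")
    print("RFC4941 temp :", address(old_prefix, rfc4941_temporary_iid()), "(different each run)")
    a1 = address(old_prefix, rfc7217_iid(old_prefix, "pppoe-wan", secret))
    a2 = address(old_prefix, rfc7217_iid(old_prefix, "pppoe-wan", secret))
    a3 = address(new_prefix, rfc7217_iid(new_prefix, "pppoe-wan", secret))
    print("RFC7217 stable, same prefix twice:", a1, a2, "(identical suffix)")
    print("RFC7217 stable, after renumbering:", a3, "(suffix changes with the prefix)")
```

So "privacy" and "a fixed suffix across prefix changes" are conflicting goals for RFC7217: it hides the MAC and stays stable while the prefix is stable, which is what the "random" ip6ifaceid setting plus a stable_secret buys you on the LAN. If a firewall rule must survive renumbering, the server's suffix has to come from something prefix-independent (a static token or a DHCPv6 hostid), as in the earlier replies.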

LOL

It works!

@rwberger posted the solution and I said it worked!

Don't know what these are - I never mentioned them.

I am using PPPoE. Will these settings work for my network? :thinking:

https://wiki.archlinux.org/index.php/IPv6#Stable_private_addresses

Should. Why not?

EDIT: To be clear, the random setting is for LAN.

I know the RFCs, I dunno why you set those configs. The other thread didn't mention them, and I think it notes that setting individual interfaces may not work.

Actually, I am trying to enable RFC4941 and RFC7217 on the WAN. :disappointed_relieved:

Ummmm... Per the wiki page that @trendy posted above, option ip6ifaceid is only valid for static IPv6 configurations.

But a random host should work if a suffix is given upstream, if you configured the secret.

Feel free to review the provided documentation.

I configured option ip6prefix 'eui64' for PPPoE, but it seems that I don't get a fixed suffix. :sob:

  • I thought you wanted privacy?
  • I thought you set a global secret, so why are you using EUI64?

(You are aware EUI64 is generated from your MAC address, hence not providing privacy, correct?)

:confused:

Huh. You want privacy, so you won't get a fixed suffix... I don't think you can use ip6hint on a dynamic interface, but reqprefix should work on a dynamic wan6.

Maybe you should clarify what you're seeking.

Works fine on my LAN with static protocol and prefix delegated from wan6.


It is not configured on PPPoE interface, but on the LAN.


I actually got the IPv6 address from the PPPoE protocol and it was random, but I think this may be assigned by the ISP's DHCPv6, so I tried to set option ip6prefix 'eui64' in the PPPoE protocol. But as you can see, there is no fixed suffix; at least it reveals that ip6prefix has no effect on PPPoE. :neutral_face: