Internal Dyndns redirect to Luci with IPv6

Hello community,
im trying to install Nextcloud AIO at home on a Debian VM on a Proxmox server and OpenWRT router.
I get 20/20 at ip6-test.com testing with a Debian Desktop for instance.

The problem now is that when I try to reach my new Nextcloud via its URL, I get redirected to LuCI.

So I searched around and thought I could solve it by adding hostnames under DHCP and DNS. I tried with both the IPv4 and the IPv6 address of the VM that Docker is running on, but no luck.

From WAN (via GSM) everything is reachable and fine; it's only when I connect with a browser from the LAN that I get redirected to the OpenWrt router. It works via IPv6 until I get disconnected from my ISP (DTAG), which leads to new IPv6 addresses. How can I ensure that the port forwarding in OpenWrt gets "updated"?

Adding my external DynDNS domain to the rebind protection didn't help either, but I probably did it wrong anyway.

So here is my config so far, i appreciate any help :).

Router ipv4: 192.168.178.1
VM with Docker and NC ipv4: 192.168.178.46 (Reachable via 80 and 443 from WAN)

/etc/config/network/

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3b:ec65:a318::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.1'
	option ip6assign '64'

config device
	option name 'eth0.2'
	option macaddr 'c0:'

config interface 'wan'
	option device 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '2606:4700:4700::1111'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device '@wan_6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 
	option ip6assign '64'
	list addresses '192.168.20.1/24'
	list addresses 'fd42:42:42::1/64'
	option listen_port ''
	option mtu '1280'
	list ip6class 'wan6'

I redacted some parts like VPN and some standard stuff.

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'



config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'



config include
	option path '/etc/firewall.user'


config rule

config rule
	option name 'wgv6test'
	option family 'ipv6'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port ''

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nextcloud'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.178.46'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'V6httpsTest'
	option family 'ipv6'
	option src 'wan'
	option src_dport '443'
	option dest_ip '2003:c7:4fff:3f6c:be24:11ff:fe17:495'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NextcloudHttp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.178.46'
	option dest_port '80'


Forget to mention a thing.

This is what a nslookup on my domain gives me.

nslookup TEST.dynv6.net
Server:		192.168.178.1
Address:	192.168.178.1#53

Name:	TEST.dynv6.net
Address: 192.168.178.46
Name:	TEST.dynv6.net
Address: 2003:c7:4fff:596:cdb8:fa88:c47c:a040

The IPv6 address is the correct WAN address, until next reconnect. So is there a way to get a "fixed" IPv6 address on the Debian VM and point to that from inside LAN?

ifconfig of the Debian VM interface:

ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.46  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 2003:c7:4fff:596:be24:11ff:fe17:495  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::be24:11ff:fe17:495  prefixlen 64  scopeid 0x20<link>
        ether bc:24:11:17:04:95  txqueuelen 1000  (Ethernet)
        RX packets 78296  bytes 32340864 (30.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30545  bytes 11283522 (10.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Tried to add the following to my config under lan

        option ip6assign '64'
        option ip6ifaceid 'random'
        option ip6hint '2'
        list ip6class 'wan6 lan'

But that doesn´t work either.

If you are connecting to the internal server from the internet, then you'd need to use the IPv6 address of the internal server, the one ending in :495.
If you wish to connect by hostname, then you need to create a AAAA record for DNS on the authoritative nameserver for this domain for the hostname pointing it to the same IP. By default port forwarding doesn't work on IPv6.


Well connecting to the internal server from the internet is already working.

The thing is that i cannot connect to the hostname when im in LAN. From outside everything is fine with v4 and v6 it seems.

As @trendy said, the IP6 registered for the server needs to be its own IP; the one that ends in 495. In IPv6 properly deployed, every LAN machine has a unique public (GUA) IP that is directly reachable from the Internet, firewall permitting. The router firewall should be configured to not allow such incoming traffic to user endpoints though, and indeed the default configuration allows no incoming forwards.

The router's wan IPv6 address is used only for traffic that originates or terminates inside the router, such as VPN tunnels or NTP requests. "Port forwarding" is not necessary as it is with IPv4, since the ISP routes a whole block of unique possible IPv6 destination addresses to your house, not just one as it is with IPv4.

Then IPv6 access to the server from inside on the same LAN will work immediately, as it is a simple case of two machines with different IPs on the same link. Such traffic doesn't even touch the firewall, and usually gets hardware switched bypassing the router for maximum speed. The internal client can get the IP from an external name server as the server's IP6 is the same for internal or external access.

For v6 access from outside to work you need the router to not be doing NAT6, and install a regular wan->lan forward rule allowing connections to the IP of the server. This rule can also be port specific, but it is not called a port forward, it is just a regular forward.

As your prefix may change, the destination IP should be written to match the interface identifier only, using the negative prefix length syntax. Then the firewall does not need to be changed if the prefix changes. Of course the dynamic DNS needs to update with the new prefix.


You can create an appropriate hostname entry for the internal network.

How to configure that exactly and where?

@trendy
I tried, for ipv4 and ipv6, but it only works from time to time. Sometimes i can access my cloud internally, most of the times its not working atm.

Edit:
So I still have the problem that internally it routes to my router instead of to the cloud, regardless of what I enter under DHCP hosts. Connecting via IP directly is not possible.

If it is working from time to time you may want to check that the client is using the correct DNS server all the time.

That is definitely a tick into the right direction. When i manipulate my /etc/hosts on my Desktop to make it to fd_and_so_on:: external.domain it works.

Still i don´t know why it´s not working when i manually set it to that address.

see me config/dhcp here
I have also added some traffic rules as you mentioned.

# dnsmasq options for the router's LAN resolver, as posted in the thread.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# NOTE(review): '0' switches off dnsmasq's DNS-rebinding filter for every domain, so upstream
	# answers that point at private addresses are handed to LAN clients unfiltered.
	# A narrower setting is to keep this at '1' and whitelist only the DynDNS name with a
	# `list rebind_domain` entry.
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option nonwildcard '0'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '0'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan6'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
	option interface 'wan6'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


config host
	option name 'PROXMOXHOME'
	option dns '1'
	option mac '70:85:C2:CA:6C:05'
	option ip '192.168.178.44'

config host
	option duid '000100012D1CA06BBC241163A49D'
	option mac 'BC:24:11:63:A4:9D'

config host
	option name 'OMV7'
	option duid '00020000ab1113f4c4ad5951b9f2'
	option mac 'BC:24:11:17:04:95'
	option ip '192.168.178.46'
	option leasetime 'infinite'
	option dns '1'

# Local DNS overrides: the router's dnsmasq answers this name with the addresses below.
# NOTE(review): the server's ULA in the ifconfig output posted later in the thread is
# fd3b:ec65:a318:3::46 (subnet 3); the value here has no subnet part — confirm which address
# the VM actually holds, otherwise LAN clients that pick the AAAA answer will not reach it.
config domain
	option name 'myhost.dynv6.net'
	option ip 'fd3b:ec65:a318::46'

# IPv4 counterpart of the same override, pointing at the VM's LAN address.
config domain
	option name 'myhost.dynv6.net'
	option ip '192.168.178.46'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'




config rule

config rule
	option name 'wgv6test'
	option family 'ipv6'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '51902'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nextcloud'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.178.46'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'V6httpsTest'
	option family 'ipv6'
	option src 'wan'
	option src_dport '443'
	option dest_ip 'fd3b:ec65:a318::46'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NextcloudHttp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.178.46'
	option dest_port '80'

config rule
	option name 'HTTPSTrafficRuleTest'
	option src 'wan'
	option src_port '443'
	list dest_ip '192.168.178.46'
	list dest_ip 'fd3b:ec65:a318::46'
	option dest_port '443'
	option target 'ACCEPT'

config rule

config rule
	option name 'HTTPTRAFFICRULETEST'
	option src 'wan'
	option src_port '80'
	list dest_ip '192.168.178.46'
	list dest_ip 'fd3b:ec65:a318::46'
	option dest_port '80'
	option target 'ACCEPT'

Go to dnsleaktest.com to find out which nameservers your browser is using.

It seems like I was too impatient. After adding the IP addresses to hosts and restarting the dnsmasq service on OpenWrt and on my Debian client, it's working.

At least for now.

Happy new year, btw! :tada:

Well no, it's not working. As long as I'm not faking /etc/hosts with the fdXX address, it's not working reliably in the local LAN.

So i guess i have to fix this first with dnsmasq on the router right?

It looks like you're trying to use the wan as v6 relay mode, but not properly. First I would check if the ISP provides a routable prefix. If they do you can set up Ipv6 properly so that the server machine has a GUA and a route to it. In that case it would be unnecessary to use ULAs at all. Even if you have to use relay mode on a single /64 from the ISP, it should still work without ULAs. Only if the ISP is only giving you a single /128 would it be necessary to NAT.

Run ifstatus wan6 and/or ifstatus wan_6 to see if a prefix is present.

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 90501,
	"l3_device": "pppoe-wan",
	"proto": "dhcpv6",
	"device": "pppoe-wan",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2003:c7:4fff:24c7:c94a:cbbc:fd77:6b64",
			"mask": 64,
			"preferred": 1768,
			"valid": 14368
		}
	],
	"ipv6-prefix": [
		{
			"address": "2003:c7:4f30:7c00::",
			"mask": 56,
			"preferred": 82305,
			"valid": 82305,
			"class": "wan6",
			"assigned": {
				"WG0": {
					"address": "2003:c7:4f30:7c00::",
					"mask": 64
				},
				"lan": {
					"address": "2003:c7:4f30:7c03::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::2a8a:1cff:fee3:202c",
			"metric": 512,
			"valid": 1768,
			"source": "2003:c7:4f30:7c00::/56"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::2a8a:1cff:fee3:202c",
			"metric": 512,
			"valid": 1768,
			"source": "2003:c7:4fff:24c7:c94a:cbbc:fd77:6b64/64"
		}
	],
	"dns-server": [
		"2003:180:2:4000::53",
		"2003:180:2:3000::53"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202003018000024000000000000000005320030180000230000000000000000053"
	}
}

The ISP is running a /56 prefix. Relay mode should not be used. Change dhcp wan6 to be ignore. (the same as v4).

The LAN has a prefix of XXXX:XXXX:XXXX:XX03::/64 (the Xs are the 56 bits assigned by the ISP and may change; the 03 is assigned by OpenWrt(*)). Your server machine and your PC should both have IPs with this prefix. The ddns should have registered the server machine's IPv6, not the router's. If you use a public DNS on the PC to look up the server, it should get this GUA, which can then be accessed directly on the LAN.

To allow the server to be accessed from outside, you will need to add a firewall rule:

# Plain wan->lan forward rule (no DNAT): admits IPv6 traffic to one LAN host.
# As written it has no proto or dest_port, so every protocol and port on that host becomes
# reachable from the internet. To expose only the web service, add
# `option proto 'tcp'` and `option dest_port '80 443'`.
config rule
    option src 'wan'
    option dest 'lan'
    option family 'ipv6'
    # Negative prefix length: only the rightmost 72 bits are compared (subnet byte 03 plus the
    # 64-bit interface ID), so the rule keeps matching when the ISP-assigned /56 changes.
    option dest_ip '::03:YYYY:YYYY:YYYY:YYYY/-72'
    option target 'ACCEPT'

where the Ys are the server machine's interface ID (last 64 of its IPv6).

(*) It's a good practice to add ip6hint '03' to the lan configuration to be sure this does not change if more interfaces are added.


Hi,
okay here´st my server´s ifconfig:

ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.46  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::be24:11ff:fe17:495  prefixlen 64  scopeid 0x20<link>
        inet6 fd3b:ec65:a318:3:be24:11ff:fe17:495  prefixlen 64  scopeid 0x0<global>
        inet6 2003:c7:4f35:1903:be24:11ff:fe17:495  prefixlen 64  scopeid 0x0<global>
        inet6 fd3b:ec65:a318:3::46  prefixlen 128  scopeid 0x0<global>
        inet6 2003:c7:4f35:1903::46  prefixlen 128  scopeid 0x0<global>
        ether bc:24:11:17:04:95  txqueuelen 1000  (Ethernet)
        RX packets 140243  bytes 42911589 (40.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 102758  bytes 155970140 (148.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

What about an AAAA record with this fd3b:ec65:a318:3::46, would this work as well? Or is the 2003:c7:4f35:1903::46 the right address? Im confused..

Anyway, i have to "build" the dest_ip which would be that in this case?
And this address got to be resolved by nslookup besides the 2003:XXX address i get from my provider, or has it to be only that one address?

::3:be24:11ff:fe17:495

What is the story behind that / -72?

An AAAA record maps a name to an IPv6 address. If you use the fdxx address, it is a ULA (private), so you cannot use it from the internet, only in dnsmasq. The 2003: address is public, so it can be used from the internet.


Prefix -72 means to match 72 bits starting from the right side (which are the bits that determine which machine in your LAN) and ignore the 56 on the left side, which are the prefix from the ISP that you don't control.

A conventional prefix matches from the left side.

Ok, so here is what my config/firewall now is looking like. I tried to inset the PrefixForwardingRule, but i guess it´s not correct.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG0'

config forwarding
	option src 'VPN'
	option dest 'lan'

config forwarding
	option src 'VPN'
	option dest 'wan'

config nat
	option name 'VPN'
	list proto 'all'
	option src 'lan'
	option src_ip '192.168.20.0/24'
	option target 'MASQUERADE'

config redirect
	option target 'DNAT'
	option name 'WIREGUARD'
	option src 'wan'
	option dest 'VPN'
	option dest_ip '192.168.178.1'
	option src_dport '51902'

config rule
	option name 'wgv6test'
	option family 'ipv6'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '51902'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nextcloud'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.178.46'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'V6httpsTest'
	option family 'ipv6'
	option src 'wan'
	option src_dport '443'
	option dest_ip 'fd3b:ec65:a318:3::c65'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NextcloudHttp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.178.46'
	option dest_port '80'

# Forward rule intended to admit IPv6 traffic from wan to the server independent of the
# ISP-assigned prefix.
config rule
	option name 'IPV6DynamicPrefixRouting'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	# No dest_port is set, so every TCP and UDP port on the matched host is open to wan.
	# For a web server, `option proto 'tcp'` with `option dest_port '80 443'` limits the exposure.
	option proto 'tcp udp'
	option target 'ACCEPT'
	# NOTE(review): '3::46' expands to 0003:0:0:0:0:0:0:0046, which puts the 3 in the first
	# hextet, inside the bits that /-72 ignores. The compared subnet byte is therefore 00, not 03,
	# and the server's ...:1903::46 address from the ifconfig output does not match.
	# The interface-side form would be '::3:0:0:0:46/-72', or '::3:be24:11ff:fe17:495/-72'
	# if the DynDNS record carries the SLAAC address instead.
	list dest_ip '3::46/-72'


# Test rule for HTTPS towards the server.
config rule
	option name 'HTTPSTrafficRuleTest'
	option src 'wan'
	# NOTE(review): src_port matches the *client's* source port. Remote browsers connect from
	# ephemeral ports, so requiring 443 here means the rule matches almost no real traffic.
	option src_port '443'
	option dest_port '443'
	option target 'ACCEPT'
	# No `option dest` is set — presumably this is evaluated as an input rule rather than a
	# forward to lan; confirm.
	# The fe80:: (link-local) and fd3b: (ULA) entries are not routable from the internet,
	# so they cannot be the destination of wan traffic.
	list dest_ip '192.168.178.46'
	list dest_ip 'fe80::be24:11ff:fe17:495'
	list dest_ip 'fd3b:ec65:a318:3::46'

# Test rule for HTTP towards the server.
config rule
	option name 'HTTPTRAFFICRULETEST'
	option src 'wan'
	# NOTE(review): src_port is the client's source port, which is normally ephemeral,
	# so requiring 80 here means ordinary browser traffic will not match.
	option src_port '80'
	option dest_port '80'
	option target 'ACCEPT'
	# Link-local (fe80::) and ULA (fd3b:) destinations are not reachable from wan; of the
	# addresses shown in the thread, only the server's GUA is a valid target for inbound IPv6.
	list dest_ip '192.168.178.46'
	list dest_ip 'fe80::be24:11ff:fe17:495'
	list dest_ip 'fd3b:ec65:a318:3::46'


Well with these two following Rules (first Port Forwarding, second Traffic rule) it´s working from outside testing with https://ready.chair6.net and http://www.ipv6scanner.com/cgi-bin/main.py. Ports are open etc..

Thing is that im not clever enough to build this prefix routing address.