Ipv6: allow port on wan

Hi, I'm trying to open port 5000 on wan but it's not working. The ISP-delegated IPv6 prefix is getting allocated to the respective hosts.

Since the IP address is dynamic, I have created a firewall rule with the destination address represented in negative netmask notation. Also, for the DHCP lease, I have a static suffix 200 added against the host and the same is getting allocated every time.

The firewall rule is as below:

config rule
	option dest_port '5000'
	option src 'wan'
	option name 'test'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'lan'
	list proto 'tcp'
	list dest_ip '::200/-16'

If I hard-code the complete IPv6 address of the host in the above rule, it's working fine though. Please help.

I referenced the below documentation:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding
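As an added illustration (not code from the thread or from OpenWrt), here is a small Python model of what a `dest_ip` entry with a negative netmask expresses according to the wiki page linked above: a positive length is an ordinary CIDR prefix that compares the leading bits, while a negative length compares only the trailing bits, so the delegated prefix can change without breaking the rule. The thread itself reports that in practice only `-64` and full addresses matched, so read this as the intended semantics of the notation rather than a test of fw3's implementation. The prefix and host addresses used below are constructed documentation values.

```python
# Model of fw3-style "list dest_ip" matching with positive and negative
# netmask lengths. Added example, not OpenWrt code; addresses are constructed.
import ipaddress

ALL_ONES = (1 << 128) - 1


def mask_for(length: int) -> int:
    """Bit mask selected by a fw3-style length.

    Positive: the leading `length` bits (normal CIDR prefix).
    Negative: the trailing `-length` bits (host suffix, per the wiki page).
    """
    if not -128 <= length <= 128:
        raise ValueError("prefix length out of range")
    if length >= 0:
        return ALL_ONES ^ ((1 << (128 - length)) - 1)
    return (1 << -length) - 1


def rule_matches(dest_ip_entry: str, address: str) -> bool:
    """True if `address` would match a dest_ip entry such as '::200/-64'.

    An entry without a slash is a full 128-bit address.
    """
    pattern, _, length = dest_ip_entry.partition("/")
    mask = mask_for(int(length) if length else 128)
    want = int(ipaddress.IPv6Address(pattern))
    have = int(ipaddress.IPv6Address(address))
    return (want & mask) == (have & mask)


def address_from_lease(prefix: str, hostid: int) -> str:
    """Address a static DHCPv6 lease with suffix `hostid` gets inside `prefix`
    when every other bit of the interface identifier is zero, i.e. the case
    where a '::<hostid>/-64' rule keeps matching after the prefix changes."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | hostid))


if __name__ == "__main__":
    host = address_from_lease("2001:db8:1:2::/64", 0x200)
    renumbered = address_from_lease("2001:db8:ffff:1::/64", 0x200)
    for entry in ("::200/-64", "::200/-16", "2001:db8:1:2::200"):
        print(f"{entry:>22}  {host}: {rule_matches(entry, host)}  "
              f"{renumbered}: {rule_matches(entry, renumbered)}")
```

To see what a rule actually turned into on the router, `fw3 print` lists the generated ip6tables rules, including the address/mask pair it derived from the `dest_ip` entry.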

Have you tried -64 rather than -16 as the netmask?


Yes, I tried '::200/-64', '::0200/-16' and also '::0200/-64', but nothing worked except for the complete IP address.

I tried mapping the last 32 bits as well, like ::0434:0200/-32 and ::434:200/-32. It didn't work either.

Well, if we configure the complete suffix like below, it works.

list dest_ip '::641e:201a:434:200/-64'

So would the configuration rule accept only a 64-bit suffix or a complete IP address?

That does appear to be the case.


I restarted the wan interface. Both the prefix and the suffix for the host got changed completely, except the last 16 bits of the suffix which I have added in the static DHCP config.

It seems this whole host-based config for IPv6 is broken, given I can't configure a 64-bit suffix for a static lease.

Thanks, for now I'll isolate the host and add a zone-based rule like below. Hope it respects the zone config.

config rule
	option dest_port '5000'
	option src 'wan'
	option name 'test'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest 'app_server'
	list proto 'tcp'

The wiki explicitly states to set up a static DHCPv6 lease.
This makes the destination properly match the prefix/suffix.

Of course we need to set a static suffix, but the problem is you can set only the last 16 bits of the suffix in the static config, and the firewall rule needs the complete 128-bit address or the 64-bit suffix.

When the prefix changes, say on router reboot, the suffix also changes except the last 16 bits, which will make the firewall rule useless.

Sounds like you are doing something wrong as the suffix must not depend on the prefix.
Even if hostid is limited, other bits must remain zero, except for ip6hint which can vary.
But ip6hint only matters for multiple interfaces and it can also be configured statically.

Thanks, this configuration seems to be the issue. I thought it's only for the interface. If I remove random, it will always allocate a ::xxx suffix to all the hosts. This should solve my issue, even though the first 48 bits of the suffix are always zero, or is there a way to configure that as well?

The suffix is empty by default and that should be for a reason.
It would be better to let the hosts decide for themselves what suffix to use.
Modern client OS can automatically apply randomization when required.

I do agree with you. There is this one host that I need to expose on wan and I didn't have a choice. I got this host-based rule working now as expected. Thanks a lot.
