IPv6 and port forwarding to IPv4

Hi,

I would like to redirect all my 80/443 WAN6 traffic to my NAS. My NAS has a static lease in IPv4. Is it possible to redirect IPv6 to IPv4?

Best regards.

Not really.
This is the easiest option:
Dynamic prefix forwarding
Or consider setting up NAT6.

Port forwarding cannot change the address family (IPv4 to IPv6).
If your NAS supports IPv6, go with the solution proposed by @vgaetera.
Otherwise, you need a proxy to translate the address family, or a VPN tunnel to transport IPv4 within IPv6.

Thanks

But this exposes all my devices...

Could another solution be to have an IPv6 static lease and redirect from the firewall?

But I can't get a static lease on IPv6. I have a static lease on 192.168.1.6 with IP suffix "6", but my IPv6 is fd20:6eec:6e47::938... Should it be fd20:6eec:6e47::6?

My configuration seems to be missing the duid... But how do I choose the duid value?

No, as long as you specify dest_port.

Yep, but NAT6 is a dirty hack which is best to avoid if possible.

Weird, it should work.
Make sure you have configured it properly, restarted odhcpd and reconnected the client.

Check the active leases:

ubus call dhcp ipv6leases

OK, thanks for the explanations.

Now I have an IPv6 lease on my server:

ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
       inet6 2a01:e34:xxxx:xxxx::yyyy prefixlen 128  scopeid 0x0<global>
       inet6 fd20:6eec:6e47::yyyy prefixlen 128  scopeid 0x0<global>
       inet6 fe80::d2bf:zzzz:zzzz:wwww prefixlen 64  scopeid 0x20<link>
       ether d0:bf:9c:45:e1:30  txqueuelen 1000  (Ethernet)
       RX packets 27912  bytes 10044710 (9.5 MiB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 30186  bytes 17379764 (16.5 MiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
       device interrupt 16

I can ping6 and curl my web server on the internal address:

curl -6 -g -k https://[fd20:6eec:6e47::yyyy]

I have opened the route:

config rule
        option name '[HTTPs] Deepspace9'
        list proto 'tcp'
        option src 'wan'
        option dest 'lan'
        option dest_port '443'
        option target 'ACCEPT'
        option family 'ipv6'
        list dest_ip '2a01:e34:xxxx:xxxx::yyyy'

But I can't curl the public IPv6:

curl -6 -g -k https://[2a01:e34:xxxx:xxxx::yyyy]

Check this:

# Client
ping6 public_ipv6
traceroute6 public_ipv6
curl -6 -v public_ipv6

# Server
netstat -l -n -p | grep -e :443
ss -l -n -p | grep -e :443
curl -6 -v localhost
curl -6 -v public_ipv6
ip6tables-save
nft list ruleset
ping6 public_ipv6_of_openwrt

OK, use default rules called "Allow-ICMPv6-Input"

ping6 public_ipv6_of_server

KO :-(. Use default rule called "Allow-ICMPv6-Forward".

traceroute to public_ipv6_of_server (public_ipv6_of_server), 30 hops max, 80 byte packets
 1  _gateway (2001:bc8:xxxx:xxxx::)  1.040 ms  0.933 ms  0.897 ms
 2  * * *
 3  * * *
 4  2001:bc8:xxxx:x::188 (2001:bc8:xxxx:x::188)  1.203 ms 2001:bc8:400:100::66 (2001:bc8:400:100::66)  1.227 ms  1.241 ms
 5  * 2001:bc8:xxxx:x::4d (2001:bc8:xxxx:x::4d)  1.119 ms 2001:bc8:400:100::c1 (2001:bc8:400:100::c1)  1.067 ms
 6  * * *
 7  * 2001:bc8:x:x::10 (2001:bc8:0:2::10)  2.206 ms *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  public_ipv6_of_server (public_ipv6_of_server)  17.194 ms *  17.038 ms

OK.

 curl -g -v -k -6  https://\[public_ipv6_of_server\]
* Rebuilt URL to: https://[public_ipv6_of_server]/
*   Trying public_ipv6_of_server...
* TCP_NODELAY set
* connect to public_ipv6_of_server port 443 failed: Connection refused
* Failed to connect to public_ipv6_of_server port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to public_ipv6_of_server port 443: Connection refused

KO.

netstat -l -n -p | grep -e :443
tcp6       0      0 :::443                  :::*                    LISTEN      4300/nginx: master

OK.

tcp                LISTEN              0                    511                                                                                               *:443                                                     *:*                      users:(("nginx",pid=4302,fd=27),("nginx",pid=4301,fd=27),("nginx",pid=4300,fd=27))

OK.

curl -k -6 https://localhost

OK, after adding "-i lo" rules.

curl -6 -g -k -v https://\[public_ipv6_of_server\]

OK, after adding "-i lo" rules.....

My iptables6 rules on the server:

# Generated by xtables-save v1.8.2 on Mon Nov  9 14:23:22 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s fd20:6eec:6e47::/64 -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachab

But if I disable the firewall (-A INPUT -j ACCEPT), everything works fine...

# Generated by xtables-save v1.8.2 on Mon Nov  9 14:25:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s fd20:6eec:6e47::/64 -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
# Completed on Mon Nov  9 14:25:24 2020

For me, the issue is not in the OpenWrt component but in the IPv6 firewall on my server... But the 80 and 443 rules seem OK...

Allow ICMPv6 from anywhere as IPv6 heavily relies on it.
Also, it's a bad idea to configure firewall manually from scratch unless you are an expert.
I recommend using higher-level firewall management tools such as firewalld, which generate a proper rule set by default.
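
An added example (not code from the thread): a small first-match simulation of the posted INPUT chain, showing which ICMPv6 senders fall through to the final REJECT when ICMPv6 is only accepted from the ULA prefix. The probe addresses fe80::1 and 2001:db8::1 and all function names are assumptions made for illustration, and the final REJECT line is shortened to its target.

```python
import ipaddress

# Constructed sample: the INPUT chain as posted in the thread (final REJECT shortened).
POSTED = """\
-A INPUT -s fd20:6eec:6e47::/64 -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -j REJECT
"""
# Same chain with ICMPv6 accepted from any source, as the reply recommends.
FIXED = POSTED.replace("-s fd20:6eec:6e47::/64 ", "")
ICMP6_NAMES = {"ipv6-icmp", "icmpv6", "58"}

def parse(line):
    """Split one '-A CHAIN ...' line into {option: value}.
    Assumes every option takes exactly one argument and no '!' negation."""
    tok = line.split()
    return dict(zip(tok[0::2], tok[1::2]))

def icmp6_verdict(ruleset, src, iface="eth0", policy="ACCEPT"):
    """First-match verdict on INPUT for an ICMPv6 packet from src on iface."""
    src = ipaddress.ip_address(src)
    for line in ruleset.splitlines():
        r = parse(line)
        if r.get("-A") != "INPUT":
            continue  # table header, chain policy, COMMIT, comments
        if "-p" in r and r["-p"] not in ICMP6_NAMES:
            continue  # rule is for another protocol (tcp here)
        if "-i" in r and r["-i"] != iface:
            continue
        if "-s" in r and src not in ipaddress.ip_network(r["-s"]):
            continue
        return r["-j"]
    return policy

def audit(ruleset):
    """Check the ICMPv6 senders a forwarded IPv6 service depends on."""
    probes = {  # hypothetical probe addresses, not taken from the thread
        "lan host (ULA)": "fd20:6eec:6e47::1",
        "router link-local (neighbor discovery)": "fe80::1",
        "internet host (echo, packet-too-big)": "2001:db8::1",
    }
    return {name: icmp6_verdict(ruleset, addr) for name, addr in probes.items()}

if __name__ == "__main__":
    for label, rs in (("posted", POSTED), ("fixed", FIXED)):
        print(label, audit(rs))
```

With the posted chain only the ULA sender is accepted; neighbor discovery from a link-local source and ICMPv6 from global addresses both reach the REJECT rule.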

I use OpenMediaVault; I set up the firewall with the WebUI.

You can rely on iptables and ip6tables configs from Fedora.

Working after adding ICMP6.

Thanks!!!