Hi,
I would like to redirect all my 80/443 WAN6 traffic to my NAS. My NAS has a static lease in IPv4. Is it possible to redirect IPv6 to IPv4?
Best regards.
Port forwarding cannot change the address family (IPv4 to IPv6).
If your NAS supports IPv6, go with the solution proposed by @vgaetera.
Otherwise, you need a proxy to translate the address family, or a VPN tunnel to transport IPv4 within IPv6.
Thanks
But this exposes all my devices...
Another solution could be to have an IPv6 static lease and redirect from the firewall?
But I can't have a static lease on IPv6. I have a static lease on 192.168.1.6 with IP suffix "6", but my IPv6 is fd20:6eec:6e47::938... Shouldn't it be fd20:6eec:6e47::6?
My configuration seems to be missing the duid... But how do I choose the duid value?
No, as long as you specify dest_port.
Yep, but NAT6 is a dirty hack which is best to avoid if possible.
Weird, it should work.
Make sure you have configured it properly, restarted odhcpd and reconnected the client.
Check the active leases:
ubus call dhcp ipv6leases
OK, thanks for the explanations.
Now I have an IPv6 lease on my server:
ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2a01:e34:xxxx:xxxx::yyyy prefixlen 128 scopeid 0x0<global>
inet6 fd20:6eec:6e47::yyyy prefixlen 128 scopeid 0x0<global>
inet6 fe80::d2bf:zzzz:zzzz:wwww prefixlen 64 scopeid 0x20<link>
ether d0:bf:9c:45:e1:30 txqueuelen 1000 (Ethernet)
RX packets 27912 bytes 10044710 (9.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 30186 bytes 17379764 (16.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
I can ping6 and curl my web server on its internal address:
curl -6 -g -k https://[fd20:6eec:6e47::yyyy]
I have opened a route:
config rule
option name '[HTTPs] Deepspace9'
list proto 'tcp'
option src 'wan'
option dest 'lan'
option dest_port '443'
option target 'ACCEPT'
option family 'ipv6'
list dest_ip '2a01:e34:xxxx:xxxx::yyyy'
But I can't curl the public IPv6:
curl -6 -g -k https://[2a01:e34:xxxx:xxxx::yyyy]
Check this:
# Client
ping6 public_ipv6
traceroute6 public_ipv6
curl -6 -v public_ipv6
# Server
netstat -l -n -p | grep -e :443
ss -l -n -p | grep -e :443
curl -6 -v localhost
curl -6 -v public_ipv6
ip6tables-save
nft list ruleset
ping6 public_ipv6_of_openwrt
OK, use default rules called "Allow-ICMPv6-Input"
ping6 public_ipv6_of_server
KO :-(. Use default rule called "Allow-ICMPv6-Forward".
traceroute to public_ipv6_of_server (public_ipv6_of_server), 30 hops max, 80 byte packets
1 _gateway (2001:bc8:xxxx:xxxx::) 1.040 ms 0.933 ms 0.897 ms
2 * * *
3 * * *
4 2001:bc8:xxxx:x::188 (2001:bc8:xxxx:x::188) 1.203 ms 2001:bc8:400:100::66 (2001:bc8:400:100::66) 1.227 ms 1.241 ms
5 * 2001:bc8:xxxx:x::4d (2001:bc8:xxxx:x::4d) 1.119 ms 2001:bc8:400:100::c1 (2001:bc8:400:100::c1) 1.067 ms
6 * * *
7 * 2001:bc8:x:x::10 (2001:bc8:0:2::10) 2.206 ms *
8 * * *
9 * * *
10 * * *
11 * * *
12 public_ipv6_of_server (public_ipv6_of_server) 17.194 ms * 17.038 ms
OK.
curl -g -v -k -6 https://\[public_ipv6_of_server\]
* Rebuilt URL to: https://[public_ipv6_of_server]/
* Trying public_ipv6_of_server...
* TCP_NODELAY set
* connect to public_ipv6_of_server port 443 failed: Connection refused
* Failed to connect to public_ipv6_of_server port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to public_ipv6_of_server port 443: Connection refused
KO.
netstat -l -n -p | grep -e :443
tcp6 0 0 :::443 :::* LISTEN 4300/nginx: master
OK.
tcp LISTEN 0 511 *:443 *:* users:(("nginx",pid=4302,fd=27),("nginx",pid=4301,fd=27),("nginx",pid=4300,fd=27))
OK.
curl -k -6 https://localhost
OK, after adding "-i lo" rules.
curl -6 -g -k -v https://\[public_ipv6_of_server\]
OK, after adding "-i lo" rules.....
My iptables6 rules on the server:
# Generated by xtables-save v1.8.2 on Mon Nov 9 14:23:22 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s fd20:6eec:6e47::/64 -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachab
But if I disable the firewall (-A INPUT -j ACCEPT), everything works fine...
# Generated by xtables-save v1.8.2 on Mon Nov 9 14:25:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s fd20:6eec:6e47::/64 -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
# Completed on Mon Nov 9 14:25:24 2020
For me, the issue is not in the OpenWRT component but in the IPv6 firewall on my server... But the 80 and 443 rules seem OK...
Allow ICMPv6 from anywhere as IPv6 heavily relies on it.
Also, it's a bad idea to configure firewall manually from scratch unless you are an expert.
I recommend using higher-level firewall management tools such as firewalld that generate the proper rule set by default.
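The posted server ruleset accepts ICMPv6 only from fd20:6eec:6e47::/64, so ICMPv6 from any other source, including the link-local (fe80::/10) addresses used by neighbour discovery, falls through to the final REJECT. As an added example (not part of the thread), this shell check flags that pattern in an ip6tables-save dump; the function names and the two sample rulesets, modelled on the ones posted above, are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag an INPUT chain where ICMPv6 reaches a catch-all
# REJECT/DROP before any unrestricted ICMPv6 ACCEPT.

# Reads ip6tables-save text on stdin; prints "ok" or "icmpv6-restricted".
# Heuristic: a rule is "catch-all" when it has no -p/-s/-d/-i/-m match,
# and an ICMPv6 ACCEPT is "narrowed" by -s or --icmpv6-type.
audit_icmpv6() {
    awk '
        $1 == ":INPUT" { policy = $2 }
        $1 == "-A" && $2 == "INPUT" && verdict == "" {
            icmp     = ($0 ~ /-p (ipv6-icmp|icmpv6|58)( |$)/)
            narrowed = ($0 ~ / -s / || $0 ~ /--icmpv6-type/)
            catchall = ($0 !~ / -(p|s|d|i|m) /)
            if ($0 ~ /-j ACCEPT( |$)/) {
                if ((icmp && !narrowed) || catchall) verdict = "ok"
            } else if (catchall && $0 ~ /-j (REJECT|DROP)( |$)/) {
                verdict = "icmpv6-restricted"
            }
        }
        END {
            # No deciding rule: the chain policy applies.
            if (verdict == "") verdict = (policy == "ACCEPT") ? "ok" : "icmpv6-restricted"
            print verdict
        }
    '
}

# Constructed sample: ICMPv6 accepted from the ULA prefix only.
rules_before() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s fd20:6eec:6e47::/64 -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}

# Constructed sample: same rules with ICMPv6 accepted from anywhere.
rules_after() { rules_before | sed 's/-s fd20:6eec:6e47::\/64 //'; }

echo "before: $(rules_before | audit_icmpv6)"
echo "after:  $(rules_after | audit_icmpv6)"
```

On a live server the same function can be fed with `ip6tables-save | audit_icmpv6`.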
I use OpenMediaVault, I setup firewall with the WebUI.
It works after adding ICMP6.
THK !!!