IPv6 and port forwarding

Hi,

I'm running Lede/Openwrt 17.01.4 and have port forwarding set up for ports 22, 80 and 443 to a server. IPv4 addresses are appropriately forwarded to the server but not IPv6 addresses. I.e., running tcpdump on both the router and the server, I see requests hit the router but only IPv4 requests hit the server.

What do I need to do to get port forwarding to work under IPv6?

Thanks!

What does iptables -vL show? Are you seeing drop counters increasing?

Port "forwarding", where packets destined for the router's IP are instead rewritten and forwarded to a private IP on the LAN side, is not necessary under IPv6. What is needed is simply to open up the firewall to allow forwarding traffic to the public IP of the server, as there are plenty of public addresses to go around for everyone (times several thousand trillion).

Suppose 2002::1 is your router and 2002::2 is the server on your LAN you want to make available to the world. Then create a new forwarding rule in LuCI, from WAN to LAN: click add and edit, select the IPv6 family, and allow any address in WAN to access 2002::2 on the destination port you choose, with action "accept".

voila.

Now it's likely that you have issues with your prefix changing, hopefully not too often, but maybe if your power goes out for a day, when your internet comes back up you have a new IPv6 prefix, so you'll want to check and edit this rule after such events. Some people have ISPs that haven't a clue, or are actually malicious, and change the prefix on a regular basis. If you have that, your connection isn't suitable for hosting your own server, or you should use a tunnel.

IPv6 isn't NATed, so you would use Traffic Rules to allow 22, 80 and 443/tcp traffic to the IP.

Otherwise, it is identical to setting up a port forward for an IPv4 NATed address.

Thanks for all the replies.

After playing around, the most restrictive traffic rule that seems to work is to forward all IPv6 requests from wan to the lan IPv6 address. If I try to restrict it to particular ports, it doesn't get forwarded.


Can you post an example of a rule that works and one that doesn't?

This works:

IPv6-traffic
From any host in wan
To IP xxxx:xxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx in lan

This does not:

IPv6-traffic
From any host in wan
To IP xxxx:xxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx in lan at port 80

Can you post the actual config that doesn't work from /etc/config/firewall

The relevant part of /etc/config/firewall is:

config rule
    option target 'ACCEPT'
    option src 'wan'
    option dest 'lan'
    option dest_ip 'xxxx:xxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx'
    option family 'ipv6'
    option dest_port '80'
    option name 'kandinky-80'
    option src_port '80'

Try dropping the source port restriction from your rule.

Clients will be using a random high port (30000+), not 80, when they connect inbound to your webserver.


That works, but the question is how do I configure it for ports 22 and 443?

config rule
    option target 'ACCEPT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '2601:14d:4101:380b:208:9bff:fed0:65af'
    option family 'ipv6'
    option dest_port '80'
    option name 'kandinsky-80'

Nice :+1:.
Just make additional rules, substituting the destination port as needed. I'm not in front of my PC at the moment, but uci config might support a list of ports if you want to be fancy.


Great! I'm puzzled by how it works, since everything gets forwarded to each of these ports. So does it try each one in turn until it gets an accept, and then reject if it gets through all of them without an accept?

Yep, pretty much. In a nutshell it's like a giant if/then/else structure, and it keeps trying the next rule in a chain until it finds one that matches.

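A toy model of the first-match evaluation described in the last reply, run over the kind of rules this thread ends up with (one rule per port, or a port list), as an added example that is not from the thread or from OpenWrt. It embeds a constructed /etc/config/firewall fragment containing the rule that failed (src_port '80') and a working rule for 22, 80 and 443, parses the `config rule` sections, and walks the rules top to bottom for constructed packets. The server address is the one from the posted config; the space-separated `dest_port` list is fw3 syntax as I recall it (check the fw3 documentation for your release before relying on it), and the match semantics are a simplification of the iptables rules fw3 actually emits.

```python
"""Toy model of fw3/iptables first-match rule evaluation for the IPv6
traffic rules in this thread. Added example, not OpenWrt code: the parser
handles only the options used in the thread and the matching is a
simplification of what fw3 generates."""

SERVER = "2601:14d:4101:380b:208:9bff:fed0:65af"  # server address from the thread

# Constructed /etc/config/firewall fragment. The first rule is the one that
# did not work (src_port '80'); the second covers 22, 80 and 443 with a
# space-separated port list (fw3 syntax, assumed here).
FIREWALL_CONFIG = f"""
config rule
    option name 'kandinsky-80-broken'
    option target 'ACCEPT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '{SERVER}'
    option family 'ipv6'
    option proto 'tcp'
    option src_port '80'
    option dest_port '80'

config rule
    option name 'kandinsky-web-ssh'
    option target 'ACCEPT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '{SERVER}'
    option family 'ipv6'
    option proto 'tcp'
    option dest_port '22 80 443'
"""


def parse_rules(text):
    """Parse 'config rule' sections into dicts of option -> value."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config rule"):
            cur = {}
            rules.append(cur)
        elif line.startswith("option ") and cur is not None:
            _, key, value = line.split(None, 2)
            cur[key] = value.strip("'\"")
    return rules


def port_set(spec):
    """Expand '22 80 443' or '8000-8010' into a set of ints."""
    ports = set()
    for item in spec.split():
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_matches(rule, pkt):
    """True if every option present in the rule matches the packet;
    options the rule does not set match anything (as in fw3)."""
    checks = {
        "src":       lambda v: pkt["in_zone"] == v,
        "dest":      lambda v: pkt["out_zone"] == v,
        "family":    lambda v: pkt["family"] == v,
        "proto":     lambda v: pkt["proto"] == v,
        "dest_ip":   lambda v: pkt["dst_ip"] == v,
        "src_port":  lambda v: pkt["src_port"] in port_set(v),
        "dest_port": lambda v: pkt["dst_port"] in port_set(v),
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def evaluate(rules, pkt, default="REJECT"):
    """Walk the chain top to bottom; the first matching rule decides.
    Nothing matched: fall through to the zone forward policy, which is
    REJECT for wan -> lan in the default OpenWrt config."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"], rule.get("name", "?")
    return default, "zone default"


def packet(dst_port, src_port=51234, proto="tcp", dst_ip=SERVER):
    """Constructed inbound packet: a WAN client on an ephemeral source port."""
    return dict(in_zone="wan", out_zone="lan", family="ipv6", proto=proto,
                dst_ip=dst_ip, src_port=src_port, dst_port=dst_port)


if __name__ == "__main__":
    rules = parse_rules(FIREWALL_CONFIG)
    for dport in (22, 80, 443, 8080):
        print(dport, evaluate(rules, packet(dport)))
    # Only a client that happens to source from port 80 hits the broken rule.
    print("src 80:", evaluate(rules, packet(80, src_port=80)))
```

Running it shows why the src_port rule looked dead: a normal client (source port 51234) skips it and is accepted by the second rule, while a request to port 8080, or to any address other than the server's, falls through every rule and ends at the zone's REJECT policy. The rule order also matters in the real chain, so a broad ACCEPT placed above a narrower REJECT wins.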