IPV6 port forwarding (or redirect) does not work in Openwrt 23.05

I set up port forwarding according to the tutorial, but it didn't work. Can someone help me?

This is the configuration of the network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:599d:e9d8::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'a4:a9:30:10:e5:c4'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'
	option defaultroute '0'

config interface 'wan4'
	option proto 'dhcp'
	option device 'wan'
	option defaultroute '0'

config interface 'wan'
	option proto 'pppoe'
	option device 'wan'
	option username 'xxx'
	option password 'xxx'
	option ipv6 'auto'
	option peerdns '0'
	list dns '114.114.114.114'

And this is the configuration of the firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan4'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'tailscale'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name '路由器 Web'
	option src 'wan'
	option src_dport '10086'
	option dest_ip 'fd54:599d:e9d8::1'
	option dest_port '443'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option name '路由器 SSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport '122'
	option dest_ip 'fd54:599d:e9d8::1'
	option dest_port '22'
	option dest 'lan'

If you run tcpdump, can you see the incoming traffic?


dest_ip doesn't look ok. What are the IPv6 addresses on the router's LAN interface and on the computer running the web and ssh servers?

Yes, there is inbound traffic, but there was no reply.

root@OpenWrt:~# tcpdump -i pppoe-wan port 10086
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on pppoe-wan, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
13:41:20.246946 IP6 240e:36e:2:eb0f:4bb:5f63:a936:3512.9465 > 240e:368:1003:bd63:8038:7030:d8d2:cec4.10086: Flags [S], seq 2588428034, win 64440, options [mss 1432,nop,wscale 8,nop,nop,sackOK], length 0
13:41:20.247436 IP6 240e:36e:2:eb0f:4bb:5f63:a936:3512.9473 > 240e:368:1003:bd63:8038:7030:d8d2:cec4.10086: Flags [S], seq 1166850686, win 64440, options [mss 1432,nop,wscale 8,nop,nop,sackOK], length 0
13:41:21.260612 IP6 240e:36e:2:eb0f:4bb:5f63:a936:3512.9465 > 240e:368:1003:bd63:8038:7030:d8d2:cec4.10086: Flags [S], seq 2588428034, win 64440, options [mss 1432,nop,wscale 8,nop,nop,sackOK], length 0
13:41:21.260845 IP6 240e:36e:2:eb0f:4bb:5f63:a936:3512.9473 > 240e:368:1003:bd63:8038:7030:d8d2:cec4.10086: Flags [S], seq 1166850686, win 64440, options [mss 1432,nop,wscale 8,nop,nop,sackOK], length 0
13:41:23.265440 IP6 240e:36e:2:eb0f:4bb:5f63:a936:3512.9465 > 240e:368:1003:bd63:8038:7030:d8d2:cec4.10086: Flags [S], seq 2588428034, win 64440, options [mss 1432,nop,wscale 8,nop,nop,sackOK], length 0

emm, "fd54:599d:e9d8::1" is the ULA address of the router. Because there is no device behind the LAN, I use the LuCI web interface to test whether the port forwarding settings are correct. But obviously it won't work :frowning:

I can also confirm that the router can access this address, but forwarding from the WAN access port does not work :frowning:

root@OpenWrt:~# curl [fd54:599d:e9d8::1]
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
        <head>
                <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
                <meta http-equiv="Pragma" content="no-cache" />
                <meta http-equiv="Expires" content="0" />
                <meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
                <style type="text/css">
                        body { background: white; font-family: arial, helvetica, sans-serif; }
                        a { color: black; }

                        @media (prefers-color-scheme: dark) {
                                body { background: black; }
                                a { color: white; }
                        }
                </style>
        </head>
        <body>
                <a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
        </body>
</html>
root@OpenWrt:~#

Is the goal to forward the traffic somewhere behind your router?
Or is remote access to the router what you actually want?


No, just forward the traffic to the router's own port 443, which is the LuCI web server. I also tried to forward to other devices, but it still didn't work properly.

Temp, skip the rule, and simply open port 22 in the fw.
BusyBox binds to all interfaces, so it should be enough to get an answer from outside.

Just be aware of the can of worms you're opening, when not using VPN.

Thank you for your reply, but I don't quite understand the method you provided. Can you be more detailed?

Are the rules actually visible in the firewall ruleset, in LuCI or in rule print?
I am not sure if a space and/or advanced letters are allowed in the rule name...

fw4 print
nft list ruleset

It may be normal; this is the printed content. But this configuration doesn't work.

chain dstnat_wan {
                meta nfproto ipv6 tcp dport 10086 counter packets 12 bytes 864 dnat ip6 to [fd54:599d:e9d8::1]:443 comment "!fw4: 路由器 Web"
                meta nfproto ipv6 tcp dport 122 counter packets 2 bytes 144 dnat ip6 to [fd54:599d:e9d8::1]:22 comment "!fw4: 路由器 SSH"
        }

I also tried to delete those special characters, but the problem remains the same as at the beginning...

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Luci'
	option src 'wan'
	option src_dport '10086'
	option dest_ip 'fd54:599d:e9d8::1'
	option dest_port '443'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option name 'SSH-Router'
	list proto 'tcp'
	option src 'wan'
	option src_dport '122'
	option dest_ip 'fd54:599d:e9d8::1'
	option dest_port '22'
	option dest 'lan'
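The alternative proposed earlier in the thread (skip the DNAT redirect and just open the port in the firewall) written out as /etc/config/firewall rules. This is an added illustration, not a participant's config: it replaces both redirects with plain ACCEPT rules on the router's own ports 443 and 22, limited to IPv6 since that is what the tcpdump capture shows arriving on pppoe-wan; the src_ip prefix is an assumed documentation placeholder.

```uci
# Added example, not from the original thread.
# A rule without 'dest' applies to the router's own input chain (input_wan),
# which is what these services need: LuCI and dropbear already listen on all
# interfaces, so no address rewrite to the ULA is required.
# The WAN zone's input policy is REJECT, so each port must be opened explicitly.

config rule
	option name 'Allow-LuCI-v6'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH-v6'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option family 'ipv6'
	option target 'ACCEPT'
	# Assumed placeholder prefix: limit SSH to the client network you connect from
	# instead of the whole IPv6 internet (2001:db8::/32 is the documentation range).
	list src_ip '2001:db8::/32'
```

After `fw4 reload`, `nft list chain inet fw4 input_wan` should show both accept rules with their counters, and the counters should increase when you connect from the outside address seen in the capture.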