I'm quite confused with SLAAC, DHCPv6, Port Forward and Traffic Rules with IPv6; it doesn't seem to be as straightforward as IPv4.
The only thing I could grasp after going through the forums is that SLAAC likes to change the IPv6 address up to a certain time and the device doesn't request DHCPv6(?) as SLAAC takes care of that, and it's impossible to set an IPv6 Static Lease from the router?
What I'm trying to achieve is to port-forward IPv6 hosts similar to how IPv4 hosts get port-forwarded. It's just that without a static lease my IPv6 will keep changing if I am right here.
Secondly, I'm guessing my ISP assigns SLAAC by default, and if I disable SLAAC then devices (like Android etc.) which don't support DHCPv6 don't end up having an IPv6 address. So disabling SLAAC altogether is a no-go unless there's a way to disable SLAAC only for my Desktop, which is connected through Ethernet? When running ipconfig on my Windows I'm flooded with a lot of IPv6 addresses, which could only hint that SLAAC is in play here.
Perhaps create two separate network interfaces one which has SLAAC enabled (the default interface) and one without SLAAC (a custom interface) and devices which need a static lease can be assigned to the network interface with SLAAC disabled. I assume there might be a way to port forward even with SLAAC addresses but I would prefer if it only port forwards a single host instead of allowing every host in the network to react to that packet and see if it's for them or not.
What is ideally the best practice here and something which causes the least amount of confusion similar to how IPv4 can assign static leases and is much easier to port-forward?
It seems less straightforward because you're trying to apply IPv4 concepts to IPv6. This will not work; you should consider these two protocols completely different things.
The whole point of IPv6 is to eliminate port forwards. In IPv4, due to the severe shortage of addresses, you have to use NAT to share a single address across multiple hosts. Hence, the need for port forwards in the router, since your router won't know a priori which host on the network handles which ports. But since IPv6 has way more addresses than you can shake a stick at, every device can have a globally unique IPv6 address.
You would just set up firewall traffic rules to allow incoming traffic on certain ports and protocols. Then your router would just route the packets to the right subnet, and the correct host in that subnet will answer. In IPv6, the destination IP address of incoming packets will not be that of the router which will then forward the port. Instead it will be the host you actually want to talk to, the way the Internet was supposed to operate since its conception.
This is normal. IPv6 was designed with the expectation that every interface will have multiple IPv6 addresses.
It seems you're indeed confusing a few things. Let's try to unwind this.
First, we need to understand your WAN interface (or WAN6 to be exact). You need to be issued a Prefix Delegation from your ISP. Assuming you have a standard Ethernet-based Internet connection, that occurs. You need a prefix delegation; at least a /56 is common. In any instance, you must be issued more IP space than a single /64 subnet. Note that you must be running a DHCPv6 Client on WAN6 in order to receive a Prefix Delegation. You cannot control whether your ISP changes this often.
With this Prefix Delegation, your downstream interfaces can now receive IPs. OpenWrt uses /60 by default for LAN. You have 2 options for IP assignment - I will also note some important points for each:
SLAAC - Androids are well-known to only use this method to receive an IPv6 address
DHCPv6 Server - you can use this to assign IPs in certain schemes as well
Firewalling
In IPv6 you would use a Traffic Rule. As there is no Network Address Translation (NAT) in the case described above, you would simply allow traffic from the WAN Zone to the IP, MAC, or Zone, etc. of the device. You can specifically select IPv6. I'll provide an example for allowing the default Transmission BitTorrent port for all IPv6 addresses on LAN:
config rule
	option name 'Allow-BitTorrent_IPv6'
	option target 'ACCEPT'
	# IPv6 only; no NAT involved, the packet is simply permitted through
	option family 'ipv6'
	option proto 'tcp udp'
	option src 'wan'
	# no dest_ip, so every LAN host listening on the port is reachable
	option dest 'lan'
	option dest_port '51413'
In OpenWrt, when searching for my host to enter as the Destination address in Firewall, Traffic Rules, I have a lot of IPv6 hosts with the same name (derwa.lan).
This image should show what I'm struggling with... which IPv6 host to even choose for derwa.lan?
First let's figure out why you're trying to port forward to derwa.lan. Are you running a service on derwa that you want accessible to the Internet? What port and protocol is the service running on?
If I understood this correctly it'll monitor for a connection from the WAN zone and then route it to my LAN zone with the Destination port as 51413. So, whichever service is running on my LAN network which is listening on that port will receive it, but won't the router start asking each device who this packet is meant for? It's like sending the packet to each LAN device hoping to find the correct one instead of just directly routing it to the intended LAN device?
I assume you have some kind of dynamic DNS service running on the router? So that devices on the global Internet can resolve to your router for port forwarding even if its WAN IP address changes?
I've just changed the IPv6 assignment length based on your recommendation for LAN. Should I change the IPv6 prefix filter as well?
Does WAN6 need any changing for the IPv6 assignment length or just leave it as it is?
How do I do so? Specifying by IP at least? I understood how to do it for IPv4, but how for IPv6? I assume when port forwarding a port you need to port forward both the IPv4 and IPv6 so that it routes to whichever is preferred by the LAN device?
If you have only one LAN, a /64 prefix from the ISP is adequate, as the LAN will hold the whole prefix space.
RA/SLAAC and DHCPv6 are two mostly exclusive ways for a router to tell a client what IP address it should use. In RA, the router tells the client the first 64 bits of its IP (called the "prefix", but this is a different thing than the "routable prefix" assigned by the ISP). Then the client itself chooses the last 64. Depending on the client capabilities and configuration (which is outside the scope of this forum), the last 64 could be chosen:
at random. This is typical for general use as it offers a sort of security by obscurity.
a constant based on the interface's factory MAC address. These (known as EUI64s) can be recognized because the 16 bits in the middle are always ff:fe. This is not good for privacy, as any site visited will get the client's uniquely assigned MAC and can thus uniquely identify and track it.
a constant configured by the user. That would be the best way to run a server that must always have the same IP.
In DHCPv6, the router also chooses the last 64 and pushes the client's entire 128 bit IP to the client. So a client can have a reserved address like is done with DHCPv4.
In a home network it is probably preferable to use RA only, assuming you have a way to control any server machine's choice of the last 64 so that an incoming firewall exception (allow input to the one server, also possibly only on certain ports) can be configured. This is not a port forward. The IP and port are not modified by the firewall; it is only allowed to pass.
When selecting add IP I have a lot of entries for IPv6; how do I choose which is which? My LAN device (derwa.lan) has multiple IPv6 addresses, which makes it harder to decide which address I have to route the traffic to.
I've assigned a static IPv4 lease to derwa.lan as 192.168.0.141, after restarting the ethernet link I've noticed that one of my IPv6 addresses has 141 at the very end of the prefix as well. Could they be sharing something in common? One starting with 2001: and the other with fdb3:
Using RA only I assume only DHCPv6? That way you can have control over setting static DHCPv6 leases?
Before you do all that, you need to do these things first, assuming that OpenWrt hasn't been modified beyond the port forwards you have:
Go to the LuCI home page, scroll down to "Active DHCPv6 Leases", and click "Set Static" on the server host. There should be only one entry for each host, but multiple IPv6 addresses associated with it.
Go to "Network" → "DHCP and DNS" in the LuCI menu, then click on the "Static Leases" tab.
Click "Edit" on the hostname entry. Assign an "IPv6-Suffix (hex)" to the entry. This can be any hexadecimal number, but remember this suffix. Let's say for example, you pick a suffix of "42". Click "Save" then force your server to renew its DHCPv6 lease. It should obtain an IPv6 address with that suffix.
Now you have a host with a stable IPv6 suffix. This is enough to make the firewall rules work, even when the ISP changes the IPv6 prefix. This is because OpenWrt supports a "negative netmask notation" that allows you to specify a firewall rule to an IPv6 host using only its IPv6 suffix. You can set this in LuCI under "Network" → "Firewall" → "Traffic Rules" tab, for example:
To set this kind of destination address you need to scroll the list all the way down to see a "-- custom --" box. You can then type in ::42/-64 into that box.
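The two pieces of advice above, telling the SLAAC-EUI-64 / random / user-chosen interface identifiers apart and matching a host by its suffix with the `::42/-64` notation, can be checked offline. The following is an added example (not code from the original thread or from OpenWrt itself): it classifies a constructed list of addresses of the kind LuCI shows for one host and emulates the negative-netmask match. The `2001:db8::/32` prefix is the RFC 3849 documentation range, the ULA prefix and interface identifiers are made up, and the interpretation of `/-N` (ignore the first N bits, compare the remaining 128-N) is assumed from the thread's description of `::42/-64`.

```python
import ipaddress

# Constructed sample: the sort of address list the LuCI lease page shows for
# a single host. Prefixes and interface identifiers are made up (2001:db8::/32
# is the documentation range); nothing here is from a real network.
DERWA_ADDRESSES = [
    "2001:db8:abcd:10::42",                 # global, static suffix from the DHCPv6 lease
    "fdb3:1234:5678:10::42",                # ULA, same static suffix
    "2001:db8:abcd:10::141",                # global, some other suffix
    "2001:db8:abcd:10:3ae1:8f1c:2a7b:9c4d", # global, random (privacy) interface id
    "2001:db8:abcd:10:21a:2bff:fe3c:4d5e",  # global, EUI-64 derived from the MAC
    "fe80::21a:2bff:fe3c:4d5e",             # link-local, EUI-64 derived from the MAC
]

LOW64 = (1 << 64) - 1
ULA = ipaddress.IPv6Network("fc00::/7")     # the fdxx: addresses
GLOBAL = ipaddress.IPv6Network("2000::/3")  # the 2xxx:/3xxx: addresses


def is_eui64(addr):
    """EUI-64 interface ids carry the fixed bytes ff:fe in the middle of the last 64 bits."""
    packed = addr.packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def matches_negative_netmask(addr_str, rule):
    """Emulate a dest_ip value such as '::42/-64'.

    Assumption taken from the thread: '/-N' ignores the first N bits of the
    address and compares only the remaining 128-N bits, so '::42/-64' matches
    any address whose last 64 bits equal ::42 whatever the ISP prefix is.
    """
    target, _, plen = rule.partition("/")
    if not plen.startswith("-"):
        raise ValueError("expected a negative prefix length such as /-64")
    ignore = int(plen[1:])
    if not 0 <= ignore <= 128:
        raise ValueError("prefix length out of range")
    mask = (1 << (128 - ignore)) - 1
    a = int(ipaddress.IPv6Address(addr_str))
    t = int(ipaddress.IPv6Address(target))
    return (a & mask) == (t & mask)


def classify(addr_str, static_suffix=None):
    """Describe scope and how the last 64 bits were most likely chosen."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr.is_link_local:
        scope = "link-local"
    elif addr in ULA:
        scope = "ULA"
    elif addr in GLOBAL:
        scope = "global"
    else:
        scope = "other"
    iid = int(addr) & LOW64
    if static_suffix is not None and iid == static_suffix:
        kind = "static DHCPv6 suffix"
    elif is_eui64(addr):
        kind = "SLAAC EUI-64 (MAC-derived)"
    else:
        kind = "random/temporary or DHCPv6-assigned"
    return f"{scope}, {kind}"


def firewall_targets(addresses, rule="::42/-64"):
    """Return the addresses that a traffic rule with dest_ip=<rule> would admit traffic to."""
    return [a for a in addresses if matches_negative_netmask(a, rule)]


if __name__ == "__main__":
    for a in DERWA_ADDRESSES:
        print(f"{a:40} {classify(a, static_suffix=0x42)}")
    print("matched by ::42/-64:", firewall_targets(DERWA_ADDRESSES))
```

Running it shows that the suffix rule picks out exactly the two addresses ending in `::42` (the global one and the ULA one) and leaves the EUI-64, privacy and `::141` addresses alone, which is why a stable suffix is enough for the rule to survive an ISP prefix change. In UCI terms the same setup is `option hostid '42'` on the host's `config host` entry in `/etc/config/dhcp` and `option dest_ip '::42/-64'` on the `config rule` entry in `/etc/config/firewall`.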
I've forgotten to mention this earlier in the post, but initially, in my DHCPv6 Active Leases only a single device on my LAN had an entry and the rest weren't even present (including my own PC).
Just now I've changed my IPv6 assignment length to disabled in my LAN interface and only my IPv4 showed up.
Suddenly devices started showing up in the DHCP IPv6 Leases which is totally odd.
Thinking that I'd broken something, I set my IPv6 assignment length back to /64
and now my IPv6 is being displayed as before in my LAN interface and I seem to still have my devices present in DHCPv6 Active Leases. Odd regarding what happened...
This is good! That means DHCPv6 works on your network and you can assign static leases. Nothing is broken here, it's working as intended.
That's because the leases themselves are still valid. The hosts don't see your new DHCPv6 configuration until they renew on their own accord, or you force them to (e.g. you manually reconnect their interfaces).
You can see how I've only assigned a static DHCP lease for my IPv4, but I have some IPv6 addresses (of my own LAN machine derwa.lan) ending with ::141/128, what's happening?
Also, thanks for helping me out so far. I have another doubt: what's the difference between Firewall -> Port forwarding and Firewall -> Traffic Rules?
Which should I use ideally since they both seem to do the same job?