Again, this is normal. When the server obtains a DHCPv6 lease, the DHCPv6 server will assign some arbitrary suffix to all viable prefixes. In OpenWrt, you typically have two prefixes. The prefix that starts with 'fd' is a ULA (unique local address) prefix. The prefix that starts with 20 is the GUA (globally unique address) prefix. The GUA prefix was assigned to you by your ISP. The ULA prefix was generated by OpenWrt when you first booted it up.
In this case, the DHCPv6 server has assigned a suffix of ::141 to your device. This is actually a rather stable assignment, but to guarantee a specific suffix you will need to set a static lease using the instructions I've given you.
Although for some reason I don't see a DUID assigned in your static leases table. Go back to the "Active DHCPv6 Leases" table on the LuCI front page, take note of the DUID, and make sure you assign that specific DUID in the static lease.
You may also notice the other addresses with massive suffixes other than ::141. These are the SLAAC addresses. They used to be based on the MAC address of the interface; nowadays hosts randomly generate the suffix.
Suppose I want to expose my port to WAN and route them to my IPv4 and IPv6. Do I still need to use Traffic Rules -> Port Forward for IPv4 hosts, or can I just use Traffic Rules to do the same?
Suppose I want to expose my port to WAN and allow traffic thru the firewall to my IPv4 and IPv6 on LAN.
(It's a common n00b mistake to confuse "firewalling" and "routing".)
If you have Private IPv4 addresses on LAN (e.g. 192.168.0.xxx) and are therefore using masquerade, then yes, you will need to make an IPv4 Port Forward for translating the port/protocol from the WAN IP to the LAN IP.
Since no NAT is used for your IPv6, you would make a Traffic Rule allowing traffic to the DST IPv6 address.
Using the BitTorrent example from above, an IPv4 Port Forward for the same device would be:
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option src_dport '51413'
    option dest_port '51413'
    option dest_ip '192.168.0.xxx'
    option name 'BitTorrent'
    list proto 'tcp'
    list proto 'udp'
Note that once you confirm that the firewall rules work and you can access the host using its GUA IPv6 address, you probably want to make DDNS work on this as well. Since your host has a static suffix, it's possible to have the DDNS client on the router update the AAAA record on denwa's behalf by combining the ISP's GUA prefix with the static suffix. This might require a script to make this work.
Another option is to run the DuckDNS client on the denwa server itself, but you have to make sure that the client uses only the DHCPv6-assigned GUA address when updating the AAAA record, or the firewall will block incoming requests. Again, this might require a script.
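As an added illustration of the two DDNS approaches just described (this is not code from the thread, from OpenWrt or from DuckDNS), the Python below composes the host's GUA on the router side from the delegated prefix and the static suffix, and on the host side filters the interface's addresses down to the DHCPv6-assigned GUA so that SLAAC, ULA and link-local addresses never end up in the AAAA record. The prefix, suffix and address list are constructed sample values, and the DuckDNS update URL format is assumed from its public API.

```python
import ipaddress

# Constructed sample values (documentation prefix, not a real ISP delegation).
ISP_PREFIX = "2001:db8:8f8:ab00::/56"   # prefix delegated to the router's wan6
STATIC_SUFFIX = "::141"                 # suffix pinned by the DHCPv6 static lease
GUA_RANGE = ipaddress.IPv6Network("2000::/3")  # the globally routable IPv6 range


def compose_gua(prefix_cidr: str, suffix: str, subnet_index: int = 0) -> str:
    """Router-side approach: derive the host's GUA from the delegated prefix.

    OpenWrt hands one /64 out of the delegation to LAN; subnet_index picks
    which /64 (0 is the usual first LAN assignment).  The DHCPv6 suffix is
    the low 64 bits, so the result is <lan /64> | <suffix>.
    """
    net = ipaddress.IPv6Network(prefix_cidr, strict=False)
    if subnet_index >= 2 ** (64 - net.prefixlen):
        raise ValueError("subnet_index does not fit in the delegated prefix")
    iid = int(ipaddress.IPv6Address(suffix))  # "::141" parses to 0x141
    if iid >> 64:
        raise ValueError("suffix must fit in the 64-bit interface identifier")
    lan64 = int(net.network_address) + (subnet_index << 64)
    return str(ipaddress.IPv6Address(lan64 | iid))


def pick_dhcpv6_gua(addresses, suffix: str):
    """Host-side approach: of all addresses on the interface, keep only the
    DHCPv6-assigned GUA (in 2000::/3 AND low 64 bits == static suffix).
    ULA, link-local and SLAAC addresses are skipped, since an AAAA record
    pointing at any of those would not match the firewall's dest_ip."""
    want_iid = int(ipaddress.IPv6Address(suffix))
    for a in addresses:
        addr = ipaddress.IPv6Address(a)
        if addr in GUA_RANGE and (int(addr) & (2 ** 64 - 1)) == want_iid:
            return str(addr)
    return None


def duckdns_update_url(domain: str, token: str, ipv6: str) -> str:
    """Build the DuckDNS update request (parameter names assumed from the
    public DuckDNS API: domains=, token=, ipv6=).  Token is a placeholder."""
    return f"https://www.duckdns.org/update?domains={domain}&token={token}&ipv6={ipv6}"


if __name__ == "__main__":
    # Constructed address list, as `ip -6 addr` might show on the LAN host.
    host_addrs = ["fe80::5054:ff:fe12:3456", "fdb3:1234:5678::141",
                  "2001:db8:8f8:ab00:9c2a:3f1b:77de:4e02",
                  "2001:db8:8f8:ab00::141"]
    router_view = compose_gua(ISP_PREFIX, STATIC_SUFFIX)
    host_view = pick_dhcpv6_gua(host_addrs, STATIC_SUFFIX)
    assert router_view == host_view  # both approaches agree on the same GUA
    print(duckdns_update_url("example", "TOKEN_PLACEHOLDER", host_view))
```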
Thanks a lot @lleachii and @elbertmai for the clarification. This should help me standardize my port forwarding.
Regarding this, however...
My router has a DDNS panel which takes care of updating both the IPv4 and IPv6 DDNS. Currently it's pulling my IPv4 from the WAN interface and my IPv6 from the WAN6 interface (2001:8f8:...) to update. Is this the correct way, or am I missing something?
This is correct if Plex and all the other services are running on the router itself. But since they're running on another host in the network, the AAAA record needs to point to the IPv6 address of that host, not the router.
Yes, the same (sub)domain can in fact resolve to completely different devices, because the A and AAAA records are independent from each other.
Huh, that's odd, but thanks for letting me know. I feel like I might need to have two sub-domains with AAAA records, one pointing to my Router and the other to my Desktop?
Also, I've just rebooted my Router and deleted my Wireguard Traffic Rule as well as the Port Forward, but for some reason my Wireguard clients can still access it. How is that possible? Does it possibly auto-configure the ports when setting up the interface?
Left it disabled and it no longer accepts any Wireguard traffic.
I've been setting this up in an attempt to have IPv6 access through my Wireguard tunnel with Selective IPv6 NAT.
But that didn't seem to work.
I'm not sure if I'm allowed to cross-reference another post...
I guess maybe you would've witnessed how my wg0 interface was using a ULA address... but with how many threads there are regarding setting up Wireguard with IPv6 access and so many NAT options which people try I'm puzzled as to how to get my things sorted...
If they are in the same zone, do you allow [intra] zone forwarding?
If they are in different zones, do you allow traffic to the DST zone where the device is located?
Your IPv4 Port Forward would be configured for traffic received on the OpenWrt's WAN IP (which matches the A Record), so the rule has effect and can be translated to the Private LAN IP.
As noted before - your IPv6 doesn't NAT from your WAN to LAN, so the DST desktop device's IPv6 address would be contained in the AAAA Record.
You should be able to use the same sub-domain, I do this with a DDNS service. One config updates the A record, the other config updates the AAAA record. You'll need to verify this is possible with your provider.
Also could you please take a look at this IPv6 Traffic Rule?
config rule
    option name 'Allow-Wireguard_IPv6'
    list proto 'udp'
    option src 'wan'
    option dest 'lan'
    option dest_port '51820'
    option target 'ACCEPT'
    option family 'ipv6'
When I use my IPv6 endpoint on my Wireguard client I can't seem to connect.
But with my IPv4 endpoint, it works fine.
Yeah, my wg0 interface works but for some reason I just cannot get my IPv6 connectivity when I'm tunnelling in my Wireguard client. Only IPv4 shows up when I do whatsmyip or browserleaks.
Thanks a lot, the above rule worked! Just to improve it further, will it be alright to include this option as well? To restrict it to only IPv6 addresses.
option family 'ipv6'
Also, just to avoid any further confusion: if I'm dealing with my IPv6 router port forwarding, this should be the standard?
Yes, that's correct; adding that will make the allow rule apply only to IPv6 IPs.
To avoid confusion, the term is "Forwarding" not "Port Forwarding".
Yes, your screenshot looks OK.
To avoid confusion, you're asking about "allowing IPv6 traffic thru the firewall" - the "routes" are already configured and would be improper terminology here.
To answer your question - in addition to specifying an IP, you would have to specify the Destination Zone (LAN) in order to make an IPv6 Traffic Rule from WAN to an IP on LAN - as well as the SRC Zone (WAN - or leave at ANY).
When trying to use an IPv6 Lookup the addresses starting with 2001 show roughly my location.
But fdb3 doesn't show. I assume they are assigned by OpenWRT and are private IPv6 addresses? Are these IPv6 addresses starting with fdb3 needed, or do they hold any purpose?
EDIT: Looks like fdb3's are for ULA's and 2001's are GUA's?
I guess pretty much the only thing left now is to figure out a way to route my IPv6 through the Wireguard tunnel, then I should pretty much have a robust way to remote into my home from outside...
The IPs that start with fd are ULAs, which are for local use only. They don't mean anything on the Internet, similar to "private" (RFC1918) IPv4s that start with 192.168 etc. In this use case, you don't need any ULAs, and they are only adding clutter and confusion. Take ula_prefix out of the network config so that no ULAs are issued.
How is your wireguard client configured? Of course it needs a GUA IPv6 on its end of the tunnel in order to make requests to the v6 Internet.
As @mk24 noted, these are private addresses, used similarly to Private IPv4 IPs. They are not needed for Internet connectivity (hence why a geosearch website doesn't display your location when searching that IP address).