IPv6 tunnel protocol 41 and 59

Do you guys think I still have to add it into /etc/config/firewall (since it works without adding it), or should I add this:

config rule
    option name 'Allow-protocol 41'
    option src 'wan'
    option proto '41'
    option target 'ACCEPT'

config rule
    option name 'Allow-protocol 59'
    option src 'wan'
    option proto '59'
    option target 'ACCEPT'
    option extra '-m length --length 40'

Ciao!
How are you?

From here: https://lede-project.org/docs/user-guide/ipv6_ipv4_transitioning

It does not do anything; it was working without it, and now with it as well.

What is the meaning? Please let me know.
Thanks.
Patrikx3

Protocol 41 is only necessary for 6in4 (e.g. he.net) tunnels, not for native IPv6.

Thanks for replying.
But from what I see, it works without adding protocol 41, so do I still add it (I added it anyway yesterday)? But it was working anyway. Is it pre-built already?

Ciao!
How are you?
I use an HE.net tunnel, but my question is: how come it was working without adding it into the firewall? I did add it, but is it built in now or what? Do you know?

Thanks for helping,
patrikx3

I have had protocol 59 enabled for a month, but iptables registered no traffic count. I'm not sure why it's needed, but the tunnel worked without it.

I have plenty of protocol 41 traffic count registered, and I believe that is used by v6 traffic originating externally.

Ciao!
How are you?

OK, so you think I can just remove it? And done?
Thanks so much!

Just confirming, because for me too it was working. I guess we don't need additional 41/59 port settings; it must be built into LEDE or OpenWrt long ago.

I believe protocol 59 was added into the wiki recently because someone noticed something and someone else thought it was required. My 6in4 has never required 59 to function. Protocol 41 is required if you are initiating v6 connections from the outside. If that's not the case for you, I'm sure you can remove it.

My own protocol 41 is "strict": allow from only one of HE.net's tunnel IPs, not globally.

Ciao!
How are you?

Yeah, I removed it and there is no difference. I think whatever it is doing, it's working; it is not needed anymore.

Thanks so much for this issue!
Take care!

Also, I am still uncertain if @ffries was right in determining that protocol 59 should be allowed in the firewall. See HE NET, should IPv6 protocol 59 be accepted on the firewall?

I never needed it with my old SixXS tunnel, and also he.net tunnel operated ok without that. (But I have now a native ipv6, so I haven't looked into that recently.)

But it is quite possible that he.net uses that protocol for some kind of "tunnel alive" monitoring, or so.

Perhaps it is better to not "allow-all" for that rule and limit it to the v4 tunnel IP address. Err on the safe side.
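
The restriction suggested in the last post, and the "strict" protocol 41 rule mentioned earlier in the thread, written out as an added example that is not part of the original posts. The rule names are made up here, and 192.0.2.1 is a documentation-range placeholder for your tunnel server's IPv4 address.

```uci
# /etc/config/firewall (added example, not from the thread)
# 192.0.2.1 is a placeholder: replace it with the IPv4 address of
# your own tunnel server endpoint.

# Broad form from the first post, shown commented out for comparison:
# any host on the WAN side may send protocol 41 to the router.
# config rule
#     option name 'Allow-protocol 41'
#     option src 'wan'
#     option proto '41'
#     option target 'ACCEPT'

# Restricted form: accept 6in4 (protocol 41) only from the tunnel server.
config rule
    option name 'Allow-6in4-from-tunnel-server'
    option family 'ipv4'
    option src 'wan'
    option src_ip '192.0.2.1'
    option proto '41'
    option target 'ACCEPT'

# Same source restriction for the protocol 59 rule, if it is kept at all.
config rule
    option name 'Allow-proto59-from-tunnel-server'
    option family 'ipv4'
    option src 'wan'
    option src_ip '192.0.2.1'
    option proto '59'
    option target 'ACCEPT'
    option extra '-m length --length 40'
```

After reloading the firewall, the per-rule packet counters in iptables (the same check one poster describes above) show whether either rule ever matches traffic.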