Is network.wan6.sourcefilter="0" insecure?

Unfortunately, my setup requires NAT for IPv6. :upside_down_face: Unavoidable as my ISP router is completely non-configurable - so I'm running OpenWrt on a router behind my ISP router, but with the WAN of the OpenWrt as a client on the LAN of the ISP router.

The Wiki says that network.wan6.sourcefilter="0" needs to be set to achieve NAT for v6, but I'm struggling to find any documentation about it. (See https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#ipv6_nat)

I'm worried that by doing this, I'm opening the IPv6 firewall up to traffic from the WAN6 into the LAN. I'm hoping that this isn't the case, but would like reassurance. Would there be any other implications of setting this? Thanks.

The reason for disabling the filter is that, e.g., private IPv6 addresses will not egress until either:

  • they're explicitly routed by SRC IP (and you configure masq6), or
  • you disable this setting

Hope this helps.

Nope.

  • Your firewall still controls that
  • While NAT was never designed to be a security feature in IPv4 or IPv6, you still have added benefits of no global IPv6 address assigned directly to clients
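One way to confirm the reply's point that the firewall still decides what enters from WAN6, as an added example that is not part of the thread: the function reads `uci show firewall` output and fails if the zone covering `wan6` does not refuse input and forward traffic, or if a forwarding starts in that zone. The function names and the sample configuration are constructed for illustration, and treating an unset policy as a failure is this example's own conservative choice.

```shell
# Added example (not from the thread). Reads `uci show firewall` output on
# stdin; returns 0 if the zone covering the interface still refuses traffic.
audit_wan_zone() {
    awk -v iface="${1:-wan6}" -v q="'" '
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                   # uci show quotes every value
        n = split(key, p, "[.]")
        if (n == 2) type[p[2]] = val       # firewall.@zone[1]=zone
        if (n == 3) opt[p[2], p[3]] = val  # firewall.@zone[1].input=REJECT
    }
    END {
        for (s in type) {                  # find the zone that lists iface
            if (type[s] != "zone") continue
            m = split(opt[s, "network"], nets, " ")
            for (i = 1; i <= m; i++) if (nets[i] == iface) zs = s
        }
        if (zs == "") { print "FAIL: no zone covers " iface; exit 1 }
        zone = opt[zs, "name"]; bad = 0; split("input forward", pol, " ")
        for (k = 1; k <= 2; k++) {         # zone policies must refuse
            v = toupper(opt[zs, pol[k]])
            if (v != "REJECT" && v != "DROP") { print "FAIL: " zone " " pol[k] "=" v; bad = 1 }
        }
        for (s in type)                    # forwardings starting in this zone
            if (type[s] == "forwarding" && opt[s, "src"] == zone) {
                print "FAIL: forwarding " zone " -> " opt[s, "dest"]; bad = 1
            }
        print "INFO: zone " zone " masq6=" opt[zs, "masq6"]
        exit bad
    }'
}
sample_uci() {  # constructed sample shaped like `uci show firewall`
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq6='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
}
sample_uci | audit_wan_zone wan6
```

On the router itself the same check runs as `uci show firewall | audit_wan_zone wan6`.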

Thanks, I thought so - but didn't want to assume!
