Issue in outbound packet after ipv6 port forwarding

Hello Team,

I have enabled IPv6 port forwarding, and I can view the SYN packet arriving on my host. However, when the host responds back with SYN,ACK, the SYN,ACK lands on br-lan/eth0 and not on the wan interface, causing destination unreachable in the ICMPv6 packet. Please see below:

21:47:46.846425 wan In  IP6 xx:ac4d.49196 > yy:8b6.80: Flags [S], seq 3021570576, win 65535, options [mss 1282,sackOK,TS val 101383554 ecr 0,nop,wscale 10], length 0
21:47:46.846557 br-lan Out IP6 xx:ac4d.49196 > yy:8b6.80: Flags [S], seq 3021570576, win 65535, options [mss 1282,sackOK,TS val 101383554 ecr 0,nop,wscale 10], length 0
21:47:46.846567 eth0  Out IP6 xx:ac4d.49196 > yy:8b6.80: Flags [S], seq 3021570576, win 65535, options [mss 1282,sackOK,TS val 101383554 ecr 0,nop,wscale 10], length 0
21:47:46.847072 eth0  In  IP6 yy:8b6.80 > xx:ac4d.49196: Flags [S.], seq 2390739363, ack 3021570577, win 32660, options [mss 1432,sackOK,TS val 974946202 ecr 101383554,nop,wscale 7], length 0
21:47:46.847072 br-lan In  IP6 yy:8b6.80 > xx:ac4d.49196: Flags [S.], seq 2390739363, ack 3021570577, win 32660, options [mss 1432,sackOK,TS val 974946202 ecr 101383554,nop,wscale 7], length 0
21:47:46.847206 br-lan Out IP6 aaa:1 > yy:8b6: ICMP6, destination unreachable, unreachable route 
21:47:46.847214 eth0  Out IP6 aaa:1 > yy:8b6: ICMP6, destination unreachable, unreachable route

I added the static route and it works fine. But I am not sure if that's the correct solution, as the packet might arrive from any of the clients.

Below is the port mapping rule:

config redirect
        option target 'DNAT'
        option name 'test'
        option src 'wan'
        option src_dport '80'
        option dest_ip 'yy:8b6/96'
        option dest_port '80'
        option dest 'lan'

Could someone please assist me on how I can make the return packet go via the wan interface without any specific route?

You do not port forward with IPv6.

The client should have its GUA address so is reachable via the internet.

What you should do is open up the port for that GUA address of the LAN client with a traffic rule.

Example:

I have a WG server in my network which has a static IPv6 address ::6

The traffic rule is then:

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	list dest_ip '::6/-64'

3 Likes
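
How the `::6/-64` notation in the traffic rule above selects addresses, as an added example that is not part of the original reply: it assumes the OpenWrt firewall semantics in which a negative prefix length masks the low bits of the address, so the match keys on the host's interface identifier and survives a change of delegated prefix. The 2001:db8:: addresses are constructed documentation addresses and the function names are hypothetical.

```python
import ipaddress

FULL = (1 << 128) - 1  # all 128 bits set


def parse_match(spec):
    """Turn 'addr/len' into (value, mask) as 128-bit integers.

    A positive len masks the high bits (ordinary prefix match);
    a negative len masks the low bits (interface-identifier match).
    """
    addr, _, plen = spec.partition("/")
    n = int(plen) if plen else 128
    if not -128 <= n <= 128:
        raise ValueError("prefix length out of range: %d" % n)
    if n >= 0:
        mask = (FULL << (128 - n)) & FULL
    else:
        mask = (1 << -n) - 1
    return int(ipaddress.IPv6Address(addr)) & mask, mask


def mask_text(spec):
    """Render the mask of a match spec as an IPv6 address string."""
    return str(ipaddress.IPv6Address(parse_match(spec)[1]))


def matches(addr, spec):
    """True if addr is selected by the match spec."""
    value, mask = parse_match(spec)
    return int(ipaddress.IPv6Address(addr)) & mask == value


if __name__ == "__main__":
    # Constructed sample: the same LAN host (::6) under two delegated prefixes,
    # plus a neighbouring host that must not be exposed.
    before = "2001:db8:aaaa:1::6"
    after = "2001:db8:bbbb:2::6"
    other = "2001:db8:aaaa:1::7"

    print("mask for ::6/-64 :", mask_text("::6/-64"))
    for a in (before, after, other):
        print(a, "suffix match:", matches(a, "::6/-64"),
              "| full-address match:", matches(a, before + "/128"))
```

A rule written against the full address stops matching once the ISP hands out a new prefix, while the suffix form keeps admitting only the host whose interface identifier is ::6.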

That worked, thank you for such a quick response.

2 Likes
