Masquerading and Port Forwarding for ipv6?

I know that we have enough ipv6 address space to not use masquerading and port forwarding for our dmz servers.

But! If your ipv6 prefix is not static then masquerading and port forwarding are actually very comfy solutions to handle the dynamic situation regarding DDNS and firewall rules.

What are the tools/concepts to treat dynamic ipv6 prefixes for servers with ingress traffic for the internet? Would masquerading and port forwards work for ipv6?

Which size is the network prefix you get from your ISP, e.g. by DHCP prefix delegation?

1 Like

Delegation from the provider is /56; to the internal interfaces it delegates /64.

The example there is:

...
uci set firewall.@rule[-1].dest_ip="::23/-64"
...

where 23 is the host_id set in DHCP for that machine and the address dynamically calculated from the prefix will end with that host_id, correct?

How would I enter this host_id in LuCI?

1 Like

Thanks, so masquerading is possible. What about port forwarding for IPv6? Does that work? On the LuCI UI it does not seem to be possible.

Yes.

LuCI > Network > DHCP and DNS > Static Leases > Add > Hostname, DUID, IPv6-Suffix

LuCI > Network > Firewall > Custom Rules

OK, so actually there is no real UI support for that.
What would a rule look like that I can enter in the Custom Rules box that forwards (to) port 443 of host_id 2?

The dash in /-64 means that the /64 mask is inverted?
So /-64 is 000...000111...111 instead of /64 being 111...111000...000 ?

1 Like

This is good since it allows a solution without masquerading or port forwarding. You can rely on simple routing and firewall rules which let the desired traffic pass from WAN to DMZ.

Publish the IPv6 addresses of the DMZ servers with DDNS, giving each its own host name. Either make each DMZ server register itself with DDNS, or find a DDNS provider which allows you to preregister the stable host IDs and dynamically update the prefix only.

As opposed to IPv6 port forwarding rules, IPv6 filter rules are indeed supported by LuCI.
It should not be necessary to use a custom rule.

1 Like

Thanks.
Still, the question was what the ipv6 port forwarding rule would have to look like to put in custom rules. Anyone?

Like any IPv4 rule also. Either with LuCI:

or like any iptables rule, e.g.:

ip6tables -t nat -A PREROUTING -i eth0.2 -p udp --dport 4500 -j DNAT --to-destination [fdea:dead:dead:30::1]:4500 -m comment --comment "DNAT WG0"

2 Likes

This example is not using the dynamic prefix .... (/-64) ?!?

I don't want to be impolite. But this setup is not common. I'm not a firewall expert. How about just trying it?

Use ::ffff:ffff:ffff:ffff instead of -64 - that should work with LuCI too

Like this: ?

ip6tables -t nat -A PREROUTING -i eth0.2 -p udp --dport 4500 -j DNAT --to-destination [fdea:dead:dead:30::1/-64]:4500 -m comment --comment "DNAT WG0"

Yes, I would try it like this. EDIT: and don't forget to adjust this rule to your needs, e.g. the device eth0.2 etc.

For reference, this thread above:

list dest_ip '::44:2e3a:fdff:fe09:614b/-80'

So LuCI is not accepting the -80 if I understood it right. So you have to go with this ffffff thing ... But I don't know how to set this in LuCI properly.
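To make the mask question asked earlier concrete (is /-64 the /64 mask with its bits flipped?), together with the suggestion to write ::ffff:ffff:ffff:ffff instead of -64 and the /-80 rule quoted just above, here is an added example; it is not code from any poster or from OpenWrt itself. It computes the mask that the firewall's `dest_ip` notation denotes for a positive or negative prefix length, checks whether a given address matches a rule such as `::23/-64`, and rewrites such a rule with the explicit mask form; the sample addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

FULL = (1 << 128) - 1  # all 128 bits set


def fw_mask(bits: int) -> ipaddress.IPv6Address:
    """Mask for a dest_ip prefix length as used in the thread.

    A positive /N is the usual network mask (N leading one bits).
    A negative /-N is that same mask with every bit flipped, so only the
    low 128-N bits take part in the comparison (the host part), which is
    what lets a rule survive a changing provider prefix.
    """
    if not -128 <= bits <= 128:
        raise ValueError("prefix length must be between -128 and 128")
    n = abs(bits)
    mask = FULL ^ ((1 << (128 - n)) - 1)  # n leading ones, rest zeros
    if bits < 0:
        mask ^= FULL  # invert: n leading zeros, rest ones
    return ipaddress.IPv6Address(mask)


def matches(rule: str, addr: str) -> bool:
    """Does addr match a dest_ip value like '::23/-64' or '2001:db8::/32'?"""
    host, sep, length = rule.partition("/")
    mask = int(fw_mask(int(length))) if sep else FULL
    return (int(ipaddress.IPv6Address(addr)) & mask) == (
        int(ipaddress.IPv6Address(host)) & mask
    )


def explicit_mask_rule(rule: str) -> str:
    """Rewrite '::23/-64' as '::23/::ffff:ffff:ffff:ffff', i.e. spell the
    mask out as an address instead of a (negative) prefix length."""
    host, _, length = rule.partition("/")
    return f"{host}/{fw_mask(int(length))}"


if __name__ == "__main__":
    # Constructed sample addresses: same host id ::23 under two different
    # delegated prefixes, plus a neighbour with a different host id.
    print(fw_mask(-64), fw_mask(-80))
    for a in ("2001:db8:aaaa:1::23", "2001:db8:bbbb:7::23", "2001:db8:aaaa:1::24"):
        print(a, matches("::23/-64", a))
    print(explicit_mask_rule("::23/-64"))
```

The negative-length form is the UCI firewall notation from the thread; the explicit-mask form is what the `-d`/`--destination` match of ip6tables accepts when given a full address as the mask.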

So if my WAN6 is an alias to eth2, and I have a /56 dynamic provider prefix, and I want the subnet and host part to be kept, I would need an inverse 56-8 bit mask, like this?

ip6tables -t nat -A PREROUTING -i eth2 -p udp --dport 443 -j DNAT --to-destination [0000:0000:0001::2/-48]:443 -m comment --comment "Port forward 443->..01::2 443"

I think that restriction was relating to the regular LuCI rule input, not to the custom rules field.

Does it make any sense to use a dynamic prefix for the DNAT rule?
The ULA prefix should work the same way and is much simpler to utilize.

1 Like

So what you mean is using the ULA prefix as destination for the port forward?

Yes, it should work assuming that the router is in the same LAN.

If this is your main router, you can fetch the ULA prefix like this:

NET_PFX6="$(uci get network.globals.ula_prefix)"
echo "${NET_PFX6%/*}"

1 Like