I know that we have enough IPv6 address space to not use masquerading and port forwarding for our DMZ servers.
But! If your IPv6 prefix is not static, then masquerading and port forwarding are actually very comfy solutions to handle the dynamic situation regarding DDNS and firewall rules.
What are the tools/concepts to treat dynamic IPv6 prefixes for servers with ingress traffic from the internet? Would masquerading and port forwards work for IPv6?
OK, so actually there is no real UI support for that.
What would a rule look like that I can enter in the Custom Rules box that forwards (to) port 443 of host_id 2?
The dash in /-64 means that the /64 mask is inverted?
So /-64 is 000...000111...111 instead of /64 being 111...111000...000?
This is good since it allows a solution without masquerading or port forwarding. You can rely on simple routing and firewall rules which let the desired traffic pass from WAN to DMZ.
Publish the IPv6 addresses of the DMZ servers with DDNS, giving each its own host name. Either make each DMZ server register itself with DDNS, or find a DDNS provider which allows you to preregister the stable host IDs and dynamically update the prefix only.
As opposed to IPv6 port forwarding rules, IPv6 filter rules are indeed supported by LuCI.
It should not be necessary to use a custom rule.
Yes, I would try it like this. EDIT: and don't forget to adjust this rule to your needs, e.g. the device eth0.2 etc.
For reference, this thread above:
list dest_ip '::44:2e3a:fdff:fe09:614b/-80'
So LuCI is not accepting the -80, if I understood it right. So you have to go with this ffffff thing... But I don't know how to set this in LuCI properly.
So if my WAN6 is an alias to eth2 and I have a /56 dynamic provider prefix, and I want the subnet and host part to be kept, I would need an inverse 56-8 bit mask, like this?
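To make the negative-prefix notation from the earlier posts (the /-64 question) and the `dest_ip '…/-80'` rule concrete, here is an added Python example; it is not code from the thread or from OpenWrt, it only reproduces the matching semantics: a positive length is the usual CIDR mask with the high bits set, a negative length sets only the low bits, so the firewall compares the stable suffix and ignores whatever prefix the ISP hands out today. The `suffix_len` helper answers the /56 question in general (128 - 56 = 72 bits to keep, i.e. /-72), `nft_match` renders the same comparison as an explicit-mask nftables expression, and accepting a full IPv6 address in place of the length (the "ffff..." form) is an assumption made here, not a documented LuCI feature. All addresses are constructed for illustration.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1


def fw_mask(prefix_len: int) -> int:
    """128-bit mask for a signed prefix length.

    prefix_len >= 0: ordinary CIDR mask, high `prefix_len` bits set
                     (111...111000...000).
    prefix_len <  0: inverted mask, only the low |prefix_len| bits set
                     (000...000111...111), so the delegated prefix is
                     ignored and only the subnet/host suffix is compared.
    """
    if not -128 <= prefix_len <= 128:
        raise ValueError(f"prefix length {prefix_len} out of range")
    if prefix_len >= 0:
        return (ALL_ONES << (128 - prefix_len)) & ALL_ONES
    return (1 << -prefix_len) - 1


def mask_text(prefix_len: int) -> str:
    """The mask as an IPv6 literal, e.g. -64 -> '::ffff:ffff:ffff:ffff'."""
    return str(ipaddress.IPv6Address(fw_mask(prefix_len)))


def suffix_len(delegated_prefix_len: int) -> int:
    """Signed length that keeps every bit below a delegated prefix.

    With a dynamic /56 the stable part is the low 128 - 56 = 72 bits
    (8 subnet bits plus the 64-bit host part), so the rule length is -72.
    """
    return -(128 - delegated_prefix_len)


def parse_rule(rule: str):
    """Split 'addr/len' into (masked base address, mask) as integers.

    `len` is a signed prefix length; as an assumed alternative it may
    also be a full mask written as an IPv6 address (the 'ffff...' form).
    """
    addr, _, tail = rule.partition("/")
    base = int(ipaddress.IPv6Address(addr))
    if not tail:
        mask = ALL_ONES
    elif ":" in tail:
        mask = int(ipaddress.IPv6Address(tail))  # assumed addr/mask form
    else:
        mask = fw_mask(int(tail))
    return base & mask, mask


def rule_matches(rule: str, candidate: str) -> bool:
    """Apply the rule's mask to `candidate` and compare with the base."""
    base, mask = parse_rule(rule)
    return (int(ipaddress.IPv6Address(candidate)) & mask) == base


def nft_match(rule: str, field: str = "daddr") -> str:
    """Render the rule as an nftables bitwise match with an explicit mask."""
    base, mask = parse_rule(rule)
    return (f"ip6 {field} & {ipaddress.IPv6Address(mask)} "
            f"== {ipaddress.IPv6Address(base)}")


if __name__ == "__main__":
    rule = "::44:2e3a:fdff:fe09:614b/-80"  # the dest_ip rule quoted above
    # Constructed sample: same host before and after the ISP changes the
    # /48, plus a different host behind the current prefix.
    for cand in ("2001:db8:1234:44:2e3a:fdff:fe09:614b",
                 "2001:db8:beef:44:2e3a:fdff:fe09:614b",
                 "2001:db8:1234:44:2e3a:fdff:fe09:614c"):
        print(f"{cand:40} {rule_matches(rule, cand)}")
    print(nft_match(rule))
    print("/56 delegation -> rule length", suffix_len(56), mask_text(suffix_len(56)))
```

The first two sample addresses match because only the low 80 bits are compared, while the third fails on its last nibble; that is exactly the property needed to keep a single filter rule valid across prefix changes without masquerading.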