N00b struggling with ipv6

Under WAN interface you have the option ipv6 'auto' so it will automatically create the wan6 interface and try with DHCPv6. So basically you don't need the extra wan6 interface.
Other than that you need to open the flows in firewall for IPv6 as by default everything is blocked.

3 Likes

Awesome! Thanks for your help, peeps. Including tmomas who cleaned up the /etc/config/network embedding in my first post.

I removed the extra device. The extra device was there at setup and despite my instincts I put my PPPoE settings in there as well.
I opened up the flow by creating a Traffic Rule "IPv6-traffic, From any host in wan, To any host in lan", which I believe blows a hole though the router's firewall for all devices using an IPv6 address?

1 Like

Don't do this! Assign a specific IP6 address to your server, and then add a forward rule for any wan host to your server only on the port of interest.

5 Likes

I'll draft a list of devices and add them to the dnsmasq file, so they will have stable addresses. Then open the firewall on an address by address/port basis.
For now I'll just limit the rule to any address: torrentclientport "until I get around to fixing it".

Only if they use dhcpv6.

3 Likes

DHCPv6 might not be necessary. Stable IPv6 addresses can also be generated by Stateless Address Autoconfiguration (SLAAC) with an interface identifier derived from the MAC address (Modified EUI-64) or a stable privacy address (RFC 7217). Quite likely the LAN hosts already have one of those addresses assigned.

Another point to consider is that ISPs often assign the IPv6 prefix dynamically, which causes all of the global IPv6 addresses in your LAN to change along with the prefix. This is independent of the address assignment mechanism used in your LAN (DHCPv6 or SLAAC). If your prefix is dynamic, the firewall rule must take this into account with a suitable address mask. Here is an example for a webserver:

config rule
	option name 'webserver'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '::2345:67ff:fe89:abcd/-64'
	option dest_port '80 443'
	option family 'ipv6'
	option target 'ACCEPT'

3 Likes

DHCPv6 is a reasonable way to configure servers that require stable and predictable addresses, especially while the prefix changes. But you need to configure the devices to use DHCPv6, which they may well not be doing by default.

Also, rather than a fixed rule you can set up an ipset to describe all the addresses that should be reachable from the exterior. This can be updated on the fly, for example by a cron job.

2 Likes

So, a follow up.

I've used Dnsmasq a lot over the years but ipv6 got me stumped. Documentation is thin on the ground and trying to put ipv6 addresses in the config file wasn't working for me. I ended up using the lua interface to create static leases in the Network -> DHCP and DNS menu. Entering MAC/ipv4 and DUID/ipv6.
To deal with dynamic ipv6 prefixes and firewall access I installed the iptables-mod-u32 package. Then created a FORWARD rule to match a portion of the suffix. By using an octet of a specific value, any IPv6 address using it in their suffix is forwarded, and the final octet (that I use as the unique client identifier) allows me to create client specific rules.

e.g. ip6tables -I FORWARD 1 -m u32 --u32 "34 = 0x6565" -j ACCEPT
Allows any machine with an address of ::6565:???? unrestricted access from the WAN. It doesn't matter what the prefix is or if it changes, the firewall rule remains valid.
This is a simplified example! Something like:
ip6tables -I FORWARD 1 -p tcp --dport xyz -m u32 --u32 "36 = 0x6565abcd" -j ACCEPT
would open port xyz for the client at ::6565:abcd
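To see why the post above uses offsets 34 and 36, here is an added example (my own code, not from the poster or from netfilter) that builds a minimal 40-byte IPv6 header and evaluates the simple `OFFSET = VALUE` form of a u32 expression against it. The destination address starts at byte 24 of the header, so the last four bytes of the interface identifier sit at offset 36, and a load at offset 34 covers the two zero bytes before `6565` as well. Only the equality form of u32 is modelled; ranges, `&` masks and the `@`/`>>` operators are not.

```python
import ipaddress
import re
import struct

# IPv6 fixed header layout (RFC 8200): 40 bytes, source at 8, destination at 24.
DST_OFFSET = 24
ADDR_LEN = 16


def ipv6_header(src: str, dst: str, next_header: int = 6, payload_len: int = 0) -> bytes:
    """Return a constructed 40-byte IPv6 header (version 6, hop limit 64, no payload)."""
    fixed = struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


def dst_suffix_offset(nbytes: int) -> int:
    """Offset at which a u32 load of `nbytes` reaches the end of the destination address."""
    if not 1 <= nbytes <= 4:
        raise ValueError("u32 loads 1-4 bytes")
    return DST_OFFSET + ADDR_LEN - nbytes


def u32_match(expr: str, packet: bytes) -> bool:
    """Evaluate the simple u32 form 'OFFSET = VALUE': load 4 big-endian bytes at OFFSET
    and compare the whole 32-bit word with VALUE. A load running past the packet end fails."""
    m = re.fullmatch(r"\s*(\d+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*", expr)
    if not m:
        raise ValueError(f"unsupported u32 expression: {expr!r}")
    offset = int(m.group(1))
    value = int(m.group(2), 0)
    if offset + 4 > len(packet):
        return False
    word = int.from_bytes(packet[offset:offset + 4], "big")
    return word == value


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation prefix.
    pkt = ipv6_header("2001:db8::1", "2001:db8:cafe:1::6565:abcd")
    print("34 = 0x6565      ->", u32_match("34 = 0x6565", pkt))       # groups 6,7 == 0:6565
    print("36 = 0x6565abcd  ->", u32_match("36 = 0x6565abcd", pkt))   # groups 7,8 == 6565:abcd
    print("last 4 bytes of dst start at offset", dst_suffix_offset(4))
```

Note that the u32 load at 34 only matches when the 16 bits before `6565` are zero; a host whose identifier is `1:6565:abcd` does not match that expression, which is the kind of surprise that makes the plain netmask form in the next reply easier to reason about.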

Matching of the interface identifier can be solved without u32 match, use "::ffff:ffff:ffff:ffff" as destination mask, i.e. "-d ::xxxx:xxxx:xxxx:xxxx/::ffff:ffff:ffff:ffff"

1 Like

@mpa Hello, what is this kind of mask called?

::2345:67ff:fe89:abcd/-64

or ::xxxx:xxxx:xxxx:xxxx/::ffff:ffff:ffff:ffff

Any rfc defined them?

I have researched this all night but can't find any useful information. If you have some, do you mind telling me about it?

1 Like

Port forwarding to a dynamic IPv6 address - #2 by vgaetera

3 Likes

The :: is defined in RFC 4291:

A mask of ::ffff:ffff:ffff:ffff expands to 0000:0000:0000:0000:ffff:ffff:ffff:ffff, which matches the interface ID part of the IPv6 address and causes the network prefix to be ignored.

2 Likes

Firewall configurations are converted to iptables rules, and the rules that can be converted in this way are:

-A zone_wan_forward -d ::ca1/128 -p tcp -m comment --comment "!fw3: @rule[9]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -d ::ca1/128 -p udp -m comment --comment "!fw3: @rule[9]" -j zone_lan_dest_ACCEPT

I think this is mainly because the firewall is based on iptables, which is the reason for this feature.

But I don't see it used in other projects. Maybe this usage only exists in iptables?

Not whether the RFC defines the ::, but whether it defines how the mask should work.

A mask of ::ffff:ffff:ffff:ffff expands to 0000:0000:0000:0000:ffff:ffff:ffff:ffff , which matches the interface ID part of the IPv6 address and causes the network prefix to be ignored.

This is your definition. What I want to know is whether an RFC has defined this behavior.

Many CLI tools support the numeric netmask notation.
But the negative numeric appears to be the fw3-specific feature.

Thank you very much, I'm trying to find out how iptables implements it.

fw3 inverts the netmask bits when its numeric value is negative:
https://git.openwrt.org/?p=project/firewall3.git;a=blob;f=utils.c;hb=HEAD#l853

1 Like
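The two mask spellings in this thread (`/-64` in the fw3 rule and `/::ffff:ffff:ffff:ffff` on the ip6tables command line) describe the same thing. As an added illustration, not fw3's own code, here is a small Python model of the behaviour described above: a prefix length builds a mask of leading ones, a negative length inverts it (the fw3 convention), a colon-form mask is taken literally, and a host matches when the masked bits agree. The sample addresses are constructed from the documentation prefix 2001:db8::/32.

```python
import ipaddress

FULL = (1 << 128) - 1


def parse_ip6_with_mask(spec: str):
    """Parse 'addr', 'addr/N', 'addr/-N' or 'addr/a:b::c' into (address_int, mask_int).

    /N     -> the top N bits set (ordinary prefix match)
    /-N    -> the same mask with every bit inverted, i.e. the low 128-N bits (fw3 convention)
    /x::y  -> the mask given literally as an IPv6 address (what ip6tables -d accepts)
    """
    addr_s, _, mask_s = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if not mask_s:
        return addr, FULL
    if ":" in mask_s:
        return addr, int(ipaddress.IPv6Address(mask_s))
    n = int(mask_s)
    invert = n < 0
    n = abs(n)
    if n > 128:
        raise ValueError(f"prefix length out of range: {mask_s}")
    mask = (FULL << (128 - n)) & FULL
    if invert:
        mask ^= FULL
    return addr, mask


def mask_text(spec: str) -> str:
    """Render the effective mask of a spec in IPv6 notation."""
    return str(ipaddress.IPv6Address(parse_ip6_with_mask(spec)[1]))


def matches(host: str, spec: str) -> bool:
    """True if host agrees with spec on every bit selected by the mask."""
    addr, mask = parse_ip6_with_mask(spec)
    return (int(ipaddress.IPv6Address(host)) & mask) == (addr & mask)


if __name__ == "__main__":
    rule = "::2345:67ff:fe89:abcd/-64"           # the webserver rule from the thread
    print(rule, "uses mask", mask_text(rule))
    for host in ("2001:db8:1:2:2345:67ff:fe89:abcd",   # prefix A, matching IID
                 "2001:db8:ffff:0:2345:67ff:fe89:abcd",  # prefix changed, same IID
                 "2001:db8:1:2:2345:67ff:fe89:abce"):    # different IID
        print(f"  {host:40} -> {matches(host, rule)}")
```

The inversion is the whole trick: `/-64` keeps exactly the bits that `/64` would discard, so the rule follows the host through prefix changes while still pinning it to one interface identifier. The negative form is fw3-specific, as noted above; on the ip6tables command line the literal mask form is the portable spelling of the same rule.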

Thanks! It's very helpful! I thought before that OpenWrt just converts the config to iptables args and calls the command; this shows fw3 does other work too.

fw3 does not call the iptables command directly, but calls the libiptc API, and the append API defined here https://git.netfilter.org/iptables/tree/iptables/ip6tables.c?h=v1.8.7#n467 requires a mask for the source IP and dest IP. The mask is also a valid IP, defined in stdlib, so fw3 needs to convert the mask string to a valid IP.

1 Like
