Hello,
From my isp, my connection has
Has openWRT the ability to run:
a. with the firewall functionality completely off, (because the nodes have their own firewalls)
b. without NAT at all
c. so that a machine with only ipv6 can be accessible from the internet?
the equipment available to use is either an edgerouter-lite-3 or an asus ac68u (ac1300) hw rev A2.
thanks in advance for any advice
Yes, but it's not advisable if the OpenWRT device is going to be the router/gateway device. With the firewall off your router would be easily accessible from the internet (which is a bad thing). And even if devices on your network all have firewalls (which isn't a given, nor is the quality of said firewalls) it's just common sense to use all the security tools you have available.
Yes.
Yes, as long as the device has a globally accessible IPv6 address assigned to it.
Thanks for that info.
I'm tempted to run it on the asus. What do you think?
Oh the asus uses MESH. I'm p sure it's proprietary to asus.
d'oh! the asus runs NAT!! lol
So maybe the edgerouter first (it doesn't have wifi). i think it's quite a bit more gutless than the asus even though that router is about 7 years old.
The connection right now is fttp 100/21 and the LAN is gigabit.
If you're putting OpenWRT on it then it'll operate using NAT (or not if you choose) no differently than any other OpenWRT device.
For non-NAT IPv4 you would put in routes from your external routed IPs to an internal network. That network is usually called a DMZ not a LAN since it is directly linked to the Internet. If you allow general forwarding wan->dmz it is effectively no firewall. Of course specific rules can be written to allow only certain IPs and/or ports.
IPv6 operates without NAT by default, and again you'd set up a network with servers on it as a DMZ, taking a /64 out of your /48, then allow wan->dmz forwarding. These machines will be accessible from the Internet.
ok thanks.
a bit of history:
I was using OpenBSD 7.x on the edgerouter before and it worked as I wanted for a while, but since 7.2 it's stopped working properly for dhcpcd in that it'll get the /64 fine but not the /48 and I've not been able to get a config working for it. I'm still unsure why.
Swapped it out with a fritzbox and it gets the ipv6 correctly immediately. The problem with the fritzbox is if it's used as the device that connects to the internet then (it seems) the firewall can't be turned off unless one wants to forward all traffic to this ip or configure it in client mode* then have something else doing the pppoe, and though I can configure it for machines with ipv4+6 and open ports on those machines, if I have a machine with only an ipv6 address, i can configure the port as before and it shows as configured but it's inaccessible from the internet. Additionally when ipv6 /48 was working with openbsd on the edgerouter, two ipv6 machines on the dmz could ip6 ping each other, ssh, web etc. But not with this fritzbox.
Maybe that one is a failure between brain & keyboard
Why?
Deinstall the webserver, just use ssh. Disable password auth and call it a day.
If you have no services running you need not restrict access.
See:
You forgot that if you disabled the firewall you expose the IPv6 IPs to the un-firewalled Public Internet. This is one reasons administrations should not rely on Security Through Obscurity - a minor design change could have serious security implications. The user noted the devices have their own firewall - good luck and don't forget to check/enable every single one.
Also, regarding IPv4, unless the OP just wants less security, it's actually possible to firewall the /29 Public IPs without using NAT/masquerade, so as noted the OPs desires are possible with OpenWrt.
What has this to-do with the topic firewall on a router or not?
Again. If there are no services running on a Linux box why would you need a firewall? Or if you can configure the services to listen only on certain addresses or interfaces?
You gain nothing with this attitude that people will die without a firewall. If you more or less know what you are doing you can be totally fine without a firewall. It totally depends on the use cases.
And let me tell you a secret: a router is a router and not a firewall. Routers which route traffic on the Internet do not even have the ability to firewall. Sometimes access controll lists is all what you get but as the main purpose of a router is pushing packets there is no filtering.
If you want to restrict access you put i.e. a management interface into a VRF and on a dedicated line.
I made that completely clear. If you don't understand the security risks of disabling a firewall on a router (it seems you elaborate on routers not being firewalls, so I digress) - I would advise not advising suggesting to do dangerous things or ignore best practices regarding security.
Then I would still advise to verify and check the firewall on the clients, as noted. I would also suggest configurations to prevent DDoSing of open ports - otherwise unnecessary if done on an upstream firewall. 
And I assume you "secure" this "VRF" thru some method other than firewalling, correct?
Can you explain what you use in place of the firewall (and how you guarantee that malicious or malformed or maliciously crafted packets do not try to route, DDoS, etc.)?
Lastly, you have to make a firewall policy on all clients, instead of one upstream firewall. Perhaps some may consider this more secure, to me it seems more opportunity for missing configs, errors and mistakes.
And just to be clear - that isn't the topic.
The topic reads here: "Non-nat ipv4 & ipv6" not "firewall on a router or not" - hence my note that you can firewall a /29 without NAT. I should also add, IPv6 normally doesn't use NAT anyway - so that's not a concern either.
Perhaps you should make a new thread to discuss the topic you made up?
I see multiple scenarios:
so it is already on every router where the packet has flown already. it just makes no difference if there is one or two more hops.
every hosting proving / cloud /datacenter / isp works this way. all will just forward traffic wand will not filter it. the end-entity is responsible to apply its security.
possible but does not have to be. if you have full control of that line then you don't need a firewall. (i.e. if you lease a dark fiber or other private line then you are the only one speaking on that line.)
In the days of "zero trust" you have to run a properly configured host firewall on each and every server in your network anyway. ok even without zero trust hype you should have a host firewall in place to avoid that if some one opens up a box in your network the attacker is not easily capable to connect on each and every port on each and every server. (like a random web app should not be accesable directly and only a frontend/proxy is able to connect to these backends. Or take databases: the HR or call center department has no need to be able to connect to a DB directly...)
then dont feed me 
My bad, I didn't realize this was trolling until now. Now I understand why you tend to alter the discussions of threads you participate in.
I'll be mindful in the future when deciding to reply.
I'm not trolling. But you don't have to waste your time if you disagree.
I'm just saying let a router be a router and a firewall a firewall. And you can secure a router without a firewall.
Yes this is how i want the router to be.
A firewall should not be confused with a packet filter which some routers have.
I can use the packet filter to prioritise traffic via either ip or protocol.
_bernd is correct that a router can be secured without a firewall.
For example, I can tell it to not respond to SYN+FIN and, what services it has like
ntpd, to only respond to the loopback address (or dispense with ntpd alltogether and
use something like a cronned ntpdate). Other services can be wrapped. sshd can be wrapped via sshd_config to username@iprange. Or disabled, with console access via serial port the only access method.
Regarding dhcpcd, if I understand correctly, the router first sends a packet (of the right protocol number, I can't remember offhand) then the isp acknowledges it for ipv6 solicitation and neighbour discovery then (correctly configured) dhcpcd issues/announces the /48 domain prefix to the dmz. That would really be the only "exposed service" in this sort of configuration. But would it really be vulnerable?
If your IPs and prefixes are statically assigned at the ISP you can just install them as static routes. When someone on the Internet tries to reach one of your servers, the request will come in on the wan port with that particular destination IP and all that the router has to do is forward it to the proper internal network where the server is. This is stateless destination routing which is little to no security risk as the router since it never acts on the content of the packets.
You will probably want a router (it could be, but doesn't have to be the same one that is doing edge forwarding) holding one of the public IP4s on an interface so that internal LAN users and wifi clients can be NATd out through it.
For LAN use I have an asus rt-ac68u which, for simplicity, blocks ipv6. it is configured statically, has a real routable ipv4 on the WAN and runs nat, and blocks everything initiating a connection inbound.
mk24
If your IPs and prefixes are statically assigned at the ISP
With regard to ipv6, I get a /64 ND and a /48 PD. Is the PD statically assigned? Not sure
if the isp statically assigns it or if it just assigns the same thing dynamically.
It's the /48 PD I'm having some difficulty with running services on a node with an ipv6-only context.
It gets one of the /48 fine, can access ipv6 internet from it. What I can't do is access services on it from the internet. regarding static routes:
If I go into the fritz!box it'll ask for the ipv6 to route to, its netmask (/64 or /48?) and its gateway IP.
gateway relative to the /48 or gateway for the ND /64? I don't know - neither work.
I hope I can get sane ipv6 routing with openwrt on the edgerouter. Hopefully also disable the web server too, as long as the cli is equally or more functional. Not for security reasons, but this hardware is gutless for anything but networking.
You need to ask your ISP.
As long as ipv6 is set up correctly on OpenWRT it should create all the required routes without you needing to add any static routes.
The v6 gateway for everything going toward the Internet would be the link-local of the ISP's first router on their side of your link. I guess you would need to discover that dynamically.
OK. Thanks all, am preparing the edgerouter now