Port forward IPV6

Model: TP-Link Archer C6U v1
Architecture: MediaTek MT7621 ver:1 eco:3
Target Platform: ramips/mt7621
Firmware Version: OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.072.79561~41a338d

My IPv4 is behind CGNAT, and the ISP provides an IPv6 PD /64. I could reach the router from the internet through the IPv6 address.

So I was trying to set up a port forward to my Hikvision DVR (connected to lan4 on OpenWrt) to access it externally.
Port forwarding to the DVR's IPv4 isn't working, I guess for want of 6 => 4 translation. Is this correct?

I tried forwarding to the IPv6 address as seen from the Hikvision, the fe80 address (fe80::66db:8bff:xxxx:xxxx). Even though I have a ULA defined as fd10:0b22:e315::/48, I don't see that address assigned to the Hikvision.

I tried pinging fe80::66db:8bff:xxxx:xxxx from OpenWrt, but I couldn't. So I tried enabling IPv6 for the lan4 device (where the DVR is connected). Still the same status.

I tried adding a route:

ip -6 route add fe80::66db:8bff:xxxx:xxxx dev lan4

Still the same status.


ip -6 route

default from 2401:4900:884f:ffff::xxx:xxxx via fe80::e6f2:7cff:xxx:xxxx dev pppoe-wan proto static metric 512 pref medium
default from 2401:4900:88e8:xxxx::/64 via fe80::e6f2:7cff:fed9:e3a2 dev pppoe-wan proto static metric 512 pref medium
unreachable 2401:4900:88e8:xxxx::/64 dev lo proto static metric 2147483647 pref medium
fd10:b22:e315::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd10:b22:e315::/48 dev lo proto static metric 2147483647 pref medium
fe80::5403:6ba8:f673:1bbe dev pppoe-wan proto kernel metric 256 pref medium
fe80::66db:8bff:xxxx:xxxx dev lan4 metric 1024 pref medium
fe80::e6f2:7cff:fed9:e3a2 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev lan4 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium

What does unreachable mean on the ULA and PD?

I also tried

uci set dhcp.lan.ra_default='1'
uci set dhcp.lan.master='1'

What could be done to get the port forward from IPv6 to reach the DVR?

Please let me know what config files would be needed for more info.

No, you cannot connect to an IPv4 private address by translating ports from a public IPv6. Furthermore, you generally don't port forward on IPv6.

This is why IPv4 port forwarding doesn't work:

You could set up a VPN accessible via IPv6?


Yes, definitely do this with a VPN that is v4 inside the tunnel and v6 outside. WireGuard does this well.

It may be possible to use something like Jool to remap v6 to v4; however, this still has the issue of exposing a likely insecure IoT device to incoming connections direct from the Internet.

If you only have a single /64 from the ISP (typical with LTE connections), you would need to use relay mode to have v6 available on the LAN. However, that is not necessary here, as the VPN would terminate inside OpenWrt, and if the DVR is really v4 only (you may want to investigate this further), it would have no use for v6 on the LAN.

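The setup the replies recommend (a VPN that is v4 inside the tunnel and v6 outside, terminating on OpenWrt), as an added example that is not part of any post in this thread: a shell function that prints a `uci batch` script for a WireGuard interface reachable over IPv6, with a firewall rule that lets tunnel clients reach only the DVR's IPv4 address. The names wg0 and vpn, port 51820, the 10.14.0.0/24 tunnel subnet, the default 'lan' and 'wan' zones and the key and address arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a `uci batch` script for a
# WireGuard endpoint on OpenWrt: reachable over IPv6, IPv4 inside the tunnel.
# Assumptions: wireguard-tools is installed, zones are the default 'lan' and
# 'wan', and the names wg0/vpn, port 51820 and 10.14.0.0/24 are free to use.
wg_uci_batch() {
    key_file="$1"   # file holding the router's WireGuard private key
    peer_pub="$2"   # public key of the remote client
    dvr_ip="$3"     # LAN IPv4 address of the DVR
    [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
    cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='$(cat "$key_file")'
set network.wg0.listen_port='51820'
add_list network.wg0.addresses='10.14.0.1/24'
set network.wg_client=wireguard_wg0
set network.wg_client.public_key='$peer_pub'
add_list network.wg_client.allowed_ips='10.14.0.2/32'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
add_list firewall.vpn.network='wg0'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.wg_in=rule
set firewall.wg_in.name='Allow-WireGuard-IPv6'
set firewall.wg_in.src='wan'
set firewall.wg_in.family='ipv6'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='51820'
set firewall.wg_in.target='ACCEPT'
set firewall.vpn_dvr=rule
set firewall.vpn_dvr.name='Allow-VPN-to-DVR'
set firewall.vpn_dvr.src='vpn'
set firewall.vpn_dvr.dest='lan'
set firewall.vpn_dvr.family='ipv4'
set firewall.vpn_dvr.dest_ip='$dvr_ip'
set firewall.vpn_dvr.proto='all'
set firewall.vpn_dvr.target='ACCEPT'
commit network
commit firewall
EOF
}
# On the router: sh wg-dvr.sh /path/to/key '<client pubkey>' <DVR IPv4> | uci batch
if [ "$#" -ge 3 ]; then wg_uci_batch "$@"; fi
```

After applying the batch, reload the network and firewall services; the client then uses the router's global IPv6 address (in square brackets) with port 51820 as its WireGuard endpoint and 10.14.0.2/32 as its tunnel address.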