Port forwarding to a dynamic IPv6 address

Hello,

My configuration is the following:

[image]

I have added a static lease, to which the expected IPv6 address has been assigned:

My goal is to forward the traffic from a specific port of the WAN6's IPv6 address (for instance 50022) to a specific port of my known hostname (let's assume 22), whose address suffix (2) I know, but whose prefix is dynamic.

I attempted to add a rule, but I imagine there is no "variable" available to reference the obtained IPv6-PD, even though this would logically make sense to me, so something like:

config rule
	option name 'FORWARD SSH IPv6'
	option target 'DNAT'
	option proto 'tcp'
	option family 'ipv6'
	option src 'wan6'
	# port on the WAN6 address that incoming connections arrive at
	option src_dport '50022'
	option dest 'lan'
	# LAN host; the prefix would have to come from the delegated IPv6-PD
	option dest_ip '{WAN6's IPv6-PD needed variable}::2'
	# port on the LAN host the connection is forwarded to
	option dest_port '22'
	option enabled '1'

Is it possible to achieve this in some way?

Many thanks!

OpenWrt firewall doesn't support NAT6 due to this bug:
https://bugs.openwrt.org/index.php?do=details&task_id=500

But you don't really need to use NAT6 for just IPv6 forwarding:
fw3 IPv6 configuration examples > Dynamic prefix forwarding


Thanks, I read about dynamic prefix forwarding, but given my limited knowledge about IPv6 I had the impression that it can't work because of the difference between the 49th and 56th bits:

IPv6: 2axx:xxxx:xxxx:ffff::524c:b3c1/128
IPv6-PD: 2axx:xxxx:xxxx:66::/56

I assumed that applying a negative mask for the first 56 bits would result in 2axx:xxxx:xxxx:ff::2 instead of the desired 2axx:xxxx:xxxx:66::2, which would be a problem.

Am I wrong?

Not really.

/-56 == /::ff:ffff:ffff:ffff:ffff

The IPv6 address of the router does not matter here. Instead, you should set up an IPv6 DNS record (AAAA) for the LAN host you want to connect to. Together with a firewall forwarding rule, this makes the address and port translation unnecessary.


Actually I realized that my DDNS service was misconfigured. It was sourcing the address from WAN instead of LAN, which explains this whole story. Indeed, after changing the source to LAN it determines and sends the {dynamic prefix}::1 address, which is convenient. Using hostnames and static suffixes on the DDNS provider's side I can obtain "semi-predictable" routable addresses and I can then define simple firewall rules, so you are right, I don't need NAT.

Thanks!

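The two points the thread settles on are (a) what a negative mask such as `/-56` actually compares, per the "/-56 == /::ff:ffff:ffff:ffff:ffff" reply, and (b) that once DDNS publishes the router's LAN address `{prefix}::1`, a host with a static suffix has a predictable address. The following is an added worked example, not code from the thread or from OpenWrt/fw3: it reimplements the negative-mask comparison in Python the way the reply describes it (ignore the first N bits, compare the remaining 128-N), and derives a host address from a router address plus a static suffix. The addresses under `2001:db8::/32` are constructed sample values, and the function names are my own.

```python
# Added example (not from the forum thread or from fw3): evaluating
# fw3-style negative IPv6 masks such as '::2/-56', and deriving a LAN
# host address from a dynamically learned prefix plus a static suffix.
import ipaddress

IPV6_BITS = 128
ALL_ONES = (1 << IPV6_BITS) - 1


def negative_mask(length: int) -> ipaddress.IPv6Address:
    """Mask for a negative prefix length '/-N'.

    '/-N' ignores the first N bits and compares the remaining 128-N bits.
    For N=56 this is the last 72 bits: ::ff:ffff:ffff:ffff:ffff, exactly
    the equivalence stated in the thread.
    """
    if not 0 <= length <= IPV6_BITS:
        raise ValueError("prefix length out of range")
    return ipaddress.IPv6Address(ALL_ONES >> length)


def parse_match(spec: str):
    """Parse 'addr/-N' (negative mask) or 'addr/N' (ordinary prefix).

    Returns (masked address as int, mask as int). A bare address means
    an exact /128 match.
    """
    addr_part, _, len_part = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_part))
    if not len_part:
        return addr, ALL_ONES
    length = int(len_part)
    if length < 0:
        mask = int(negative_mask(-length))
    else:
        mask = (ALL_ONES << (IPV6_BITS - length)) & ALL_ONES
    return addr & mask, mask


def matches(spec: str, address: str) -> bool:
    """True if `address` is covered by the match expression `spec`."""
    want, mask = parse_match(spec)
    return (int(ipaddress.IPv6Address(address)) & mask) == want


def host_from_router(router_lan_addr: str, suffix: int, prefix_len: int = 64) -> str:
    """Derive a LAN host address from the router's LAN address (e.g. the
    {prefix}::1 that DDNS publishes) and the host's static suffix."""
    mask = (ALL_ONES << (IPV6_BITS - prefix_len)) & ALL_ONES
    prefix = int(ipaddress.IPv6Address(router_lan_addr)) & mask
    if suffix & mask:
        raise ValueError("suffix does not fit in the host part of the prefix")
    return str(ipaddress.IPv6Address(prefix | suffix))


if __name__ == "__main__":
    print(negative_mask(56))  # ::ff:ffff:ffff:ffff:ffff
    # Constructed sample: the delegated prefix changes, the suffix stays ::2.
    for prefix in ("2001:db8:1:6600", "2001:db8:2:aa00"):
        host = host_from_router(f"{prefix}::1", 2)
        print(host, matches("::2/-64", host), matches("::2/-56", host))
```

Note the difference between `/-64` and `/-56`: `::2/-64` matches the host in any /64, whereas `::2/-56` also pins bits 57 to 64, so a host in a different subnet of the same delegation (for example `2001:db8:1:6601::2`) would not match it. Choosing the negative length to cover exactly the bits the ISP does not change is what makes the rule survive a prefix change.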
