Ports on ipv4 not open on ipv6

Hello all, my openwrt box will not open ssh port 22 on the IPv6. The first block is my nmap report. I have two separate rules for outbound and inbound.
The 2nd block is my IPv6 firewall rule.
I've made an effort reading the forums for answers but I haven't found any solution to resolve my issue. Thanks

Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

config rule
	option name 'Allow-SSH'
	option src 'lan'
	option dest 'lan'
	option target 'ACCEPT'
	option direction 'out'
	option device 'br-lan'
	option src_dport '22'
	option dest_port '22'
	list dest_ip 'fd87:a11e:feec::1/64'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option src_port '22'
config rule
	option name 'Allow-SSH In'
	option direction 'in'
	option device 'br-lan'
	option src_port '22'
	option dest 'lan'
	option dest_port '22'
	option target 'ACCEPT'
	list dest_ip 'fd87:a11e:feec::1'




Why icmp?

If we start from the beginning?
What do you want to do and from where do you want to do it?
Are you trying to connect from internet or your inside LAN network?
Do you have more than one local network?

Why icmp?
-It was an extra option I checked as I tried to troubleshoot the issue.

If we start from the beginning?
What do you want to do and from where do you want to do it?
-use ssh from a terminal from a linux desktop on the same lan network
Are you trying to connect from internet or your inside LAN network?
-an isolated LAN network
Do you have more than one local network?
-I have an IPv4 local network address space on the same br-lan interface.

config rule
	option name 'Allow-SSH'
	option src 'lan'
	option target 'ACCEPT'
	option dest_port '22'
	option family 'ipv6'
	list dest_ip 'fd87:a11e:feec::1/64'
	list proto 'tcp'

Remove your rules and try this instead.
The dest_ip must be the router ipv6 address, but that option isn’t necessarily required if you only have one internal zone with only one network.

This should work.

1 Like

Hello, thank you for the reply:
Below are the changes I made to /etc/config/firewall.

config rule
	option name 'Allow-SSH'
	option src 'lan'
	option target 'ACCEPT'
	option dest_port '22'
	option family 'ipv6'
	list dest_ip 'fd87:a11e:feec::1/64'
	list proto 'tcp'

But the response from the terminal is as follows:

connect to host fd87:a11e:feec::1 port 22: Connection refused

Nmap reports the same open and closed ports as in the first post.

To test whether it is the firewall that is to blame, does it work if you set the lan firewall zone input to accept?

Since you had icmp in the rule to begin with: do you have a working IPv6 network to begin with?

1 Like

By default the lan firewall zone allows all input, so no rule will be necessary. Also by default the dropbear ssh server listens on all router IPs.

If you create a new "isolated lan" with restricted access, create a new zone for it with default input set to REJECT instead of ACCEPT. This will also reject services of DHCP and DNS. There is a wiki page about setting up a guest network that shows this.

Firewall rules must match all listed conditions to apply, so the fewer conditions that you have in a rule the more likely it is to match. A basic rule allowing access to a TCP based server (such as ssh) running on the router from one zone (a new zone named lan_restrict) is this:

config rule
   option src 'lan_restrict'
   option dest_port '22'
   option proto 'tcp'
   option target 'ACCEPT'

As @mk24 said, no rule is necessary by default.
After flashing the router:

  1. connect to the router's lan with your Linux desktop
  2. on the desktop terminal run the command ip link
  3. get the name of the interface you are using to connect to the router (ethernet or wireless)
  4. on the desktop terminal run the command ip -6 neigh
  5. from this, get the link-local address of the router (begins with fe80 and the last 4 digits will be the last 4 digits of the router's br-lan mac address)
  6. run the command
    ssh root@[link_local_address]%[desktop_interface_name]
    (note the syntax is different for a link-local address)

For example it will look something like this:
ssh root@fe80::e695:6eff:fe4a:43e5%enp3s0f3u2u4

1 Like
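Steps 2 to 6 above as an added shell example (not from the thread or the OpenWrt project): it parses `ip -6 neigh` output for the router's MAC, checks that the link-local address found is the EUI-64 form of that MAC, and prints the `[address]%interface` ssh target. The neighbour lines and the router MAC are constructed sample data, and the neighbour line layout `addr dev IFACE lladdr MAC [router] STATE` is assumed.

```shell
# Added example, not from the thread: pick the router's link-local address out of
# `ip -6 neigh` output by the br-lan MAC, check it against the modified EUI-64
# form of that MAC, and print the ssh target in the [addr]%iface syntax.
# The neighbour table text and router MAC below are constructed sample data.
SAMPLE_NEIGH='fe80::1 dev enp3s0f3u2u4 lladdr 00:11:22:33:44:55 STALE
fd87:a11e:feec::1 dev enp3s0f3u2u4 lladdr e4:95:6e:4a:43:e5 router REACHABLE
fe80::e695:6eff:fe4a:43e5 dev enp3s0f3u2u4 lladdr e4:95:6e:4a:43:e5 router REACHABLE
fe80::aaaa:bbbb:cccc:dddd dev wlan0 FAILED'
ROUTER_MAC='e4:95:6e:4a:43:e5'
# Interface identifier SLAAC derives from a MAC: flip the U/L bit of the first
# byte and insert ff:fe in the middle. Groups are printed without leading zeros,
# which is how the kernel prints the compressed address.
eui64_iid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b1=${mac%%:*}; rest=${mac#*:}; b2=${rest%%:*}; rest=${rest#*:}
    b3=${rest%%:*}; rest=${rest#*:}; b4=${rest%%:*}; rest=${rest#*:}
    b5=${rest%%:*}; b6=${rest#*:}
    printf '%x:%x:%x:%x' $(( 0x$b1$b2 ^ 0x0200 )) $(( 0x${b3}ff )) \
        $(( 0xfe$b4 )) $(( 0x$b5$b6 ))
}

# Returns 0 when a compressed fe80:: address is the EUI-64 address of the MAC.
# If the IID's first group is 0 the "::" swallows it, so accept that form too.
addr_matches_mac() {
    iid=$(eui64_iid "$2")
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "fe80::$iid"|"fe80::${iid#0:}") return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<link-local address> <interface>" for the usable neighbour entry whose
# lladdr is the router MAC (steps 4 and 5 above), skipping FAILED entries.
router_link_local() {
    printf '%s\n' "$1" | awk -v mac="$(printf '%s' "$2" | tr 'A-F' 'a-f')" '
        tolower($1) ~ /^fe80:/ && $4 == "lladdr" && tolower($5) == mac &&
        $NF != "FAILED" { print $1, $3; exit }'
}
# Builds user@[addr]%iface; warns when the address is not derived from the MAC
# (a stable-privacy or manually configured link-local address would do that).
ssh_target() {
    entry=$(router_link_local "$1" "$2")
    [ -n "$entry" ] || { echo "no link-local neighbour with MAC $2" >&2; return 1; }
    addr=${entry% *}; iface=${entry#* }
    addr_matches_mac "$addr" "$2" ||
        echo "warning: $addr is not the EUI-64 address of $2" >&2
    printf '%s@[%s]%%%s\n' "${3:-root}" "$addr" "$iface"
}
ssh_target "$SAMPLE_NEIGH" "$ROUTER_MAC"   # live: ssh_target "$(ip -6 neigh)" "$ROUTER_MAC"
```

On the real desktop, `ssh "$(ssh_target "$(ip -6 neigh)" "$ROUTER_MAC")"` runs the login from step 6; the warning fires only when the router uses a link-local address that is not derived from its MAC.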

Hello, thank you all for your replies. The unsophisticated fix is simply deleting the dropbear instance and adding a new one. All is well, thank you for your time and responses. Power to the GNU licence. Regards.

FYI, if anyone is still watching ;-). The router is a virtual machine connected to an ovs programmed bridge switch with its own MAC address, forwarding everything.

Are there any ideas why I may have to keep deleting dropbear and re-adding it to fix the connection refused message? It is a virtual machine I power off regularly.

Does this look similar? Dropbear not listening on IPv6 after reboot