Preventing internal IPv6 LAN addresses from being reached from WAN

Although I have the zones in the firewall setup as default:

The addresses of the LAN interfaces that have IPv6 addresses are directly visible on the internet (a port scan with nmap reveals them as open and exposed).

How can I prevent these from being reached?

Input traffic from WAN is blocked, all ports should appear as blocked.

Can you post your network and firewall configuration files, please?
Also, explain exactly the tests you performed and the results.

#cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00::/8'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth3'
        option ipv6 '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.7.3.254'
        option netmask '255.255.255.0'
        list dns_search 'thuis.local'
        option ip6assign '64'
        list dns '10.7.3.254'
        list dns '<ipv6 prefix>::1'

# IPv4 PPPoE uplink on VLAN 6. NOTE(review): `option ipv6 '1'` on a pppoe
# interface presumably makes netifd bring up its own IPv6 sub-interface for the
# PPP session, while a separate explicit 'wan6' interface on the same
# 'pppoe-wan' device is declared below; running two DHCPv6 clients on one link
# can yield extra, unexpected addresses — confirm with `ifstatus` and keep only
# one of the two.
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.6'
        option username 'internet'
        option password 'internet'
        option mtu '1500'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option ipv6 '1'
        option metric '1'

# IPv6 side of the PPPoE uplink. ip6ifaceid '::42:42' fixes the interface
# identifier, which matches the ':2::42:42' address the thread identifies as the
# external WAN address. ip6assign '64' on a WAN interface hands one /64 of the
# delegated prefix to the WAN interface itself; if that is not intended, check
# `ifstatus wan6`. NOTE(review): this interface is not a member of any zone in
# the pasted /etc/config/firewall.
config interface 'wan6'
        option proto 'dhcpv6'
        option device 'pppoe-wan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ip6ifaceid '::42:42'
        option ip6assign '64'
        option defaultroute '1'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '6'
        option name 'eth0.6'

config interface 'lan2'
        option proto 'static'
        option device 'eth1'
        option ipaddr '10.7.2.254'
        option netmask '255.255.255.0'
        option ip6assign '64'

config device
        option name 'eth1'
        option ipv6 '1'

config interface 'openvpn'
        option proto 'none'
        option device 'tun0'

config route
        option interface 'openvpn'
        option target '192.168.17.0/24'
        option gateway '10.9.0.1'

config route
        option interface 'lan2'
        option target '10.7.4.0/24'
        option gateway '10.7.3.133'
        option metric '1'

#cat firewall

# Zone-independent policy: traffic not matched by a zone below falls back to
# INPUT/FORWARD REJECT and OUTPUT ACCEPT. synflood_protect enables the
# firewall's SYN-flood rate limiting.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan2'

# Untrusted side. Only the IPv4 PPPoE interface 'wan' is a member; the 'wan6'
# interface defined in /etc/config/network is not listed, so IPv6 membership of
# this zone is not explicit (a later reply in the thread flags the same thing).
# Adding `list network 'wan6'` is the conventional fix. masq '1' / masq6 '1'
# enable source NAT for IPv4 and IPv6 respectively; the IPv6 DNAT redirects
# further down presumably rely on masq6 — confirm.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq6 '1'
        list network 'wan'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-OpenVPN-1195'
        option src 'wan'
        option dest_port '1195'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src_port '547'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'nvkh'
        option src 'wan'
        option src_dport '1194'
        option dest_ip '10.7.2.1'
        option dest_port '1194'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '10.7.2.1'
        option dest_port '80'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https'
        option src 'wan'
        option src_dport '443'
        option dest_ip '10.7.2.1'
        option dest_port '443'
        list proto 'tcp'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22'
        option dest_ip '10.7.2.1'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'smtp'
        list proto 'tcp'
        option src 'wan'
        option src_dport '25'
        option dest_ip '10.7.2.1'
        option dest_port '25'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'smtps'
        list proto 'tcp'
        option src 'wan'
        option src_dport '465'
        option dest_ip '10.7.2.1'
        option dest_port '465'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'imap'
        list proto 'tcp'
        option src 'wan'
        option src_dport '143'
        option dest_ip '10.7.2.1'
        option dest_port '143'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'imaps'
        list proto 'tcp'
        option src 'wan'
        option src_dport '993'
        option dest_ip '10.7.2.1'
        option dest_port '993'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'openvpn_1195'
        option src 'wan'
        option src_dport '1195'
        option dest_ip '10.7.3.254'
        option dest_port '1195'
        option enabled '0'

config zone
        option name 'nvkh'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'openvpn'

config forwarding
        option src 'nvkh'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'nvkh'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'submit'
        list proto 'tcp'
        option src 'wan'
        option src_dport '587'
        option dest_ip '10.7.2.1'
        option dest_port '587'

# Forwards IPv6 TCP/22 from WAN into any zone (dest '*'), but only when the
# client's *source* port is also 22 (src_port '22'). Ordinary SSH clients use an
# ephemeral source port, so this rule presumably matches far less than its name
# suggests. If the intent is inbound SSH to a single LAN host, drop src_port and
# pin dest_ip instead — TODO confirm against the 'ssh tcp6' redirect below.
config rule
        option name 'ssh ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_port '22'
        option dest '*'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv6'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh tcp6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http tcp6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '80'
        option family 'ipv6'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https tcp6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '443'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'smtp tcp6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '25'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '25'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'smtps tcp6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '465'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '465'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'submit tcp6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '587'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '587'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'imap'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '143'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '143'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'imaps'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '993'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '993'

# NOTE(review): despite its name this rule carries no proto, dest_port, dest or
# family restriction. A rule with src but no dest is an INPUT rule, so this
# ACCEPTs *all* traffic from the wan zone to the router itself, for both IPv4
# and IPv6, overriding the zone's input REJECT — the most likely reason the
# router's own ports look open from outside. If TCP/443 was intended:
# `option proto 'tcp'` and `option dest_port '443'`.
config rule
        option name 'allow_443'
        option src 'wan'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Transmission'
        option family 'ipv4'
        option src 'wan'
        option src_dport '51411'
        option dest_ip '10.7.3.32'
        option dest_port '51411'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Transmission6'
        option family 'ipv6'
        option src 'wan'
        option src_dport '51411'
        option dest_ip '<ipv6 prefix>::32'
        option dest_port '51411'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mahler-torrent'
        option family 'ipv4'
        option src 'wan'
        option src_dport '51412'
        option dest_ip '10.7.3.40'
        option dest_port '51412'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mahler-torrent6'
        option family 'ipv6'
        option src 'wan'
        option src_dport '51412'
        option dest_ip '<ipv6 prefix>::40'
        option dest_port '51412'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pop3'
        option src 'wan'
        option src_dport '110'
        option dest_ip '10.7.2.1'
        option dest_port '110'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pop3s'
        option src 'wan'
        option src_dport '995'
        option dest_ip '10.7.2.1'
        option dest_port '995'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pop3-ipv6'
        option family 'ipv6'
        option src 'wan'
        option src_dport '110'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '110'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pop3s-ipv6'
        option family 'ipv6'
        option src 'wan'
        option src_dport '995'
        option dest_ip '<ipv6 prefix>:1::2'
        option dest_port '995'

adguardhome.yaml excerpt:

dns:
  # AdGuard Home binds only the two IPv4 LAN addresses and loopback
  # (127.0.0.1 / ::1); no IPv6 LAN or WAN address is bound here, so the resolver
  # the ISP reports on '<ipv6 prefix>:1::1' is presumably another listener on
  # the router — verify with `ss -lunp` (or `netstat -lnp`).
  bind_hosts:
    - 10.7.2.254
    - 10.7.3.254
    - 127.0.0.1
    - ::1
  port: 53
  anonymize_client_ip: false
(...)
 upstream_dns:
    - '[/thuis.local/]127.0.0.1:9453'
    - '[/nvkh.local/]127.0.0.1:9453'
    - '#8.8.8.8'
    - 94.140.14.15
    - 94.140.15.16
    - '#https://dns10.quad9.net/dns-query'
(...)
 local_ptr_upstreams:
    - 10.7.3.254:9453
  use_dns64: false

bind9 configuration excerpt:

#cat named.conf

// This is the primary configuration file for the BIND DNS server named.

options {
        directory "/tmp";

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        // Only IPv4 addresses are bound on port 9453. No listen-on-v6 is set;
        // depending on the BIND version the default can be to listen on all
        // IPv6 addresses on port 53, which would match the open-resolver
        // reports for the router's IPv6 LAN addresses. Set
        // `listen-on-v6 { none; };` (or an explicit address list) and confirm
        // with `ss -lunp`. No recursion / allow-recursion is configured either,
        // so BIND's defaults apply.
        listen-on port 9453 { 127.0.0.1; 10.7.2.254; 10.7.3.254; };
};

I'm asking this because I've got problems: my ISP reports an open-dns-resolver.

Samenvatting
Types	IPs
open-dns-resolver (9)	<ipv6 prefix>:2::42:42, <ipv6 prefix>:1::1, <external ipv4 address>


Events (9)
Datum	Type	IP	Melder	
Mar 17, 2025 2:50pm	open-dns-resolver	<ipv6 prefix>:1::1	autoreports@shadowserver.org	
Mar 15, 2025 2:30pm	open-dns-resolver	<ipv6 prefix>:1::1	autoreports@shadowserver.org	
Mar 14, 2025 3:47pm	open-dns-resolver	<ipv6 prefix>:1::1	autoreports@shadowserver.org
Mar 13, 2025 9:42am	open-dns-resolver	<ipv6 prefix>:1::1	autoreports@shadowserver.org	
Mar 13, 2025 2:19am	open-dns-resolver	<external ipv4 address>	autoreports@shadowserver.org	
Mar 12, 2025 4:01pm	open-dns-resolver	<ipv6 prefix>:1::1	autoreports@shadowserver.org	
Mar 12, 2025 8:41am	open-dns-resolver	<ipv6 prefix>:2::42:42	autoreports@shadowserver.org	
Mar 12, 2025 2:06am	open-dns-resolver	<external ipv4 address>	autoreports@shadowserver.org	
Mar 11, 2025 3:36pm	open-dns-resolver	<ipv6 prefix>:2::42:42	autoreports@shadowserver.org

I got an 'abuse' message from my ISP last Friday, which I thought I had fixed. However, reports keep coming in for the internal ':1::1' LAN interface.

nmap -6 -sU [ipv6 prefix]:1::1 [ipv6 prefix]::1 [ipv6 prefix]:1::2 [ipv6 prefix]::31 [ipv6 prefix]::32 [ipv6 prefix]::40 [ipv6 prefix]::41 [my internet host] -p 54,9453,53

Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-18 11:20 UTC
Nmap scan report for <ipv6 prefix>-1--1.fixed6.kpn.net (<ipv6 prefix>:1::1)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
54/udp   open|filtered xns-ch
9453/udp closed        unknown

Nmap scan report for <ipv6 prefix>--1.fixed6.kpn.net (<ipv6 prefix>::1)
Host is up (0.022s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   open|filtered xns-ch
9453/udp open|filtered unknown

Nmap scan report for <ipv6 prefix>-1--2.fixed6.kpn.net (<ipv6 prefix>:1::2)
Host is up (0.022s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   filtered      xns-ch
9453/udp open|filtered unknown

Nmap scan report for <ipv6 prefix>--31.fixed6.kpn.net (<ipv6 prefix>::31)
Host is up (0.021s latency).

PORT     STATE    SERVICE
53/udp   filtered domain
54/udp   filtered xns-ch
9453/udp filtered unknown

Nmap scan report for <ipv6 prefix>--32.fixed6.kpn.net (<ipv6 prefix>::32)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   filtered      xns-ch
9453/udp filtered      unknown

Nmap scan report for <ipv6 prefix>--40.fixed6.kpn.net (<ipv6 prefix>::40)
Host is up (0.022s latency).

PORT     STATE         SERVICE
53/udp   filtered      domain
54/udp   open|filtered xns-ch
9453/udp open|filtered unknown

Nmap scan report for <ipv6 prefix>--41.fixed6.kpn.net (<ipv6 prefix>::41)
Host is up (0.021s latency).

PORT     STATE    SERVICE
53/udp   filtered domain
54/udp   filtered xns-ch
9453/udp filtered unknown

Nmap scan report for [my internet host] (<ipv6 prefix>:2::42:42)
Host is up (0.021s latency).
Other addresses for [my internet host] (not scanned): 86.92.61.120
rDNS record for <ipv6 prefix>:2::42:42: <ipv6 prefix>-2--42-42.fixed6.kpn.net

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   closed        xns-ch
9453/udp open|filtered unknown

Ideally I would only want the following responses from nmap from WAN to LAN:

Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-18 11:20 UTC
Nmap scan report for <ipv6 prefix>-1--1.fixed6.kpn.net (<ipv6 prefix>:1::1)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
54/udp   closed        xns-ch
9453/udp closed        unknown

(...)

Nmap scan report for [my internet host] (<ipv6 prefix>:2::42:42)
Host is up (0.021s latency).
Other addresses for [my internet host] (not scanned): 86.92.61.120
rDNS record for <ipv6 prefix>:2::42:42: <ipv6 prefix>-2--42-42.fixed6.kpn.net

PORT     STATE         SERVICE
53/udp   closed        domain
54/udp   closed        xns-ch
9453/udp closed     unknown

2::42:42 is the external ipv6 address.

The DNS services only bind to the internal interfaces.
This works great with IPv4, but somehow the IPv6 addresses keep getting exposed, and although they're possibly filtered, I just don't want them to be reachable at all unless I do an explicit port forward.

So the question comes down to: how do I get OpenWrt to expose only the WAN IPv6 address on the WAN interface, and not all the other IPv6 addresses?

Weird — have you tried setting 'nvkh' forwarding to reject?

If the OpenVPN connection is strictly IPv4, perhaps forcing IPv6 off for it at the device level would be a good move, though you'd probably have to create a 'tun0' entry in devices for that. I'm not sure how finicky OpenVPN is about creating the device itself, or maybe there's an option to disable IPv6 in OpenVPN.

Are you launching "nmap" from within your network, or from a device placed outside?

From a place outside.

wan6 is not in the wan zone where it should be. I'm not sure where it is in the firewall.


That's probably what it is; a little curious that the OP has the colour-coded GUI working but somehow didn't see it in the interface section...

Thank you for the reply. I added the wan6 zone:

However, nmap still gives me these results:

root@monitor:~# nmap -6 -v -sU [ipv6 prefix]:1::1 [ipv6 prefix]::1 my.home.server [ipv6 prefix]:1::2  [ipv6 prefix]::31  [ipv6 prefix]::32  [ipv6 prefix]::40  [ipv6 prefix]::41  [ipv6 prefix]::45  -p 53,54,9453
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-18 15:50 UTC
Initiating Ping Scan at 15:50
Scanning 9 hosts [3 ports/host]
Completed Ping Scan at 15:50, 0.06s elapsed (9 total hosts)
Initiating Parallel DNS resolution of 9 hosts. at 15:50
Completed Parallel DNS resolution of 9 hosts. at 15:50, 0.00s elapsed
Initiating UDP Scan at 15:50
Scanning 9 hosts [3 ports/host]
Completed UDP Scan at 15:50, 2.35s elapsed (27 total ports)
Nmap scan report for [ipv6 prefix]-1--1.fixed6.kpn.net ([ipv6 prefix]:1::1)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   open|filtered xns-ch
9453/udp closed        unknown

Nmap scan report for [ipv6 prefix]--1.fixed6.kpn.net ([ipv6 prefix]::1)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
54/udp   open|filtered xns-ch
9453/udp open|filtered unknown

Nmap scan report for my.home.server ([ipv6 prefix]:2::42:42)
Host is up (0.021s latency).
Other addresses for my.home.server (not scanned): 86.92.61.120
rDNS record for [ipv6 prefix]:2::42:42: [ipv6 prefix]-2--42-42.fixed6.kpn.net

PORT     STATE  SERVICE
53/udp   closed domain
54/udp   closed xns-ch
9453/udp closed unknown

Nmap scan report for [ipv6 prefix]-1--2.fixed6.kpn.net ([ipv6 prefix]:1::2)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   open|filtered xns-ch
9453/udp open|filtered unknown

Nmap scan report for [ipv6 prefix]--31.fixed6.kpn.net ([ipv6 prefix]::31)
Host is up (0.021s latency).

PORT     STATE    SERVICE
53/udp   filtered domain
54/udp   filtered xns-ch
9453/udp filtered unknown

Nmap scan report for [ipv6 prefix]--32.fixed6.kpn.net ([ipv6 prefix]::32)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   open|filtered xns-ch
9453/udp filtered      unknown

Nmap scan report for [ipv6 prefix]--40.fixed6.kpn.net ([ipv6 prefix]::40)
Host is up (0.022s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   open|filtered xns-ch
9453/udp filtered      unknown

Nmap scan report for [ipv6 prefix]--41.fixed6.kpn.net ([ipv6 prefix]::41)
Host is up (0.021s latency).

PORT     STATE    SERVICE
53/udp   filtered domain
54/udp   filtered xns-ch
9453/udp filtered unknown

Nmap scan report for [ipv6 prefix]--45.fixed6.kpn.net ([ipv6 prefix]::45)
Host is up (0.021s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
54/udp   open|filtered xns-ch
9453/udp filtered      unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 9 IP addresses (9 hosts up) scanned in 2.48 seconds
           Raw packets sent: 78 (4.488KB) | Rcvd: 32 (2.604KB)

Should I drop the incoming packets?

  • [ipv6 prefix]:1::1 and [ipv6 prefix]::1 are internal LAN addresses.
  • [ipv6 prefix]:2::42:42 is the external WAN address.