Properly exposing ports on IPv6 (it works fine for IPv4!)

Hello there!

I am quite stumped right now and this might just be my synapses tangled up real good...

So I wanted to set up i2pd and realized that it needs at least one exposed port. Setting this up for IPv4 was easy:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '60066'
        option dest_ip '192.168.2.1'
        option dest_port '60066'
        option name 'i2pd ipv4'
        option family 'ipv4'

...But when I tried to do the same for IPv6, I noticed that my local device was not in the list of destination IPs and while taking a google trip around the documentation, there was mention of just using Traffic Rules instead of Port Forwarding.

Thing is, IPv6 is kinda the bane of my existence; I can never make it work right... :slight_smile:

So how do I properly expose the 60066 port for IPv6?

Some small notes:

  • Device: FriendlyElec NanoPi R6s
  • OpenWrt 22.03
  • WAN has IPv4 and IPv6 configured and working

Thank you in advance!

Welcome to the community!

Yes, it would be a traffic rule:

config rule
        option target 'ACCEPT'
        option family 'ipv6'
        option proto 'all'
        option src 'wan'
        option dest 'lan'
        option dest_port '60066'
        option name 'i2pd_IPv6'

If you need a specific IP:

option dest_ip 'xxxx:xxxx:xxxx::x'

With IPv6 - unless they're static, they're prone to change often anyway, have multiple IPs per host, etc..

Just tried that, and it still said it's firewalled.


Here is the config I used:

config rule
        option name 'i2pd_ipv6'
        option src 'wan'
        option src_port '60066'
        option dest 'lan'
        option dest_port '60066'
        option target 'ACCEPT'
        option family 'ipv6'

Side note: Why is it so complicated, actually? On my Ubuntu server, all I would have needed to do was ufw allow 60066. Also, when reviewing the change in LuCI, and clicking the Edit button and picking a destination IP, I can actually see my local host in the list this time, which I could not on the Port Forwarding - interesting.

Why have you added this? Are the connections coming from port 60066?

2 Likes

If you have a dynamic IPv6 here is the guide.

1 Like

This is invalid - as there's no NAT. I'm not sure why you added it. Feel free to use the rule I posted.

Correct, this is exactly the same, you're allowing 60066 thru the firewall to your destination network, subnet or specific IP.

There is no "Port Forward" in IPv6 - just allowing thru the firewall. *

Edit:
*-actually, routing is termed "IP forwarding" - nonetheless the term "Port Forwarding" is generally used to describe IPv4 NATs

2 Likes

In general applications, clients choose a random port to originate their connection. Setting a fixed src_port will block those incoming connections.

The fewer conditions in a firewall rule, the more permissive it is. Once it is working you probably want to add a dest_ip to restrict to the one machine on the LAN. If your prefix from the ISP is subject to change, you can use the /-64 syntax to filter only on the last 64 bits of the IP (the interface ID, which you control).

3 Likes
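The two points made in this thread (an IPv6 "port forward" is just an ACCEPT traffic rule from wan to lan, and a src_port condition on such a rule breaks it because peers connect from random source ports) as an added example, not code from the thread or from OpenWrt. The first function prints the standard uci commands for the rule, using the /-64 suffix notation mentioned above so only the interface ID is matched; the second is a small awk lint that reads a firewall config on stdin and flags an IPv6 DNAT redirect or an inbound rule carrying src_port. The rule name, port and the IPv6 suffix are constructed sample values, as are the two embedded config snippets.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the OpenWrt firewall
# config discussed above:
#   ipv6_allow_rule - prints the uci commands for an inbound IPv6 ACCEPT
#                     traffic rule (what replaces a "port forward" on IPv6)
#   lint_firewall   - reads /etc/config/firewall text on stdin and flags the
#                     two mistakes made in the thread
# Names, ports and addresses below are constructed sample values.

# $1 rule name, $2 destination port, $3 optional host suffix such as
# '::1234:5678:9abc:def0'. With a suffix, OpenWrt's "/-64" notation matches
# only the last 64 bits (the interface ID), so a changing ISP prefix does not
# break the rule.
ipv6_allow_rule() {
    name=$1; port=$2; suffix=$3
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='$name'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_port='$port'
EOF
    # Deliberately no src_port: the remote peer picks a random source port.
    if [ -n "$suffix" ]; then
        printf "uci set firewall.@rule[-1].dest_ip='%s/-64'\n" "$suffix"
    fi
    echo "uci commit firewall && /etc/init.d/firewall reload"
}

# Lint: print one line per problem; exit status 1 if anything was flagged.
lint_firewall() {
    awk -v q="'" '
    function flush() {
        if (type == "redirect" && family == "ipv6") {
            print "redirect " q name q ": DNAT does not apply to IPv6 (no NAT); use a traffic rule"
            bad++
        }
        if (type == "rule" && src == "wan" && target == "ACCEPT" && src_port != "") {
            print "rule " q name q ": src_port " src_port " blocks clients using random source ports; remove it"
            bad++
        }
        type = ""; family = ""; name = ""; src = ""; target = ""; src_port = ""
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # keep the value, which may contain spaces
        gsub(q, "", val)                                   # strip the quotes
        if ($2 == "family")   family   = val
        if ($2 == "name")     name     = val
        if ($2 == "src")      src      = val
        if ($2 == "target")   target   = val
        if ($2 == "src_port") src_port = val
    }
    END { flush(); exit (bad > 0) }'
}

# Constructed sample: the two wrong stanzas from the thread.
BAD_CONF=$(cat <<'EOF'
config redirect
        option name 'i2pd ipv6 wrong'
        option target 'DNAT'
        option family 'ipv6'

config rule
        option name 'i2pd_ipv6'
        option src 'wan'
        option src_port '60066'
        option dest 'lan'
        option dest_port '60066'
        option target 'ACCEPT'
        option family 'ipv6'
EOF
)

# Constructed sample: the corrected IPv6 rule, restricted to one host by suffix.
GOOD_CONF=$(cat <<'EOF'
config rule
        option name 'i2pd_IPv6'
        option src 'wan'
        option dest 'lan'
        option dest_ip '::1234:5678:9abc:def0/-64'
        option dest_port '60066'
        option target 'ACCEPT'
        option family 'ipv6'
EOF
)

# Run as a script: show the generated commands and lint both samples.
ipv6_allow_rule i2pd_IPv6 60066 '::1234:5678:9abc:def0'
printf '%s\n' "$BAD_CONF" | lint_firewall || true   # two findings, exit 1
printf '%s\n' "$GOOD_CONF" | lint_firewall          # silent, exit 0
```

The generated commands are what you would paste into the router's shell; the lint is meant to be run against a copy of /etc/config/firewall before reloading, since fw3/fw4 will happily load a DNAT redirect with family ipv6 or an inbound rule with src_port without complaining, and the only symptom is that the port still shows as firewalled.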

...Because my brain was in Port-Forwarding mode. Ouch. Changed that, and now it works!

Thank you so much; I am sorry for that last one though, that was one big derp. :slight_smile:

1 Like
