Routing IPv6 SSH from WAN to internal host - doesn't work

Hi, just installed OpenWrt on my router (Netgear R7800), and now I am entering the world of IPv6 (only late by 20 years or so!).

My ISP (Charter Spectrum) gives me public IPv6 addresses.
The router's address is: 2600:XXXX:7005:100:d144:718d:e219:dc2e/128
And it received an IPv6-PD range of: 2600:XXXX:6c3f:7f00::/56

I have a Linux server inside my network, and I want to route SSH connections targeted at my ISP public address (i.e. the router) to that server (I moved the OpenWrt SSH server to a different port).

With IPv4 it is trivial with port forwarding:


And this works no problem.

I want to do the same for IPv6. My Linux server received a global IPv6 address:
2600:XXXX:6c3f:7f00::5819

I tried to have a Firewall rule to do it:

But it doesn't work when trying to SSH from outside my network (the error is Connection refused, not Connection timed out).

I verified that I can SSH to the linux IPv6 address from another computer inside the network, so the address is correct. I don't want to use that linux server IPv6 address in the external SSH request - I want to use the router's IPv6 address.

Any ideas or suggestions?

Let me clarify why I want this.
I have an external domain name like "fancyname.com"

I want people to open a web browser to fancyname.com and have the port 80 traffic handled by internal system linux_1.
I want people to be able to ssh to fancyname.com and have the port 22 traffic handled by internal system linux_2.

I know I could solve the problem by having different sub-domain names, like www.fancyname.com AAAA record pointing to system linux_1, and ssh.fancyname.com AAAA record pointing to system linux_2 (using the global access of IPv6 addresses).

But I want it to mirror the port forwarding paradigm of IPv4, where there is one central domain address, and the different ports can vector to different internal nodes.

That's a firewall port forward (NAT). You need a traffic rule (allow the traffic to the server's IP).

Ummmm...

That confused me. You realize that your server has a public IPv6 address. So you'll need an AAAA record specifically for that service/server to match an A record if that's your desire.

Also, I'm sure you realize DNS is not directly related to the IP, you configure that yourself.

Hi, thanks for your comments.

The picture which contains the "IPv6-ssh" item is from the traffic rule section.

Yes, the SSH server has a public IPv6 address. But my desire is to use the router's IPv6 address (which is associated with fancyname.com) and direct the SSH packets on port 22 to the SSH server internally. That way I have one IPv6 address which is used for multiple services, with the ports redirected internally.

You'll need to install NAT for IPv6, then. IPv6 wasn't originally designed to NAT (since the plan is to have enough IPs), so it's not included with the default IPv6 stack.

1 Like
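As an added example (not from the thread or from OpenWrt's own docs) of the port-forward-style redirect the original poster is after: on OpenWrt 22.03 or later the firewall4/nftables stack can DNAT IPv6 without extra packages, so a `config redirect` with `family 'ipv6'` in `/etc/config/firewall` does the job. The addresses are the ones quoted in the thread; the rule name and the fw4 version assumption are mine.

```uci
# Added example: IPv6 DNAT "port forward" for SSH in /etc/config/firewall.
# Assumes OpenWrt 22.03+ (fw4); on older fw3 releases kmod-ipt-nat6 was needed.
# Inbound TCP/22 on the WAN (router) address is rewritten to the LAN server,
# whose global address is the one given in the thread. Only port 22 is opened;
# fw4 adds the matching forward-accept for a DNAT redirect automatically.
config redirect
	option name 'IPv6-ssh-dnat'
	option family 'ipv6'
	option src 'wan'
	option src_dport '22'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '2600:XXXX:6c3f:7f00::5819'
	option dest_port '22'
	option target 'DNAT'
```

After `/etc/init.d/firewall restart`, `nft list ruleset | grep dnat` should show the generated rule; replies return through the router because it is the server's default gateway, so no IPv6 masquerading is required.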

IPv6 is not designed to NAT. But to have a single IP address for all services, you may use a reverse proxy server like nginx or caddy and forward the requests to the relevant servers.

1 Like