Hi,
I am trying to forward Domain and web services to a server in my DMZ over IPv6.
I have IPv6 through a tunnel with he.net, which works.
The IPv6 address is: 2001:470:cc33::3
On OpenWRT, I set these rules:

config rule
	option src_port '53'
	option name 'Allow-Domain6-WANtoSH1'
	option target 'ACCEPT'
	option family 'ipv6'
	option dest_port '53'
	option dest 'DMZ'
	option src 'WAN'
	list dest_ip '2001:470:cc33::3'
	list proto 'tcp'
	list proto 'udp'

config rule
	option src 'WAN'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '2001:470:cc33::3'
	option dest 'DMZ'
	list proto 'tcp'
	option dest_port '80'
	option name 'Allow-TCP6-HTTP-WANtoSH1'
	option src_port '80'

config rule
	option dest_port '443'
	option src 'WAN'
	option name 'Allow-TCP6-HTTPS-WANtoSH1'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '2001:470:cc33::3'
	option dest 'DMZ'
	list proto 'tcp'
	option src_port '443'

This seems like the tunnel subnet (as HE uses 0470 in the second hextet for tunnel addressing). I thought only ::2 was valid for the local end; and ::1 is HE's remote end.
Are you using the tunnel subnet?
If so, why?
Where'd ::3 come from?
If your server is on LAN (or even a Network/Interface/Zone you call "DMZ"), you should use the IPv6 address you assigned to it from that subnet.
What is the /64 prefix you assigned to the DMZ network?
If you already used that /64, did you request a /48 so you can divide more /64's?
Tested: OK, by a friend elsewhere in FR, on an OpenBSD station.
% ping6 2001:470:cc33::3
PING 2001:470:cc33::3 (2001:470:cc33::3): 56 data bytes
64 bytes from 2001:470:cc33::3: icmp_seq=0 hlim=57 time=49.508 ms
64 bytes from 2001:470:cc33::3: icmp_seq=1 hlim=57 time=51.251 ms
64 bytes from 2001:470:cc33::3: icmp_seq=2 hlim=57 time=49.970 ms
64 bytes from 2001:470:cc33::3: icmp_seq=3 hlim=57 time=50.336 ms
64 bytes from 2001:470:cc33::3: icmp_seq=4 hlim=57 time=50.530 ms
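
An added example, not part of the thread or of OpenWrt: a small Python linter to run on a workstation against a copy of /etc/config/firewall. In the OpenWrt firewall `src_port` matches the packet's source port, so a rule that sets it to the same value as `dest_port` only accepts clients connecting from that port, while ordinary clients use ephemeral source ports; the linter flags that and, when given the prefix routed to the DMZ, any `dest_ip` outside it (the function names and the `dmz_prefix` parameter are assumptions of this example, and `dest_ip` is assumed to hold plain addresses).

```python
import ipaddress

# The DNS rule from the post above, as it would sit in /etc/config/firewall.
SAMPLE = """\
config rule
    option src_port '53'
    option name 'Allow-Domain6-WANtoSH1'
    option target 'ACCEPT'
    option family 'ipv6'
    option dest_port '53'
    option dest 'DMZ'
    option src 'WAN'
    list dest_ip '2001:470:cc33::3'
    list proto 'tcp'
    list proto 'udp'
"""

def parse_rules(text):
    """Return each 'config rule' section as a dict; 'list' keys become lists."""
    rules, cur = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            cur = {} if parts[1:2] == ["rule"] else None
            if cur is not None:
                rules.append(cur)
        elif cur is not None and len(parts) == 3:
            kind, key, val = parts[0], parts[1], parts[2].strip().strip("'\"")
            if kind == "list":
                cur.setdefault(key, []).append(val)
            elif kind == "option":
                cur[key] = val
    return rules

def lint(rules, dmz_prefix=None):
    """Flag source-port matches and dest_ip values outside dmz_prefix (if given)."""
    findings = []
    net = ipaddress.ip_network(dmz_prefix) if dmz_prefix else None
    for r in rules:
        name = r.get("name", "(unnamed)")
        if "src_port" in r and "dest_port" in r:
            findings.append((name, "src_port"))  # matches only traffic sent FROM that port
        ips = r.get("dest_ip", [])
        for ip in [ips] if isinstance(ips, str) else ips:
            if net and ipaddress.ip_address(ip) not in net:
                findings.append((name, "dest_ip"))
    return findings
```

`lint(parse_rules(open("firewall").read()), "<your DMZ /64>")` returns a list of `(rule name, option)` pairs; an empty list means neither problem was found.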