dpjanda
September 4, 2024, 3:56pm
1
Greetings forum
I am having no luck blocking inbound IPv6 to my lan.
EDIT:
All sorted. Here is my solution,
A catch-all IPv6 traffic rule to block IPv6 inbound is done with:
config rule
option name 'DROP IPv6 >'
option family 'ipv6'
option dest 'lan'
option target 'DROP'
option src '*'
For LuCI users, From ANY ZONE for option src '*'
Of course, should you want to allow an IPv6 port to a specific IPv6 address, then further up in priority you can have this:
config rule
option name 'IPv6 > Cloud'
option family 'ipv6'
option src '*'
option dest 'lan'
option dest_port '443'
option target 'ACCEPT'
list proto 'tcp'
list dest_ip 'whatever'
This will allow IPv6 to connect to 'whatever' with port 443. Again ANY ZONE for option src '*', for LuCI users.
Works a treat. Tested with god knows how many online tools.
Hope this helps someone.
krazeh
September 4, 2024, 4:00pm
2
The default firewall config will already block IPv6 traffic. What exact issue are you having?
Also, please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
2 Likes
dpjanda
September 4, 2024, 4:12pm
3
The problem I am having is that IPv6 port scans are showing open ports when I explicitly block them.
What is the default rule you mention?
{
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer A7 v5",
"board_name": "tplink,archer-a7-v5",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "ath79/generic",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
option delegate '0'
list ip6addr 'x'
config device
option name 'eth0.2'
option macaddr 'x'
config interface 'wan'
option device 'eth0.2'
option ipaddr 'x'
option proto 'pppoe'
option username 'x'
option password 'x'
option delegate '0'
option ipv6 'auto'
option peerdns '0'
list dns 'x'
list dns 'x'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'
config interface 'IOT'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.3.1'
option device 'iot'
config device
option name 'iot'
option type 'bridge'
list ports 'eth0.3'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t'
option vid '3'
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
option delegate '0'
list ip6addr ''
config device
option name 'eth0.2'
option macaddr 'b0:a7:b9:18:4a:16'
config interface 'wan'
option device 'eth0.2'
option ipaddr ''
option proto 'pppoe'
option username ''
option password ''
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'ppp+'
list network 'lan'
list network 'wan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS -> Server'
option src 'wan'
option dest_ip '192.168.1.100'
option src_dport '443'
option family 'ipv4'
list proto 'tcp'
list proto 'udp'
option src_dip '81.187.25.54'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS -> Cloud'
option family 'ipv4'
option src 'wan'
option dest_ip '192.168.1.150'
option dest_port '443'
option src_dip '81.2.115.74'
list proto 'tcp'
list proto 'udp'
option enabled '0'
option src_dport '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SMTP -> Server'
list proto 'tcp'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.1.100'
option dest_port '25'
option family 'ipv4'
option src_dip '81.187.25.54'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'IMAPS -> Server'
list proto 'tcp'
option src 'wan'
option src_dport '993'
option dest_ip '192.168.1.100'
option dest_port '993'
option family 'ipv4'
option src_dip '81.187.25.54'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SUBMISSION -> Server'
list proto 'tcp'
option src 'wan'
option src_dport '587'
option dest_ip '192.168.1.100'
option dest_port '587'
option family 'ipv4'
option src_dip '81.187.25.54'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH -> Cloud'
list proto 'tcp'
option src 'wan'
option src_dport '2022'
option dest_ip '192.168.1.150'
option dest_port '2022'
option src_dip '81.2.115.74'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option dest_ip '192.168.1.100'
option src_dport '32001'
option dest_port '32001'
option name 'SSH -> Server'
option family 'ipv4'
option src_dip '81.187.25.54'
config rule
option family 'ipv6'
option src 'wan'
option dest 'lan'
list dest_ip '2001:8B0:1596:FF02::3'
option dest_port '53'
option target 'ACCEPT'
option name '+ DNS -> SERVER'
config zone
option name 'iot'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'IOT'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'iot'
option dest 'wan'
config nat 'snat3'
option src 'wan'
option snat_ip '81.2.115.73'
option target 'SNAT'
option family 'ipv4'
option src_ip '192.168.3.1/24'
option name 'Outbound IOT'
list proto 'all'
config rule
option name 'IGMP'
list proto 'igmp'
option target 'ACCEPT'
option src 'lan'
list src_ip '192.168.1.100'
option dest 'iot'
list dest_ip '192.168.3.205'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '32000'
option dest_port '32000'
option name 'SSH -> Router'
list proto 'tcp'
option dest_ip '192.168.1.1'
config rule
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option dest 'lan'
list dest_ip '2001:8b0:1596:ff02::3'
option target 'ACCEPT'
option name 'IPv6 -> Server'
option dest_port '25 587 993 443 32001'
config redirect 'dnat3'
option src 'wan'
option src_dip '81.2.115.73'
option target 'DNAT'
option dest 'lan'
option dest_ip '192.168.3.1/24'
option name 'Inbound IOT'
option family 'ipv4'
list proto 'all'
option enabled '0'
config rule
option name 'IPv6 -> Cloud'
option family 'ipv6'
option src 'wan'
option dest 'lan'
list dest_ip '2001:8b0:1596:ff02::5'
option dest_port '443'
option target 'ACCEPT'
list proto 'tcp'
config rule
option name 'TV Block INBOUND'
option src 'wan'
option dest 'lan'
list dest_ip '192.168.1.250'
option target 'DROP'
config rule
option name 'iot DNS / DHCP / DLNA'
option src 'iot'
option target 'ACCEPT'
option family 'ipv4'
option dest_port '53 67 68'
config rule
option name 'TV Block OUTBOUND'
option target 'DROP'
option src 'lan'
list src_ip '192.168.1.250'
option dest 'wan'
config nat
option name 'Outbound Cloud'
option family 'ipv4'
option src 'wan'
option src_ip '192.168.1.150'
option target 'SNAT'
option snat_ip '81.2.115.74'
list proto 'all'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'ppp+'
list network 'lan'
list network 'wan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS -> Server'
option src 'wan'
option dest_ip '192.168.1.100'
option src_dport '443'
option family 'ipv4'
list proto 'tcp'
list proto 'udp'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS -> Cloud'
option family 'ipv4'
option src 'wan'
option dest_ip '192.168.1.150'
option dest_port '443'
list proto 'tcp'
list proto 'udp'
option enabled '0'
option src_dport '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SMTP -> Server'
list proto 'tcp'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.1.100'
option dest_port '25'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'IMAPS -> Server'
list proto 'tcp'
option src 'wan'
option src_dport '993'
option dest_ip '192.168.1.100'
option dest_port '993'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SUBMISSION -> Server'
list proto 'tcp'
option src 'wan'
option src_dport '587'
option dest_ip '192.168.1.100'
option dest_port '587'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH -> Cloud'
list proto 'tcp'
option src 'wan'
option src_dport '2022'
option dest_ip '192.168.1.150'
option dest_port '2022'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option dest_ip '192.168.1.100'
option src_dport '32001'
option dest_port '32001'
option name 'SSH -> Server'
option family 'ipv4'
option src_dip ''
config rule
option family 'ipv6'
option src 'wan'
option dest 'lan'
list dest_ip ''
option dest_port '53'
option target 'ACCEPT'
option name '+ DNS -> SERVER'
config zone
option name 'iot'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'IOT'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'iot'
option dest 'wan'
config nat 'snat3'
option src 'wan'
option snat_ip ''
option target 'SNAT'
option family 'ipv4'
option src_ip '192.168.3.1/24'
option name 'Outbound IOT'
list proto 'all'
config rule
option name 'IGMP'
list proto 'igmp'
option target 'ACCEPT'
option src 'lan'
list src_ip '192.168.1.100'
option dest 'iot'
list dest_ip '192.168.3.205'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '32000'
option dest_port '32000'
option name 'SSH -> Router'
list proto 'tcp'
option dest_ip '192.168.1.1'
config rule
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option dest 'lan'
list dest_ip ''
option target 'ACCEPT'
option name 'IPv6 -> Server'
option dest_port '25 587 993 443 32001'
config redirect 'dnat3'
option src 'wan'
option src_dip ''
option target 'DNAT'
option dest 'lan'
option dest_ip '192.168.3.1/24'
option name 'Inbound IOT'
option family 'ipv4'
list proto 'all'
option enabled '0'
config rule
option name 'IPv6 -> Cloud'
option family 'ipv6'
option src 'wan'
option dest 'lan'
list dest_ip ''
option dest_port '443'
option target 'ACCEPT'
list proto 'tcp'
config rule
option name 'TV Block INBOUND'
option src 'wan'
option dest 'lan'
list dest_ip '192.168.1.250'
option target 'DROP'
config rule
option name 'iot DNS / DHCP / DLNA'
option src 'iot'
option target 'ACCEPT'
option family 'ipv4'
option dest_port '53 67 68'
config rule
option name 'TV Block OUTBOUND'
option target 'DROP'
option src 'lan'
list src_ip '192.168.1.250'
option dest 'wan'
config nat
option name 'Outbound Cloud'
option family 'ipv4'
option src 'wan'
option src_ip '192.168.1.150'
option target 'SNAT'
option snat_ip ''
list proto 'all'
krazeh
September 4, 2024, 4:13pm
4
Please edit your previous post and mark your pasted config as 'preformatted text'.
krazeh
September 4, 2024, 4:15pm
5
Where are these scans being run from? What software is being used?
dpjanda
September 4, 2024, 4:17pm
6
Just about every publicly available online IPv6 scanner
brada4
September 4, 2024, 4:19pm
7
Format initial reply and add /etc/config/firewall
brada4
September 4, 2024, 4:24pm
9
Ain't playing that game here, format your post and add firewall config. Can't help you without that.
brada4
September 4, 2024, 4:24pm
10
dpjanda:
"rootfs_type": "ext4",
Care to explain this too?
dpjanda
September 4, 2024, 4:26pm
11
Well good for you pal. Did not think you were.
dpjanda
September 4, 2024, 4:27pm
12
dpjanda:
"rootfs_type": "ext4",
Really? I don't care to explain!
krazeh
September 4, 2024, 4:38pm
13
Well that's a big issue. The wan network should not be in the lan firewall zone.
And please go back and double check your posted configs. What you've posted is a mess.
dpjanda
September 4, 2024, 4:40pm
14
Ah, so that needs removing - thanks.
_bernd
September 4, 2024, 4:41pm
15
For a start... What does your port scan report.... For fukk sake be explicit in your wording!
Second, you have a bunch of rules which allow connections from wan to lan...
Third, by default all incoming traffic is blocked. You seem to have deleted that rule.
dpjanda
September 4, 2024, 4:42pm
16
May I ask what "that rule" is?
The scan(s) report IPv6 port open on 443
wan to lan - sure do. I thought that was the right thing.
_bernd
September 4, 2024, 4:46pm
17
dpjanda:
"that rule"
config zone
option name wan
list network wan
list network wan6
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
You have this, but you somehow removed wan6 from it...
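The two zone problems raised in this thread (the wan network listed under the lan zone, and wan/wan6 belonging in a zone whose input and forward policies are REJECT) can be checked mechanically. The following is an added example, not code from any poster or from OpenWrt; `audit_zones`, `thread_zones` and `fixed_zones` are hypothetical names, and it assumes the upstream networks are called wan and wan6.

```shell
#!/bin/sh
# Added example: flag upstream networks that sit in a permissive firewall zone.
# Usage: audit_zones ["wan wan6"] < /etc/config/firewall
audit_zones() {
    awk -v upstream="${1:-wan wan6}" '
    function unq(s) { gsub(/["\047]/, "", s); return s }    # strip UCI quoting
    function flush_zone(   i, n) {                           # judge the zone just parsed
        if (!in_zone) return
        in_zone = 0
        if (input == "")   input = def_input                 # unset: inherit defaults
        if (forward == "") forward = def_forward
        for (i = 1; i <= nnet; i++) {
            n = net[i]
            if (!(n in is_up)) continue
            seen[n] = 1
            if (input == "ACCEPT" || forward == "ACCEPT")
                printf "EXPOSED %s in zone %s (input=%s forward=%s)\n", n, name, input, forward
        }
    }
    BEGIN { nup = split(upstream, up, " "); for (i = 1; i <= nup; i++) is_up[up[i]] = 1 }
    $1 == "config" {
        flush_zone()
        section = $2
        if (section == "zone") { in_zone = 1; nnet = 0; name = "?"; input = ""; forward = "" }
        next
    }
    section == "defaults" && $1 == "option" {
        if ($2 == "input")   def_input = unq($3)
        if ($2 == "forward") def_forward = unq($3)
    }
    section == "zone" && $1 == "option" {
        if ($2 == "name")    name = unq($3)
        if ($2 == "input")   input = unq($3)
        if ($2 == "forward") forward = unq($3)
    }
    # accepts both "list network x" and "option network x y"
    section == "zone" && $2 == "network" { for (f = 3; f <= NF; f++) net[++nnet] = unq($f) }
    END {
        flush_zone()
        for (i = 1; i <= nup; i++)
            if (!(up[i] in seen)) printf "UNZONED %s is in no firewall zone\n", up[i]
    }'
}

thread_zones() {   # defaults and zone sections as posted in the thread
    cat <<'EOF'
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wan'
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan6'
EOF
}

fixed_zones() {    # constructed: same layout with wan moved into the wan zone
    thread_zones | awk '
        /list network .wan.$/ { next }                       # drop wan from the lan zone
        { print }
        /list network .wan6.$/ { print "\tlist network \047wan\047" }'
}

thread_zones | audit_zones
```

No output means every upstream network is in a zone whose input and forward policies are not ACCEPT; an `UNZONED` line means the network is covered by no zone at all.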
dpjanda
September 4, 2024, 4:49pm
18
Mighty!
Thanks. I think that's it.
dpjanda
September 4, 2024, 4:52pm
19
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan6'
list network 'wan'
I do have it.
krazeh
September 4, 2024, 4:54pm
20
You also have a mess of other rules. To be honest you'd be better off starting from scratch and getting advice about what specific rules to add for your needs.
1 Like