SOLVED: Blocking inbound IPv6

Greetings forum

I am having no luck blocking inbound IPv6 to my lan.

EDIT:

All sorted. Here is my solution,

A catch-all IPv6 traffic rule to block IPv6 inbound is done with:

config rule
         option name 'DROP IPv6 >'
         option family 'ipv6'
         option dest 'lan'
         option target 'DROP'
         option src '*'

For LuCI users, From ANY ZONE for option src '*'

Of course, should you want to allow an IPv6 port to a specific IPv6 address, then further up in priority you can have this:

config rule
         option name 'IPv6 > Cloud'
         option family 'ipv6'
         option src '*'
         option dest 'lan'
         option dest_port '443'
         option target 'ACCEPT'
         list proto 'tcp'
         list dest_ip 'whatever'

This will allow IPv6 to connect to 'whatever' with port 443. Again ANY ZONE for option src '*', for LuCI users.

Works a treat. Tested with god knows how many online tools.

Hope this helps someone.

The default firewall config will already block IPv6 traffic. What exact issue are you having?

Also, please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
2 Likes

The problem I am having is that IPv6 port scans are showing open ports when I explicitly block them.

What is the default rule you mention?

{
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer A7 v5",
	"board_name": "tplink,archer-a7-v5",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option delegate '0'
	list ip6addr 'x'

config device
	option name 'eth0.2'
	option macaddr 'x'

config interface 'wan'
	option device 'eth0.2'
	option ipaddr 'x'
	option proto 'pppoe'
	option username 'x'
	option password 'x'
	option delegate '0'
	option ipv6 'auto'
	option peerdns '0'
	list dns 'x'
	list dns 'x'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config interface 'IOT'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.3.1'
	option device 'iot'

config device
	option name 'iot'
	option type 'bridge'
	list ports 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t'
	option vid '3'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'ppp+'
	list network 'lan'
	list network 'wan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS -> Server'
	option src 'wan'
	option dest_ip '192.168.1.100'
	option src_dport '443'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	option src_dip '81.187.25.54'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS -> Cloud'
	option family 'ipv4'
	option src 'wan'
	option dest_ip '192.168.1.150'
	option dest_port '443'
	option src_dip '81.2.115.74'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'
	option src_dport '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SMTP -> Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25'
	option dest_ip '192.168.1.100'
	option dest_port '25'
	option family 'ipv4'
	option src_dip '81.187.25.54'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'IMAPS -> Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '993'
	option dest_ip '192.168.1.100'
	option dest_port '993'
	option family 'ipv4'
	option src_dip '81.187.25.54'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SUBMISSION -> Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '587'
	option dest_ip '192.168.1.100'
	option dest_port '587'
	option family 'ipv4'
	option src_dip '81.187.25.54'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH -> Cloud'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2022'
	option dest_ip '192.168.1.150'
	option dest_port '2022'
	option src_dip '81.2.115.74'

config redirect
	option dest 'lan'
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option dest_ip '192.168.1.100'
	option src_dport '32001'
	option dest_port '32001'
	option name 'SSH -> Server'
	option family 'ipv4'
	option src_dip '81.187.25.54'

config rule
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	list dest_ip '2001:8B0:1596:FF02::3'
	option dest_port '53'
	option target 'ACCEPT'
	option name '+ DNS -> SERVER'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'IOT'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config nat 'snat3'
	option src 'wan'
	option snat_ip '81.2.115.73'
	option target 'SNAT'
	option family 'ipv4'
	option src_ip '192.168.3.1/24'
	option name 'Outbound IOT'
	list proto 'all'

config rule
	option name 'IGMP'
	list proto 'igmp'
	option target 'ACCEPT'
	option src 'lan'
	list src_ip '192.168.1.100'
	option dest 'iot'
	list dest_ip '192.168.3.205'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '32000'
	option dest_port '32000'
	option name 'SSH -> Router'
	list proto 'tcp'
	option dest_ip '192.168.1.1'

config rule
	option family 'ipv6'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '2001:8b0:1596:ff02::3'
	option target 'ACCEPT'
	option name 'IPv6 -> Server'
	option dest_port '25 587 993 443 32001'

config redirect 'dnat3'
	option src 'wan'
	option src_dip '81.2.115.73'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.3.1/24'
	option name 'Inbound IOT'
	option family 'ipv4'
	list proto 'all'
	option enabled '0'

config rule
	option name 'IPv6 -> Cloud'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	list dest_ip '2001:8b0:1596:ff02::5'
	option dest_port '443'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option name 'TV Block INBOUND'
	option src 'wan'
	option dest 'lan'
	list dest_ip '192.168.1.250'
	option target 'DROP'

config rule
	option name 'iot DNS / DHCP / DLNA'
	option src 'iot'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '53 67 68'

config rule
	option name 'TV Block OUTBOUND'
	option target 'DROP'
	option src 'lan'
	list src_ip '192.168.1.250'
	option dest 'wan'

config nat
	option name 'Outbound Cloud'
	option family 'ipv4'
	option src 'wan'
	option src_ip '192.168.1.150'
	option target 'SNAT'
	option snat_ip '81.2.115.74'
	list proto 'all'



Please edit your previous post and mark your pasted config as 'preformatted text'.

Where are these scans being run from? What software is being used?

Just about every publicly available online IPv6 scanner

Format initial reply and add /etc/config/firewall

I have added firewall

Ain't playing that game here, format your post and add firewall config. Can't help you without that.

Care to explain this too?

Well good for you pal. Did not think you were.

Really? I don't care to explain!

Well that's a big issue. The wan network should not be in the lan firewall zone.

And please go back and double check your posted configs. What you've posted is a mess.

Ah, so that needs removing - thanks.

For a start... What does your port scan report.... For fukk sake be explicit in your wording!
Second, you have a bunch of rules which allow connections from wan to lan...
Third, by default all incoming traffic is blocked. You seem to have deleted that rule.

May I ask what "that rule" is?

The scan(s) report IPv6 port open on 443

wan to lan - sure do. I thought that was the right thing.

config zone
    option  name            wan
    list    network         wan
    list    network         wan6
    option  input           REJECT
    option  output          ACCEPT
    option  forward         REJECT
    option  masq            1
    option  mtu_fix         1

You have this, but you somehow removed wan6 from it...

Mighty!

Thanks. I think that's it.

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wan'

I do have it.

You also have a mess of other rules. To be honest you'd be better off starting from scratch and getting advice about what specific rules to add for your needs.

1 Like