[Solved] Firewall dest ipv6 xxx.xxx.xxx/-64 not possible?

Hi

I try to set up some traffic rules for IPv6. As I don't have a static prefix I thought of entering an address with negative prefix like ::xxx:xxx:xxx/-64. I think I have seen something like this, but LuCi doesn't accept it.
Any idea how to solve this?

You could set up the firewall rules with uci on the command line.
Example for opening TCP port 9990 for IPv6 interface ID ::1:22:333:4444:

name=ipv6_rule_name # TODO Your firewall rule name
uci set "firewall.$name"="rule"
uci set "firewall.$name".name="$name"
uci set "firewall.$name".target="ACCEPT"
uci set "firewall.$name".src="wan"
uci set "firewall.$name".dest="lan"
uci set "firewall.$name".proto="tcp" # TODO Or "udp" for UDP, maybe "tcp udp" for both
uci set "firewall.$name".family="ipv6"
uci set "firewall.$name".src_dport="9990" # TODO Incoming port, "9990:9999" for a port range
uci set "firewall.$name".dest_ip="::1:22:333:4444/-64" # TODO Your IPv6 interface identifier
uci set "firewall.$name".dest_port="9990" # TODO Destination port, "9990:9999" for a port range
uci commit firewall

This did the trick for me, but I only tested it with matching incoming and destination ports, and only with either .proto="tcp" or .proto="udp".

Watch out, it is .src_dport="9990", not .src_port="9990".

I tried to set it with LuCi and it didn't work. I'd like to have the interface identifier plus the network id minus prefix (/48). At the moment it looks like:

config rule
        option dest_port '5060'
        option src 'wan'
        option name 'Sipgate(SIP)'
        option dest 'IoT'
        list dest_ip '::44:2e3a:fdff:fe09:614b'
        list dest_ip '192.168.44.206'
        option target 'ACCEPT'

So I assume it would be:

    list dest_ip '::44:2e3a:fdff:fe09:614b/-80'

Correct?

Use ::ffff:ffff:ffff:ffff instead of -64 - that should work with LuCI too


I would suppose so, for the IPv6 and mask part.
I have no idea if you can use lists here.

Also, I do not think this rule is the place where you can set IPv4 forwarding, you would need a separate DNAT redirect for that.

A few days ago I had to work out how to forward IPv4 and IPv6 connections, and I wrote it down here at chapters 7.g) and 7.h). Maybe these examples are of some help.

Regarding your IPv6 and mask, chapter 1.1 of this RFC indicates that a positive mask number means "the first n bits", so I am inclined to assume a negative number means "the last n bits".

From that I also assume that the masked address bits (i.e. the ones where the corresponding mask bit is 1) are the ones that are tested, and the others are ignored.

As @jow already pointed out, you can alternatively supply the mask in the same hexadecimal notation as the address. See also this comment on this superuser.com answer.

If it still does not work, maybe you need to set src_dport=5060? Otherwise it looks to me as if you want to route?/forward? all incoming connections (any port) to your destination at port 5060.
I have never tried anything like this, and I do not know if it makes sense.
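As an added example (not from this thread and not OpenWrt's own firewall code), here is a small Python model of the mask semantics the replies above infer: a positive prefix tests the first n bits, a negative prefix the last n bits, and an explicit mask literal such as ::ffff:ffff:ffff:ffff tests exactly the bits set to 1. The 2001:db8: prefixes in the demo are constructed documentation addresses.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1


def parse_ipv6_match(spec):
    """Parse an OpenWrt-style dest_ip value into (address, mask) as 128-bit ints.

    Assumed semantics (as inferred in the thread, not taken from fw3/fw4 source):
      'addr/N'   (N >= 0)  -> mask covers the first N bits (normal prefix match)
      'addr/-N'  (N > 0)   -> mask covers the last N bits (interface identifier)
      'addr/mask-literal'  -> mask is the IPv6 literal itself, bit for bit
      'addr'               -> exact match on all 128 bits
    """
    addr_s, _, mask_s = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if mask_s == "":
        mask = ALL_ONES
    elif mask_s.startswith("-"):
        n = int(mask_s[1:])
        if not 0 < n <= 128:
            raise ValueError("negative prefix must be in 1..128")
        mask = (1 << n) - 1                           # lowest n bits set
    elif mask_s.isdigit():
        n = int(mask_s)
        if n > 128:
            raise ValueError("prefix length must be <= 128")
        mask = (ALL_ONES << (128 - n)) & ALL_ONES     # highest n bits set
    else:
        mask = int(ipaddress.IPv6Address(mask_s))     # explicit mask literal
    return addr, mask


def ipv6_matches(spec, candidate):
    """True if candidate agrees with spec's address on every bit the mask tests."""
    addr, mask = parse_ipv6_match(spec)
    cand = int(ipaddress.IPv6Address(candidate))
    return (cand & mask) == (addr & mask)


def demo():
    # Subnet id 0x44 plus a 64-bit interface identifier, matched on the last 80 bits:
    # the rule keeps working when the delegated /48 changes, but not for another subnet.
    spec = "::44:2e3a:fdff:fe09:614b/-80"
    return {
        "same_prefix": ipv6_matches(spec, "2001:db8:1234:44:2e3a:fdff:fe09:614b"),
        "new_prefix": ipv6_matches(spec, "2001:db8:abcd:44:2e3a:fdff:fe09:614b"),
        "other_subnet": ipv6_matches(spec, "2001:db8:1234:45:2e3a:fdff:fe09:614b"),
    }
```

The `::ffff:ffff:ffff:ffff` literal suggested above yields the same mask as `/-64`, so either form tests only the 64-bit interface identifier.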

Using /::ffff:ffff:ffff:ffff notation worked with LuCi.

I got it solved for me by getting a static prefix, which allows me to simply use the address without any mask for the rules.
