[SOLVED] How to make server with public ipv6 address reachable

I have a server with a public IPv6 address.

ip a shows
inet6 {redacted}/64 scope global dynamic mngtmpaddr noprefixroute

and from another system I can ping that server using ping -6 {IPv6 address of server}

According to the mailinabox status checks, the DNS server is running on port 53 but is only accessible from the outside on IPv4 (I have set up port forwarding for that).

The server is not reachable from the outside using IPv6.

The server has gotten its IPv6 address using DHCP.
Is there anything I overlooked in the interface settings or the DHCP6 settings?

I also tried a firewall traffic rule to specifically allow udp and tcp port 53 to the server to no avail.

Any ideas how to set this up?

That should be all that you need. IPv6 is an allow rule not a port forward since there is no NAT involved. Run some packet captures to see if packets are coming in on wan (ISP may be blocking them) and being forwarded to lan. The server must be configured to reply to requests from the general Internet not just the lan.


I can ping the server from WAN so openwrt and my isp seem to allow for it.

When I run uci show firewall I see this:

firewall.@rule[0]=rule
firewall.@rule[0].name='DNS Allow to MX'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest='{redacted}'
firewall.@rule[0].dest_port='53'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].proto='tcp' 'udp'
firewall.@rule[0].dest_ip='{redacted}'
firewall.@rule[0].family='ipv6'

That should be 'tcp udp' or write a separate rule for each.

dest here would just be the zone the server is in, probably lan.

In order for pings to go through, you also have an allow ping rule, right? Are you doing the ping test from outside or only from a LAN machine?

Here is a guide to allow your IPv6 in your firewall https://www.saudiqbal.com/blog/ipv6-home-server-with-dynamic-prefix-for-vpn-web-server-rdp-and-firewall-setup-guide.php
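The two points raised above about the posted rule are that dest must name the zone the server sits in (lan, not an address, which belongs in dest_ip) and that proto must carry both protocols. Note that `uci show` renders a `list` option as separate quoted tokens, as the icmp_type line of the default Allow-ICMPv6-Forward rule shows. The following POSIX sh script is an added example, not code from the thread or from OpenWrt: it checks a `uci show firewall` dump for a dest value that is not a zone name, and prints the uci commands for an IPv6 allow rule that writes proto with `uci add_list` so the stored form is an unambiguous list. The dump, the zone name lan and the address 2001:db8::53 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a `uci show firewall` dump
# for an IPv6 forward-allow rule and emit the uci commands for a correct one.
# Assumptions: the server sits in zone "lan"; 2001:db8::53 is a constructed
# placeholder address; rule index 0 mirrors the rule posted in the thread.

# Constructed dump modelled on the posted rule (dest holds an address
# instead of a zone name).
SAMPLE_DUMP="firewall.@rule[0]=rule
firewall.@rule[0].name='DNS Allow to MX'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest='2001:db8::53'
firewall.@rule[0].dest_port='53'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].proto='tcp' 'udp'
firewall.@rule[0].dest_ip='2001:db8::53'
firewall.@rule[0].family='ipv6'"

# rule_dest_zone DUMP INDEX: prints the dest value of rule INDEX, quotes stripped.
rule_dest_zone() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.@rule\[$2\]\.dest='\(.*\)'$/\1/p"
}

# dest_is_zone VALUE: returns 0 if VALUE is a zone name (letters, digits, _)
# or the any-zone wildcard '*', 1 if it looks like an address or a placeholder,
# which belongs in dest_ip rather than dest.
dest_is_zone() {
    case "$1" in
        '*') return 0 ;;
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_rule DUMP INDEX: 0 when the rule's dest names a zone, 1 otherwise.
check_rule() {
    dest_is_zone "$(rule_dest_zone "$1" "$2")"
}

# emit_rule ZONE ADDR: prints the uci commands for an IPv6 allow rule that lets
# WAN reach TCP and UDP port 53 on ADDR inside ZONE. No NAT is involved, so this
# is a plain forward-accept rule, not a port forward. proto is stored as a list.
emit_rule() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-to-MX-v6'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='$1'
uci set firewall.@rule[-1].dest_ip='$2'
uci set firewall.@rule[-1].dest_port='53'
uci add_list firewall.@rule[-1].proto='tcp'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Stand-alone run: report on the sample rule and print the corrected commands.
if check_rule "$SAMPLE_DUMP" 0; then
    echo "rule 0: dest is a zone, OK"
else
    echo "rule 0: dest='$(rule_dest_zone "$SAMPLE_DUMP" 0)' is not a zone; use dest='lan' and keep the address in dest_ip"
fi
echo "# suggested rule:"
emit_rule lan 2001:db8::53
```

Run it on the router after replacing the placeholder address with the server's global address (the one `ip a` shows with scope global); the check only reads the dump, and nothing is applied until you run the printed uci commands yourself.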

I use the LuCI web interface to create firewall traffic rules, so does that mean there is some kind of bug there? I am running
OpenWrt 22.03.4 r20123-38ccc47687 / LuCI openwrt-22.03 branch git-23.119.80898-65ef406

yeah something like that. I am just a little paranoid these days regarding what is safe to share and not :wink:

Yes, there is by default:

firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ICMPv6-Forward'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='*'
firewall.@rule[8].proto='icmp'
firewall.@rule[8].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[8].limit='1000/sec'
firewall.@rule[8].family='ipv6'
firewall.@rule[8].target='ACCEPT'

Thank you for the suggestion, but unless I overlooked the important bit, I did what was suggested there.

So still stuck ;(

I forgot to mention that I am pinging from outside the LAN. I ssh into a server somewhere far away and then do the ping -6

I would run tcpdump on the router and then test various ports/protocols from the outside.
Since you have a remote host, you can probably run the nmap tool there; otherwise services like https://check-host.net/check-udp and https://www.ipvoid.com/port-scan/ could be used.
I suggest starting from ports above 1024, as low-numbered ports may be blocked by the ISP.

Thanks, guys, for pitching in.

The matter seems to have been resolved automagically. Well, I did do several reinstalls of the mailinabox stack, so I am assuming something went wrong there.