[Solved] Problem opening a port in IPv6 firewall

Hi

I'm having a problem with the firewall in my OpenWrt router, and I'm looking for some help.

Background
I've got a home server that I do a bit of hobby web hosting on. I had the appropriate port forwarding set up so that it was accessible at my public IPv4 address, which was fine until I switched ISP to one that uses CGNAT. So now I'm trying to expose the server on its IPv6 address.

My assumption is that I should assign my server a static IPv6 suffix, then open the relevant ports to that suffix. I've got a dynamic IPv6 prefix from my ISP [0], but from what I understand from the documentation that shouldn't be an issue.

Problem
I've added a firewall rule, and I can't access my server from outside of my network. Here are the results from desktop (home network) and laptop (tethered to my phone using mobile data) of requesting a text file:

me@desktop $ curl -v [2001:db8:cafe:beef::483]
*   Trying [2001:db8:cafe:beef::483]:80...
* Connected to 2001:db8:cafe:beef::483 (2001:db8:cafe:beef::483) port 80
> GET / HTTP/1.1
> Host: [2001:db8:cafe:beef::483]
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 200 OK
...[snip]...
hello, world!

* Connection #0 to host 2001:db8:cafe:beef::483 left intact
me@laptop $ curl -v [2001:db8:cafe:beef::483]
*   Trying [2001:db8:cafe:beef::483]:80...
* Immediate connect fail for 2001:db8:cafe:beef::483: Network is unreachable
* Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: Couldn't connect to server

Current config

OPENWRT_RELEASE="OpenWrt 24.10.1 r28597-0425664679"
OPENWRT_BUILD_DATE="1744562312"
/etc/config/firewall 

config rule
        option src 'wan'
        option dest 'lan'
        option dest_ip '::483/-64'
        option dest_port '80'
        option family 'ipv6'
        option proto 'tcp'
        option target 'ACCEPT'

My firewall config is only opening port 80 because I'm testing. When this works I'll open 22, 80, 443.


I'm not sure what the problem is. I think it's a firewall problem, because I can hit the server from inside the network and not outside, but I could be wrong.

If anyone can point me in the right direction I'd really appreciate it, and if there's anything else I should provide then please let me know.


[0] I assume. My ISP hasn't explicitly said so, that I can see, but they have said that I've got a dynamic IPv4 address so it seems like a reasonable assumption to me.

That has nothing to do with port or firewall.
Show the output of ifstatus wan6 and ifstatus wan

I've masked public IPs (obviously) but I've left a few characters in that I don't understand in case they're relevant, specifically $.ipv6-address[0].address and $.ipv6-prefix[0].address. Masks are consistent (i.e. yyyy is the same all over). Maybe you're expecting that though!

# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 849339,
	"l3_device": "eth1",
	"proto": "dhcpv6",
	"device": "eth1",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a10:xxx3:2:yyyy:zzzz:c4ff:fea8:791f",
			"mask": 64,
			"preferred": 604758,
			"valid": 2591958
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a10:xxx5:yyyy::",
			"mask": 48,
			"preferred": 57896,
			"valid": 57896,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a10:xxx5:yyyy::",
					"mask": 60
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a10:xxx3:2:yyyy::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591958,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::8a90:9ff:fe83:3033",
			"metric": 512,
			"valid": 1758,
			"source": "2a10:xxx5:yyyy::/48"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::8a90:9ff:fe83:3033",
			"metric": 512,
			"valid": 1758,
			"source": "2a10:xxx3:2:yyyy:zzzz:c4ff:fea8:791f/64"
		}
	],
	"dns-server": [
		"2a10:xxx0::1",
		"2a10:xxx0::2"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

# ifstatus wan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 849905,
	"l3_device": "eth1",
	"proto": "dhcp",
	"device": "eth1",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "aaa.bbb.ccc.78",
			"mask": 13
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "aaa.bbb.0.1",
			"source": "aaa.bbb.ccc.78/32"
		}
	],
	"dns-server": [
		"ddd.eee.fff.1",
		"ddd.eee.fff.2"
	],
	"dns-search": [
		"customers.brsk.co.uk"
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"dhcpserver": "ddd.eee.fff.245",
		"leasetime": 600
	}
}

EDIT: missed that you asked for wan as well

Since the ISP provides a /48 routed prefix, you can set up a separate "DMZ" lan for the server(s) with its own /64, then allow forwarding generally into the dmz zone. The address need not be checked when there is only one host on that LAN, or when all hosts on it are considered safe against the Internet.
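A concrete shape for the separate DMZ LAN suggested above, written out as an added example rather than configuration from the thread. The switch port name `lan4`, the IPv4 subnet and the zone name are assumptions to adapt; the delegated /48 and the existing `lan` /60 come from the `ifstatus wan6` output earlier in the thread.

```uci
# /etc/config/network
# Added example. 'lan4' is an assumed switch port; check `ls /sys/class/net`.
config device
        option name 'br-dmz'
        option type 'bridge'
        list ports 'lan4'

config interface 'dmz'
        option device 'br-dmz'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        # One /64 carved from the delegated /48; netifd keeps it disjoint
        # from the /60 already assigned to lan.
        option ip6assign '64'

# /etc/config/dhcp
# Router advertisements so the server autoconfigures inside the dmz /64.
config dhcp 'dmz'
        option interface 'dmz'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        option dhcpv6 'server'

# /etc/config/firewall
config zone
        option name 'dmz'
        list network 'dmz'
        # The router itself stays closed from the dmz side.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The desktop on lan can still reach the server.
config forwarding
        option src 'lan'
        option dest 'dmz'

# "Forward generally" as described above would be a second `config forwarding`
# with src 'wan' and dest 'dmz'. Scoping to the three service ports is tighter
# and still needs no dest_ip, so it survives a prefix change just the same.
config rule
        option name 'Allow-dmz-services'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option dest_port '22 80 443'
        option family 'ipv6'
        option target 'ACCEPT'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `ifstatus dmz` should show the new /64 under `ipv6-prefix-assignment`, and the server's address in that /64 is what gets published in DNS.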

That is pretty much unusable.
Use any looking glass service on Internet, run traceroute there and see if your IPv6 addresses are reachable.
Use tcpdump on your router and see if you receive any incoming IPv6 traffic.


The default firewall allows incoming pings to forward to LAN hosts. If you can't even ping from outside the ISP may be blocking it. Running tcpdump would be useful to check that.


Testing with https://cogentco.com/en/looking-glass seems to show the server is visible. An IPv6 traceroute and then ping with tcpdump running on the router gives the following output:

# tcpdump -n -i eth1 dst host 2a10:xxxx:yyyy::483
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:56:04.295288 IP6 2001:978:1:31d::2.56734 > 2a10:xxxx:yyyy::483.33448: UDP, length 32
12:56:04.295288 IP6 2001:978:1:31d::2.53662 > 2a10:xxxx:yyyy::483.33449: UDP, length 32
12:56:04.305922 IP6 2001:978:1:31d::2.58513 > 2a10:xxxx:yyyy::483.33450: UDP, length 32
12:56:04.305922 IP6 2001:978:1:31d::2.34727 > 2a10:xxxx:yyyy::483.33452: UDP, length 32
12:56:04.305922 IP6 2001:978:1:31d::2.33387 > 2a10:xxxx:yyyy::483.33451: UDP, length 32
12:56:04.315043 IP6 2001:978:1:31d::2.35996 > 2a10:xxxx:yyyy::483.33455: UDP, length 32
12:56:04.315043 IP6 2001:978:1:31d::2.33983 > 2a10:xxxx:yyyy::483.33456: UDP, length 32
12:56:04.315043 IP6 2001:978:1:31d::2.59442 > 2a10:xxxx:yyyy::483.33454: UDP, length 32
12:56:04.315043 IP6 2001:978:1:31d::2.60585 > 2a10:xxxx:yyyy::483.33453: UDP, length 32
12:56:19.259105 IP6 2001:978:1:31d::2 > 2a10:xxxx:yyyy::483: ICMP6, echo request, id 96, seq 1, length 64
12:56:20.259786 IP6 2001:978:1:31d::2 > 2a10:xxxx:yyyy::483: ICMP6, echo request, id 96, seq 2, length 64
12:56:21.261839 IP6 2001:978:1:31d::2 > 2a10:xxxx:yyyy::483: ICMP6, echo request, id 96, seq 3, length 64
12:56:22.262481 IP6 2001:978:1:31d::2 > 2a10:xxxx:yyyy::483: ICMP6, echo request, id 96, seq 4, length 64
12:56:23.263042 IP6 2001:978:1:31d::2 > 2a10:xxxx:yyyy::483: ICMP6, echo request, id 96, seq 5, length 64

@mk24 your suggestion of a "DMZ" LAN with a single server is interesting. I'd like to understand what's wrong with my current setup, but I'm glad to have a backup plan (and I'm not ignoring you, thanks for your help as well!).

Update: I asked some family members to repeat the test I started with (load http://[2001:db8:cafe:beef::483] in a web browser). Some got "This site can't be reached" as I expected, but one of them loaded my hello world file. She doesn't use the same ISP as me.

Check the counters on the rule, either in LuCI / Status / Firewall or nft list chain inet fw4 forward_wan. Are they increasing with each test? Does the web server have its own firewall preventing access from a non-local subnet?

To ensure that the external user has IPv6 connectivity, ask them to check http://[2a00:801:f::195]/ or http://ipv6.tlund.se/ first.

Never a reply in the tcpdump? Or try tcpdump on the br-lan interface. Check the web server for any restrictions.

Edit: I see you specified dst. Never mind.

I'd made an assumption without realising - I'd assumed that my phone network had IPv6 connectivity. And it doesn't. So my test wasn't valid at all, and my setup had been working all along (just only on the IPv6 internet).

Thanks for your help everyone. I have further problems to solve, but they're outside the scope of my router.

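An added example, not code from the thread or from OpenWrt, that ties the two halves of this thread together: it expands the `::483/-64` suffix rule against the prefix that `ifstatus wan6` reports, and it classifies a failed `curl -v` so that "Network is unreachable" is recognised as a client-side verdict before the router firewall gets blamed. The `ifstatus` sample is constructed with a documentation prefix (2001:db8::/32), not the poster's masked addresses; the reading of `/-N` as the complement of a /N netmask and the nft expression shown are my understanding of fw4, not text quoted from the thread.

```python
"""Added example for this thread: expand an fw4 IPv6 suffix rule against the
delegated prefix, and read a failed `curl -v` before blaming the firewall."""
import ipaddress
import json

# Constructed sample in the shape of `ifstatus wan6` (documentation prefix,
# not the poster's masked addresses): ISP delegates a /48, netifd gives lan a /60.
SAMPLE_IFSTATUS_WAN6 = json.dumps({
    "up": True,
    "proto": "dhcpv6",
    "ipv6-prefix": [{
        "address": "2001:db8:cafe::", "mask": 48,
        "assigned": {"lan": {"address": "2001:db8:cafe::", "mask": 60}},
    }],
})

# The laptop's curl output from the thread (stderr lines only).
SAMPLE_CURL_FAILURE = (
    "* Immediate connect fail for 2001:db8:cafe:beef::483: Network is unreachable\n"
    "* Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: "
    "Couldn't connect to server\n"
)


def assigned_prefix(ifstatus_json, iface="lan"):
    """Return the prefix netifd carved out of the delegation for `iface`."""
    status = json.loads(ifstatus_json)
    for pfx in status.get("ipv6-prefix", []):
        sub = pfx.get("assigned", {}).get(iface)
        if sub:
            return ipaddress.IPv6Network(f"{sub['address']}/{sub['mask']}")
    return None


def expand_suffix_rule(dest_ip, lan_prefix):
    """Expand fw4 suffix notation such as '::483/-64'.

    Assumption about fw4: a negative mask is the complement of a /N netmask,
    so '/-64' compares only the low 64 bits. The rule therefore matches ::483
    in every /64 behind the router, which is why it survives a prefix change.
    Returns the host address inside subnet 0 of `lan_prefix` and an
    equivalent nft match expression.
    """
    suffix, sep, mask = dest_ip.partition("/")
    if not (sep and mask.startswith("-")):
        raise ValueError("expected suffix notation like ::483/-64")
    ignored_high_bits = int(mask[1:])
    low_bits = 128 - ignored_high_bits
    low_mask = (1 << low_bits) - 1
    suffix_int = int(ipaddress.IPv6Address(suffix))
    if suffix_int & ~low_mask:
        raise ValueError("suffix sets bits the rule never compares")
    if lan_prefix.prefixlen > ignored_high_bits:
        raise ValueError("LAN prefix is longer than the bits the rule ignores")
    net_int = int(lan_prefix.network_address)
    host = ipaddress.IPv6Address((net_int & ~low_mask) | suffix_int)
    nft_match = (f"ip6 daddr & {ipaddress.IPv6Address(low_mask)} "
                 f"== {ipaddress.IPv6Address(suffix_int)}")
    return host, nft_match


def triage_curl_failure(curl_stderr):
    """Classify what a failed `curl -v` actually proves.

    'Network is unreachable' is the client kernel refusing to route the
    packet (hence 'after 0 ms'): nothing ever reached the router, so the
    router's firewall cannot be what failed. A silent timeout is what a DROP
    on the path looks like; an immediate refusal means something answered.
    """
    if "Network is unreachable" in curl_stderr:
        return "client has no IPv6 route: retest from a host with working IPv6"
    if "Connection refused" in curl_stderr:
        return "something answered (RST/unreachable): listener, host firewall or an fw4 REJECT"
    if "timed out" in curl_stderr:
        return "silent drop on the path or by a DROP rule: check the rule counters"
    if "Connected to" in curl_stderr:
        return "connection succeeded"
    return "unrecognised curl output"


if __name__ == "__main__":
    lan = assigned_prefix(SAMPLE_IFSTATUS_WAN6)
    host, match = expand_suffix_rule("::483/-64", lan)
    print(f"lan prefix {lan}; rule '::483/-64' matches {host} via [{match}]")
    print(triage_curl_failure(SAMPLE_CURL_FAILURE))
```

Run against a real router, replace the constructed sample with `ubus call network.interface.wan6 status` output; the suffix expansion then tells you which concrete address to `curl` from a known-good IPv6 vantage point (such as the looking-glass used above), and the triage line tells you whether a failure even implicates the firewall.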
