Hi
I'm having a problem with the firewall in my OpenWrt router, and I'm looking for some help.
Background
I've got a home server that I do a bit of hobby web hosting on. I had the appropriate port forwarding set up so that it was accessible at my public IPv4 address, which was fine until I switched ISP to one that uses CGNAT. So now I'm trying to expose the server on its IPv6 address.
My assumption is that I should assign my server a static IPv6 suffix, then open the relevant ports to that suffix. I've got a dynamic IPv6 prefix from my ISP [0], but from what I understand from the documentation that shouldn't be an issue.
Problem
I've added a firewall rule, and I can't access my server from outside of my network. Here are the results from desktop (home network) and laptop (tethered to my phone using mobile data) of requesting a text file:
me@desktop $ curl -v [2001:db8:cafe:beef::483]
* Trying [2001:db8:cafe:beef::483]:80...
* Connected to 2001:db8:cafe:beef::483 (2001:db8:cafe:beef::483) port 80
> GET / HTTP/1.1
> Host: [2001:db8:cafe:beef::483]
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
...[snip]...
hello, world!
* Connection #0 to host 2001:db8:cafe:beef::483 left intact
me@laptop $ curl -v [2001:db8:cafe:beef::483]
* Trying [2001:db8:cafe:beef::483]:80...
* Immediate connect fail for 2001:db8:cafe:beef::483: Network is unreachable
* Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: Couldn't connect to server
Current config
OPENWRT_RELEASE="OpenWrt 24.10.1 r28597-0425664679"
OPENWRT_BUILD_DATE="1744562312"
/etc/config/firewall
config rule
	option src 'wan'
	option dest 'lan'
	option dest_ip '::483/-64'
	option dest_port '80'
	option family 'ipv6'
	option proto 'tcp'
	option target 'ACCEPT'
My firewall config is only opening port 80 because I'm testing. When this works I'll open 22, 80, 443.
I'm not sure what the problem is. I think it's a firewall problem, because I can hit the server from inside the network and not outside, but I could be wrong.
If anyone can point me in the right direction I'd really appreciate it, and if there's anything else I should provide then please let me know.
[0] I assume. My ISP hasn't explicitly said so, as far as I can see, but they have said that I've got a dynamic IPv4 address, so it seems like a reasonable assumption to me.
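As an added example (not part of the original post, and not OpenWrt's own code), here is a small triage script for exactly this kind of "is it my firewall?" question. It does two things: it checks whether the address being tested would match the rule's `dest_ip` suffix, and it reads curl's verbose output to work out where the connection attempt actually died. The interpretation of OpenWrt's negative prefix length (`::483/-64` meaning "ignore the prefix, compare only the low 64 bits") is an assumption made for this example, not something taken from the fw4 source; the curl transcripts are copied from the post above and embedded as constants so the script runs offline.

```python
"""Triage helper for remote-access failures on an IPv6 host behind OpenWrt.

Added example, not code from the original post. Two independent checks:
1. suffix_matches(): would the tested address be selected by a dest_ip
   such as '::483/-64'? The negative-prefix semantics (compare only the
   low N bits) are an ASSUMPTION about that notation.
2. classify_curl(): where did the connection attempt fail? 'Network is
   unreachable' comes from the client's own kernel when it has no route
   to the destination, before any packet leaves the machine, so the
   remote firewall never saw the attempt.
"""
import ipaddress
import re

# Constructed sample inputs, copied from the curl runs in the post.
DESKTOP_CURL = """\
* Trying [2001:db8:cafe:beef::483]:80...
* Connected to 2001:db8:cafe:beef::483 (2001:db8:cafe:beef::483) port 80
< HTTP/1.1 200 OK
* Connection #0 to host 2001:db8:cafe:beef::483 left intact
"""

LAPTOP_CURL = """\
* Trying [2001:db8:cafe:beef::483]:80...
* Immediate connect fail for 2001:db8:cafe:beef::483: Network is unreachable
* Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 2001:db8:cafe:beef::483 port 80 after 0 ms: Couldn't connect to server
"""


def suffix_matches(rule_dest_ip: str, addr: str) -> bool:
    """Return True if `addr` is selected by an OpenWrt dest_ip value.

    '::483/-64' (negative prefix length) is treated as: compare only the
    last 64 bits, so any delegated prefix still matches (assumed semantics).
    A non-negative prefix length is an ordinary CIDR network match.
    """
    host, _, plen = rule_dest_ip.partition("/")
    target = int(ipaddress.IPv6Address(addr))
    if plen.startswith("-"):
        bits = int(plen[1:])
        low_mask = (1 << bits) - 1  # keep only the low `bits` bits
        return (target & low_mask) == (int(ipaddress.IPv6Address(host)) & low_mask)
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(rule_dest_ip, strict=False)


def classify_curl(stderr: str) -> str:
    """Map curl -v output to the point at which the attempt failed.

    Order matters: the failure strings are checked before the generic
    'Connected to' line so a partial transcript is not misread as success.
    """
    if "Network is unreachable" in stderr or "No route to host" in stderr:
        return "client-side: no route to destination; remote firewall not involved"
    if "Connection refused" in stderr:
        return "reached host: port closed or nothing listening"
    if re.search(r"timed out", stderr, re.IGNORECASE):
        return "no reply: filtered by a firewall or dropped in transit"
    if "Connected to" in stderr:
        return "connected: path and firewall allow this port"
    return "unknown"


def triage(rule_dest_ip: str, addr: str, curl_output: str) -> dict:
    """Combine both checks into one summary a reader can act on."""
    return {
        "rule_selects_address": suffix_matches(rule_dest_ip, addr),
        "failure_point": classify_curl(curl_output),
    }


if __name__ == "__main__":
    for name, out in (("desktop", DESKTOP_CURL), ("laptop", LAPTOP_CURL)):
        print(name, triage("::483/-64", "2001:db8:cafe:beef::483", out))
```

Run as-is and it reports that the rule does select `2001:db8:cafe:beef::483`, that the desktop run connected, and that the laptop run failed on the client side before reaching the router. That last distinction is the one worth checking first in any "port forward doesn't work" case: a timeout points at filtering somewhere on the path, whereas "Network is unreachable" says the testing client itself has no IPv6 route (common on mobile tethers), and no amount of firewall editing on the router changes that result.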