[SOLVED] Remote access: LEDE Router behind ISP's AVM FRITZ!Box (DS-Lite), IPv6

Hello everyone,

I have been struggling to get remote access to my local (virtual) machines working.
Maybe you could help me with that.

My set-up is as follows:

I have an aDSL Internet connection from my ISP (1&1, Germany), where I use a FRITZ!Box 7560 (FB) as a DSL router. Unfortunately, the ISP offers only DS-Lite, so that I don't have an externally accessible IP address.
The FB is connected to the WAN Port of my LinkSys Router (LS) running LEDE as an exposed host and to nothing else.
The LS then provides LAN/WLAN to all the devices in my local network.

In my local network there are several virtual machines running (web)servers, which I would like to make accessible from outside.

The problem is that the internet connection from my ISP is DS-Lite, so I don't have a unique externally accessible IPv4 address, so I need to make do with IPv6.

After having to fiddle around with the IPv6 prefix settings, I managed to get IPv6 working in my LAN, meaning that I can resolve local (LAN) and global (WAN) IPv6 addresses and sites like test-ipv6.com report an external public ipv6 address of the form XXXX:XXXX:XXXX:YYZZ::ZZZ, where the XX..XX:YY-part is the IPv6-prefix indicated on the FB.
I then set up a ddns service (myonlineportal) on the LS, which then reports an IPv6 address XXXX:XXXX:XXXX:LLLL:LLLL:LL.

The idea now was to forward requests to this address to the webservers running in my local network, to have them externally accessible. How do I have to set up the LEDE-firewall on the LS to make this happen? How does this work with the ports?

I understand that I do not quite grasp yet the architecture of IPv6, but am thinking that this should be possible?
Or is the "correct" way to do so me setting up a ddns for my FB, and then trying to forward this to the LS, which then forwards to the machines in the LAN?

Or is an entirely different set-up the better way to achieve what I want to do?

Thank you so much already for your help, it is really appreciated.

You would use the Traffic Rules portion of the firewall to open the relevant ports on the IPv6 address. You would specify the ports as normal.


Could you elaborate on this a little bit?
I am not sure what/where exactly I should do this.

Maybe you could help me with an example:
In my local network, I have a plex mediaserver running. From the inside (LAN), its web interface is accessible via http://192.168.1.201:32400.
Given my public (internet) ipv6 address (which is associated with the FB), I would like to access the mediaserver interface. As the FB forwards all traffic to the LS, I thought this should work with the following rule:

Any tcp
From any host in wan
To IP 192.168.1.201 at port 32400 in lan
Accept input

But it is not working. Probably I am doing it totally wrong...

Is there a way to check if there are incoming packets on the LS to make sure the forward from the FB works?
Or any other suggestions how to figure out what is going wrong where?

Of course it's not working, that's an IPv4 address, your title says IPv6. You must use the IPv6 address!

This is an IPv4 address, perhaps you should better explain what you're trying to do with IPv6.

As I said in the OP, my ISP uses DS-Lite for my connection, meaning that I do not have a public IPv4 address, but only a public IPv6 address.
So connecting to my router (FB) is only possible via IPv6.

What I am trying is to get the route

remote machine --(IPv6)--> FB --(exposed host)--> LinkSys with OpenWRT --(IPv4 or IPv6, I don't care)--> machine on LAN

working.

In the LuCI menu where I tried to set the traffic rule, I can only pick my network devices by their IPv4 addresses, so the rule that is created has this form.

With IPv6, each device gets a unique, globally routable address. There is no NAT or port forwarding involved, just routing and packet filters.

Each webserver should run a dyndns client and register its own IPv6 address.

Fritzbox and Linksys both block new connections from WAN to LAN by default. You need to set up firewall rules on both routers to allow traffic towards the webservers' IPv6 addresses.

These rules should only refer to the rightmost 64 address bits (the interface identifier) and ignore your IPv6 prefix, assuming the prefix is not stable. Be sure to pick the constant interface identifier (often based on the ethernet MAC address), not one from a privacy address.

Here is an OpenWrt example as it would appear in /etc/config/firewall:

config rule
	option name 'webserver'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '::2345:67ff:fe89:abcd/-64'
	option dest_port '80 443'
	option family 'ipv6'
	option target 'ACCEPT'

Select Destination address -- custom -- and enter the value.

Hello mpa,

thanks already for your input. I think I am making progress :)

Although I am not quite there yet. I now understand how hardware addresses are mapped to constant interface identifiers (the standard way, via inserting the FFFE into the 48-bit MAC address to get a 64-bit address and flipping the second bit in the resulting identifier).
However, using ip -6 addr or ifconfig I do not see such an address. However, it shows another link-local address:
inet6 fe80::1c0d:9b01:7c57:96d2 prefixlen 64 scopeid 0x20<link>

I assume that this would be a constant interface identifier, is this correct?

Unfortunately, it still doesn't work:
Neither when I enter fe80::1c0d:9b01:7c57:96d2 at the LuCI interface (which does not accept ::1c0d:9b01:7c57:96d2/-64 in the field) nor when I manually set up a rule for ::1c0d:9b01:7c57:96d2/-64 manually in /etc/config/firewall.

I suspect that this might be a problem with the port forwarding at the FB. So far I tried both the "exposed host" option and manually setting a forward rule on the FB.

A link-local address is not globally routable. It cannot be used to access a device in your LAN from the internet.

Your next step should be to fix the IPv6 address assignment. Please look at:

  • Fritzbox: Prefix delegated
  • Linksys Status > Overview > IPv6 Upstream: Prefix delegated
  • Linksys Network > Interfaces > LAN: IPv6 (address that starts with digit '2' or '3')

and check where the prefix or IPv6 address is missing.

I did not try to save the value, but I wondered why the field was shown in red. You could submit this as a feature request for LuCI.

Port forwarding and exposed host settings are not needed here.

Ok, I understand. But am I correct in assuming that 1c0d:9b01:7c57:96d2 is my constant identifier and I should use the config rule with ::1c0d:9b01:7c57:96d2/-64?

Here is what I get from the FB:

Fritzbox:
IPv6-Adresse: XXXX:XXXX:2702:352b:eadf:70ff:feea:d46c
IPv6-Präfix: XXXX:XXXX:2dd5:2d00::/56

And here some information from the LS


Linksys: Overview/IPv6 WAN Status
Type: dhcpv6-pd
Prefix Delegated: XXXX:XXXX:3855:4b80::/57
Address: XXXX:XXXX:2dd5:2d00:5aef:68ff:feb7:6acc/64

Linksys: Interfaces: LAN (br-lan)
IPv6: XXXX:XXXX:3855:4b80::1/57

Linksys: Interfaces: WAN6 (eth1)
IPv6: XXXX:XXXX:2dd5:2d00:5aef:68ff:feb7:6acc/64
IPv6: XXXX:XXXX:3855:4b00:5aef:68ff:feb7:6acc/64
IPv6: XXXX:XXXX:3859:700:5aef:68ff:feb7:6acc/64

I am pretty confused. Somehow, the prefix lengths seem very inconsistent.
Should I try to force the prefix-length everywhere to /64?

Please ignore the link-local address for now. Once the webserver has a global IPv6 address, use its interface identifier.

No, don't do that, the prefix lengths are fine.

The next step is to make OpenWrt send router advertisements onto the LAN (should be the default) and set up the webserver machines to assign themselves an IPv6 address based on these advertisements.
How to do this depends on their operating system / Linux distribution.

The webserver (my desktop pc running arch linux with an apache server just to test) has a global IPv6 address.
In fact, it has multiple starting with the global prefix, but none where the last 64 bits have the form derived from the MAC-address via the EUI-64-algorithm...

So I have trouble finding out what my interface identifier is to continue troubleshooting.

I don't know why there is no IPv6 address derived from the MAC address on your system.

However, any global unicast address should be fine, unless it is marked temporary, which indicates a privacy address. Choose one of those without temporary and use its interface identifier for the firewall rules on both routers.
Your ddns client might choose an address automatically, use this one if it is sane.
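The pieces mpa describes above (the EUI-64 interface identifier, the `::<iid>/-64` suffix rule in /etc/config/firewall, skipping link-local and temporary privacy addresses) as a small worked example. This is added code, not from the thread or from OpenWrt; the MAC address, the `ip -6 addr` output and the 2001:db8 prefix are constructed, and the suffix-match emulation only mirrors what the firewall config does, it does not talk to the router.

```python
"""Added example: IPv6 suffix rules for OpenWrt, as discussed in this thread.

Not code from the thread or from OpenWrt itself.  It derives an EUI-64 interface
identifier, picks a stable (non-temporary) global address out of constructed
`ip -6 addr` output, emulates the '/-64' suffix match that the firewall config
uses, and renders the /etc/config/firewall stanza.  All addresses are constructed
(documentation prefix 2001:db8::/32)."""
import ipaddress
import re

IID_BITS = 64
IID_MASK = (1 << IID_BITS) - 1
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # addresses starting with digit 2 or 3


def eui64_iid(mac: str) -> int:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the U/L bit (0x02 of octet 0)."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def iid_of(addr: str) -> int:
    """Rightmost 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def suffix_literal(iid: int) -> str:
    """Render an IID as OpenWrt's dest_ip value, e.g. '::2345:67ff:fe89:abcd/-64'."""
    return f"{ipaddress.IPv6Address(iid)}/-64"


def is_global_unicast(addr: str) -> bool:
    """True for 2000::/3; link-local fe80::/10 and ULA fc00::/7 are not reachable from the internet."""
    return ipaddress.IPv6Address(addr) in GLOBAL_UNICAST


def stable_global_addresses(ip_addr_output: str) -> list[str]:
    """From `ip -6 addr` text, keep global-scope addresses that are not privacy (temporary) ones."""
    found = []
    for line in ip_addr_output.splitlines():
        m = re.match(r"\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)", line)
        if not m:
            continue
        addr, scope, flags = m.groups()
        if scope == "global" and "temporary" not in flags.split() and is_global_unicast(addr):
            found.append(addr)
    return found


def rule_matches(dest_ip_option: str, addr: str) -> bool:
    """Emulate the suffix match: '<literal>/-N' compares only the rightmost N bits,
    so the rule keeps working when the ISP hands out a new prefix."""
    literal, _, mask = dest_ip_option.partition("/")
    if not mask.startswith("-"):
        raise ValueError("only negative (suffix) masks are handled here")
    bits = int(mask[1:])
    m = (1 << bits) - 1
    want = int(ipaddress.IPv6Address(literal))
    have = int(ipaddress.IPv6Address(addr))
    return (want & m) == (have & m)


def firewall_stanza(name: str, iid: int, ports: str, src: str = "wan", dest: str = "lan") -> str:
    """Render the /etc/config/firewall rule in the shape shown in the thread."""
    lines = [
        "config rule",
        f"\toption name '{name}'",
        f"\toption src '{src}'",
        f"\toption dest '{dest}'",
        "\toption proto 'tcp'",
        f"\toption dest_ip '{suffix_literal(iid)}'",
        f"\toption dest_port '{ports}'",
        "\toption family 'ipv6'",
        "\toption target 'ACCEPT'",
    ]
    return "\n".join(lines)


# Constructed `ip -6 addr` output for the webserver host (MAC 21:45:67:89:ab:cd, constructed).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:3855:4b80:a1b2:c3d4:e5f6:789/64 scope global temporary dynamic
    inet6 2001:db8:3855:4b80:2345:67ff:fe89:abcd/64 scope global dynamic mngtmpaddr
    inet6 fe80::2345:67ff:fe89:abcd/64 scope link
"""


def main() -> None:
    stable = stable_global_addresses(SAMPLE_IP_ADDR)
    iid = iid_of(stable[0])
    rule = suffix_literal(iid)
    print("stable global address:", stable[0])
    print("firewall dest_ip     :", rule)
    # The same rule still matches after the delegated prefix changes.
    print("matches new prefix   :", rule_matches(rule, "2001:db8:1:2:2345:67ff:fe89:abcd"))
    print(firewall_stanza("webserver", iid, "80 443"))


if __name__ == "__main__":
    main()
```

The constructed MAC 21:45:67:89:ab:cd is chosen so that its EUI-64 identifier is the `::2345:67ff:fe89:abcd` from mpa's stanza; `stable_global_addresses` drops the temporary address and the link-local one, and `rule_matches` shows why the suffix form survives a prefix change while a full-address rule would not.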

Hi,

I managed to get it working. Most of the problems were with the internal IPv6 network at home. Ultimately, forwarding works if I do it like mpa suggested.

To summarize:

  • I got routing through my FB fixed by making the LS an "exposed host" with all ipv6 traffic forwarded to the LS.
  • On the LS with LuCI, I had to set up rules in /etc/config/firewall of the form
config rule
	option name 'webserver'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '::2345:67ff:fe89:abcd/-64'
	option dest_port '80 443'
	option family 'ipv6'
	option target 'ACCEPT'

where the value of the option dest_ip part was ::<immutable fixed ipv6 device identifier>/-64. Unfortunately, you cannot set the /-64 masking in the LuCI interface.

Thanks a lot @mpa for helping me figuring this out!