Some questions about uhttpd and disabling IPv6 [solved]

  1. Is there an option to limit access to the luci webserver to the LAN interface only for IPv6? I've already modified /etc/config/uhttpd listen_http to '' but don't know what to do with listen_http '[::]:80'.

  2. Is IPv6 backwards compatible with IPv4 and are there any issues I should be aware of? For example I use port forwarding for torrents and the settings are only for IPv4. I think things like trackers and peer lists only support ipv4 at this time. Am I wrong or is there a workaround?

  3. How do I disable ipv6 on the router? Is it by changing the
    IPv6 assignment length to disabled (in the Interface menu)
    and also setting the following 3 options under DHCP server->IPv6 settings to disabled?
    Router Advertisement-Service

Remove the 2 lines below from the config file and reboot the router / restart uhttpd:

list listen_http [::]:80
list listen_https [::]:443

It should only accept connections over IPv4 now.

Is there any way to allow ipv6 for webserver access only on the LAN instead of just disallowing it?
Any ideas on my other questions (made an edit on question 3). Thanks.

If you want to allow access by IPv4 only remove those two lines from the config file (and keep the other 2):

list listen_http [::]:80
list listen_https [::]:443

If you want to allow access by IPv6 only remove those two lines from the config file instead (and keep the other 2):

list listen_http
list listen_https

The default settings will allow access from any IPv6 interface on the router. If you want to restrict it to a specific interface put the IPv6 address of that interface between the brackets.

The default settings will allow access from any IPv4 interface on the router. If you want to restrict it to a specific interface replace the zeroes with the specific IPv4 address.

If you want to add more interfaces just add an additional line per interface to the config file.

As an alternative you can leave the uhttpd config file on the default values and selectively allow / disallow HTTP(S) traffic to the router via the firewall config.

For your second question:
IPv4 and IPv6 are not compatible but you can use them both at once (dual stack). You don't have to choose one over the other.

Actually that's wrong. You don't automatically restrict access from a specific interface by not including some IP addresses in listen_http or listen_https. Yes, you are changing which IP address(es) you can use to contact the web server. For example if you have got a Guest network then it isn't enough to remove the IP address of the Guest network from the list, the guests will still be able to access the router using its LAN address if allowed by the firewall. If you want to limit access from a specific interface then you need to configure "INPUT" as drop or reject for the zone in the firewall, or add traffic rules.

I'm not really wrong as this restricts uhttpd to only listen to a specific address instead of any address. And that's all I wrote.

Even if a request is then routed between different interfaces / zones uhttpd will still only listen on the configured address.

Don't set the "input" chain to reject or drop carelessly as this can lock you out of the router.

Add specific traffic rules to block HTTP/HTTPS only for the zones where you don't want to allow access to the web interface.

I think I'm not making myself clear.

I changed "list listen_http" to "list listen_http" so LUCI is only accessible to those devices which are connected via LAN or WIFI on the router and not open to the entire WAN. Now how do I do the same for IPv6? What is the equivalent for IPv6?

Even if you leave the "listen" settings at their defaults LUCI is not accessible from WAN unless you also allow incoming HTTP/HTTPS connection from WAN to the router in the firewall.

You will find the IPv6 addresses of each interface under Network -> Interfaces in LUCI, just add them to the uhttpd config.

The ones starting with "f" are roughly the IPv6 equivalent of "192.x.x.x".


Thanks. I forgot about the firewall settings which I think default to rejecting incoming HTTP from WAN.
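
The listen settings discussed in this thread can be checked with a small script. This is an added example, not part of the original posts or of uhttpd itself: it reads a uhttpd config and reports, for each `listen_http` / `listen_https` entry, whether it is a wildcard or bound to a single address. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which uhttpd listeners are wildcards and which are
# bound to one address. All addresses below are constructed sample values.

# classify_listen VALUE -> "<family> <scope>" for one listen_http(s) value.
classify_listen() {
    case "$1" in
        "[::]:"*)     echo "ipv6 any" ;;      # every IPv6 address
        "["*"]:"*)    echo "ipv6 bound" ;;    # one IPv6 address
        0.0.0.0:*)    echo "ipv4 any" ;;      # every IPv4 address
        *.*.*.*:*)    echo "ipv4 bound" ;;    # one IPv4 address
        ''|*[!0-9]*)  echo "unknown unknown" ;;
        *)            echo "all any" ;;       # bare port, no address part
    esac
}

# audit_uhttpd < CONFIG -> one line per listener: option value family scope
audit_uhttpd() {
    while read -r kw opt val rest; do
        [ "$kw" = "list" ] || continue
        case "$opt" in
            listen_http|listen_https) ;;
            *) continue ;;
        esac
        val=$(printf '%s' "$val" | tr -d "'\"")   # drop UCI quoting
        echo "$opt $val $(classify_listen "$val")"
    done
}

# wildcard_listeners < CONFIG -> only the entries not tied to one address
wildcard_listeners() {
    audit_uhttpd | sed -n '/ any$/p'
}

# Constructed sample config: IPv4 and plain-HTTP IPv6 pinned to LAN
# addresses, HTTPS over IPv6 left on the wildcard.
SAMPLE_CONFIG="config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_https '192.168.1.1:443'
	list listen_http '[fd12:3456:789a::1]:80'
	list listen_https '[::]:443'
	option home '/www'"

printf '%s\n' "$SAMPLE_CONFIG" | audit_uhttpd
```

On the router, `audit_uhttpd < /etc/config/uhttpd` runs the same report against the live config. A "bound" result only describes the socket; which zones can reach it is still decided by the firewall, as discussed in the thread.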