SSH from one IPv6-only router to another IPv6-only router

Hi there,

I have two routers (R1 and R2) having only IPv6 addresses.
They both have a cellular connection, and the ifconfig details of both are as below.

R1:
usb0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
inet6 2401:4900:402c:f39e:49fb:b81d:92d9:f914 prefixlen 64 scopeid 0x0
inet6 fe80::89f:2216:3762:2838 prefixlen 64 scopeid 0x20
ether 02:0c:29:a3:9b:6d txqueuelen 1000 (Ethernet)
RX packets 352 bytes 41045 (40.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 598 bytes 74851 (73.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

R2:
usb0 Link encap:Ethernet HWaddr 02:0C:29:A3:9B:6D
inet6 addr: fe80::c:29ff:fea3:9b6d/64 Scope:Link
inet6 addr: 2401:4900:61bb:8ca7:c:29ff:fea3:9b6d/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:187 errors:0 dropped:0 overruns:0 frame:0
TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23259 (22.7 KiB) TX bytes:21869 (21.3 KiB)

I want to ssh from R1 to R2 using the global address. I am able to ping from R1 -> R2 and vice versa. But while running the command below for ssh I get:

ssh root@2401:4900:402c:f39e:49fb:b81d:92d9:f914
ssh: Connection to root@2401:4900:402c:f39e:49fb:b81d:92d9:f914:22 exited: Remote closed the connection

What changes do I need to make on my OpenWrt 19 based router?

Hey.

So they are only interconnected through the Internet aka you are trying to SSH via WAN?

AFAIR the default is to block everything on WAN except (certain) ICMPv6. So you will need an ALLOW rule for port 22 on the WAN ZONE.

2 Likes

Hi @_bernd

I have added this to my /etc/config/firewall, but it's still not working:

config rule
        option src 'wan6c1'
        option proto 'tcp udp'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'

config zone 'wan6c1'
        option name 'wan6c1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wan6c1'
        option masq '1'
        option mtu_fix '1'

Yes. Exactly.

(please use backticks "`" to format code next time)

I would remove masq and mtu_fix, but I would be surprised if that prevents the rule from working. Did you reload the firewall rule set after you made the change?
Edit: if I'm not mistaken you will now allow everything on wan because of your INPUT rule...

Delete your rule and zone, then add a rule on R2:

config rule
        option name 'test_ssh'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'

Make sure dropbear is listening on all the addresses/interfaces:
netstat -tlpn | grep dropbear

Finally, use tcpdump to see if any packet can reach the router from outside.

2 Likes
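As an added illustration (not code from any poster in this thread), the shell function below audits a firewall config in the UCI syntax shown above: it flags zones whose input policy is ACCEPT and reports whether each ACCEPT rule with a dest_port actually opens a port or is redundant. The names `audit_fw` and `sample_config` are hypothetical, and the sample is constructed: an abbreviated copy of the zone and rule posted earlier, plus an assumed `wan` zone with input REJECT and the suggested `test_ssh` rule.

```shell
# Audit an OpenWrt firewall config (UCI syntax) read from stdin: report zones with
# input ACCEPT and whether each ACCEPT rule with a dest_port opens a port or is redundant.
audit_fw() {
  awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); sub(/[ \t]+$/, "", s); return s }
    function end_section() {
      if (kind == "zone") zin[o["name"]] = o["input"]
      else if (kind == "rule" && o["target"] == "ACCEPT" && o["dest_port"] != "") {
        n++; rsrc[n] = o["src"]; rport[n] = o["dest_port"]
        rname[n] = (o["name"] != "") ? o["name"] : "(unnamed)"
      }
      split("", o)   # portable way to empty the array
    }
    $1 == "config" { end_section(); kind = $2; next }
    $1 == "option" || $1 == "list" {
      v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v); o[$2] = unq(v)
    }
    END {
      end_section()
      for (z in zin) if (zin[z] == "ACCEPT")
        print "ZONE " z ": input ACCEPT admits all inbound traffic"
      for (i = 1; i <= n; i++) {
        if (zin[rsrc[i]] == "ACCEPT")
          print "RULE " rname[i] ": redundant, zone " rsrc[i] " already accepts port " rport[i]
        else print "RULE " rname[i] ": opens port " rport[i] " from zone " rsrc[i]
      }
    }'
}
# Constructed sample (abbreviated); the wan zone with input REJECT is an assumption.
sample_config() {
  cat <<'EOF'
config rule
    option src 'wan6c1'
    option dest_port '22'
    option target 'ACCEPT'
config zone 'wan6c1'
    option name 'wan6c1'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
config rule
    option name 'test_ssh'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
EOF
}
sample_config | audit_fw
```

On a router the same function can be fed the live file with `audit_fw < /etc/config/firewall`.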

I think UDP is needed under some circumstances too, but I would have to reread the man page to be sure...

I do get ICMP6 packets at R2 using tcpdump when I ping from R1 to R2. But I am unable to get ssh packets.

I had reloaded the firewall after I updated the firewall file. I also tried removing masq and mtu_fix. No results.

Then there is a possibility that some ports/protocols are filtered upstream.
Try to make a tcp connection to a port like 8022 and see if it will be captured by tcpdump.

1 Like