Traffic rules to be able to request DHCPv6 from Router on restrictive firewall zone

I've created a DMZ for one of my servers essentially creating an interface, a firewall zone and assigning a VLAN in the DSA. Currently the firewall's zone input is set to ACCEPT, however, I would like to lockdown the firewall further by setting the input to REJECT and using traffic rules to allow specific traffic through such as DNS, DHCP, ICMP etc.

DNS, DHCP and ICMP seem to work, but I'm unable to request an IPv6 address from the server, as the DHCPv6 traffic rule doesn't seem to be working. The rule I have created to allow DHCPv6 is called Allow VLAN_101 DHCPv6 Input, which is shown in the configuration below.
/etc/config/firewall

...
config zone 'vlan_101' 
        option name 'vlan_101' 
        list network 'vlan_101' 
        option output 'ACCEPT' 
        option forward 'REJECT' 
        option input 'REJECT'

config forwarding 
        option src 'vlan_101' 
        option dest 'wan'

config rule 
        option target 'ACCEPT' 
        option dest_port '53' 
        option name 'Allow VLAN_101 DNS Input' 
        option src 'vlan_101' 
        list proto 'udp'

config rule 
        option target 'ACCEPT' 
        option dest_port '67-68' 
        option name 'Allow VLAN_101 DHCP Input' 
        option src 'vlan_101' 
        option proto 'udp' 
        option family 'ipv4'

config rule 
        option target 'ACCEPT' 
        option name 'Allow VLAN_101 DHCPv6 Input' 
        option family 'ipv6' 
        list proto 'udp' 
        option src 'vlan_101' 
        option dest_port '546-547'

config rule 
        list proto 'icmp' 
        option target 'ACCEPT' 
        option dest 'vlan_101' 
        option name 'Allow VLAN_101 Ping from Private' 
        option src 'private' 

config rule 
        option name 'Allow Private SSH to vlan_101' 
        list proto 'tcp' 
        option src 'private' 
        option dest 'vlan_101' 
        option dest_port '22' 
        option target 'ACCEPT'
...

Where am I going wrong?

I've solved it by having to specify FF00::/8 in the destination address, which is for IPv6 multicast. I couldn't have done it without Wireshark and tcpdump, which showed the traffic between the server and the router.

Change to:

option dest_port '546:547'

ummmmmm...ok....cool...setting the correct ports works too along with the correct iptables syntax woulda worked (the IP didn't matter as long as you accepted the correct traffic btw)!

I'm running the following command:

dhclient -6 -v eth0

on my Linux server without specifying FF00::/8, as shown in the config below, and it can't establish a DHCP connection.

config rule
        option target 'ACCEPT'
        option name 'Allow VLAN_101 DHCPv6 Input'
        option family 'ipv6'
        list proto 'udp'
        option src 'vlan_101'
        option src_port '546'
        option dest_port '547'

It's weird that I have to specify the multicast address, whereas the DHCP (IPv4) traffic rule is happy to just accept Device (input).

In regards to the colon rather than the hyphen, only hyphens are allowed in LuCI, but I have used iptables before, which obviously accepts the colon instead.

The problem is not with the multicast address, which is anyway not needed, but with the lack of icmp6.

config zone 'iot'
        option forward 'REJECT'
        option name 'iot'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'iot'

config rule
        option src 'iot'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Allow-iot-ICMPv6'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'port-unreachable'
        list icmp_type 'protocol-unreachable'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option limit_burst '100'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option family 'ipv6'
        option src 'iot'
        option src_port '546'
        option dest_port '547'
        option name 'Allow-iot-DHCPv6'
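The reason the ICMPv6 rule matters is that a DHCPv6 client cannot get as far as a UDP exchange without Neighbour Discovery: it sends a Router Solicitation to learn from the Router Advertisement whether to use DHCPv6 at all, and client and router must resolve each other's link-local addresses with Neighbour Solicitation/Advertisement before any unicast reply can be delivered. IPv4 DHCP has no such dependency (DISCOVER is a plain broadcast), which is why a bare udp/67-68 rule is enough there. The following is an added example, not code from the thread or from OpenWrt/fw3/LuCI: a small Python linter that parses a UCI firewall fragment and reports what a zone with input REJECT is missing for DHCPv6 to work. The two config fragments inside it are constructed to mirror the thread; the section names, the list of required ICMPv6 types and the finding strings are the example's own assumptions.

```python
"""Hypothetical audit of an OpenWrt UCI firewall config for the INPUT rules a
DHCPv6 client needs when its zone has input REJECT. Not part of OpenWrt,
fw3/fw4 or LuCI; written for illustration only."""
import re
import shlex
from collections import defaultdict

# Constructed fragments (not copied from any real router): the zone from the
# thread with only a DHCPv6 port rule, and the same zone plus an ICMPv6 rule.
BROKEN_CONFIG = """
config zone 'vlan_101'
        option name 'vlan_101'
        list network 'vlan_101'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config rule
        option target 'ACCEPT'
        option name 'Allow VLAN_101 DHCPv6 Input'
        option family 'ipv6'
        list proto 'udp'
        option src 'vlan_101'
        option dest_port '546-547'
"""

HARDENED_CONFIG = BROKEN_CONFIG + """
config rule
        option src 'vlan_101'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Allow-vlan_101-ICMPv6'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'echo-request'
"""

# ICMPv6 types a DHCPv6 client relies on: RS to obtain the RA (M flag),
# NS/NA so client and router can resolve each other's link-local addresses.
REQUIRED_ICMP6 = {"router-solicitation", "neighbour-solicitation", "neighbour-advertisement"}


def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'opts'} dicts.
    Both 'option' and 'list' values are stored as lists under their key."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values
        if parts[0] == "config":
            current = {"type": parts[1],
                       "name": parts[2] if len(parts) > 2 else None,
                       "opts": defaultdict(list)}
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None:
            current["opts"][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections


def port_covered(spec, port):
    """True if a UCI port spec ('547', '546-547', or a space-separated list of
    those) includes port. A colon range such as '546:547' is iptables syntax,
    not UCI, so it is deliberately not matched."""
    for item in spec.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo <= port <= hi:
            return True
    return False


def audit_dhcpv6(sections, zone):
    """Return a list of findings describing what the zone lacks for a DHCPv6
    client to reach the router; an empty list means nothing is missing."""
    def opt(sec, key, default=None):
        return sec["opts"][key][0] if sec["opts"].get(key) else default

    zones = [s for s in sections if s["type"] == "zone" and opt(s, "name") == zone]
    if not zones:
        return [f"zone '{zone}' is not defined"]
    if opt(zones[0], "input", "DROP") == "ACCEPT":
        return []  # input already open for this zone, no rule needed

    # Only ACCEPT rules whose src is the zone, that apply to IPv6, and that have
    # no dest (a rule without dest is an INPUT rule, i.e. traffic to the router).
    rules = [s for s in sections if s["type"] == "rule"
             and zone in s["opts"].get("src", [])
             and not s["opts"].get("dest")
             and opt(s, "target") == "ACCEPT"
             and opt(s, "family", "any") in ("ipv6", "any")]
    findings = []

    if not any("udp" in r["opts"].get("proto", [])
               and any(port_covered(p, 547) for p in r["opts"].get("dest_port", []))
               for r in rules):
        findings.append("no ACCEPT rule for udp dest_port 547 (DHCPv6 server) from zone")

    allowed = set()
    for r in rules:
        if "icmp" in r["opts"].get("proto", []):
            types = r["opts"].get("icmp_type", [])
            allowed.update(types or {"any"})  # no icmp_type means every type
    if "any" not in allowed:
        for t in sorted(REQUIRED_ICMP6 - allowed):
            findings.append(f"ICMPv6 type '{t}' is not accepted from zone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_dhcpv6(parse_uci(cfg), "vlan_101") or ["ok"])
```

Run against the broken fragment it reports the three missing ICMPv6 types, which is exactly the gap the answer above points to; against the hardened fragment it reports nothing. Swapping the hyphen for a colon in dest_port makes the udp/547 check fail as well, since the checker only understands UCI's hyphen ranges.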

I'll give this a go.

UPDATE
This works a treat.
