Unable To "Forward" Ipv6


So the above image is an example of how my network is being used.

However, none of the forwarding rules, traffic rules or NAPT6 setups I have tried work.
I used this as a guide.

Unfortunately none of that has worked.

I've been trying to host some game servers to play with friends over IPv6. That is the only option, because the IPv4 side goes through CGNAT and won't allow any inbound traffic.

Has anyone had any experience opening ports for IPv6 on OpenWrt and getting it to work? I am using the latest build as of 06/28/2024 (MM/DD/YYYY).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

The system is an R6S; I've tried on a Pi 4 as well (too lazy to get it out again).

{
        "kernel": "6.6.34",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R6S",
        "board_name": "friendlyelec,nanopi-r6s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-8092e3f",
                "target": "rockchip/armv8",
                "description": "OpenWrt SNAPSHOT r0-8092e3f"
        }
}

Network

# /etc/config/network as posted. Addresses, prefixes and MAC addresses are redacted placeholders.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # NOTE(review): the opening quote of this value is missing, probably lost while redacting;
        # the real file needs balanced quotes.
        option ula_prefix ffff::FFFF:/48'
        option packet_steering '2'
        option steering_flows '256'

# LAN bridge made of eth2 and eth0.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth0'

config device
        option name 'eth2'
        option macaddr 'ff:ff:ff:ff:ff:ff'

config device
        option name 'eth0'
        option macaddr 'ff:ff:ff:ff:ff:ff'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.10.10.20'
        option netmask '255.255.255.0'
        # The LAN is assigned a /60, restricted to prefixes of class 'wan6ra'
        # (the static /56 declared on the wan6ra interface in this file).
        option ip6assign '60'
        list ip6class 'wan6ra'

config device
        option name 'eth1'
        option macaddr 'FF:FF:FF:FF:FF:FF'

# Two IPv6 uplink interfaces share eth1: wan6 (DHCPv6 client) and wan6ra (static address, gateway and prefix).
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option metric '10'

config interface 'wan6ra'
        option device 'eth1'
        option proto 'static'
        option metric '5'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        list ip6class 'wan6ra'
        option ip6ifaceid '::1:5'
        option ip6weight '10'
        option ip6gw 'FFFF:FFFF:FFFF:FFFF::f'
        option ip6prefix '2FFF:FFFF:FFFF:FFFF::/56'
        list ip6addr '2FFF:FFFF:FFFF:FFFF::FFFF'

# MAP-E interface: IPv4 is carried over the IPv6 uplink.
# NOTE(review): psidlen '6' suggests a shared IPv4 address with a restricted port set, which would fit
# the poster's remark that inbound IPv4 is unusable. Confirm against the ISP's MAP rules.
config interface 'wanmap'
        option proto 'map'
        option maptype 'map-e'
        option peeraddr 'ffff::ffff'
        option ipaddr '1**.***.***.***'
        option ip4prefixlen '20'
        option ip6prefix 'FFFF:FFFF:FFFF::'
        option ip6prefixlen '38'
        option ealen '18'
        option psidlen '6'
        option offset '6'
        option legacymap '1'
        option mtu '1460'
        option metric '30'

# macvlan device on top of eth1; no interface in this listing references eth1mac0.
config device
        option type 'macvlan'
        option ifname 'eth1'
        option mode 'vepa'
        option name 'eth1mac0'

DHCP

# /etc/config/dhcp as posted.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection is enabled.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        # dnsmasq answers DNS on a non-standard port and ignores the system resolv file.
        # NOTE(review): the lan section below still hands out 10.10.10.20 as the DNS server, so presumably
        # another resolver listens on port 53 of the router. Confirm.
        option port '53535'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # Mixed IPv6 mode: DHCPv6 runs as a server here while RA and NDP are relayed
        # (the 'wan6' section below is marked as the relay master).
        option dhcpv6 'server'
        option ra 'relay'
        option ndp 'relay'
        option force '1'
        list dhcp_option 'option:dns-server,10.10.10.20'
        option preferred_lifetime '7d'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Upstream side of the relay: no DHCP service is offered on wan6 itself (ignore '1').
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option preferred_lifetime '7d'

Firewall

# /etc/config/firewall as posted: global defaults, the lan and wan zones, and lan -> wan forwarding.
config defaults
        # Global default policies: inbound and forwarded traffic is dropped unless a zone or rule allows it.
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        # Software and hardware flow offloading are both enabled.
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        # WAN-facing zone: unsolicited traffic to the router (input) and towards other zones (forward) is dropped.
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        # masq is IPv4 masquerading; it does not NAT IPv6.
        option masq '1'
        option mtu_fix '1'
        # NOTE(review): 'wanmap' is listed twice, and 'pp' has no matching interface in the network
        # config posted in this thread. The IPv6 uplinks (wan6, wan6ra) are not members of this zone.
        list network 'wanmap'
        list network 'pp'
        list network 'wanmap'

# LAN hosts may open connections out through the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Traffic rules. The IPv4 rules use src 'wan'; the IPv6 rules use src 'wan6', the separate
# IPv6-only zone defined further down in this file.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# NOTE(review): the wan6 zone in this file has input 'ACCEPT', so the three wan6 input rules below
# (DHCPv6, MLD, ICMPv6-Input) currently add nothing; they become necessary once that zone's input
# policy is set to DROP or REJECT.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan6'
        option proto 'icmp'
        # Only link-local senders are matched.
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan6'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        # Accepted ICMPv6 is rate-limited.
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan6'
        # dest '*' makes this a forward rule towards any zone, limited to the ICMPv6 types listed.
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two IPsec rules forward ESP and UDP/500 from wan to every host in the lan zone
# (no dest_ip and no family restriction).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Script includes run external scripts when the firewall is loaded; their contents are not shown in this thread.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

# Fully permissive zone for network 'docker'.
# NOTE(review): no 'docker' interface appears in the network config posted in this thread. Confirm
# where it is defined and whether input/forward ACCEPT is intended.
config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

# NOTE(review): unlike the pbr include, this one has no fw4_compatible flag. Confirm the script is
# actually loaded on this build.
config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'

# Separate IPv6-only zone holding the two IPv6 uplinks (wan6 and wan6ra).
config zone
        option name 'wan6'
        # input 'ACCEPT' on an internet-facing zone lets any remote IPv6 host reach services listening
        # on the router itself; the 'wan' zone in this file uses DROP. Use DROP or REJECT here and rely
        # on explicit rules (Allow-DHCPv6, Allow-MLD, Allow-ICMPv6-Input) for what the router needs.
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Forwarding into other zones is dropped by default, so inbound access to a LAN host needs an explicit rule.
        option forward 'DROP'
        option family 'ipv6'
        list network 'wan6'
        list network 'wan6ra'

# LAN hosts may open connections out through the wan6 zone.
config forwarding
        option src 'lan'
        option dest 'wan6'

# Poster's first attempt at opening port 8120 to a single LAN host.
# NOTE(review): there is no `option dest`, which the reply in this thread asks for so that the rule
# covers traffic forwarded to the LAN zone. No `option proto` is set either, so the firewall's default
# protocol match applies (presumably TCP and UDP; confirm).
config rule
        option name 'Test'
        option family 'ipv6'
        option src 'wan6'
        # src_port matches the remote client's source port, which is normally an arbitrary ephemeral
        # port, so this line keeps almost every real connection from matching.
        option src_port '8120'
        # The parenthetical after the address is the poster's remark, not part of the config.
        list dest_ip 'IPAD:RRTH:ATIM:TEST:INGB:UTNO:WORK:FFFF' (ipadrr im testing but its not working)
        option dest_port '8120'
        option target 'ACCEPT'

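You do not have to port forward IPv6; it suffices to open up a port for the target host. Each LAN device has its own routable IPv6 address, so a traffic rule that accepts forwarded traffic to that address and port is all that is needed.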
See : IPV6 Firewall Port Opening Help - #2 by egc

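That is bad (referring to `option input 'ACCEPT'` on the wan6 zone). Input on a zone containing wan interfaces should not be ACCEPT, because it exposes every service listening on the router itself to the internet.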

Is there a reason to have separate firewall zones for ipv4 and ipv6? Are you wanting to treat the traffic from the interfaces differently? If not, just put all the wan interfaces into a single zone.

Get rid of option src_port '8120'. Add option dest 'lan' (replace lan with whatever firewall zone the end device is in). Reload the firewall (/etc/init.d/firewall reload).

I have reverted all rules for wan; all interfaces and rules have been set.
Unfortunately the port still isn't seen.

# Second attempt: src_port is gone and a destination zone is set.
# NOTE(review): with no dest_ip, port 8120 is opened towards every host in the lan zone rather than
# one server. src 'wan' only matches IPv6 arriving on interfaces that belong to the wan zone; the
# updated zone configuration is not shown, so confirm that wan6/wan6ra were moved there.
config rule
        option name 'Test'
        option family 'ipv6'
        option src 'wan'
        option dest_port '8120'
        option target 'ACCEPT'
        option dest 'lan'

Unfortunately results remain the same :confused:

I had come across your post and tried it first; unfortunately it didn't work for me. I am unsure as to why.

You removed the destination IP. That wasn't what you were asked to do.

# Third attempt: forwarded IPv6 traffic from the wan zone to one LAN address (redacted) on port 55120.
# NOTE(review): src 'wan' only matches if the IPv6 uplinks belong to the wan zone; the updated zone
# configuration is not shown in the thread. No `option proto` is set, so the firewall's default
# protocol match applies.
config rule
        option name 'Test'
        option family 'ipv6'
        option src 'wan'
        option dest_port '55120'
        option target 'ACCEPT'
        option dest 'lan'
        # dest_ip limits the opening to this single host instead of the whole lan zone.
        list dest_ip 'F:F:F:F:F:F:F:FFFF'

Sorry about that, I misinterpreted the previous reply.

Unfortunately the results remain the same, I've tried a higher port to see if it was causing an issue.

Have you checked for a local firewall on the device?


Some ISPs block all incoming connections within their network. So the first test is to run tcpdump on the wan port and confirm that the test packets originated from outside are actually reaching your router, not being blocked by the ISP.

The simplest way to allow incoming connections to the lan would be a general forward rule wan to lan. This of course exposes all LAN devices to the potential of malicious incoming connections, so it should be done only for testing.


This was unfortunately the issue... it seems this ISP is anti-consumer.

