Understanding questions about IPv6 and firewall settings

      !     !        !    --------
      !     !        !---! Host-1 !
      !     !        !    --------
      !     ! VLAN-1 !
      !     !        !    --------
ISP --! WAN !        !---! Host-2 !
      !     !        !    --------
      !     !--------!
      !     !        !    --------
      !     ! VLAN-2 !---! Host-3 !
      !     !        !    --------
       OpenWrt Router

Let's assume a relatively simple scenario with only 4 devices and no IPv4 at all: 1 OpenWrt router, 3 hosts (without their own firewall), 2 VLANs.

Let's assume that the router gets a /56 network from the ISP. An interface is created for each VLAN, and each VLAN interface and each host receives a public IPv6 address via prefix delegation.
So far so good. But what about the firewall? In standard firewall settings, a few ports and protocols (e.g. ICMP) are opened on the WAN interface. There are no default entries for VLAN-1 and VLAN-2.
In the IPv6 case, both Host-1 and Host-2 would have their own public address. This suggests that a host is completely publicly accessible. Without a firewall, that would be deadly...
Or does the upstream firewall still work?
This means that - in default configuration - all hosts would only be accessible via ICMP. Otherwise everything would be blocked. Which variant is correct?

For example, if I now want to set up external ssh access to Host-3, I would do this in the IPv4 world with port forwarding. This would only open a single port. The rest would be blocked by the firewall.

But how do I do that under IPv6? Do traffic rules have to be created there as usual?
One for input for each port I want to open, and what needs to be targeted? "This device" or the desired VLAN or host?
And an additional forwarding rule? And what does it have to point to? The VLAN interface, or the interface of the host?


Assuming you haven't messed with the defaults, the OpenWrt firewall blocks both IPv4 and IPv6 traffic. So yes.

It's not hugely different for IPv6. You just use a traffic rule instead of a port forward. You want to allow traffic from the wan zone with a destination port of 22 (or whatever port you have SSH on) through to the relevant LAN zone and specific host.

Here is the guide if you want to set up IPv6 servers.
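To make the answer concrete, here is an added example of what the relevant parts of `/etc/config/firewall` look like for the scenario in the question. It is not taken from the original thread or from the OpenWrt project; the interface names `vlan1`/`vlan2`, the rule name and the host address (taken from the 2001:db8::/32 documentation range) are placeholders you would replace with your own values. The first zone is the stock wan zone as OpenWrt ships it, which is what makes the hosts unreachable from the Internet by default even though they hold public addresses: `input 'REJECT'` covers traffic to the router itself and `forward 'REJECT'` covers traffic routed through it to any host behind it. The traffic rule at the end is the IPv6 counterpart of an IPv4 port forward: because no address translation is involved, it simply permits forwarding to the host's real address.

```uci
# Stock wan zone from /etc/config/firewall (unchanged default).
# Everything arriving on wan/wan6 is rejected unless a rule allows it,
# for both IPv4 and IPv6; masq and mtu_fix only affect IPv4.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Zone containing both VLAN interfaces. Interfaces that are in no zone
# at all get no forwarding, so each VLAN interface must be listed here
# (or in a zone of its own). Interface names are assumptions.
config zone
	option name 'lan'
	list network 'vlan1'
	list network 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Stock forwarding: lan may initiate connections towards wan; there is
# deliberately no wan -> lan forwarding entry.
config forwarding
	option src 'lan'
	option dest 'wan'

# Added traffic rule: allow TCP port 22 from the Internet to Host-3 only.
# dest is the zone (not an interface), dest_ip narrows it to one host.
# The address below is a placeholder from the documentation prefix.
config rule
	option name 'Allow-SSH-Host-3'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '22'
	option family 'ipv6'
	option dest_ip '2001:db8:0:2::3'
	option target 'ACCEPT'
```

After editing the file, apply it with `/etc/init.d/firewall restart` (or `fw4 reload` on firewall4 systems). A quick check from a host outside the network is that port 22 on Host-3's address answers while port 22 on Host-1 or Host-2, and any other port on Host-3, still times out or is refused; if you delegated a prefix rather than a single address to the VLAN, keep in mind that Host-3's address must stay stable (static suffix or DHCPv6 reservation) for a `dest_ip` match to keep working.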