Why do firewall entries created via LuCI default to IPv4? Is it possible to generate rules for IPv4/IPv6 in one step?

I am using OpenWrt 22.03.3 r20028-43d71ad93e / LuCI openwrt-22.03 branch git-23.292.78392-9f66674 and this is really annoying:

I set up a rule to redirect all NTP traffic from lan to wan to my local router:

I set "Restrict to address family" to "automatic" because it should redirect ipv4 and ipv6.

First surprise, "automatic" probably means ipv4, but why?

I further checked the firewall table and yes, "automatic" is ipv4

Are we back in 2000 on an ipv4-only planet?

Is ipv4 actually standard in Luci 2024? Who comes up with that?

I now set up two rules for each and every firewall rule which should redirect really all traffic: NTP4 and NTP6. That's a really great achievement!

Is there a chance that this gets fixed?

The real problem here is that the vast majority of users are stuck with ipv4 feeds from their ISPs.

I would agree it is ridiculous that ipv6 is not yet the default for the majority of ISPs on the planet, but that is how it is. Provision of ipv4 by ISPs is not broken so why should they spend money fixing it and retraining help desks etc.?

No, we are on an ipv4 planet in 2024 because it is cheaper for the ISPs to stick with ipv4.

3 Likes

It’s possible in 23.05 and newer. It IS 2024 after all. No need to be running the older 2022 release. :wink:

8 Likes

Unless you’re using NAT6, a port forward doesn’t make sense? Hence why automatic chose ipv4?

4 Likes

It does if you're trying to capture traffic being sent to a specific port and redirect it to the router.

Excellent statement - made me laugh

1 Like

My ISP is Vodafone and they have been providing ipv6 only for years!

How do you forward e.g. all DNS traffic to some specific port for adblock? This is not a serious question :grin:

I updated to 23.05, got some resize2fs hassle, but now it really really works!!!

It seems the openwrt guys found out sometime between 2022-2023 that ipv6 should be configurable just like ipv4!

Luci is still cheating on me :rage:

Why don't I just get what I configure? What's this special "hey, I show you that I have done it for you, but I do something completely different"... I'm going crazy :crazy_face:

The firewall4 syntax is meant to be an abstraction of the underlying rules. The firewall status view is parsing the underlying nftables rules directly. Are there multiple rules present for port 5553 (e.g. 1 udp, 1 tcp)?

1 Like

I have two rules for port 53 UDP/TCP: one redirects all to local port 53, another redirects some clients by MAC to port 5553.

After spending hours and hours I came to the following conclusion: even in 2024 openwrt isn't able to add correct port forward rules for ipv4 and ipv6 with luci. Maybe 2026? :roll_eyes:

I can add manually option family 'any' to every config redirect rule in /etc/config/firewall ... and then the rules are really working for ipv4 and ipv6 :tada:

But woe betide you if you change settings via Luci, everything is lost :pleading_face:

Backwards compatibility. Automatic here means "unspecified, derive family from IP addresses or referenced ipsets in rule, fall back to IPv4 only if inconclusive".

Historically (firewall3 and earlier) only IPv4 DNAT was supported. Firewall4 uses the same configuration syntax but supports IPv6 DNAT. Automatically performing IPv6 port forwarding for unchanged configurations that previously forwarded IPv4 only might pose a security risk (changed firewall behavior with unchanged config), hence the deliberate decision to default to IPv4 only for DNAT rules without any family specific criteria.

Sure, albeit a simple "please expose the missing 'any' family option choice for DNAT rules in LuCI" would have been sufficient, instead of throwing a dramatic temper tantrum.

4 Likes
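As an added example (not code from this thread or from OpenWrt/fw4), a small Python checker that applies the family-selection rule described above to the redirect sections of /etc/config/firewall, so you can see which DNAT rules will stay IPv4 only and need option family 'any'. The sample config is constructed, and referenced ipsets are assumed unresolved (treated as inconclusive here).

```python
# Added illustration, not fw4's own code: explicit 'option family' wins,
# otherwise the family comes from the rule's addresses, otherwise IPv4 only.
import ipaddress
import re

OPTION_RE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'")
ADDR_OPTIONS = ("src_ip", "src_dip", "dest_ip", "dest_dip")

# Constructed sample of /etc/config/firewall redirect sections (not a real config).
SAMPLE_CONFIG = """config redirect
	option name 'NTP'
	option src 'lan'
	option src_dport '123'

config redirect
	option name 'DNS'
	option family 'any'
	option src 'lan'
	option src_dport '53'

config redirect
	option name 'DNS6'
	option src 'lan'
	option src_ip 'fd00::/64'
	option src_dport '53'
"""

def parse_sections(text, section_type="redirect"):
    """Parse UCI text into one dict per section of the given type."""
    sections = []
    for line in text.splitlines():
        if line.strip().startswith("config "):
            sections.append({"_type": line.split()[1]})
        elif sections and (m := OPTION_RE.match(line)):
            sections[-1].setdefault(m.group(1), []).append(m.group(2))
    return [s for s in sections if s["_type"] == section_type]

def effective_family(rule):
    """Return 'ipv4', 'ipv6' or 'any' for one redirect section."""
    if "family" in rule:
        return rule["family"][0]
    # '!' negation and CIDR masks are both valid address forms in rules
    versions = {ipaddress.ip_network(v.lstrip("!"), strict=False).version
                for key in ADDR_OPTIONS for v in rule.get(key, [])}
    return "ipv6" if versions == {6} else "ipv4"  # none or mixed: IPv4 only

def report(text):
    """Map each redirect's name to the family it will actually apply to."""
    return {r.get("name", ["?"])[0]: effective_family(r) for r in parse_sections(text)}
```

Rules reported as ipv4 without an explicit family are the ones LuCI silently leaves IPv4 only; those are the ones to give option family 'any'.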

I don't see what the issue is here. In 23.05, you can create rules in LuCI with address family "IPv4 and IPv6", or you can easily switch existing rules. There's no drama there.

But as @jow said, automatically making every IPv4 firewall rule also apply to IPv6 without careful consideration seems dangerous and not desirable.

So... everything works as it should? There's no conspiracy against IPv6?

I understand, but then... I add something like this:

And get this:

But in the firewall list I get this:

So it is ok that luci tells me "rule is for ipv4 and ipv6" but under the hood you only get ipv4? Why is luci not telling me ipv4 like it did in pre-23.05?

Yes, I'm a drama queen. From your standpoint it's all easy, you know each setting in the firewall config and what it is doing. I had to dig into this and reveal that there is a missing 'any' family option which can't be set and will be overridden by luci.

And my question in the subject was really simple. Ok, I forgot to mention forward rule. Fact is: it is impossible to add one forward rule for both ipv4 and ipv6 with luci.

Really "IPv4 and IPv6"? How? Please? I'm excited about it!

My 23.05 port forward options look like this:


Is your version of 23.05 other than mine? Or am I missing an update? (just kidding!)

Where did I write that? Please read my subject again, there you see these words:

generate rules for ipv4 ipv6 in one step, not "making all ipv4 rules automagically appear to be ipv6 rules as well"...

Added Issue here: https://github.com/openwrt/luci/issues/6958

1 Like

I have made your topic title a little less trollish. If you want adult answers, behave like one.

1 Like

Thanks for editing your answer to point out I am childish. But what I am writing are facts and no one was able to disprove me.

See if you have an opkg update available for luci-app-firewall. If so, and you feel adventurous, upgrade just that package and see if it works as you expect it to.

1 Like

There are ways to present facts that don't require losing your composure, though.

Remember that this is a community forum, the software is maintained by a community of volunteer developers, and if you post in a way that's equivalent to running into a pub and yelling at the barman and all the customers because they haven't got your favourite beer, they may reserve the right not to serve you.

2 Likes

Thanks for the hint, I have a build environment for the packages, maybe the snapshot version has already addressed this..