Why do I have to leave the port on the IPv6 traffic rule as "any" to make it work?

I have successfully configured a traffic rule for IPv6 that lets me access my Linux PC over SSH from the internet with the following configuration:

Even though it works fine, it only works if I don't put any source port on the traffic rule configuration. For example, if I put the source port as 22 (the default SSH port), I will not be able to access my Linux server from the internet using its IPv6 address. In my mind it doesn't make sense. I don't think there'll be any negative consequence of leaving it as it is now, since there's only one destination port for it. But why does it work that way? Shouldn't it work fine when I put the source port as 22? (I have actually spent a few hours figuring out why it wasn't working.)

For an inbound SSH connection, the remote source port will be random, and only the local destination port will be 22.

1 Like

I see... But does that happen only with IPv6? I mean, with a valid public IPv4 address I use the port forwarding rule with both the external and internal port as 22 and it works fine.

In a port forward rule, the external port is the “destination” port that the traffic arrives at the router on. The internal port is the port on the LAN device that the traffic is forwarded to. Sometimes they match, but don’t need to. For example, you could forward external port 2222 to internal port 22.

Since IPv6 doesn’t need NAT, you’re just allowing the forwarded traffic through the firewall directly without any port remapping.

There are subtle differences in the fields of a traffic rule and a port forward (redirect) rule.

1 Like
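
The matching behaviour described in the replies above, as an added example that is not part of the original thread: a minimal first-match rule evaluator showing why a source-port condition of 22 never matches an inbound SSH client. The names `Packet`, `TrafficRule` and `verdict` are hypothetical, the addresses are constructed from the documentation prefix, and a default-drop policy for forwarded traffic is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    proto: str = "tcp"

@dataclass
class TrafficRule:
    """One forwarding rule; a field left as None means "any"."""
    name: str
    family: int                       # 4 or 6
    proto: str
    dest_ip: Optional[str] = None
    src_port: Optional[int] = None    # port the remote client sends FROM
    dest_port: Optional[int] = None   # port the LAN host listens ON

    def matches(self, p: Packet) -> bool:
        dst = ipaddress.ip_address(p.dest_ip)
        return (dst.version == self.family
                and p.proto == self.proto
                and (self.dest_ip is None
                     or ipaddress.ip_address(self.dest_ip) == dst)
                and self.src_port in (None, p.src_port)
                and self.dest_port in (None, p.dest_port))

def verdict(rules, p: Packet) -> str:
    """First matching rule accepts; otherwise the assumed default policy drops."""
    for r in rules:
        if r.matches(p):
            return f"ACCEPT ({r.name})"
    return "DROP (default policy)"

# Constructed sample traffic: the client picks an ephemeral source port.
SERVER = "2001:db8:1::10"
syn = Packet("2001:db8:ffff::5", 51514, SERVER, 22)

# Rule as first tried in the question: source port pinned to 22.
broken = [TrafficRule("ssh-src22", 6, "tcp", SERVER, src_port=22, dest_port=22)]
# Working rule: source port left as "any", only the destination port set.
working = [TrafficRule("ssh-dst22", 6, "tcp", SERVER, dest_port=22)]

if __name__ == "__main__":
    print("src_port=22 rule :", verdict(broken, syn))
    print("dest_port=22 rule:", verdict(working, syn))
```
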

Thanks, I didn't know they had different behaviors...

But then is there any situation where I should specify a source port for traffic rules? Since they're randomly arriving on the router, I'll always (or at least most of the time) have to leave it as "any", right?