Had enabled IPv6 and noticed that IPv6 LAN devices are accessible from the internet. AX3600 is not filtering and accepting all the IPv6 connections Internet to LAN, exposing all the IPv6 LAN devices to the Internet.
Traced and found the 'zone_wan_dest_REJECT' chain has a rule resulting in all forwards from WAN (before the reject rule). This rule is not in the vanilla OpenWRT and it exposes LAN to the Internet. It is added when IPv6 is enabled and the mode is not NAT (/etc/config/firewall include 'ipv6_masq' ->'/lib/firewall.sysapi.loader ipv6_masq' -> '/usr/sbin/sysapi.firewall ipv6_masq').
root@XiaoQiang:~# ip6tables -L zone_wan_dest_REJECT -n -v Chain zone_wan_dest_REJECT (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all eth1 * ::/0 ::/0 0 0 reject all * eth1 ::/0 ::/0 /* !fw3 */
As a workaround to prevent LAN from being accessible, I had disabled the ipv6_masq and included firewall.user to delete the rule and restart odhcpd.
# Disable ipv6_masq (optional) uci set firewall.ipv6_masq.enabled='0' # include custom /etc/firewall.user rules uci set firewall.firewall_user=include uci set firewall.firewall_user.path='/etc/firewall.user' uci commit cat << "EOF" >> /etc/firewall.user ### Delete the ip6tables rule which forwards WAN -> LAN. It will expose LAN to the global (internet) ip6tables -D zone_wan_dest_REJECT -i eth1 -j ACCEPT # need to restart odhcpd for IPv6 to work /etc/init.d/odhcpd restart EOF