Topic: ipv6: routing to local machine from the internet

Hello, recently I've switched to a dual-stack connection, however this has caused me some trouble in some ways.

First and most important is the problem of dynamic DNS: when using IPv4 the IP is the IP of the router, however when using IPv6 it should be the one of the server. How should I implement that with the DDNS scripts?

The other choice, I think, would be to use some sort of masquerading and port forwarding like it's normally done in IPv4, hence incoming connections to port a at the router's IP should be routed to a target IP, however I'm not sure this is a choice in IPv6.

What I have done as of today is to open port 22 from the wan zone to the lan zone, however that would leave all the computers connected to lan exposed, since the ISP prefix is dynamic and hence the server IP would change with it, how should I open the port only when the destination is a given address? Should it be done with a suffix somehow?

Thank you for your time.

Re: ipv6: routing to local machine from the internet

diegogmx wrote:

First and most important is the problem of dynamic DNS: when using IPv4 the IP is the IP of the router, however when using IPv6 it should be the one of the server. How should I implement that with the DDNS scripts?

Maybe you should run it on the server, at least for ipv6.

diegogmx wrote:

What I have done as of today is to open port 22 from the wan zone to the lan zone, however that would leave all the computers connected to lan exposed, since the ISP prefix is dynamic and hence the server IP would change with it, how should I open the port only when the destination is a given address? Should it be done with a suffix somehow?

You could put the server in a separate firewall zone using VLAN (trunk or port based), then you would only allow incoming connections to port 22 from wan to that zone.

Re: ipv6: routing to local machine from the internet

About point 2, I'll try implementing it that way.
About topic 1, I think you are right, however do you know how to get the external IP by using ifconfig or something?
As in the IPv6 section it shows many IPs with many scopes, I need just the external one to make the script of the updater.

Re: ipv6: routing to local machine from the internet

You can make a ubus call to get the current ipv6-prefix. At least it works with a HE prefix I use.

$ ubus call network.interface.wan6 status
{
...
    "ipv6-prefix": [
        {
            "address": "2001:470:XXXX::",
            "mask": 48,
...
        }
...
}

Re: ipv6: routing to local machine from the internet

You have got some good ideas there for your DDNS script. It is fairly easy to pick up the new prefix. Even the 'ip' command will show you the LAN addresses, then it is just a matter of parsing it.

As for the SSH access, I suggest you use a 64-bit ip6tables entry, which points to the last 64 bits of your server you wish to expose. Something like this:

ip6tables -I INPUT -d ::a3a3:beff:fe89:93af/::ffff:ffff:ffff:ffff -j ACCEPT

Then regardless of your prefix, access will be allowed. BTW, this exposes all ports, not just SSH, but you can restrict it further to just SSH.
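
Added example, not part of any post in this thread: a Python sketch of the two ideas above, building the server's current global address from the delegated prefix that ubus reports (for a DDNS updater) and checking which destinations a suffix/mask rule like the one above matches. The 2001:db8:1234::/48 prefix, the sample JSON, the function names and the LAN subnet id are constructed assumptions; the suffix and mask are the ones from the ip6tables line.

```python
import ipaddress
import json

# Constructed sample: trimmed `ubus call network.interface.wan6 status` output.
# 2001:db8::/32 is the documentation range, not a real delegation.
SAMPLE_STATUS = '{"ipv6-prefix": [{"address": "2001:db8:1234::", "mask": 48}]}'

# Interface identifier and mask taken from the ip6tables rule in the post above.
SUFFIX = "::a3a3:beff:fe89:93af"
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"


def delegated_prefix(status_json):
    """Return the first delegated prefix in the status JSON as an IPv6Network."""
    entry = json.loads(status_json)["ipv6-prefix"][0]
    return ipaddress.IPv6Network((entry["address"], entry["mask"]))


def server_address(prefix, suffix=SUFFIX, subnet_id=0):
    """Combine prefix, subnet id and 64-bit suffix into the host's global address.

    subnet_id is an assumption: it is whichever /64 the router assigns to the
    LAN out of the delegated prefix (0 here).
    """
    if prefix.prefixlen > 64:
        raise ValueError("prefix longer than /64 leaves no room for the suffix")
    if not 0 <= subnet_id < (1 << (64 - prefix.prefixlen)):
        raise ValueError("subnet id does not fit in the delegated prefix")
    iid = int(ipaddress.IPv6Address(suffix))
    if iid >> 64:
        raise ValueError("suffix must only use the low 64 bits")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | (subnet_id << 64) | iid
    )


def rule_matches(dst, suffix=SUFFIX, mask=SUFFIX_MASK):
    """Mimic `-d suffix/mask`: compare only the address bits set in the mask."""
    m = int(ipaddress.IPv6Address(mask))
    return int(ipaddress.IPv6Address(dst)) & m == int(ipaddress.IPv6Address(suffix)) & m


if __name__ == "__main__":
    addr = server_address(delegated_prefix(SAMPLE_STATUS))
    print("AAAA record to publish:", addr)
    print("server matched by rule:", rule_matches(addr))
    print("other LAN host matched:", rule_matches("2001:db8:1234::1"))
```

The suffix only stays valid while the server keeps a stable interface identifier; temporary privacy addresses will not match the rule.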

Re: ipv6: routing to local machine from the internet

Hi diegogmx,

Both points can be solved by the ip6neigh script, which is especially helpful with dynamic prefixes. Take a look at https://github.com/AndreBL/ip6neigh#con … c-dns-ddns . Since you are setting up a dual-stack environment, it might organize other things as well.