These examples refer to IPv6 topologies and were pasted from the old wiki. I have not tested or verified correctness.
To open port 80 so that a local webserver at 2001:db8:42::1337 can be reached from the Internet:
    config rule
        option src wan
        option proto tcp
        option dest lan
        option dest_ip 2001:db8:42::1337
        option dest_port 80
        option family ipv6
        option target ACCEPT
To open SSH access to all IPv6 hosts in the local network:
    config rule
        option src wan
        option proto tcp
        option dest lan
        option dest_port 22
        option family ipv6
        option target ACCEPT
To open all TCP and UDP ports between 1024 and 65535 towards the local IPv6 network:
    config rule
        option src wan
        option proto tcpudp
        option dest lan
        option dest_port 1024:65535
        option family ipv6
        option target ACCEPT
This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.
Unverified Information! From my experience all you need to do is just add the interface name of your ipv6 tunnel to the wan zone of your firewall. This worked for me: remove the information below if this is the correct way to proceed. Caveat: The above will only work if the tunnel is bringing IPv6 connectivity to the router itself. If you use the tunnel to route a prefix into your lan as well, you will additionally need to allow Inter-Zone Forwarding from wan to lan (not enabled by default). Creating a separate firewall zone (as described below) is a cleaner solution, though.
IPv6 packets are by default not forwarded from lan to your wan6 interface and vice versa. Make sure to add net.ipv6.conf.all.forwarding=1 to /etc/sysctl.conf to enable forwarding permanently. Assuming your tunnel interface is called henet, add the following sections to /etc/config/firewall to create a new zone wan6 covering henet and to allow forwarding between wan6 and lan in both directions:
    config zone
        option name wan6
        option network henet
        option family ipv6
        option input ACCEPT
        option output ACCEPT
        option forward REJECT

    config forwarding
        option dest lan
        option src wan6

    # You don't need the section below, as you can instead add a firewall rule
    # that opens only the port you need.
    config forwarding
        option dest wan6
        option src lan
The family option ensures that the zone and all associated entries (rule, forwarding and redirect sections) are only added to ip6tables but not to iptables.
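As an added example (not code from the wiki or from OpenWrt), the following Python script parses UCI sections like the ones above from /etc/config/firewall and reports every forwarding or ACCEPT rule that lets Internet-side IPv6 traffic reach all LAN hosts instead of a single dest_ip; the zone names in WAN_ZONES and the sample configuration are assumptions constructed from this page.

```python
# Added example (not from the wiki): flag IPv6 firewall sections that expose every LAN host.
# Constructed sample built from the sections shown on this page.
SAMPLE = """\
config forwarding
    option dest lan
    option src wan6

config rule
    option src wan
    option proto tcp
    option dest lan
    option dest_ip 2001:db8:42::1337
    option dest_port 80
    option family ipv6
    option target ACCEPT

config rule
    option src wan
    option proto tcp
    option dest lan
    option dest_port 22
    option family ipv6
    option target ACCEPT
"""
WAN_ZONES = {"wan", "wan6"}  # assumption: the Internet-facing zone names used on this page

def parse_uci(text):
    """Parse UCI 'config'/'option' lines into a list of (section type, options dict)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] == "option" and len(parts) >= 3 and sections:
            sections[-1][1][parts[1]] = " ".join(parts[2:]).strip("'\"")
    return sections

def audit(text):
    """One finding per forwarding or ACCEPT rule that admits Internet traffic to all LAN hosts."""
    findings = []
    for kind, opt in parse_uci(text):
        if kind == "forwarding" and opt.get("src") in WAN_ZONES and opt.get("dest") == "lan":
            findings.append("forwarding %s->lan forwards all inbound traffic" % opt["src"])
        elif (kind == "rule" and opt.get("src") in WAN_ZONES
              and opt.get("target") == "ACCEPT" and "dest_ip" not in opt):
            findings.append("rule to lan port %s has no dest_ip: every host exposed" % opt.get("dest_port", "any"))
    return findings
```

Running audit(SAMPLE) reports the wan6->lan forwarding and the port 22 rule, while the port 80 rule passes because it is pinned to one dest_ip.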