These examples refer to IPv6 topologies and were pasted from the old wiki.
I have not tested or verified correctness.
To open port 80 so that a local webserver at 2001:db8:42::1337 can be reached from the Internet:

    config rule
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '2001:db8:42::1337'
        option dest_port '80'
        option family 'ipv6'
        option target 'ACCEPT'
To open SSH access to all IPv6 hosts in the local network:

    config rule
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
To open all TCP/UDP ports between 1024 and 65535 towards the local IPv6 network:

    config rule
        option src 'wan'
        option proto 'tcpudp'
        option dest 'lan'
        option dest_port '1024:65535'
        option family 'ipv6'
        option target 'ACCEPT'
This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.
Unverified information! From my experience, all you need to do is add the interface name of your IPv6 tunnel to the wan zone of your firewall. This worked for me; remove the information below if this is the correct way to proceed.

Caveat: The above will only work if the tunnel is bringing IPv6 connectivity to the router itself. If you use the tunnel to route a prefix into your lan as well, you will additionally need to allow inter-zone forwarding from wan to lan (not enabled by default). Creating a separate firewall zone (as described below) is a cleaner solution, though.
IPv6 packets are by default not forwarded from lan to your wan6 interface and vice versa. Make sure to add the forwarding setting to /etc/sysctl.conf to enable it permanently. Assuming your tunnel interface is called wan6, add the following sections to /etc/config/firewall to create a new zone wan6 and to allow forwarding between wan6 and lan in both directions:

    config zone
        option name 'wan6'
        option network 'wan6'
        option family 'ipv6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

    config forwarding
        option dest 'lan'
        option src 'wan6'

    # you don't need the below, as you can add a firewall rule to open the port that you need
    config forwarding
        option dest 'wan6'
        option src 'lan'
The family option ensures that the zone and all associated entries (e.g. redirect sections) are only added to ip6tables, not to iptables.
Configure a static DHCPv6 lease and add a forwarding rule:

    uci add firewall rule
    uci set firewall.@rule[-1].name="Forward-IPv6"
    uci set firewall.@rule[-1].src="wan"
    uci set firewall.@rule[-1].dest="lan"
    uci set firewall.@rule[-1].dest_ip="::123/::ffff:ffff:ffff:ffff"
    uci set firewall.@rule[-1].family="ipv6"
    uci set firewall.@rule[-1].proto="tcpudp"
    uci set firewall.@rule[-1].target="ACCEPT"
    uci commit firewall
    /etc/init.d/firewall restart
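The rules on this page differ a lot in how much they expose: the port-80 rule is limited to one host, the 1024:65535 rule accepts a large port range towards every host in lan, the wan6 zone accepts input to the router itself, the wan6-to-lan forwarding admits all traffic, and the Forward-IPv6 rule above uses a suffix mask (::123/::ffff:ffff:ffff:ffff), so it matches the host with interface identifier ::123 in whatever prefix the tunnel delegates. The script below is an added example (not OpenWrt code) that parses a UCI firewall file and reports, with a rough severity, everything that accepts traffic from an Internet-facing zone. It assumes the stock option names used on this page (src, dest, dest_ip, dest_port, family, target, input), handles only config and option lines (list lines are ignored), and treats any zone whose name starts with "wan" as untrusted; that last rule is a heuristic chosen for this example, not an OpenWrt convention. The sample configuration is constructed from the sections on this page:

```python
# Added example (not OpenWrt code): audit an OpenWrt /etc/config/firewall in UCI
# syntax for accept rules that expose more of an IPv6 network than intended.
import re
# Constructed sample: the rules, zone and forwarding from this page, plus the
# uci-added "Forward-IPv6" rule rewritten in config-file form.
SAMPLE_CONFIG = """
config rule
    option src 'wan'
    option proto 'tcp'
    option dest 'lan'
    option dest_ip '2001:db8:42::1337'
    option dest_port '80'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option src 'wan'
    option proto 'tcpudp'
    option dest 'lan'
    option dest_port '1024:65535'
    option family 'ipv6'
    option target 'ACCEPT'
config zone
    option name 'wan6'
    option network 'wan6'
    option family 'ipv6'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option dest 'lan'
    option src 'wan6'
config rule
    option name 'Forward-IPv6'
    option src 'wan'
    option dest 'lan'
    option dest_ip '::123/::ffff:ffff:ffff:ffff'
    option family 'ipv6'
    option proto 'tcpudp'
    option target 'ACCEPT'
"""
TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")  # single-quoted, double-quoted or bare word

def parse_uci(text):
    """Parse 'config <type>' and 'option <key> <value>' lines into one dict per section."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = [a or b or c for a, b, c in TOKEN.findall(line)]
        if words[0] == 'config' and len(words) > 1:
            sections.append({'.type': words[1]})
        elif words[0] == 'option' and sections and len(words) > 1:
            sections[-1][words[1]] = words[2] if len(words) > 2 else ''
    return sections

def is_untrusted(zone):
    # Assumption for this example: zones whose name starts with 'wan' face the Internet.
    return zone.startswith('wan')

def dest_ip_scope(dest_ip):
    """How much of the destination zone a dest_ip value covers."""
    if not dest_ip:
        return 'entire zone'
    if '/' in dest_ip:
        mask = dest_ip.split('/', 1)[1]
        if mask.isdigit():
            return 'single host' if int(mask) >= 128 else 'prefix'
        return 'suffix match'  # e.g. ::123/::ffff:ffff:ffff:ffff: one interface id in any prefix
    return 'single host'

def port_count(dest_port):
    """Number of ports a dest_port value covers; an absent value matches every port."""
    if not dest_port:
        return 65536
    total = 0
    for tok in dest_port.split():  # UCI allows a space-separated list of ports and ranges
        m = re.fullmatch(r'(\d+)[:-](\d+)', tok)
        total += int(m.group(2)) - int(m.group(1)) + 1 if m else 1
    return total

def audit(text):
    """Return (severity, message) findings for everything that accepts traffic from an untrusted zone."""
    findings = []
    for s in parse_uci(text):
        if s['.type'] == 'zone' and is_untrusted(s.get('name', '')) and s.get('input') == 'ACCEPT':
            findings.append(('medium', f"zone {s['name']}: input ACCEPT exposes every service on the router itself"))
        elif s['.type'] == 'forwarding' and is_untrusted(s.get('src', '')):
            findings.append(('high', f"forwarding {s['src']} -> {s.get('dest')}: forwards all traffic into {s.get('dest')}; prefer per-port rules"))
        elif s['.type'] == 'rule' and s.get('target') == 'ACCEPT' and is_untrusted(s.get('src', '')):
            scope, ports = dest_ip_scope(s.get('dest_ip', '')), port_count(s.get('dest_port', ''))
            sev = 'high' if scope == 'entire zone' and ports > 1 else 'medium' if scope == 'entire zone' or ports > 1 else 'low'
            label = s.get('name') or f"rule {s.get('proto', 'all')}/{s.get('dest_port') or 'any'}"
            findings.append((sev, f"{label}: accepts from {s['src']} to {scope} in {s.get('dest')} on {ports} port(s)"))
    return findings

if __name__ == '__main__':
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it against a copy of your own /etc/config/firewall (replace SAMPLE_CONFIG with the file contents) to see which entries admit traffic to more than one host or more than one port; a rule scoped to a single host on one port is reported as low, while a zone-wide forwarding is reported as high because it bypasses every per-port rule.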