User Tools

Site Tools


docs:guide-user:firewall:fw3_configurations:fw3_ipv6_examples

fw3 IPv6 configuration examples

These examples refer to IPv6 topologies and were pasted from the old wiki.
I have not tested or verified correctness.

Port accept for IPv6

To open port 80 so that a local webserver at 2001:db8:42::1337 can be reached from the Internet:

config rule
	option src 'wan'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '2001:db8:42::1337'
	option dest_port '80'
	option family 'ipv6'
	option target 'ACCEPT'

To open SSH access to all IPv6 hosts in the local network:

config rule
	option src 'wan'
	option proto 'tcp'
	option dest 'lan'
	option dest_port '22'
	option family 'ipv6'
	option target 'ACCEPT'

To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network:

config rule
	option src 'wan'
	option proto 'tcpudp'
	option dest 'lan'
	option dest_port '1024:65535'
	option family 'ipv6'
	option target 'ACCEPT'

Forwarding IPv6 tunnel traffic

:!: This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.

The example below assumes your tunnel interface is configured on it's own zone. An alternative setup that may also be used is having your IPv6 tunnel on an interface like henet and attached to the wan zone. This is also correct, but if you plan on passing a prefix down to your LAN and want to firewall appropriately it is better to create a separate firewall zone as described below.

IPv6 packets may not be forwarded from lan to your wan6 interface and vice versa by default. Make sure that net.ipv6.conf.all.forwarding=1 is enabled, you can run sysctl -a | grep net.ipv6.conf.all.forwarding to confirm the value set. (This is likely already enabled by default on newer OpenWrt builds).

Assuming your tunnel interface is called wan6, add the following sections to /etc/config/firewall to create a new zone wan6.

config zone
	option name 'wan6'
	option network 'wan6'
	option family 'ipv6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
 
config forwarding
        option dest 'wan6'
        option src 'lan'

Forwarding lan → wan6 will allow your IPv6 prefix to work on the lan side, you can confirm this by going to https://test-ipv6.com.

The family option ensures that the zone and all associated entries (rule, forwarding and redirect sections) are only added to ip6tables but not iptables.

Opening IPv6 ports to LAN clients

CAUTION: Adding the following forwarding rule below will expose ALL IPv6 ports behind a v6 host on the LAN, which is potentially very dangerous. Instead, you should selectively define allow IPv6 firewall rules to avoid this. The documentation was previously worded in a way that stated this forwarding rule was needed to allow IPv6 traffic to flow properly. This is not true. You do not need to allow wan6 → lan to everything.

# Only enable this if you know what you're doing and have additional firewall rules blocking access to IPv6 TCP/UDP ports.
config forwarding
        option dest 'lan'
        option src 'wan6'

Any firewall rules required to open one or more ports would follow the same syntax as the examples above, with the exception of the src value being wan6, rather than wan.

Dynamic prefix forwarding

Configure a static DHCPv6 lease and add a forwarding rule:

uci add firewall rule
uci set firewall.@rule[-1].name="Forward-IPv6"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="::23/-64"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcpudp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

IPv6 firewall testing

You can confirm the state of your IPv6 firewall using a couple of tools:

These tools will allow you to query one or more ports against an IPv6 address to determine the response. In most cases you should not have open ports, unless these have been explicitly opened via a firewall rule.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples.txt · Last modified: 2020/08/03 06:05 by vgaetera