These examples refer to IPv6 topologies and were pasted from the old wiki.
I have not tested or verified correctness.
To open port 80 so that a local webserver at
2001:db8:42::1337 can be reached from the Internet:
config rule option src 'wan' option proto 'tcp' option dest 'lan' option dest_ip '2001:db8:42::1337' option dest_port '80' option family 'ipv6' option target 'ACCEPT'
To open SSH access to all IPv6 hosts in the local network:
config rule option src 'wan' option proto 'tcp' option dest 'lan' option dest_port '22' option family 'ipv6' option target 'ACCEPT'
To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network:
config rule option src 'wan' option proto 'tcpudp' option dest 'lan' option dest_port '1024:65535' option family 'ipv6' option target 'ACCEPT'
This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.
The example below assumes your tunnel interface is configured on it's own zone. An alternative setup that may also be used is having your IPv6 tunnel on an interface like
henet and attached to the
wan zone. This is also correct, but if you plan on passing a prefix down to your LAN and want to firewall appropriately it is better to create a separate firewall zone as described below.
IPv6 packets may not be forwarded from lan to your wan6 interface and vice versa by default. Make sure that
net.ipv6.conf.all.forwarding=1 is enabled, you can run
sysctl -a | grep net.ipv6.conf.all.forwarding to confirm the value set. (This is likely already enabled by default on newer OpenWrt builds).
Assuming your tunnel interface is called
wan6, add the following sections to
/etc/config/firewall to create a new zone
config zone option name 'wan6' option network 'wan6' option family 'ipv6' option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' config forwarding option dest 'wan6' option src 'lan'
Forwarding lan → wan6 will allow your IPv6 prefix to work on the lan side, you can confirm this by going to https://test-ipv6.com.
family option ensures that the zone and all associated entries (
redirect sections) are only added to ip6tables but not iptables.
CAUTION: Adding the following forwarding rule below will expose ALL IPv6 ports behind a v6 host on the LAN, which is potentially very dangerous. Instead, you should selectively define allow IPv6 firewall rules to avoid this. The documentation was previously worded in a way that stated this forwarding rule was needed to allow IPv6 traffic to flow properly. This is not true. You do not need to allow wan6 → lan to everything.
# Only enable this if you know what you're doing and have additional firewall rules blocking access to IPv6 TCP/UDP ports. config forwarding option dest 'lan' option src 'wan6'
Any firewall rules required to open one or more ports would follow the same syntax as the examples above, with the exception of the
src value being
wan6, rather than
Configure a static DHCPv6 lease and add a forwarding rule:
uci add firewall rule uci set firewall.@rule[-1].name="Forward-IPv6" uci set firewall.@rule[-1].src="wan" uci set firewall.@rule[-1].dest="lan" uci set firewall.@rule[-1].dest_ip="::123/-64" uci set firewall.@rule[-1].family="ipv6" uci set firewall.@rule[-1].proto="tcpudp" uci set firewall.@rule[-1].target="ACCEPT" uci commit firewall /etc/init.d/firewall restart
You can confirm the state of your IPv6 firewall using a couple of tools:
These tools will allow you to query one or more ports against an IPv6 address to determine the response. In most cases you should not have open ports, unless these have been explicitly opened via a firewall rule.