fw3 IPv6 Configuration Examples

These examples refer to IPv6 topologies and were pasted from the old wiki. I have not tested or verified correctness.

Port accept for IPv6

To open TCP port 80 so that a local web server at 2001:db8:42::1337 can be reached from the Internet (IPv6 is routed rather than NATed, so the rule matches the host's own global address instead of a port forward on the router):

config rule
        option src       wan
        option proto     tcp
        option dest      lan
        option dest_ip   2001:db8:42::1337
        option dest_port 80
        option family    ipv6
        option target    ACCEPT

To open TCP port 22 (SSH) from the Internet to every IPv6 host in the local network (there is no dest_ip, so the rule matches the whole lan zone):

config rule
        option src       wan
        option proto     tcp
        option dest      lan
        option dest_port 22
        option family    ipv6
        option target    ACCEPT

To open all TCP and UDP ports between 1024 and 65535 from the Internet towards every host in the local IPv6 network. This exposes every listening service in that range on every LAN host; per-host, per-port rules like the first example are the safer choice:

config rule
        option src       wan
        option proto     tcpudp
        option dest      lan
        option dest_port 1024:65535
        option family    ipv6
        option target    ACCEPT

Forwarding IPv6 tunnel traffic

:!: This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.

Unverified information! From my experience, all you need to do is add the interface name of your IPv6 tunnel to the wan zone of your firewall. This worked for me; remove the information below if this is the correct way to proceed. Caveat: the above will only work if the tunnel is bringing IPv6 connectivity to the router itself. If you use the tunnel to route a prefix into your lan as well, you will additionally need to allow inter-zone forwarding from wan to lan (not enabled by default). Creating a separate firewall zone (as described below) is a cleaner solution, though.

IPv6 packets are by default not forwarded from lan to your wan6 interface and vice versa. Make sure to add net.ipv6.conf.all.forwarding=1 to /etc/sysctl.conf to enable it permanently. Assuming your tunnel interface is called henet, add the following sections to /etc/config/firewall to create a new zone wan6, covering henet and allowing forwarding between wan6 and lan in both directions. Note that this zone uses input ACCEPT, which lets any IPv6 host on the Internet reach the router's own services through the tunnel; the default wan zone uses input REJECT with explicit accept rules, and the same is advisable here. Likewise, the wan6-to-lan forwarding section admits all unsolicited inbound traffic to every LAN host; if you only need particular services reachable, omit it and add per-port accept rules like the ones at the top of this page instead.

config zone
        option name    wan6
        option network henet
        option family  ipv6
        # ACCEPT here exposes the router's own services to the whole IPv6 Internet;
        # REJECT plus explicit accept rules is the safer choice
        option input   ACCEPT
        option output  ACCEPT
        option forward REJECT

# Accepting everything from wan6 into lan exposes every LAN host. You can omit this
# section and instead add per-port accept rules like those at the top of this page.
config forwarding
        option src  wan6
        option dest lan

# Needed so that LAN hosts can reach the IPv6 Internet through the tunnel
config forwarding
        option src  lan
        option dest wan6

The family option ensures that the zone and all associated entries (rule, forwarding and redirect sections) are only added to ip6tables but not iptables.
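The exposure that the accept rules at the top of this page and the wan6 zone above create can be spotted mechanically. The following Python script is an added example, not part of the original page and not code from OpenWrt or fw3: it parses UCI firewall syntax and flags the patterns discussed here, namely an Internet-facing zone with input ACCEPT, a forwarding section from such a zone into another zone, and accept rules from wan that cover a broad port range or carry no dest_ip. It assumes that zones named wan and wan6 face the Internet and treats more than 16 ports as broad; the sample configuration is constructed from the fragments on this page.

```python
"""Lint an fw3 /etc/config/firewall for the inbound IPv6 exposure the examples on
this page create.  Added example, not code from OpenWrt or fw3.  Assumptions: zones
named wan/wan6 face the Internet; a rule opening more than 16 ports is "broad"."""
import shlex

# Constructed sample: the rule, zone and forwarding sections from this page, combined.
SAMPLE_CONFIG = """
config rule
        option src wan
        option proto tcp
        option dest lan
        option dest_ip 2001:db8:42::1337
        option dest_port 80
        option family ipv6
        option target ACCEPT
config rule
        option src wan
        option dest lan
        option dest_port 22
        option family ipv6
        option target ACCEPT
config rule
        option src wan
        option proto tcpudp
        option dest lan
        option dest_port 1024:65535
        option family ipv6
        option target ACCEPT
config zone
        option name wan6
        option network henet
        option family ipv6
        option input ACCEPT
        option output ACCEPT
        option forward REJECT
config forwarding
        option dest lan
        option src wan6
config forwarding
        option dest wan6
        option src lan
"""

UNTRUSTED_ZONES = {"wan", "wan6"}  # assumption: these zone names face the Internet
BROAD_PORTS = 16                   # assumption: threshold for a "broad" port range


def parse_uci(text):
    """Parse UCI text into dicts: '.type' is the section type, option keys map to
    strings, list keys map to lists of strings."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append({".type": words[1]})
        elif words[0] == "option" and len(words) >= 3 and sections:
            sections[-1][words[1]] = words[2]
        elif words[0] == "list" and len(words) >= 3 and sections:
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections


def port_count(spec):
    """Ports matched by a dest_port value such as '80', '22 443' or '1024:65535'
    (fw3 also accepts '-' as the range separator)."""
    total = 0
    for item in spec.replace("-", ":").split():
        lo, _, hi = item.partition(":")
        total += int(hi or lo) - int(lo) + 1
    return total


def lint(sections):
    """Return (severity, message) findings about Internet-facing exposure."""
    findings = []
    for s in sections:
        kind = s[".type"]
        if kind == "zone" and s.get("name") in UNTRUSTED_ZONES and s.get("input") == "ACCEPT":
            findings.append(("high", f"zone {s['name']}: input ACCEPT exposes every service "
                                     "on the router itself; use REJECT plus explicit rules"))
        elif kind == "forwarding" and s.get("src") in UNTRUSTED_ZONES \
                and s.get("dest") not in UNTRUSTED_ZONES:
            findings.append(("high", f"forwarding {s['src']}->{s['dest']}: every unsolicited "
                                     f"inbound packet is forwarded into {s['dest']}"))
        elif kind == "rule" and s.get("src") in UNTRUSTED_ZONES \
                and s.get("target") == "ACCEPT" and s.get("dest"):
            label = f"rule {s['src']}->{s['dest']} dest_port {s.get('dest_port', 'any')}"
            if "dest_port" not in s or port_count(s["dest_port"]) > BROAD_PORTS:
                findings.append(("high", f"{label}: broad port range"))
            if "dest_ip" not in s:
                findings.append(("warn", f"{label}: no dest_ip, applies to every host in {s['dest']}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(parse_uci(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it against a live router with lint(parse_uci(open("/etc/config/firewall").read())). On the sample, the first rule (one port to one dest_ip) produces no finding, the SSH rule gets a warning for lacking dest_ip, the 1024:65535 rule is flagged as broad, and the wan6 zone and the wan6-to-lan forwarding are both reported as high.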

docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples.txt · Last modified: 2018/09/16 12:48 by bobafetthotmail