
fw3 IPv6 configuration examples

These examples refer to IPv6 topologies and were pasted from the old wiki.
I have not tested or verified correctness.

Port accept for IPv6

To open port 80 so that a local webserver at 2001:db8:42::1337 can be reached from the Internet:

config	rule
	option	src		'wan'
	option	proto		'tcp'
	option	dest		'lan'
	option	dest_ip		'2001:db8:42::1337'
	option	dest_port	'80'
	option	family		'ipv6'
	option	target		'ACCEPT'

To open SSH access to all IPv6 hosts in the local network:

config	rule
	option	src		'wan'
	option	proto		'tcp'
	option	dest		'lan'
	option	dest_port	'22'
	option	family		'ipv6'
	option	target		'ACCEPT'

To open all TCP/UDP ports between 1024 and 65535 towards the local IPv6 network:

config	rule
	option	src		'wan'
	option	proto		'tcpudp'
	option	dest		'lan'
	option	dest_port	'1024:65535'
	option	family		'ipv6'
	option	target		'ACCEPT'

Forwarding IPv6 tunnel traffic

Note: This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.

FIXME Unverified Information! From my experience all you need to do is just add the interface name of your ipv6 tunnel to the wan zone of your firewall. This worked for me: remove the information below if this is the correct way to proceed. Caveat: The above will only work if the tunnel is bringing IPv6 connectivity to the router itself. If you use the tunnel to route a prefix into your lan as well, you will additionally need to allow Inter-Zone Forwarding from wan to lan (not enabled by default). Creating a separate firewall zone (as described below) is a cleaner solution, though.

IPv6 packets are by default not forwarded from lan to your wan6 interface and vice versa. Make sure to add net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf to enable it permanently. Assuming your tunnel interface is called wan6, add the following sections to /etc/config/firewall to create a new zone wan6, covering wan6 and allowing forwarding between wan6 and lan in both directions:

config	zone
	option	name		'wan6'
	option	network		'wan6'
	option	family		'ipv6'
	option	input		'ACCEPT'
	option	output		'ACCEPT'
	option	forward		'REJECT'
 
config	forwarding
	option	dest		'lan'
	option	src		'wan6'
 
# You don't need the section below, as you can add a firewall rule to open only the ports that you need
config	forwarding
	option	dest		'wan6'
	option	src		'lan'

The family option ensures that the zone and all associated entries (rule, forwarding and redirect sections) are only added to ip6tables but not iptables.

Dynamic prefix forwarding

Configure a static DHCPv6 lease and add a forwarding rule:

uci add firewall rule
uci set firewall.@rule[-1].name="Forward-IPv6"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="::123/::ffff:ffff:ffff:ffff"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcpudp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
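The dest_ip value above uses a mask written as an IPv6 address rather than a prefix length: ::ffff:ffff:ffff:ffff compares only the low 64 bits, so the rule admits the interface identifier ::123 under any prefix, including a link-local one, which is what makes it survive a prefix change. The Python below is an added illustration of that matching, not fw3's or ip6tables' own code; it assumes the usual masked comparison (address AND mask on both sides) for both the address-mask form and the prefix-length form used by the fixed dest_ip examples earlier on this page.

```python
import ipaddress

def parse_rule(rule: str):
    """Split an fw3-style 'addr/mask' into (addr_bits, mask_bits).
    The mask may be a prefix length ('/64') or an IPv6 address
    ('/::ffff:ffff:ffff:ffff'); a bare address means a full 128-bit mask."""
    if "/" not in rule:
        return int(ipaddress.IPv6Address(rule)), (1 << 128) - 1
    ip_part, mask_part = rule.split("/", 1)
    ip_bits = int(ipaddress.IPv6Address(ip_part))
    if mask_part.isdigit():
        plen = int(mask_part)
        if not 0 <= plen <= 128:
            raise ValueError(f"bad prefix length: {mask_part}")
        mask_bits = ((1 << 128) - 1) ^ ((1 << (128 - plen)) - 1)
    else:
        mask_bits = int(ipaddress.IPv6Address(mask_part))
    return ip_bits, mask_bits

def rule_matches(rule: str, addr: str) -> bool:
    """True if addr matches rule: only the bits set in the mask are compared."""
    ip_bits, mask_bits = parse_rule(rule)
    return (int(ipaddress.IPv6Address(addr)) & mask_bits) == (ip_bits & mask_bits)

def matching_hosts(rule: str, addrs):
    """Return the subset of addrs that the rule would accept, in input order."""
    return [a for a in addrs if rule_matches(rule, a)]

if __name__ == "__main__":
    # Constructed sample addresses: the delegated prefix is assumed to have
    # changed from 2001:db8:42::/64 to 2001:db8:1234:5678::/64.
    sample = [
        "2001:db8:42::123",           # old prefix, interface id ::123
        "2001:db8:1234:5678::123",    # new prefix, same interface id
        "fe80::123",                  # link-local with the same interface id
        "2001:db8:42::1337",          # the web server from the first example
        "2001:db8:42:0:1::123",       # low 64 bits differ (0:1::123)
    ]
    suffix_rule = "::123/::ffff:ffff:ffff:ffff"
    for a in sample:
        print(f"{suffix_rule:32} {a:28} {rule_matches(suffix_rule, a)}")
```

The output shows that the suffix rule matches the first three addresses and rejects the last two, whereas a prefix-length rule such as 2001:db8:42::/64 would stop matching after the prefix changes.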
docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples.txt · Last modified: 2019/09/22 07:11 by vgaetera