2

First of all, I have a domain with dns configured to point to my device global address witch is set to static with my ISP gloabl prefix as xxxx:xxxx:xxxx:de01::3/64 in dhcpcd.conf.

I'm using Openwrt router as my main router plugged in my ISP ONT. I have internet connection in IPv4 and IPv6 working: I can ping or ping6 to internet. From OpenWRT, my ISP give me a Prefix Delegated xxxx:xxxx:xxxx:de00/56.

When I replace the OpenWRT router by my ISP router, my ISP (or itself, I don't know) give to it the address xxxx:xxxx:xxxx:de01::1/64.

With the ISP router my server is reachable at address xxxx:xxxx:xxxx:de01::3 from the internet (my mobile phone in 4G) when I allow trafic from the firewall, but since I see /56 prefix from my ISP, I'm a little bit confused.

I try to put IPv6 assignment length to 64 and IPv6 assignment hint to 1 on lan interface, and now my OpenWRT router has the same address that my ISP give to the original router (xxxx:xxxx:xxxx:de01::1/64 on LAN1). So I try to configure a Trafic rule from WAN 443 to LAN xxxx:xxxx:xxxx:de01::3 443 on the Firewall, but my server stay unreachable from my mobile phone.

I'm probably missing something because I'm new to IPv6, and can't understand what's happening since I test a lot of configuration without to acheive what I want.

I someone can't help me to understand deeply what's going on?

This is my config (OpenWRT 19.07):

network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:71fe:ea0f::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ifname 'lan1'
        option ip6class 'wan6'
        option ip6assign '64'
        option ip6hint '1'

config interface 'wan'
        option ifname 'lan0'
        option proto 'dhcp'
        option vendorid 'neufbox_NB6V-MAIN-bypassed'

config interface 'wan6'
        option ifname 'lan0'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'

firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
       option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'server_80'
        list proto 'tcp'
        option src 'wan'
        option src_port '80'
        option dest 'lan'
        option dest_port '80'
        option target 'ACCEPT'
        list dest_ip 'xxxx:xxxx:xxxx:de01::3'
        option family 'ipv6'

config rule
        option name 'Server_443'
        list proto 'tcp'
        option src 'wan'
        option src_port '443'
        option dest 'lan'
        option dest_port '443'
        option target 'ACCEPT'
        list dest_ip 'xxxx:xxxx:xxxx:de01::3'
        option family 'ipv6'
JB_DELR
  • 121
  • 2
  • The firewall rules look OK. Can you access IPv6 sites from this server? – Michael Hampton Jan 03 '21 at 19:06
  • Also, if the ISP is giving you a `/56`, you should set up IPv6 Prefix Delegation to break it into `/64` networks for use in your network. That will give you 256 `/64` networks. – Ron Maupin Jan 03 '21 at 20:59
  • @MichaelHampton thanks for your awnser. I see I have to forward Wan to Lan, it works but this way it's opening the firewall to all my IPv6 local device with Global address, so I try to restrict all trafic in traffic rules and then open 443 to my global ipv6 device. But unfortunatly all traffic from wan to my device stay blocked. – JB_DELR Jan 04 '21 at 09:58
  • 1
    Could you plese edit your question? It is hard to decode the setup when all ip-adresses is substituted with x'es. Use the subnet range `2001:db8::/32` instead. That range is dedicated to documentation like proof of concept. – Lasse Michael Mølgaard Dec 28 '21 at 15:44

1 Answers1

0

So, I make it work by adding custom rules in firewall.user. To open a specific port on specific Lan device with Global IPv6 I do:

ip6tables -t filter -I FORWARD 1 -p tcp --dport 443 -d xxxx:xxxx:xxxx:de01::3 -j ACCEPT
JB_DELR
  • 121
  • 2