[TriLUG] OpenWRT, IPv6 and Firewall

Brian McCullough bdmc at buadh-brath.com
Sun Feb 2 20:57:35 EST 2014


On Sun, Feb 02, 2014 at 08:10:13PM -0500, Igor Partola wrote:
> Brian,
> 
> I was thinking of luci-proto-6x4. You would also need the following:`6in4
> ip6tables kmod-ip6tables kmod-ipv6`.
> 
> The firewall rules I have (all defined in the GUI, but as listed in
> /etc/config/firewall) are:
> 
> # Allow pinging over IPv6 of any host on the LAN
> config rule
>         option target 'ACCEPT'
>         option src '*'
>         option dst '*'
>         option name 'Allow-Ping6'
>         option family 'ipv6'
>         option proto 'icmp'
>         list icmp_type 'echo-request'

OK, I see, Igor.

Yes, I have all of that, with appropriate variations, with a later
comment, already.

However, the section that I need has to do with port forwarding, and
looks something like:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '25'
        option dest_ip '192.168.1.133'
        option dest_port '25'
        option name 'Mail'


Unfortunately, both according to the documentation and error messages
when I try it, this does NOT work for IPv6, so I need to do it with
"manual" ip6tables commands, I guess.

I could probably copy the iptables rules and make appropriate address
changes, but the generated rules have explicit Source addresses.

Several rules are generated from the above paragraph. They look like:

-A nat_reflection_in -s 192.168.0.0/24 -d <public wan addr>/32 -p tcp -m tcp --dport 25 -m comment --comment "wan" -j DNAT --to-destination 192.168.1.133:25

-A zone_wan_prerouting -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.133:25


There are similar rules for udp.

If I was writing the first rule, in a different environment, I might
have used "-i eth0 " instead of the addresses.


> As for the networking setup in /etc/config/network, here's what I had:
> 
> # Added this at the end of `config interface 'lan'`:
> 
>         option ip6addr '2001:470:xxxx:xxxx::1/64' # first address in the
> routed subnet from Tunnel Broker

Don't have this, I'll add it.


> # Added this at the end (once again defined via the web GUI):
> 
> config interface 'henet'
>         option proto '6in4'
>         option peeraddr '209.51.161.14'
>         option ip6addr '2001:470:xxxx:xxxx::2'
>         option tunnelid 'SECRET'
>         option username 'SECRET'
>         option password 'BIG SECRET'
>         option ttl '64'
>         option mtu '1480'

I have the same, from tunnelbroker.


> My radvd config in /etc/config/radvd looks like this:

Thank you.  I didn't have that.  I had written /etc/radvd.conf.


> Hope that helps. I really should either figure out how to update the
> OpenWRT Wiki or just write a blog post about this since questions about
> OpenWRT + TunnelBroker keep coming up.

Thank you for the pieces that I was missing.


Brian
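An added example, not from either poster: with a routed /64 from the tunnel broker the LAN host already has a globally reachable address, so the IPv6 counterpart of the DNAT 'Mail' redirect above is not a redirect at all but a plain wan-to-lan forwarding rule in /etc/config/firewall. The host address is a constructed placeholder in the masked prefix used in the thread.

```uci
# /etc/config/firewall -- constructed IPv6 equivalent of the 'Mail' redirect.
# fw3 does not do IPv6 DNAT, and with a routed prefix none is needed: the
# inbound path only has to be opened in the forward direction.
config rule
        option name 'Allow-Mail6'
        option family 'ipv6'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        # global address of the mail host (placeholder in the thread's
        # 2001:470:xxxx:xxxx::/64 prefix); give the host a static address
        # or a fixed EUI-64 so this does not drift
        option dest_ip '2001:470:xxxx:xxxx::133'
        option dest_port '25'
        option target 'ACCEPT'

# Note: the rule only matches traffic arriving on the 'wan' zone, so the
# 6in4 interface ('henet' in the quoted network config) must be listed as a
# network of that zone; otherwise the tunnel traffic never reaches the rule.
```

Unlike the IPv4 redirect, the reply path needs no companion rule: established and related flows are accepted by the zone's default forward handling, and the rule applies only to the listed address and port rather than the whole subnet.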



