🛡️OpenWRT IPv6 Firewall Rules: How to Allow Client Address and Port

2024-9-20
Yawatasensei
In a home network with a bypass router architecture, when IPv6 is enabled, traffic will, by default, pass through the main router’s firewall. In an external network environment, if you wish to access services within your home LAN, these requests will be blocked by the firewall by default. Therefore, you need to add allow rules in the main router’s firewall so you can access the home LAN services from outside the local network. Examples of such services include WireGuard, Jellyfin, and Sunshine for remote streaming.
 

📝 Configuration Method

Since OpenWRT’s bypass router does not have a WAN interface, by default, all traffic is exchanged locally through the LAN zone. Generally, there’s no need to configure the firewall separately on the bypass router; you only need to configure it on the main router, which is the only device connected to the external network.
It’s not recommended to disable the IPv6 firewall. Even though IPv6 address and port scanning are difficult, there is still a risk of being scanned. All LAN services may be exposed to the external network, and even if there are no attacks, your ISP might contact you because you're providing publicly accessible services via home broadband.

LUCI Web Interface Configuration

Open the OpenWRT router’s management page and navigate to Network - Firewall - Traffic Rules. Click Add to create a new rule. The rules added in the traffic section will take precedence over the default rules, so there’s no need to worry about conflicts with the router’s default firewall rules. However, be mindful of conflicts with other traffic rules on the same page. You can adjust the priority of firewall rules by dragging and dropping them.
  • Name: Choose a name that clearly identifies the rule, such as Sunshine IPv6.
  • Protocol: Choose the protocol based on your requirements. If unsure, select both TCP and UDP, which cover most applications.
  • Source Zone: Select WAN as the source zone, as this is where the traffic is entering from.
  • Source Address: Leave this blank.
  • Source Port: Leave this blank.
  • Output Zone: Select LAN as the destination zone.
  • Destination Address: Run ip -6 neigh show on the router to find the link-local IPv6 address of the client you want to allow; it starts with fe80::. Drop the fe80:: prefix so that only the 64-bit suffix remains: for example, fe80::65e8:ee2a:10b3:b2d5 becomes ::65e8:ee2a:10b3:b2d5. Then append /::ffff:ffff:ffff:ffff, which masks out the first 64 bits and matches every address ending in ::65e8:ee2a:10b3:b2d5. Enter the full value ::65e8:ee2a:10b3:b2d5/::ffff:ffff:ffff:ffff in the destination address field. Because only the suffix is compared, the rule keeps matching the client even when the prefix delegated by your ISP changes.
  • Destination Port: Enter the specific port you want to allow. You can specify a port range, such as 80-443. Leaving this blank allows all ports, but this poses a significant security risk and is not recommended.
  • Action: Select Accept.
  • In the Advanced Settings, modify the Address Family to IPv6. No further changes are necessary unless you have specific requirements. After saving, you can test external access to the local services. If you see the corresponding rule and counters in OpenWRT’s Status - Firewall section under the forward_wan chain, the rule has been successfully applied.

Using the nftables Command Line

Configuring firewall rules from the nft command line is not recommended for new users; the following is for reference only.
For example, to allow port 80 traffic to the client address ::65e8:ee2a:10b3:b2d5/::ffff:ffff:ffff:ffff, log in to OpenWRT via SSH and enter the following command:
This command adds a rule to the forward chain of the fw4 table that matches the destination address ::65e8:ee2a:10b3:b2d5/::ffff:ffff:ffff:ffff and TCP port 80, and accepts that forwarded traffic coming from the WAN zone.
To allow UDP traffic, use the following command:

🤗 Additional Information

In theory, ::65e8:ee2a:10b3:b2d5/::ffff:ffff:ffff:ffff could be written more compactly as ::/64:65e8:ee2a:10b3:b2d5, meaning that the first 64 bits of the IPv6 address are variable and the last 64 bits are fixed. It must not be written as ::65e8:ee2a:10b3:b2d5/0: a /0 mask has no bits set, so no part of the address is compared and the rule matches the entire 128-bit address space, i.e. every address.
 
About Fixed Suffixes:
In the article IPv6 and Bypass Routers: Balancing Proxy and Native Addressing, I recommend setting the IPv6 suffix to EUI-64 in the advanced settings of the LAN interface on the main router and on the LAN interface of the bypass router. This binds the client’s IPv6 address to its MAC address. As long as the device’s MAC address remains unchanged, the device’s IPv6 address suffix will also remain fixed, making firewall and routing configurations easier.
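To make the suffix matching and EUI-64 points concrete, here is an added example (not from the original post or from OpenWRT's own code) that derives the destination-address value from a fe80:: neighbour entry, performs the masked comparison the rule expresses, shows why a /0 mask matches everything, and computes the EUI-64 suffix a host forms from its MAC. The global addresses and the MAC 00:11:22:33:44:55 are constructed sample values.

```python
import ipaddress

FULL = (1 << 128) - 1
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"  # fixes the last 64 bits, leaves the prefix free

def suffix_rule_from_link_local(link_local: str) -> str:
    """Build the destination-address value from a fe80:: neighbour entry
    (as listed by `ip -6 neigh show`): drop the prefix, keep the 64-bit suffix."""
    addr = ipaddress.IPv6Address(link_local)
    if not addr.is_link_local:
        raise ValueError(f"{link_local} is not a link-local address")
    suffix = int(addr) & 0xFFFF_FFFF_FFFF_FFFF
    return f"{ipaddress.IPv6Address(suffix)}/{SUFFIX_MASK}"

def parse_rule(rule: str):
    """'value/mask', where mask is either a full IPv6 mask or a prefix length."""
    value, mask = rule.split("/")
    if ":" in mask:
        mask_int = int(ipaddress.IPv6Address(mask))
    else:
        bits = int(mask)  # /0 gives an all-zero mask: nothing is compared
        mask_int = FULL ^ ((1 << (128 - bits)) - 1)
    return int(ipaddress.IPv6Address(value)) & mask_int, mask_int

def matches(rule: str, addr: str) -> bool:
    """Masked comparison the rule expresses: (daddr & mask) == (value & mask)."""
    value, mask_int = parse_rule(rule)
    return (int(ipaddress.IPv6Address(addr)) & mask_int) == value

def eui64_suffix(mac: str) -> str:
    """Interface identifier a host forms from its MAC with EUI-64 addressing:
    flip the U/L bit of the first byte and insert ff:fe between the two halves."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return str(ipaddress.IPv6Address(int.from_bytes(iid, "big")))

if __name__ == "__main__":
    rule = suffix_rule_from_link_local("fe80::65e8:ee2a:10b3:b2d5")
    print(rule)  # ::65e8:ee2a:10b3:b2d5/::ffff:ffff:ffff:ffff
    # constructed: the client before and after an ISP prefix change, then another host
    for a in ("2001:db8:1:2:65e8:ee2a:10b3:b2d5",
              "2001:db8:ffff:9:65e8:ee2a:10b3:b2d5", "2001:db8:1:2::1"):
        print(a, matches(rule, a), matches("::65e8:ee2a:10b3:b2d5/0", a))
    print(eui64_suffix("00:11:22:33:44:55"))  # ::211:22ff:fe33:4455
```

The third column printed for every address is True, which is the /0 pitfall: such a rule accepts traffic to any host on the LAN, not just the intended client.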
