How to open ipv6 firewall to a port on the router?

John Tetreault

Occasional Visitor
My isp provides native ipv6 support and it's enabled. Ipv6 works as it should.

So let's say I run a web server, and I want to expose it via ipv6... That works, I put in my web servers ipv6 address and the port in the ipv6 firewall rules, and traffic is allowed through to that server... Perfect.

But here's the problem. What if I want to expose a port to a service I'm running ON THE ROUTER? For example... I want to contribute to the ntppool as a server.. I'm running chrony on the router through Entware and it is listening on my routers IPv6 address (ntpMerlin) so I want to allow traffic on port 123 to go to the router's ipv6 address of 2600:4041:3034:e500::1 (not my real address). If I put that forwarding rule in the IPv6 firewall, the traffic still isn't allowed through.... So it just refuses to open any port to the router's ipv6 address... But it happily opens ports to any other ipv6 address on my network.

Is there some trick to getting this to happen, or is it simply not possible?

I was thinking, perhaps if I could assign a 2nd ipv6 address to the br0 interface, I could forward to that address maybe and that might work, but I don't know how I can get br0 to pull a 2nd slaac address.
So, after much digging, I found the answer to my question.

Seems you CAN'T open a port to the router's IPv6 address from the IPv6 firewall in the web UI. I expect this may have something to do with the fact that rules added there are added to the FORWARD chain in ip6tables, and when it's the router's own IP address it simply ignores them (ip6tables -L doesn't show the rule at all, even though it appears on the web UI if it's to the router's own ipv6 address).

However, I found I could open a port by adding a line to /jffs/scripts/firewall-start to open the ports in the INPUT chain.

#Open port for ipv6 Tor relay
ip6tables -I INPUT -p tcp --dport 9001 -s ::/0 -d 2600:4041:3034:e500::1/128 -j ACCEPT
#open port for ipv6 ntp server
ip6tables -I INPUT -p udp --dport 123 -s ::/0 -d 2600:4041:3034:e500::1/128 -j ACCEPT
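The same approach as a complete firewall-start hook, added here as an example and not the poster's own script. It assumes ip6tables supports the -C (check) flag, keeps the thread's placeholder address, and guards against the duplicate rules that a bare -I would stack up each time Asuswrt-Merlin re-runs firewall-start on a firewall restart.

```shell
#!/bin/sh
# Added example of a /jffs/scripts/firewall-start that opens INPUT-chain ports
# for services bound to the router's own IPv6 address. Not the thread's script;
# it assumes ip6tables supports "-C" and reuses the constructed address from
# the thread. firewall-start is re-run on every firewall restart, so each
# rule is checked before it is inserted.

IP6T="${IP6T:-ip6tables}"   # overridable so the logic can be exercised without root

# The router's own global IPv6 address (placeholder value from the thread)
ROUTER_IP6="2600:4041:3034:e500::1"

# Build the rule body: protocol, port, and the router's /128 as destination.
# Pinning -d to this one address keeps the opening from applying to the
# router's other addresses (link-local, ULA, the WAN address).
rule_spec() {
    # $1 = protocol (tcp|udp), $2 = destination port
    echo "INPUT -p $1 --dport $2 -d ${ROUTER_IP6}/128 -j ACCEPT"
}

# Insert the rule at the top of INPUT (-I, as in the thread, so it is evaluated
# before the stock DROP rules), but only if an identical rule is not already
# present; a bare "-I" would add a duplicate on every firewall restart.
ensure_input_rule() {
    spec=$(rule_spec "$1" "$2")
    # $spec is deliberately unquoted so it word-splits into ip6tables arguments
    if $IP6T -C $spec 2>/dev/null; then
        echo "already present: $spec"
        return 0
    fi
    $IP6T -I $spec && echo "added: $spec"
}

# Only touch the live firewall when installed as the firewall-start hook.
case "$0" in
    */firewall-start)
        ensure_input_rule udp 123    # NTP served by chrony on the router
        ensure_input_rule tcp 9001   # Tor relay ORPort
        ;;
esac
```

Install it as /jffs/scripts/firewall-start (executable, with JFFS custom scripts enabled) and confirm with `ip6tables -L INPUT -n --line-numbers` that each rule appears exactly once after a firewall restart.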
 
I want to contribute to the ntppool as a server
Is that a good idea when your router doesn’t have a reliable clock (i.e. no battery backup, resets to 2018 during a reboot, etc.)?
 
Is that a good idea when your router doesn’t have a reliable clock (i.e. no battery backup, resets to 2018 during a reboot, etc.)?
sure.... when you've got a USB gps plugged into it.... Chrony gets its time reference from the GPS, so by the time the router is actually responding to any ntp pool requests it's got a stratum 1 time source.
 
Is that a good idea when your router doesn’t have a reliable clock (i.e. no battery backup, resets to 2018 during a reboot, etc.)?

Not a problem if one has a reliable upstream NTP pool - one just drops a level down on the stratum...