ipv6 firewall blocking port

icsy7687

Occasional Visitor
I moved my nextcloud host (running on port 443) to another VM, set the ipv6 firewall to allow port 443 through to the ipv6 address and it seemed to work fine. I could access it without issue by simply typing:

https://[ipv6address]

And it worked internally and from multiple outside sources (Work and 4g on cell phone). Now it only works internally and I cannot get packets through. I checked http://www.ipv6scanner.com which tells me

"The port is blocked by firewall or other network obstacle"

I know the VM is running fine, and I can access it without issue internally with https://[ipv6address], but anything past the router fails. Any ideas on what I can check? I am just confused because every now and then it seems like it works and I can access my webpage externally.

The IPv6 firewall table is set up as:

Remote IP/CIDR: Blank
Local IP or fixed Interface ID: [public ipv6 address]
Port Range: 443
Protocol: TCP
 
Make sure you open your VM's IPv6 and not your WAN's. IPv6 is routed, not NATed, so you have to configure firewall rules for the specific client device's IP.
 
I appreciate the reply.

IPv6 is working fine on the VM. I can access https://[ipv6ipaddr] just fine internally on my LAN.

Outside the router, port 443 is still being blocked to that IP.
 
You said this setup (this VM and IPv6) was all working fine internally and externally, but then stopped working. What else changed on your network at that time?
 
The firewall will by default allow all outbound traffic and block all inbound traffic at the WAN interface. The fact that it works within your LAN doesn't imply that the firewall is correctly configured.
 
Nothing has changed since adding the port in the ipv6 firewall.

Had to travel out of town this weekend, while in the car, my nextcloud website pulled up fine over 4g. Tried again a couple hours later and no go.

Sure, but shouldn't allowing that port through the IPv6 firewall solve that issue? I understand the basics of IPv6 and NATing vs a firewall. I just fear there is something else at play here.
 
So you are saying that the problem is intermittent, which would suggest that it's not a configuration problem as it would either work or not work all of the time.
 
It does. I just wanted to make sure that you opened the port to the client's IP rather than to your router's IP. With IPv6, the router and every single client will all have different IPs, which means they need their own specific firewall rules. I.e. if the router's WAN interface has 2600:11::1 and your computer has 2600:22::1, then the firewall rule must open the port for 2600:22::1. And you must also ensure it's not their randomized Privacy Extension IP, but the permanent one.
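
An added example, not part of the original thread: a small Python check that reads `ip -6 addr show` output from the host and classifies the address an IPv6 firewall rule points at (router WAN address, temporary Privacy Extension address, or the permanent global one). The sample output, the `2001:db8::/32` documentation addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output from the VM
# (2001:db8::/32 is the documentation prefix, not a real allocation).
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:22:1:8d4e:11a7:3c02:9f61/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:22:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")

def parse_inet6(ip_output):
    """Return [(IPv6Address, scope, set_of_flags)] for each inet6 line."""
    found = []
    for line in ip_output.splitlines():
        m = INET6_RE.match(line)
        if m:
            addr = ipaddress.IPv6Address(m.group(1))
            found.append((addr, m.group(3), set(m.group(4).split())))
    return found

def stable_global_addresses(ip_output):
    """Global addresses that are not temporary (privacy), deprecated or tentative."""
    skip = {"temporary", "deprecated", "tentative"}
    return [a for a, scope, flags in parse_inet6(ip_output)
            if scope == "global" and not flags & skip]

def check_rule_target(rule_ip, ip_output, router_wan_ip=None):
    """Classify the address a firewall rule opens the port for."""
    target = ipaddress.IPv6Address(rule_ip)
    if router_wan_ip and target == ipaddress.IPv6Address(router_wan_ip):
        return "router-wan"        # opens the router itself, not the host
    for addr, scope, flags in parse_inet6(ip_output):
        if addr == target:
            if scope != "global":
                return "not-global"    # link-local is not reachable from WAN
            return "temporary" if "temporary" in flags else "ok"
    return "not-on-host"           # rule points at an address the host lacks
```

A rule classified as `temporary` will work until the host rotates its privacy address, so the rule target should be one of the addresses returned by `stable_global_addresses`.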
 
Yeah, IPv6 address of the nextcloud machine is part of my pool from my isp. Port is added to the IPv6 firewall table in the router.

For the record, I have other rules that seem to be working. ip6tables -L in the router seems to show the correct rules.

Currently the website is working externally (tested on cell phones 4g).

Website works using https://[IPv6 address] 100% of the time internally. Just can't figure out what's going on. Thanks for the quick replies

*EDIT*
This must be an issue with my docker configuration or something. I will just go back to normal VMs which seem to be working fine now. Sorry for all the back and forth. I'll poke at it more when I have some time.
 
Hi Merlin,
I'm running 380.67_0 and I ran a Shields-up scan on my WAN/LAN. It shows my port 443 is not stealthed (bad, according to them). I do have my OpenVPN running on port 443 (to bypass blocked port 1159 wifi hot spots).

Is there a risk with 443 being open? If I left it at the default of port 1159, would that be any less dangerous if left open?

Thanks
 
You might want to make your own thread.

But the port is showing up as open because openvpn is listening on that port. As you said this would probably be the same on 1159, or whichever port. A "port" is just a number in a packet.

If you are running a service on a port, it is normal for it to report as "open".
 
Ok, thanks. Will start new thread.
 