Menu
What's new
By:
Filters Better Search

How to open ipv6 firewall to a port on the router?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

John Tetreault

John Tetreault

Occasional Visitor
My isp provides native ipv6 support and it's enabled. Ipv6 works as it should.

So let's say I run a web server, and I want to expose it via ipv6... That works, I put in my web servers ipv6 address and the port in the ipv6 firewall rules, and traffic is allowed through to that server... Perfect.

But here's the problem. What if I want to expose a port to a service I'm running ON THE ROUTER? For example... I want to contribute to the ntppool as a server.. I'm running chrony on the router through Entware and it is listening on my routers IPv6 address (ntpMerlin) so I want to allow traffic on port 123 to go to the router's ipv6 address of 2600:4041:3034:e500::1 (not my real address). If I put that forwarding rule in the IPv6 firewall, the traffic still isn't allowed through.... So it just refuses to open any port to the router's ipv6 address... But it happily opens ports to any other ipv6 address on my network.

Is there some trick to getting this to happen, or is it simply not possible?

I was thinking, perhaps if I could assign a 2nd ipv6 address to the br0 interface, I could forward to that address maybe and that might work, but I don't know how I can get br0 to pull a 2nd slaac address.
 
John Tetreault said:
My isp provides native ipv6 support and it's enabled. Ipv6 works as it should.

So let's say I run a web server, and I want to expose it via ipv6... That works, I put in my web servers ipv6 address and the port in the ipv6 firewall rules, and traffic is allowed through to that server... Perfect.

But here's the problem. What if I want to expose a port to a service I'm running ON THE ROUTER? For example... I want to contribute to the ntppool as a server.. I'm running chrony on the router through Entware and it is listening on my routers IPv6 address (ntpMerlin) so I want to allow traffic on port 123 to go to the router's ipv6 address of 2600:4041:3034:e500::1 (not my real address). If I put that forwarding rule in the IPv6 firewall, the traffic still isn't allowed through.... So it just refuses to open any port to the router's ipv6 address... But it happily opens ports to any other ipv6 address on my network.

Is there some trick to getting this to happen, or is it simply not possible?

I was thinking, perhaps if I could assign a 2nd ipv6 address to the br0 interface, I could forward to that address maybe and that might work, but I don't know how I can get br0 to pull a 2nd slaac address.
Click to expand...
So, after much digging, I found the answer to my question.

Seems you CAN'T open a port to the router's IPv6 address from the IPv6 firewall in the web UI. I expect this may have something to do with the fact that rules added there are added to the FORWARD chain in ip6tables, and when its the router's own IP address it simply ignores them (ip6tables -L doesn't show the rule at all, even though it appears on the web UI if its to the router's own ipv6 address)

However, I found I could open a port by adding a line to /jffs/scripts/firewall-start to open the ports in the INPUT chain.

#Open port for ipv6 Tor relay
ip6tables -I INPUT -p tcp --dport 9001 -s ::/0 -d 2600:4041:3034:e500::1/128 -j ACCEPT
#open port for ipv6 ntp server
ip6tables -I INPUT -p udp --dport 123 -s ::/0 -d 2600:4041:3034:e500::1/128 -j ACCEPT
 
John Tetreault said:
I want to contribute to the ntppool as a server
Click to expand...
Is that a good idea when your router doesn’t have a reliable clock (i.e. no battery backup, resets to 2018 during a reboot, etc.)?
 
dave14305 said:
Is that a good idea when your router doesn’t have a reliable clock (i.e. no battery backup, resets to 2018 during a reboot, etc.)?
Click to expand...
sure.... when you've got a USB gps plugged into it.... Chrony gets its time reference from the GPS, so by the time the router is actually responding to any ntp pool requests its got a stratum 1 time source.
 
dave14305 said:
Is that a good idea when your router doesn’t have a reliable clock (i.e. no battery backup, resets to 2018 during a reboot, etc.)?
Click to expand...

Not a problem if one has a reliable upstream NTP pool - one just drops a level down on the stratum...
 
Hi, bro. I have the same issue. How can I open a specific port on the router? For example, I'm running Nginx on my router, listening on IPv6 at port 8888. How do I add iptables rules for this? Thank you in advanced.
 
viwrtuser said:
Hi, bro. I have the same issue. How can I open a specific port on the router? For example, I'm running Nginx on my router, listening on IPv6 at port 8888. How do I add iptables rules for this? Thank you in advanced.
Click to expand...
See post #2.
 
You must log in or register to reply here.

Similar threads

M
wan dhcpv6 blocked by firewall
Replies
2
Views
755
M4tt
M
V
IPv6 Passthrough failure on USB WAN
Replies
4
Views
1K
Analog-1
A
B
IPv6 and NextDNS Configuration Assistance Request
Replies
19
Views
890
easyriider
easyriider
icanfly
custom domains report NXDOMAIN for IPv6 DNS and fail to resolve in Alpine OS
Replies
2
Views
1K
sfx2000
sfx2000
Yota
How to enable port randomization in Asuswrt-Merlin?
Replies
4
Views
360
Yota
Yota
Similar threads
Thread starter Title Forum Replies Date
A Open NAT game profiles Asuswrt-Merlin 8
D Nord Open VPN client connected but not secure? Asuswrt-Merlin 1
J Max number of open NAT connections on GT-AXE16000 and GT-BE98 Asuswrt-Merlin 9
R ASUS RT-AX86 Open VPN No LAN Access Asuswrt-Merlin 18
T Open ports on WAN for service running on the router Asuswrt-Merlin 8
S Open ports query on AX88U Asuswrt-Merlin 6
zquestz Dual WAN IPv6 Asuswrt-Merlin 2
N IPv6 6RD tunnel block/allow by mac/IP Asuswrt-Merlin 3
S How to obtain and change the IPv6 prefix Asuswrt-Merlin 3
J IPv6 WAN Prefix Length Setting in WebGUI (3004.388.8_2)? Asuswrt-Merlin 14

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 597 (members: 17, guests: 580)
Top