
IPV6 Firewall Allow Ports 80 & 443 Through to NAS


GHammer

I have tried to get this working, but failed to get traffic through to the webserver I run on a local NAS.
This works fine via IPV4, but not via IPV6.

I have DNS set and I see packets being dropped from external sources, so the traffic is at least reaching the router.

Here's a sample of a dropped packet log.
Code:
Aug 17 14:50:27 kernel: DROP IN=eth0 OUT= MAC=2c:fd:a1:a1:e5:f8:f8:b7:e2:04:7c:22:86:dd SRC=2a04:b900:0000:0100:0000:0000:0000:0028 DST=2001:0558:6017:01a4:34a7:8c78:d117:ee12 LEN=80 TC=32 HOPLIMIT=55 FLOWLBL=855469 PROTO=TCP SPT=26370 DPT=443 SEQ=2580151939 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT

I have put the NAS local IP into the IPV6 firewall, but still see the drop.

Where have I gone wrong?
 
Is the dropped destination your NAS's IP or your router's IP?

You can double check the firewall rules with ip6tables:

Code:
ip6tables -L -vn
 

Looks like the router's IP.
Here's the output from ip6tables:

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)

    0     0 ACCEPT     tcp      *      *       ::/0                 2601:19b:4800:2121::/64  state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 2601:19b:4800:2121::/64  state NEW tcp dpt:443
 
Make sure you connect using the NAS's IP, not with the router's IP. Don't forget that IPv6 is not NATed, it's routed.
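
The check asked for above (is the dropped destination the NAS or the router?), as an added example that is not part of any post in this thread. It parses the kernel DROP line and compares its DST with the destination of the FORWARD rules, both copied from the posts; the function names are assumptions of this example.

```python
import ipaddress
import re

# Both values are copied from the posts above.
LOG_LINE = (
    "Aug 17 14:50:27 kernel: DROP IN=eth0 OUT= "
    "MAC=2c:fd:a1:a1:e5:f8:f8:b7:e2:04:7c:22:86:dd "
    "SRC=2a04:b900:0000:0100:0000:0000:0000:0028 "
    "DST=2001:0558:6017:01a4:34a7:8c78:d117:ee12 LEN=80 TC=32 HOPLIMIT=55 "
    "FLOWLBL=855469 PROTO=TCP SPT=26370 DPT=443 SEQ=2580151939 ACK=0 "
    "WINDOW=65535 RES=0x00 SYN URGP=0 OPT"
)
FORWARD_RULE_DST = "2601:19b:4800:2121::/64"

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return the KEY=value fields of a netfilter LOG line (bare flags like SYN are skipped)."""
    return dict(FIELD_RE.findall(line))


def diagnose(line, forward_dst):
    """Compare a dropped packet with the destination of a FORWARD accept rule."""
    fields = parse_drop(line)
    dst = ipaddress.IPv6Address(fields["DST"])
    return {
        "dst": dst.compressed,
        "dport": int(fields["DPT"]),
        # Empty OUT= means the rule that logged the packet had no egress
        # interface: traffic on the INPUT path (addressed to the router),
        # not traffic being forwarded to a LAN host.
        "forwarded": fields.get("OUT", "") != "",
        "dst_in_rule": dst in ipaddress.IPv6Network(forward_dst),
    }


def verdict(result):
    if not result["forwarded"]:
        return "addressed to the router itself; FORWARD rules never see it"
    if not result["dst_in_rule"]:
        return "forwarded, but DST is outside the prefix the rule allows"
    return "matches the FORWARD rule; look for the drop elsewhere"


if __name__ == "__main__":
    r = diagnose(LOG_LINE, FORWARD_RULE_DST)
    print(r, "->", verdict(r))
```

For the logged packet both checks fail, which is consistent with the zero packet counters on the two ACCEPT rules.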
 
The NAS has only a local IP, which is asked for in the firewall config UI.

So, how would traffic from the Internet get to the NAS via IPV6 then? I need an extra static public IP?
 

Your NAS would need its own IPv6, yes. Typically, the ISP will give you one "front" IP for your router, and delegate a whole prefix (generally a /64) to use on all your LAN devices.
 
Thank you, I'll look into this and see if Comcast has provided me a /64.
I read too much into 'Local IP'.
 
No, it looks like a /128

Code:
/128 Scope:Global
 
Someone with Comcast might be better able to help you there. I'd be surprised that they only provided a single /128, since that's not how IPv6 is intended to work.
 
Geesh!
Could I be sillier!?
 
No, I couldn't be sillier!
I had the router in stateless mode. Of course I'm only going to get local...

Disregard this entire thread, except for the caveat 'Double check config when things make no sense'
 
