Hi All,
Thanks for the Asus-Merlin firmware - I've found it really useful.
I've been using IPv6 to connect two locations together - both sides use an AC68U with the Asus-Merlin firmware. The one site is only reachable via IPv6, so I've been seeing how to make everything work that way. I've noticed that IPv6 doesn't seem to be considered by the UI when allowing services. Specifically, the option to "Allow SSH access from WAN" doesn't open the IPv6 firewall for the selected port. Similarly, when starting the OpenVPN client, the port used is blocked by the default IPv6 firewall rules. So the outgoing packets work, but the rules prevent the packets coming back from being delivered.
I've added these commands to the "firewall-start" script:
ip6tables -I INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -I INPUT -p udp --sport 1194 -j ACCEPT
Which fixes my problem, kind of.
Would it be possible for the UI to make these rules automatically, as appropriate for the enabled services? It seems something is already happening to open the ports on the IPv4 firewall. It only makes sense to do the same for the IPv6 firewall.
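
Added example, not part of the original post: a variant of the two firewall-start rules that is idempotent across firewall restarts, limited to the WAN interface, and accepts the OpenVPN traffic only as replies to a flow the router itself started. The function names, the use of $1 as the WAN interface name, and the availability of "ip6tables -C" and the conntrack match on the router's build are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: saved as the firewall-start user script and called with the
# WAN interface name as $1. Ports 22 and 1194 are the ones used in the post.
IP6T="${IP6T:-ip6tables}"   # overridable so the logic can be dry-run

# Insert a rule at the top of INPUT only if an identical rule is not
# already there, so repeated firewall restarts do not stack duplicates.
ensure_rule() {
    $IP6T -C INPUT "$@" 2>/dev/null || $IP6T -I INPUT "$@"
}

# Reject anything that is not a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

open_ipv6_services() {
    wan_if="$1"; ssh_port="$2"; vpn_port="$3"
    [ -n "$wan_if" ] || return 1
    valid_port "$ssh_port" && valid_port "$vpn_port" || return 1
    # Inbound SSH: connections to the SSH port arriving on the WAN side only.
    ensure_rule -i "$wan_if" -p tcp --dport "$ssh_port" -j ACCEPT
    # OpenVPN client: accept only packets conntrack ties to an existing
    # flow, not every UDP packet that carries source port 1194.
    ensure_rule -i "$wan_if" -p udp --sport "$vpn_port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Run only when an interface name was passed in.
if [ -n "${1:-}" ]; then
    open_ipv6_services "$1" 22 1194
fi
```

A rule that matches on "--sport 1194" alone admits any UDP packet sent from that source port to any port on the router; the state match narrows it to return traffic.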