
I want to make a web server running on my LAN available to the internet. My router runs OpenWrt 22.03 with firewall4.

With IPv4, I would give the server a stable RFC 1918 address, then enable port forwarding on the router.

With IPv6, as I understand it, I should just give the server its own public IPv6 address, and then configure the router's firewall to allow inbound access to port 443 on that address.

But I don't understand how to specify the destination address when it can change based on the IPv6 prefix assigned by my ISP. I could configure it for the specific address the server has now, but if my ISP assigns me a different prefix, that would make the server inaccessible until I edited the firewall config with the new address.

How can I specify a dynamic destination with OpenWrt firewall4?

3 Answers


According to:

OpenWRT specifically has a special feature called "dynamic prefix forwarding", which allows you to specify just the last N (rather than the first N) bits in a CIDR-like format. Or: specify the destination IP as e.g. "::123/-64" (note the negative 64). (Edit: specifically, as the complement of what "/N" would mask with traditional CIDR. If you have a V6 "/48", that specifies all addresses with these first 48 bits; if you specify "/-48" with dynamic prefix forwarding, it means "any address matching this, ignoring the first 48 bits", i.e. the part that is dynamically assigned by your ISP, and subject to change.)

(Also, this question might be a dupe of the linked superuser question, asked several years earlier.)
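To make the "/-N" notation concrete, here is an added Python example (not from the answer above and not OpenWrt's own code) that implements the suffix-match semantics it describes, contrasts it with ordinary CIDR matching, and renders a firewall rule stanza in the UCI layout used elsewhere on this page. The sample addresses are constructed from the 2001:db8::/32 documentation range; the `dest_ip` option name is the standard firewall rule field.

```python
import ipaddress


def parse_dynamic_spec(spec):
    """Split '::1a2f:1a2b/-64' into (suffix as int, number of leading bits ignored)."""
    addr_s, _, length = spec.partition("/")
    if not length.startswith("-"):
        raise ValueError("dynamic prefix spec needs a negative length, e.g. /-64")
    n = int(length[1:])
    if not 0 <= n <= 128:
        raise ValueError("length must be between 0 and 128")
    return int(ipaddress.IPv6Address(addr_s)), n


def matches_dynamic(address, spec):
    """True if the last (128 - N) bits of address equal those of the spec.
    The first N bits (the ISP-assigned prefix) are ignored: the complement of CIDR."""
    suffix, n = parse_dynamic_spec(spec)
    host_mask = (1 << (128 - n)) - 1
    return int(ipaddress.IPv6Address(address)) & host_mask == suffix & host_mask


def matches_cidr(address, cidr):
    """Ordinary CIDR: the first N bits must match; shown for contrast."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(cidr, strict=False)


def uci_rule(name, dest_ip, dest_port):
    """Render a wan->lan accept rule in UCI syntax with a dynamic-suffix dest_ip."""
    lines = [
        "config rule",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        "\toption dest 'lan'",
        f"\toption dest_ip '{dest_ip}'",
        f"\toption dest_port '{dest_port}'",
        "\toption target 'ACCEPT'",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample addresses: the same server before and after the ISP rotates the /48.
    before = "2001:db8:3c4d:15::1a2f:1a2b"
    after = "2001:db8:ffff:1::1a2f:1a2b"
    spec = "::1a2f:1a2b/-64"
    print(matches_dynamic(before, spec), matches_dynamic(after, spec))  # True True
    print(matches_cidr(after, "2001:db8:3c4d::/48"))  # False: a fixed prefix breaks on rotation
    print(uci_rule("Allow-HTTPS-server", spec, 443))
```

The suffix may be longer than the interface identifier: "::15:0:0:1a2f:1a2b/-48" pins the subnet ID as well, so it matches only while the server stays on subnet 0x15 of whatever /48 the ISP hands out.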


An IPv6 address can change, but there's still a static part of it. The IPv6 address format is like A:B:C:D:E:F:G:H; A:B:C:D comes from your IDC or local IPv6 prefix, and E:F:G:H is static, so you can put this part of the address in OpenWrt's firewall, and its format is like ::E:F:G:H/0. For example, if you had an IPv6 address like 2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b, the static part of it is 0000:0000:1a2f:1a2b, and since the 0000 can be ignored, you can put ::1a2f:1a2b/0 in the firewall as the destination IP.

  • from your IDC -> from your ISP Commented Oct 26, 2022 at 9:57
  • Nowadays, with semantically opaque interface identifiers as the default IID generation method for SLAAC, the generated suffix changes every time your ISP rotates your prefix. It really sucks having to configure for EUI-64 — which is still impossible on Android. Commented Jul 27 at 7:24

I am just allowing the firewall to forward wan -> lan for any device using 443 as the destination port:

config rule
        option name 'Allow-HTTPS'
        option src 'wan'
        option dest 'lan'
        option dest_port '443'
        option target 'ACCEPT'

It works perfectly. I don't see any reason to specify dest_ip.
