By default, the OpenWRT firewall drops unsolicited inbound IPv6 connections arriving on the WAN, whether they are addressed to the router itself or to a host on the LAN; outbound IPv6 from the LAN is already permitted. This article walks through adding a traffic rule that lets selected inbound IPv6 traffic through, together with the checks to run before and after so that the rule does not open more than intended.
Testing
First, make sure your ISP is not blocking IPv6 to your connection. The check is simple: the default OpenWRT firewall ships with Allow-ICMPv6-Input and Allow-ICMPv6-Forward rules that accept ICMPv6 echo requests from the WAN, so obtain your public IPv6 address and ping it from an external host that has IPv6 connectivity. If the ping succeeds, there is no hard block at the ISP level. If it fails, look for restrictions on the optical modem (ONT) or at the ISP before doing anything else. Note that a LAN host's own firewall may drop echo requests even though the router forwards them, so ping the router's address first to rule that out.
If you simply run `ifconfig` on the local machine to look at its IPv6 addresses, you will see several of them (link-local, temporary and stable ones) and it is hard to tell which is the globally routable address the outside world sees. It is easier to ask an external API such as ip.sb, which returns the address your traffic actually arrives from.
Environment
- OpenWRT: OpenWrt 21.02-SNAPSHOT r15812+879-46b6ee7ffc / LuCI openwrt-21.02 branch git-22.245.77575-63bfee6
- Router: GL-MT3000
Can it Ping?
After obtaining your IPv6 address from ip.sb, ping it from an external host that supports IPv6. If the ping succeeds, proceed to the next step. As noted above, the default OpenWRT rules accept ICMPv6 echo requests, so a ping is a valid connectivity check. If it fails at this stage, the problem is upstream of the firewall and there is usually no point in going further.
Can it communicate?
Create a temporary rule to check whether traffic actually gets through. Open OpenWRT – Network – Firewall – Traffic Rules, scroll down, and add a rule with:
- Name: anything you like, but remember it, because you will delete this rule afterwards
- Protocol: `TCP`, `UDP` and `ICMP`
- Source zone: the zone that contains the WAN port
- Source address and source port: empty
- Destination zone: "Device (Input)" if you are testing against the router itself; the LAN zone if you are testing a device behind the router (recommended)
- Destination address and destination port: empty
- Action: accept
Leave every other option empty. Be clear about what this rule does: it accepts any TCP, UDP or ICMP packet from the internet to every host in the destination zone, on every port. That is acceptable for a few minutes of testing, but it must not stay in place.
Now start an HTTP service on the target device in that zone. I use Caddy for this because it is convenient. Other articles suggest testing on ports 80, 443 and similar, but I think that is pointless: the well-known ports (53, 80, 443, 8080) are exactly the ones residential ISPs most often block, so a failure there tells you nothing about your firewall. Test on high ports instead.
- Download caddy
- Create a `Caddyfile` (Caddy looks for a file with that name in the working directory), with one site block per port you want to probe:

```caddyfile
:6666 {
    respond "Port-6666-Respond"
}

:7788 {
    respond "Port-7788-Respond"
}
```

- Put the `Caddyfile` next to the caddy binary and start it; `--watch` makes Caddy reload whenever the file changes:

```shell
./caddy run --watch
```

- Edit the `Caddyfile` to add or change the ports you are testing, then run `curl` against each port from outside (remember that an IPv6 literal in a URL must be enclosed in square brackets). A response containing the expected text means the port is reachable.
When you are done, go back to the OpenWRT firewall and delete the temporary rule; change nothing else. Confirm from the outside that the test ports are no longer reachable before moving on.
Setting Up the Firewall
Open OpenWRT – Network – Firewall – Traffic Rules, scroll down, and add a rule:
- General Settings
  - Name: anything you like
  - Protocol: `TCP`, `UDP` and `ICMP`, or only the protocols the service actually needs; leave a protocol unselected if it is not needed
  - Source zone: the zone that contains the WAN port
  - Source address: the external address allowed to connect, if you want to restrict it; otherwise empty
  - Source port: restrict if needed; otherwise empty
  - Destination zone: "Device (Input)" if you are exposing the router itself; the LAN zone if you are exposing a device behind the router (recommended)
  - Destination address: see the explanation in the next section
  - Destination port: the port to be exposed. Do not leave this empty; a rule without a port opens every port on the target
  - Action: accept
- Advanced Settings
  - Restrict to address family ("Limit address type" in some translations of the UI): IPv6
  - Time restrictions: fill in only if the rule should be active during certain hours
Leave every other option empty or at its default, and change nothing else.
Target Related
First, a brief look at the kinds of IPv6 address you will encounter:
- Link-local address: present on every IPv6 interface and valid only on its own link; a router never forwards it. The range is `fe80::/10`. In practice the address is the `fe80::/64` prefix (the 10-bit prefix followed by 54 zero bits) plus a 64-bit interface identifier, which is either derived from the MAC address (EUI-64) or generated randomly.
- Unique local address (ULA): the IPv6 counterpart of the IPv4 private ranges such as 10.0.0.0/8. Reachable inside an organisation, never routed on the public internet. Range: `fc00::/7` (in practice `fd00::/8`).
- Global unicast address (public IP): the equivalent of a public IPv4 address. Allocations are aggregatable blocks, so routing prefixes can be summarised and the global routing table stays within limits. A typical address consists of a 48-bit routing prefix managed by the ISP, a 16-bit subnet ID managed by the site, and a 64-bit interface ID. Within this space, `2002::/16` is the 6to4 range, in which an IPv4 address is embedded in the IPv6 address; `3ffe::/16` was the 6bone test network, retired in 2006, and should not appear today.
Only the third kind matters for the port-opening rule in this article. Global addresses can be further classified by how the host obtains its interface identifier:
- EUI-64 (most recommended): an EUI-64 address has exactly the properties we need: the suffix never changes, and the prefix follows whatever the ISP currently delegates. If the delegated subnet is not a /64, SLAAC does not work as expected. One caveat: an EUI-64 identifier embeds the MAC address and is identical on every network the host joins, which is why operating systems default to randomised or temporary identifiers; enable it only on hosts that genuinely need an inbound rule. For more on EUI-64 see this article (in English). If you are not sure whether an address is EUI-64, compute it from the MAC address with an EUI-64 calculator and compare the result with the suffix of the address that an API such as ip.sb reports.
- Temporary addresses (not recommended): these are the privacy-extension addresses a client generates on its own and rotates regularly; nothing in them is stable, so a rule cannot target them.
- DHCPv6 address with a fixed suffix (recommended): OpenWRT can hand a client a fixed DHCPv6 suffix, which is what you need for every device that should have a port opened. Open Network – DHCP/DNS – Static Address Assignment – Add, then enter the MAC address and the IPv6 suffix; the suffix can be any value. Two caveats: the client must actually use DHCPv6 (Android does not support it and will only configure a SLAAC address), and the lease time should be kept short, otherwise the client may not pick up the change when the DHCPv6 configuration updates.
If the device uses an EUI-64 address or a DHCPv6 address with a fixed suffix, fill in the rule's destination address as the 64-bit suffix alone, written as an address whose prefix part is all zeros (that is, `::` followed by the suffix), and append the mask `/::ffff:ffff:ffff:ffff`. The mask is part of the value and must be included: with it the firewall compares only the host part of the destination address, so the rule keeps working when the ISP hands out a new prefix. If the subnet delegated to the router is not a /64, adjust the mask so that it covers exactly the bits that stay constant.
The same notation works for the source address when you want to restrict which external device may connect, although an external host's suffix is only stable if its administrator has made it so.
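The following shell script is an added example, not code from the original article; it turns the suffix rule above and the EUI-64 comparison from the previous section into something you can run, and prints the `/etc/config/firewall` stanza that corresponds to the LuCI steps in "Setting Up the Firewall". It expands an IPv6 address, extracts its 64-bit host part, checks whether that host part is the EUI-64 of a known MAC address, and emits a rule that matches on the host part only. It assumes a /64 delegated prefix, zones named `wan` and `lan`, and uses a made-up MAC address and addresses from the `2001:db8::/32` documentation range; none of those values come from the article.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: a /64 delegated
# prefix, firewall zones named "wan" and "lan", POSIX sh + awk + cut (all
# present in BusyBox). The MAC and addresses used in the demo are constructed.

# Expand an IPv6 address to eight zero-padded groups; fails on malformed input.
ipv6_expand() {
    printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    {
        addr = tolower($0); sub(/%.*/, "", addr)   # drop a zone id such as %eth0
        n = 0
        if (index(addr, "::")) {
            split(addr, h, "::")
            nl = split(h[1], l, ":"); nr = split(h[2], r, ":")
            for (i = 1; i <= nl; i++) g[++n] = pad(l[i])
            for (i = 1; i <= 8 - nl - nr; i++) g[++n] = "0000"
            for (i = 1; i <= nr; i++) g[++n] = pad(r[i])
        } else {
            nl = split(addr, l, ":")
            for (i = 1; i <= nl; i++) g[++n] = pad(l[i])
        }
        if (n != 8) exit 1
        out = g[1]; for (i = 2; i <= 8; i++) out = out ":" g[i]
        print out
    }'
}

# Host part (last four groups) of an address, e.g. the one ip.sb reports.
ipv6_suffix() {
    ipv6_expand "$1" | cut -d: -f5-8
}

# EUI-64 interface identifier for a MAC: flip the universal/local bit of the
# first octet and insert ff:fe in the middle (RFC 4291 appendix A).
eui64_iid() {
    printf '%s\n' "$1" | awk '{
        mac = tolower($0); gsub(/[-:]/, "", mac)
        if (length(mac) != 12 || mac ~ /[^0-9a-f]/) exit 1
        hex = "0123456789abcdef"
        first = (index(hex, substr(mac, 1, 1)) - 1) * 16 + index(hex, substr(mac, 2, 1)) - 1
        # XOR with 0x02 without bitwise operators (portable across awk flavours)
        if (int(first / 2) % 2 == 1) first -= 2; else first += 2
        h1 = substr(hex, int(first / 16) + 1, 1); h2 = substr(hex, first % 16 + 1, 1)
        printf "%s%s%s:%sff:fe%s:%s\n", h1, h2, substr(mac, 3, 2), substr(mac, 5, 2), substr(mac, 7, 2), substr(mac, 9, 4)
    }'
}

# True when the address's host part is the EUI-64 derived from the MAC,
# i.e. the host uses a stable SLAAC address the rule can rely on.
suffix_is_eui64() {
    want=$(eui64_iid "$2") || return 1
    [ "$(ipv6_suffix "$1")" = "$want" ]
}

# Destination-address value for the rule: the suffix with an all-zero prefix,
# masked so that only the host part is compared.
firewall_target() {
    suffix=$(ipv6_suffix "$1")
    [ -n "$suffix" ] || return 1
    printf '::%s/::ffff:ffff:ffff:ffff\n' "$suffix"
}

# /etc/config/firewall stanza equivalent to the LuCI steps (TCP only here).
firewall_rule_uci() {
    name=$1; addr=$2; port=$3
    target=$(firewall_target "$addr") || return 1
    cat <<EOF
config rule
    option name '$name'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option family 'ipv6'
    option dest_ip '$target'
    option dest_port '$port'
    option target 'ACCEPT'
EOF
}

# Demo with constructed values: the address ip.sb reported for a LAN host
# and the MAC of that host. The rule is only emitted if the host part is
# really EUI-64, since otherwise it would stop matching at the next rotation.
if suffix_is_eui64 '2001:db8:1234:5678:211:22ff:fe33:4455' '00:11:22:33:44:55'; then
    firewall_rule_uci 'Allow-Caddy-6666' '2001:db8:1234:5678:211:22ff:fe33:4455' 6666
fi
```

Append the printed stanza to `/etc/config/firewall` on the router and reload the firewall; it produces the same rule as the LuCI form above. The check in the demo is the point of the script: if `suffix_is_eui64` fails, the host is using randomised or temporary identifiers and you should fix the client (EUI-64 or a static DHCPv6 suffix) before writing a rule that depends on the suffix.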
Enabling EUI64 Address on Windows
Reference Article: Configuring EUI-64 Based SLAAC IPv6 Address on Windows 11
Open PowerShell as administrator and run `Get-NetIPv6Protocol` to show the current Windows IPv6 configuration. You will see that `RandomizeIdentifiers` and `UseTemporaryAddresses` are both `Enabled` by default, so Windows generates a random stable identifier plus rotating temporary addresses rather than an EUI-64 one. Disable both with `Set-NetIPv6Protocol` (set its `-RandomizeIdentifiers` and `-UseTemporaryAddresses` parameters to `Disabled`). The setting is system-wide, so the MAC-derived identifier will then appear on every network this machine joins.
After changing it, reconnect to the network or reboot, then confirm with an external API that the reported address now ends with the EUI-64 suffix.