IPv6 firewall


Question

Posted

I have full IPv6 connectivity from my ISP. I also have the

ipv6 firewall

command enabled as default, because otherwise my whole network would be exposed.

I'm trying to allow connections to some of the IPv6 addresses. For example, let's say I want to host a web server on one of my devices. As I understand, at the moment I have to use the command:

ipv6 static tcp <WAN interface> <device MAC> 80

This way, I can reach my web server from outside on its IPv6 address because I think that every TCP connection on port 80 on my prefix will be forwarded to the device, but at layer 2 level.

But what if the device has two IPv6 addresses?

Or, what if I want to host two web servers on the different devices? How can I allow connections to port 80 for two IPv6 addresses?

Why isn't an IP-based firewall available for IPv6, like for IPv4?

12 answers to this question

Recommended Posts

  • 0
Posted

Any recognised IPv6 address on the device will be forwarded; that's the reason to use a MAC in the command instead of an explicit IPv6 address. By the way, IPv6 privacy extensions can be enabled on the device, so the effective IPv6 address will change randomly every 3/6/12 hours. The router tracks the current set of available IPv6 addresses for every host and updates the translation table automatically.

Forwarding will be performed at L3, so there is no reason to worry about possible L2 leaks.

  • 0
Posted
2 hours ago, fl4co said:

Why isn't an IP-based firewall available for IPv6, like for IPv4?

This is overcomplicated for an ordinary home user. We are for an "automatic" user-friendly approach.

  • 0
Posted (edited)
15 minutes ago, Le ecureuil said:

Any recognised IPv6 address on the device will be forwarded; that's the reason to use a MAC in the command instead of an explicit IPv6 address. By the way, IPv6 privacy extensions can be enabled on the device, so the effective IPv6 address will change randomly every 3/6/12 hours. The router tracks the current set of available IPv6 addresses for every host and updates the translation table automatically.

Forwarding will be performed at L3, so there is no reason to worry about possible L2 leaks.

I'm aware of the privacy extensions, but I think anyone hosting a service will set a static address; there's no shortage of those in IPv6 anyway 😃

7 minutes ago, admin said:

This is overcomplicated for an ordinary home user. We are for an "automatic" user-friendly approach.

I can see that, but why not allow this kind of configuration at least on the CLI? It's already available for IPv4 with the "access-list" commands, where one can input IP addresses. One of the main points of IPv6 is having multiple public IP addresses. Currently on Keenetic routers it's not possible to accept multiple connections on the same port for different IPv6 addresses.

Edited by fl4co
  • 0
Posted
17 minutes ago, fl4co said:

I can see that, but why not allow this kind of configuration at least on the CLI? It's already available for IPv4 with the "access-list" commands, where one can input IP addresses. One of the main points of IPv6 is having multiple public IP addresses. Currently on Keenetic routers it's not possible to accept multiple connections on the same port for different IPv6 addresses.

Did you try to connect to all IPv6 addresses on the host from the Internet? As far as I know the port is forwarded for all addresses, so multiple connections are well supported.

  • 0
Posted (edited)
29 minutes ago, Le ecureuil said:

Did you try to connect to all IPv6 addresses on the host from the Internet? As far as I know the port is forwarded for all addresses, so multiple connections are well supported.

Yes, I tried and it works, but:

  • If I have 1 device with 2 IP addresses, I can't host different services on different addresses but the same port;
  • Even worse, I can't host 2 services on 2 different addresses on DIFFERENT hosts. For example, if I wanted to host 2 web servers on 2 different computers, on port 80, I couldn't, because the router will forward every connection on port 80 to a single MAC address. So I'm forced to host web servers on one host for the entire network. This is just an example but applies to every kind of service, for example an IP cam.
Edited by fl4co
  • 0
Posted
7 minutes ago, fl4co said:

Yes, I tried and it works, but:

  • If I have 1 device with 2 IP addresses, I can't host different services on different addresses but the same port;
  • Even worse, I can't host 2 services on 2 different addresses on DIFFERENT hosts. For example, if I wanted to host 2 web servers on 2 different computers, on port 80, I couldn't, because the router will forward every connection on port 80 to a single MAC address. So I'm forced to host web servers on one host for the entire network. This is just an example but applies to every kind of service, for example an IP cam.

Yes, you can. 'ipv6 static' doesn't perform any type of NAT/PAT; it is just about opening ports. So if your PC1 has addresses 2::1 and 3::1, and PC2 has addresses 2::2 and 3::2, you can host different services on PC1 on addresses 2::1 and 3::1, and access from the Internet to [2::1]:80 and to [3::1]:80 will not be mixed, but delivered properly. Moreover, you can host another two services on PC2 on 2::2 and 3::2, and access to [2::2]:80 and [3::2]:80 will not be interleaved or confused with access to [2::1]:80 or [3::1]:80. All four {ip,port} combinations will be available from the Internet directly, without NAT or port forwarding.

  • Upvote 1
  • 0
Posted
5 minutes ago, Le ecureuil said:

Yes, you can. 'ipv6 static' doesn't perform any type of NAT/PAT; it is just about opening ports. So if your PC1 has addresses 2::1 and 3::1, and PC2 has addresses 2::2 and 3::2, you can host different services on PC1 on addresses 2::1 and 3::1, and access from the Internet to [2::1]:80 and to [3::1]:80 will not be mixed, but delivered properly. Moreover, you can host another two services on PC2 on 2::2 and 3::2, and access to [2::2]:80 and [3::2]:80 will not be interleaved or confused with access to [2::1]:80 or [3::1]:80. All four {ip,port} combinations will be available from the Internet directly, without NAT or port forwarding.

How do I do this? I'm looking at the manual and it seems to me I can set an input interface, not an address:

Immagine 2021-11-07 172458.png

  • 0
Posted
1 hour ago, fl4co said:

How do I do this? I'm looking at the manual and it seems to me I can set an input interface, not an address:

Immagine 2021-11-07 172458.png

The input interface is set here as the incoming direction for applying rules; no address from this interface will be used.
Suppose you have ISP with address 2::100, ISP2 with address 3::100 and a host in the LAN with addresses 2::1 and 3::2.
So after the command
ipv6 static tcpudp ISP <mac> 80
you will be able to get access from the Internet to [2::1]:80 when the connection comes from ISP. When the connection comes from ISP2 it will be rejected; a separate rule is needed to allow traffic from ISP2. Just notice that ISP and its address 2::100 are never used.

  • Upvote 1
  • 0
Posted
14 minutes ago, Le ecureuil said:

The input interface is set here as the incoming direction for applying rules; no address from this interface will be used.
Suppose you have ISP with address 2::100, ISP2 with address 3::100 and a host in the LAN with addresses 2::1 and 3::2.
So after the command
ipv6 static tcpudp ISP <mac> 80
you will be able to get access from the Internet to [2::1]:80 when the connection comes from ISP. When the connection comes from ISP2 it will be rejected; a separate rule is needed to allow traffic from ISP2. Just notice that ISP and its address 2::100 are never used.

Ok, that's what I thought, but I want to access host 1 to [2::1]:80 and host 2 to [3::2]:80 behind the same ISP. Am I right that this is currently not possible?

  • 0
Posted
13 hours ago, fl4co said:

Ok, that's what I thought, but I want to access host 1 to [2::1]:80 and host 2 to [3::2]:80 behind the same ISP. Am I right that this is currently not possible?

It's possible and works as expected. You need two rules: one per device mac.

  • Thanks 1
  • Upvote 1
  • 0
Posted (edited)
4 hours ago, Le ecureuil said:

It's possible and works as expected. You need two rules: one per device mac.

It works, thank you! I thought you could only add one rule per port.

By the way, I'd argue that this system with MAC addresses is not simpler than using the IP addresses, and you are using the CLI anyway... Also you are allowing connections to every IP address on that interface.

Anyway it works for what I want to do at the moment 🙂

Edited by fl4co
typo
  • 0
Posted
5 minutes ago, fl4co said:

It works, thank you! I thought you could only add one rule per port.

By the way, I'd argue that this system with MAC addresses is not simpler than using the IP addresses, and you are using the CLI anyway... Also you are allowing connections to every IP address on that interface.

Anyway it works for what I want to do at the moment 🙂

It has some drawbacks, of course, but in the world of dynamic and multiple addresses it's the easiest way for user to open port without messing with static ip.

  • Upvote 1
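The semantics worked out in this thread (a rule is matched per incoming interface and per MAC, it does no NAT, and it opens the port on every IPv6 address the router currently sees for that MAC, including privacy-extension temporary addresses) are easy to get wrong when planning what is exposed. The script below is an added model of that behaviour written for this page; it is not Keenetic firmware code, and it assumes only the `ipv6 static <proto> <iface> <mac> <port>` syntax quoted in the posts above. The MAC addresses, interface names and host address sets are constructed, as is the `!` comment convention used in the embedded config. It covers both the one-host ISP/ISP2 case and the two-rule, two-host case discussed above.

```python
"""
Model of the `ipv6 static` port-opening semantics described in this thread:
per incoming interface, per MAC, no NAT, and every address the host currently
holds is reachable on the opened port. Added illustration, not Keenetic code.
"""
import ipaddress
import re

# Assumed syntax, taken from the thread: ipv6 static <tcp|udp|tcpudp> <iface> <mac> <port>
RULE_RE = re.compile(
    r"^ipv6 static (?P<proto>tcp|udp|tcpudp) (?P<iface>\S+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<port>\d{1,5})$",
    re.IGNORECASE,
)


def parse_rules(config_text):
    """Parse rule lines into (proto, iface, mac, port) tuples; tcpudp expands to two."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):  # '!' comments are this script's convention
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        proto = m["proto"].lower()
        for p in (("tcp", "udp") if proto == "tcpudp" else (proto,)):
            rules.append((p, m["iface"], m["mac"].lower(), port))
    return rules


def is_allowed(rules, neighbours, in_iface, proto, dst_addr, dst_port):
    """
    Decide an inbound packet arriving on in_iface for [dst_addr]:dst_port.
    neighbours maps MAC -> set of IPv6 addresses the router currently sees for
    that host (the table the router keeps up to date as addresses change).
    Default policy is deny, matching `ipv6 firewall` being enabled.
    """
    dst = ipaddress.IPv6Address(dst_addr)
    for r_proto, r_iface, r_mac, r_port in rules:
        if (r_proto, r_iface, r_port) != (proto, in_iface, dst_port):
            continue
        host_addrs = {ipaddress.IPv6Address(a) for a in neighbours.get(r_mac, ())}
        if dst in host_addrs:
            return True
    return False


def exposure(rules, neighbours):
    """Every (iface, proto, address, port) the rule set opens right now."""
    opened = set()
    for proto, iface, mac, port in rules:
        for addr in neighbours.get(mac, ()):
            opened.add((iface, proto, str(ipaddress.IPv6Address(addr)), port))
    return opened


# Constructed scenario: two hosts, one rule per MAC, both on the ISP interface.
CONFIG = """
! host PC1 and host PC2 each get port 80 opened; note the rule names a MAC, not an address
ipv6 static tcp ISP 02:00:00:00:00:01 80
ipv6 static tcp ISP 02:00:00:00:00:02 80
"""

PC1 = "02:00:00:00:00:01"
PC2 = "02:00:00:00:00:02"
NEIGHBOURS = {
    # PC1 holds a stable address from each prefix plus a privacy-extension
    # temporary address (constructed); the MAC rule exposes all three.
    PC1: {"2::1", "3::1", "2::a1b2:c3d4:e5f6:7788"},
    PC2: {"2::2", "3::2"},
}

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for entry in sorted(exposure(rules, NEIGHBOURS)):
        print("open:", entry)
    print("ISP  -> [2::1]:80 ", is_allowed(rules, NEIGHBOURS, "ISP", "tcp", "2::1", 80))
    print("ISP2 -> [2::1]:80 ", is_allowed(rules, NEIGHBOURS, "ISP2", "tcp", "2::1", 80))
```

Run `exposure()` against the neighbour table whenever a rule is added: the practical point is that the opened set is as large as the host's current address list, so a temporary address that the host did not intend to serve on is reachable on port 80 as well. Restricting that requires a host-side firewall bound to the intended address, since the router rule cannot name one.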
