OpenWrt Forum Archive

Topic: IPv6 public access is convoluted (newbie POV)

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This is more of a rant post while trying to educate and question.

Background: I was wondering why I couldn't SSH or reach my website domain through public/global internet using IPv6. I'm familiar with IPv4, NAT, and port forwarding and didn't have any issue with it. I admit I'm a newbie compared to most other people, but I like to understand how things work.

After realizing IPv6 was supposed to give me direct access to my servers (instead of redirects with NAT and port forwarding), and after reading through numerous articles and forum posts along with many trials and error, nothing worked.  Then it finally dawned on me to try to adjust the firewall settings in regards to zone forwarding. By default, LAN to WAN was setup as INPUT ACCEPT, OUTPUT ACCEPT, FORWARD ACCEPT. But for some reason (hence my newbie-ness) WAN (wan & wan6) to LAN was setup as INPUT REJECT, OUTPUT ACCEPT, FORWARD REJECT. When I upgraded from Chaos Calmer to LEDE, i changed the firewall for “WAN to LAN” to INPUT ACCEPT, OUTPUT ACCEPT, FORWARD ACCEPT. Only then was I able to gain public/global/remote access to my home servers. So now I'm sitting here wondering why was this so  poorly documented and the default? Why did I spent time blaming myself and my ISP (as people suggested) due to a router issue? I spent hours researching this and entering appropriate keywords in this forum to get no result. Most results told me to use the command line and parsing through debug language to understand what was going on.

So now that I can access my servers via internet (outside of my local network), I have to ask: was this the best solution and how can I configure it to be better secured?

What you suggest basically removes any kind of security, with your configuration all of your network (at least the IPv6 enabled stations connected to it) are now exposed to the internet. That might be what you wanted for your servers, but is that also the case for your clients, your phones, your networked printers?

Unless you've audited your network extremely thoroughly (beyond the abilities of most users, read basically anyone), you should only whitelist specific hosts - I'd personally suggest even just the intended incoming ports of those hosts. Yes, this strategy is roughly equivalent to port forwardings in the IPv4 world, except that you do retain the end-to-end capabilities of IPv6 (as in multiple hosts reachable over their IPv6 address on, e.g., port 22).

Suggestions like yours are raised from time to time, mostly by users who do (claim to) know what they're doing - however for just about anyone else, such a default would be fatal. Security expectations are usually different between your LAN and the open internet.

(Last edited by slh on 6 Apr 2018, 00:00)

datnguyen.t26 wrote:

was this the best solution

Absolutely not. You've just turned your firewall into a router with no protection.

datnguyen.t26 wrote:

and how can I configure it to be better secured?

Reset everything back the way it was. Use Traffic Rules to allow only the traffic you want to allow.

All the responses have been good ones.

For those who are in a IPv4 mindset, the Firewall -> Traffic Rules, are _like_ port forwards. You should only open up specific hosts, and ports to the outside world.

OpenWrt defaults are to block ALL incoming connections on IPv4 and IPv6, this is a good starting point.

Just as a sidenote, given that you changed the defaults for the WAN zone (of which wan6 is a member), you not only opened your IPv6 hosts to the internet - you also did the same for IPv4. Yes, masquerading will still prevent your clients from being reachable from the outside - but that doesn't apply to the router itself, which now has (at least, in the default configuration) uhttpd/ luci, dropbear (sshd) and dnsmasq (DHCP/ DNS) exposed via your public IPv6 address, not only do each of those have security issues in the ancient versions present in Chaos Calmer, you are also vulnerable to simple brute force attacks of your root password via ssh and luci.

The discussion might have continued from here.