Re: [OpenWrt-Devel] Firewall settings must be manually changed for 6to4

2018-12-30 Thread Alex Henrie
On Sun, Dec 30, 2018 at 4:40 AM Jo-Philipp Wich wrote:
>
> Hi,
>
> > I recently set up an OpenWrt 18.06.1 router at a place where the ISP
> > does not provide native IPv6, but does provide their own 6to4
> > tunnelling server. I installed 6to4 and ip-full on the router and
> > configured WAN6, but was puzzled as to why IPv6 wasn't working until I
> > discovered that the default firewall settings block forwarded traffic.
> > Changing "Forward" from "reject" to "accept" under "General Settings"
> > resolved the problem.
>
> This is a huge security issue, you should not do that, ever.
> You likely need both an ingress rule allowing protocol 41 traffic and
> join the wan6 interface to the existing wan zone.

I didn't see an option in LuCI to allow protocol 41 traffic. How do I
set that up?

-Alex

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
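
One way to express the advice quoted above in /etc/config/firewall, together with a check for it (an added example, not part of the thread or of OpenWrt's shipped configuration). The sample config is constructed; the zone name `wan`, the interface name `wan6` and the rule name `Allow-6to4` are assumptions.

```shell
#!/bin/sh
# Constructed /etc/config/firewall fragment (not from the thread): the default
# forward policy stays REJECT, wan6 joins the wan zone, protocol 41 is let in.
sample_firewall() {
cat <<'EOF'
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-6to4'
    option src 'wan'
    option proto '41'
    option family 'ipv4'
    option target 'ACCEPT'
EOF
}
# audit_6to4: read a UCI firewall config on stdin, print one line per finding,
# and return 0 only when all three conditions hold.
audit_6to4() {
    awk '
    function endsec() {   # evaluate the section just finished, then reset
        if (sec == "defaults" && toupper(o["forward"]) == "ACCEPT") bad_fwd = 1
        if (sec == "zone" && o["name"] == "wan" && nets ~ / wan6 /) zone_ok = 1
        if (sec == "rule" && o["src"] == "wan" && o["proto"] == "41" && toupper(o["target"]) == "ACCEPT") rule_ok = 1
        split("", o); nets = " "
    }
    { gsub("[\047\"]", "") }                      # strip UCI quoting
    $1 == "config" { endsec(); sec = $2; next }
    $1 == "option" { o[$2] = $3 }
    $1 == "list" && $2 == "network" { nets = nets $3 " " }
    END {
        endsec()
        if (bad_fwd) print "FAIL: default forward policy is ACCEPT"
        if (!zone_ok) print "FAIL: wan6 is not in the wan zone"
        if (!rule_ok) print "FAIL: no rule accepting protocol 41 from wan"
        exit (bad_fwd || !zone_ok || !rule_ok)
    }'
}
sample_firewall | audit_6to4 && echo "OK: forward REJECT, wan6 in wan zone, protocol 41 allowed"
```

On a router the same check can be pointed at the live file with `audit_6to4 < /etc/config/firewall`.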


Re: [OpenWrt-Devel] Firewall settings must be manually changed for 6to4

2018-12-30 Thread Hans Dedecker
On Sun, Dec 30, 2018 at 1:38 PM Torbjorn Jansson
 wrote:
>
> On 2018-12-30 12:40, Jo-Philipp Wich wrote:
> > Hi,
> >
> >> I recently set up an OpenWrt 18.06.1 router at a place where the ISP
> >> does not provide native IPv6, but does provide their own 6to4
> >> tunnelling server. I installed 6to4 and ip-full on the router and
> >> configured WAN6, but was puzzled as to why IPv6 wasn't working until I
> >> discovered that the default firewall settings block forwarded traffic.
> >> Changing "Forward" from "reject" to "accept" under "General Settings"
> >> resolved the problem.
> >
> > This is a huge security issue, you should not do that, ever.
> > You likely need both an ingress rule allowing protocol 41 traffic and
> > join the wan6 interface to the existing wan zone.
> >
> > ~ Jo
> >
> >
> you're correct.
>
> this discussion made me wonder something related to 6rd.
> assuming you have an isp that provides 6rd settings via dhcpv4 options openwrt
> auto creates a 6rd interface for you, what firewall zone does this interface end
> up in by default?
> i assume it ends up in same zone as its associated ipv4 interface right? so
> likely wan.
>
> reason for asking is that when looking at what interfaces are in what zone this
> auto created interface is not listed.

In case of an auto created 6rd interface the interface will end up by
default in the zone of the associated ipv4 interface.
This can be overruled by specifying the zone6rd uci parameter in the
associated ipv4 network config.

Hans


Re: [OpenWrt-Devel] Firewall settings must be manually changed for 6to4

2018-12-30 Thread Torbjorn Jansson

On 2018-12-30 12:40, Jo-Philipp Wich wrote:
> Hi,
>
>> I recently set up an OpenWrt 18.06.1 router at a place where the ISP
>> does not provide native IPv6, but does provide their own 6to4
>> tunnelling server. I installed 6to4 and ip-full on the router and
>> configured WAN6, but was puzzled as to why IPv6 wasn't working until I
>> discovered that the default firewall settings block forwarded traffic.
>> Changing "Forward" from "reject" to "accept" under "General Settings"
>> resolved the problem.
>
> This is a huge security issue, you should not do that, ever.
> You likely need both an ingress rule allowing protocol 41 traffic and
> join the wan6 interface to the existing wan zone.
>
> ~ Jo

you're correct.

this discussion made me wonder something related to 6rd.
assuming you have an isp that provides 6rd settings via dhcpv4 options openwrt
auto creates a 6rd interface for you, what firewall zone does this interface end
up in by default?
i assume it ends up in same zone as its associated ipv4 interface right? so
likely wan.

reason for asking is that when looking at what interfaces are in what zone this
auto created interface is not listed.




Re: [OpenWrt-Devel] Firewall settings must be manually changed for 6to4

2018-12-30 Thread Jo-Philipp Wich
Hi,

> I recently set up an OpenWrt 18.06.1 router at a place where the ISP
> does not provide native IPv6, but does provide their own 6to4
> tunnelling server. I installed 6to4 and ip-full on the router and
> configured WAN6, but was puzzled as to why IPv6 wasn't working until I
> discovered that the default firewall settings block forwarded traffic.
> Changing "Forward" from "reject" to "accept" under "General Settings"
> resolved the problem.

This is a huge security issue, you should not do that, ever.
You likely need both an ingress rule allowing protocol 41 traffic and
join the wan6 interface to the existing wan zone.

~ Jo


