IPv6 traffic forwarding problem: connection hangs

[i0ntempest]

WAS: Options for providing services on IPv6 w/ ISP prefix delegation
EDIT: I'm close to successfully configuring a working IPv6 forwarding rule set, with one issue remaining (see my replies). Below is the original post.

Hi all,
I have some questions regarding IPv6 stuff. I'm new to v6 stuff so please be gentle.
I have a public IPv4 address (but that may change soon, to CGNAT) and a /64 IPv6 block from my ISP. Because prefix delegation does not give stable addresses, I also have v6 ULA setup. I also have a DDNS domain pointing to my router's v4 and v6 address. Currently I have some ports forwarded to my LAN devices' v4 addresses to provide VPN and stuff - they all work fine.
Now - what if I want to expose those services from IPv6 too? I have considered these options:
1. Open port thru IPv6 firewall, and update DDNS to point to the v6 address to the device running the service. The problem would be 1) as I said my v6 address isn't stable, and 2) the DDNS domain would point to only one device, but my services are on multiple devices. If there's a way to open port on the v6 firewall by MAC, then part of the problem is solved.
2. If such thing can be done, keep the DDNS pointing to my router's v6, and have some sort of "port forwarding" on v6 to forward traffic to devices' ULAs. This *seems* ideal and is similar to a v4 setup but can it be done?

Thoughts welcome, thanks in advance.

 

[bennor]

It may help if you provide or include router model and firmware version for others just in case a response is dependent on router and or firmware.

 

[i0ntempest]

I tried some ip6tables commands with some help from ChatGPT, and found out that if I open the port on IPv6 firewall using the ULA address, and use this command to create the forward rule:
ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 38443 -j DNAT --to-destination [fd00:d:e:f::e123]:38443
Then the service will become available on the router's public IP.
The problem is that, if the internal port and the external port is different, say:
ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2222 -j DNAT --to-destination [fd00:d:e:f::e123]:22
Then the service is unstable. Using SSH as an example, the it would initially connect but before a shell prompt can be shown the connection hangs and eventually times out.
ChatGPT suggested these:

ip6tables -t nat -A POSTROUTING -p tcp -d fd00:d:e:f::e123 --dport 22 -j MASQUERADE
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

But those are ineffective, and I'm out of ideas.
Prety unlikely the solution would be dependent on the router model but I have a TUF-AX3000 and an AX86U, both running the latest merlin firmware.

 

[ZebMcKayhan]

I tried some ip6tables commands with some help from ChatGPT, and found out that if I open the port on IPv6 firewall using the ULA address, and use this command to create the forward rule:
ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 38443 -j DNAT --to-destination [fd00:d:e:f::e123]:38443
Then the service will become available on the router's public IP.
The problem is that, if the internal port and the external port is different, say:
ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2222 -j DNAT --to-destination [fd00:d:e:f::e123]:22
Then the service is unstable. Using SSH as an example, the it would initially connect but before a shell prompt can be shown the connection hangs and eventually times out.
ChatGPT suggested these:

ip6tables -t nat -A POSTROUTING -p tcp -d fd00:d:e:f::e123 --dport 22 -j MASQUERADE
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

But those are ineffective, and I'm out of ideas.
Prety unlikely the solution would be dependent on the router model but I have a TUF-AX3000 and an AX86U, both running the latest merlin firmware.

Feels like you are thinking about this in an ipv4 type of way. For ipv6 each unit already have a publically routable ip.

I would imagine each ipv6 device update there own ddns record with their own public ip. I use dynv6 for this.

You don't need to port forward in that sense, neither should you need any port translation as each service has their own ip.

What you do need however is to open firewall for incoming data on this specific port to this specific destination. There are several ways to do this.

 

[i0ntempest]

Feels like you are thinking about this in an ipv4 type of way. For ipv6 each unit already have a publically routable ip.

I would imagine each ipv6 device update there own ddns record with their own public ip. I use dynv6 for this.

You don't need to port forward in that sense, neither should you need any port translation as each service has their own ip.

What you do need however is to open firewall for incoming data on this specific port to this specific destination. There are several ways to do this.

Indeed - I actually considered using public IPv6 addresses first. But to do this I'll need to configure a hostname for each device, and it won't be compatible with my existing port forwarding IPv4 setup so that need to be redone as well. I do have a plan to move everything to my cloudflare lvl 2 domain but that's something for the future me.

Right now I just need to figure out how to do IPv6 forwarding with different internal and external ports. I know this isn't how IPv6 is supposed to be used but it'll be fine for now.

 

[ZebMcKayhan]

Indeed - I actually considered using public IPv6 addresses first. But to do this I'll need to configure a hostname for each device, and it won't be compatible with my existing port forwarding IPv4 setup so that need to be redone as well. I do have a plan to move everything to my cloudflare lvl 2 domain but that's something for the future me.

Right now I just need to figure out how to do IPv6 forwarding with different internal and external ports. I know this isn't how IPv6 is supposed to be used but it'll be fine for now.

Alright, I understand. Meanwhile, please check out dynv6 as it is tailored for ipv6 operation.

I don't know why it becomes unstable when you change port. Ipv6 dnat is rather newly ported into the fw.

But besides to DNAT you posted, did you open the firewall for forwarding new packets for these services? Router uses a stateful ipv6 firewall, just as ipv4.

Something like:

ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 38443 -j DNAT --to-destination [fd00:d:e:f::e123]:38443
ip6tables -I FORWARD -i ppp0 -p tcp --dport 38443 -o [fd00:d:e:f::e123] -j ACCEPT

sorry if there is a typo, in a hurry...

 

[i0ntempest]

Alright, I understand. Meanwhile, please check out dynv6 as it is tailored for ipv6 operation.

I don't know why it becomes unstable when you change port. Ipv6 dnat is rather newly ported into the fw.

But besides to DNAT you posted, did you open the firewall for forwarding new packets for these services? Router uses a stateful ipv6 firewall, just as ipv4.

Something like:

ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 38443 -j DNAT --to-destination [fd00:d:e:f::e123]:38443
ip6tables -I FORWARD -i ppp0 -p tcp --dport 38443 -o [fd00:d:e:f::e123] -j ACCEPT

sorry if there is a typo, in a hurry...

Yea I did open the port in v6 firewall, just not on the cli but on the webui. I also tried disabling v6 firewall entirely and that didn't change anything. Maybe a bug in v6 DNAT?
Also I tried TPROXY as well but that doesn't seem to be included in the firmware.

 

[i0ntempest]

ip6tables -I FORWARD -i ppp0 -p tcp --dport 38443 -o [fd00:d:e:f::e123] -j ACCEPT

This command alone (typo corrected: ip6tables -A FORWARD -m state --state NEW -p tcp --dport 38443 -d fd00:d:e:f::e123 -j ACCEPT) isn't enough to make the service reachable outside, but opening a port in the webui firewall page does. So may I know what exactly is executed by the system for webui to open a port?