IPv6 firewall rules (GL-MT1300, Beryl)

I set up port forwarding to allow Transmission (BitTorrent) to receive incoming connections from my VPN. I can access the port if I use my public IPv4 address, but not my public IPv6 address. The release notes do not mention that IPv6 support was added to the firewall, so presumably this is something we can expect to see in a future firmware upgrade?

I’m new to IPv6, so I’m still not exactly sure what I need to do if I want to open up ports. I saw this on the OpenWrt wiki:

config rule
    option src 'wan'
    option proto 'tcp'
    option dest 'lan'
    option dest_ip '2001:db8:42::1337'
    option dest_port '80'
    option family 'ipv6'
    option target 'ACCEPT'

I haven’t tried it, but it looks like it might work. Trouble is, my IPv6 address is not static (as far as I’m aware), so this would not persist across VPN sessions.

This might not be a problem. Perhaps BitTorrent is robust enough to fall back to IPv4 if there are problems with IPv6?

You may just try.

The dest_ip in your config is on your internal network. Your internal IPv6 address is fixed and should be fine.

I figured it out. I needed to add a rule in LuCI - Firewall - Traffic Rules.

Today it seems to have stopped working. Now I’m having doubts whether I was looking at the right Transmission session, as I had two open, so it’s entirely possible I could have looked at the wrong one. sigh.

To clarify, one of my sessions is a remote session running on the router itself, and the port is open, no problem. The other one is my PC, where I’m having issues opening the port.

I’ll just keep an eye on it for now, in case it’s some weird transient issue.

OK. Getting somewhere.

I think that the Transmission session running on the router was reporting that the port was open, because, for some reason, it defaults to IPv4. If I type curl http://portcheck.transmissionbt.com/12345 in the CLI on my PC, I get a 400 (because it’s broken for IPv6), but if I run the same command on the router, it returns 1. I have to run curl -6 http://portcheck.transmissionbt.com/12345 on the router to force IPv6.

Because Transmission’s port checker is broken for IPv6, I almost definitely had the wrong session open when I falsely reported success a couple of days ago. What a plonker.

I’ve managed to open the port on the router itself but getting the port to open on my PC is still WIP. Because I’ve got one of the ports open, it’s given me confidence that at least my VPN is opening the ports for IPv6, so I can rule out problems with my VPN with a good level of confidence.
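
The IPv4/IPv6 mix-up described in the last post comes from a checker silently picking one address family. The following is an added example, not code from the thread or from Transmission: it tests a TCP port over each family separately. The function names are hypothetical and the demo listener is constructed on loopback so the script runs offline.

```python
import socket

def check_port(host, port, family, timeout=3.0):
    """TCP connect test restricted to one address family.

    Returns True if a connection succeeds, False if every address of
    that family fails, None if `host` has no address in that family.
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    for fam, stype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(fam, stype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return True
        except OSError:
            continue  # refused, filtered, or family unsupported locally
    return False

def check_both(host, port, timeout=3.0):
    """Report IPv4 and IPv6 reachability side by side."""
    return {
        "ipv4": check_port(host, port, socket.AF_INET, timeout),
        "ipv6": check_port(host, port, socket.AF_INET6, timeout),
    }

def demo():
    """Constructed scenario: a listener bound to IPv4 loopback only.

    A checker that defaults to IPv4 would call this port open, while
    the same port is closed over IPv6.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return {
            "ipv4": check_port("127.0.0.1", port, socket.AF_INET, 1.0),
            "ipv6": check_port("::1", port, socket.AF_INET6, 1.0),
        }
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())
```

To test a forwarded port, `check_both` has to be run from a machine outside the firewall, against the public name or address of the host being checked.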