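Opening IPv6 access to specific Synology ports through the OpenWRT firewall

Previously I was not very familiar with IPv6 rules, so I opened the same ports for every machine on the LAN, for example forwarding to port 80 on all machines. That way outside traffic could reach every internal machine with port 80 open, which is a security risk.

Today I had time to read up on IPv6 and worked out how to write a rule that opens only specific ports on the internal Synology.

If you have time, take a look at the Wikipedia material on IPv6 address definitions and masks.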

https://en.wikipedia.org/wiki/IPv6_address

Special addresses

See also: Reserved IP addresses § IPv6

There are a number of addresses with special meaning in IPv6.[26] They represent less than 2% of the entire address space:

| Address block (CIDR) | First address | Last address | Number of addresses | Usage | Purpose |
|---|---|---|---|---|---|
| ::/0 | :: | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^128 | Routing | Default route (no specific route) |
| ::/128 | :: | :: | 1 | Software | Unspecified address. |
| ::1/128 | ::1 | ::1 | 1 | Host | Loopback address to the local host. |
| ::ffff:0:0/96 | ::ffff:0.0.0.0 | ::ffff:255.255.255.255 | 2^(128−96) = 2^32 = 4294967296 | Software | IPv4 mapped addresses. |
| ::ffff:0:0:0/96 | ::ffff:0:0.0.0.0 | ::ffff:0:255.255.255.255 | 2^32 | Software | IPv4 translated addresses. |
| 64:ff9b::/96 | 64:ff9b::0.0.0.0 | 64:ff9b::255.255.255.255 | 2^32 | Global Internet | IPv4/IPv6 translation.[27] |
| 100::/64 | 100:: | 100::ffff:ffff:ffff:ffff | 2^64 | Routing | Discard prefix.[28] |
| 2001::/32 | 2001:: | 2001::ffff:ffff:ffff:ffff:ffff:ffff | 2^96 | Global Internet | Teredo tunneling. |
| 2001:20::/28 | 2001:20:: | 2001:2f:ffff:ffff:ffff:ffff:ffff:ffff | 2^100 | Software | ORCHIDv2.[29] |
| 2001:db8::/32 | 2001:db8:: | 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 2^96 | Documentation | Addresses used in documentation and example source code.[30] |
| 2002::/16 | 2002:: | 2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^112 | Global Internet | The 6to4 addressing scheme (now deprecated).[31] |
| fc00::/7 | fc00:: | fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^121 | Private network | Unique local address.[32] |
| fe80::/10 | fe80:: | febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^118 | Link | Link-local address. |
| ff00::/8 | ff00:: | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^120 | Global Internet | Multicast address. |

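On China Mobile's IPv6 network, if OpenWRT is configured correctly, every machine at home gets a public IPv6 address, but the OpenWRT firewall, as shown in the figure below, only allows the ICMP and VPN protocols.

First open the Synology Info Center to view the IPv6 address it obtained.

Find an address of the form 2409:8a55:2240:e440::88a/64, then open OpenWRT and add a firewall rule.

For example, I want to open the external UDP ports for eMule (4672) and BT (6881) to improve download speed. Add a firewall rule as shown in the figure below.

The Destination address field is the key part. Our Synology's IPv6 address was originally 2409:8a55:2240:e440::88a/64, but the public address assigned by China Mobile is not fixed and changes every so often. It is composed of the first four groups, xxxx:xxxx:xxxx:xxxx, and what follows the double colon :: is the last four groups assigned by the home OpenWRT, 0000:0000:0000:88a; because the first three groups are all 0, it is abbreviated to ::88a.

I suddenly find I don't know how to explain this; I'll add more material when I have time. In any case, the format that finally goes in is the one below.

So the full masked-address format for Destination address is ::88a/0

Save and apply, and the public IPv6 internet can then reach these 2 ports.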
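An added example, not part of the original post: this Python sketch applies the usual address/mask comparison (a destination matches when it equals the rule address on every bit the mask selects) to three Destination address values, so you can check which LAN hosts a value covers before saving the rule. The helper names, the rotated prefix and the second LAN host are constructed for illustration; `::88a/::ffff:ffff:ffff:ffff` is the explicit-mask notation that compares only the last 64 bits.

```python
import ipaddress

FULL = (1 << 128) - 1

def parse_rule(spec):
    """Split 'addr/mask' into integers. The mask is either a prefix
    length (0..128) or an explicit IPv6 mask like ::ffff:ffff:ffff:ffff."""
    addr, _, mask = spec.partition("/")
    addr_int = int(ipaddress.IPv6Address(addr))
    if not mask:
        return addr_int, FULL                      # bare address: all 128 bits
    if ":" in mask:
        return addr_int, int(ipaddress.IPv6Address(mask))
    bits = int(mask)
    if not 0 <= bits <= 128:
        raise ValueError(f"bad prefix length: {mask}")
    return addr_int, FULL ^ ((1 << (128 - bits)) - 1)  # top `bits` bits set

def matches(spec, dest):
    """True when dest equals the rule address on every bit the mask selects."""
    addr_int, mask_int = parse_rule(spec)
    return (int(ipaddress.IPv6Address(dest)) & mask_int) == (addr_int & mask_int)

def covered(spec, hosts):
    """Names of the hosts whose address the rule would apply to."""
    return [name for name, ip in hosts.items() if matches(spec, ip)]

# Constructed sample LAN. Only the first NAS address is from the post; the
# rotated prefix (2001:db8:1:2::/64) and the other host are made up.
HOSTS = {
    "nas":            "2409:8a55:2240:e440::88a",
    "nas-new-prefix": "2001:db8:1:2::88a",
    "other-lan-host": "2409:8a55:2240:e440::123",
}

if __name__ == "__main__":
    for spec in ("2409:8a55:2240:e440::88a/128",   # full address, exact match
                 "::88a/0",                        # prefix length 0: no bits compared
                 "::88a/::ffff:ffff:ffff:ffff"):   # explicit low-64-bit mask
        print(f"{spec:32} -> {covered(spec, HOSTS)}")
```

A value for which `covered` returns every host restricts nothing, which is the same as leaving Destination address empty.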
