Geekzone: technology news, blogs, forums


sleemanj

1514 posts

Uber Geek
+1 received by user: 315


#311274 1-Jan-2024 15:59

I don't know a whole lot about IPv6. 

 

I was somewhat surprised to find that if I access my current IPv6 address (reported by www.whatismyip.com ) over HTTP from a remote server, it indeed connects directly to my (ethernet connected) workstation behind the One supplied Huawei DN8245X6-10 router and pulls up my local Apache server without any issue. 

 

I do not recall doing anything to explicitly allow this on the router, so I guess it's the default way it works.  I don't remember the old Ultrahub behaving that way, but maybe I just never knew.

 

I had naively assumed all this time that the IPv6 DHCP would assign a private range IP6 address and NAT it much like IPv4.  I would generally rather not allow arbitrary connections from the outside world to machines behind the router, but equally I would still like to use IPv6 to connect outbound, so I don't just want to disable IPv6 entirely.

 

Also I'd ideally like to have a more stable IPv6 address (or at least some specifically known prefix) presented to those outbound connections, the current one changes quite frequently (more frequently than the IPv4 external address) so for example setting an AWS Security Group rule to permit an inbound connection from only "my" ip requires frequent attention.

 

Current "DHCPv6 Server" settings from the Huawei below...
---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


Aaron2222
218 posts

Master Geek
+1 received by user: 108


  #3176791 1-Jan-2024 18:15

You wouldn't typically use NAT with IPv6 (although it is possible to). One of the main selling points of IPv6 is the elimination of the need to use NAT, instead having devices on your network be publicly routable. That being said, publicly routable doesn't mean publicly accessible. Normally, there would be a stateful firewall on the router that prevents incoming connections by default. If the router provided by One does indeed not have this enabled by default, that would be incredibly concerning. I suspect it's more likely you disabled it by accident however. I'd have a poke around the settings and look for IPv6 firewall settings.

 

As for a more stable IPv6 address, you'd need to look into getting a static IPv6 prefix.




SpartanVXL
1498 posts

Uber Geek
+1 received by user: 666


  #3176799 1-Jan-2024 18:43

Yes, the accessing internal resource issue would be the firewall's responsibility. It should be enabled by default and only allow related traffic in. DHCPv6 PD and SLAAC would give your devices unique addresses that are routable globally as well as temporary addresses for some privacy.

I’m rusty as well so any corrections please point them out :)

sleemanj

1514 posts

Uber Geek
+1 received by user: 315


  #3176809 1-Jan-2024 19:28

Well, I found an IPv6 Filter settings page, and enabling that with Whitelist mode seems to shut down IPv6 incoming connections entirely.  Edit: Actually that kills IPv6 in both directions, outbound and inbound; I would have to add a rule to allow outbound, but it's not entirely clear how.

 

But damned if I can figure out how to allow specific IPv6 connections (by port) to a specific host on the LAN side, or even how to ensure a LAN side host has a stable ip6 handed out by the router so that could even be done in the first place.

 

In the IPv4 world, I just set a static DHCP local ip address for the MAC address in question and add port forwards for the desired ports to said local address.

 

 









SomeoneSomewhere
1882 posts

Uber Geek
+1 received by user: 1086

Lifetime subscriber

  #3176820 1-Jan-2024 20:10

The choice of IPv6 address is actually made on the client side. https://superuser.com/questions/1192005/how-to-ensure-that-ipv6-temporary-address-is-the-preferred-address https://www.cellstream.com/2023/12/16/messing-around-with-ipv6-temporary-addresses-in-windows/

 

You can choose to either have:

 

  • A randomly-generated IPv6 address, or
  • An IPv6 address based on your network adapter MAC.

The latter has obvious privacy issues, which pushed a change to use the former as a default.

 

Both are essentially concatenated onto the end of the IPv6 prefix that your ISP gives your router. If this prefix is regularly changing, the resulting global IPv6 address will also change.

 

If the prefix does not regularly change, an option could be to whitelist the whole IPv6 prefix assigned to your router. This would allow any device in your house to access the service, much like whitelisting your shared IPv4 address.
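An added example (not from this thread or any poster) of how the two address choices above are assembled from the router's /64 prefix, why the MAC-based one leaks the adapter address to every peer, and what a prefix-wide allow rule checks. The prefix and MAC are constructed documentation values, not anything from the thread.

```python
import ipaddress
import secrets
from typing import Optional

# Constructed sample values: an RFC 3849 documentation prefix and a made-up MAC.
ISP_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_MAC = "00:11:22:33:44:55"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): flip the
    universal/local bit of the first octet and insert ff:fe between the halves."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def random_interface_id() -> int:
    """Randomised identifier, as used by privacy/temporary addresses (RFC 8981)."""
    return secrets.randbits(64)


def slaac_address(prefix: str, interface_id: int) -> str:
    """Concatenate the ISP-assigned /64 prefix with a 64-bit interface identifier.
    A new prefix from the ISP therefore yields a new global address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address; None when the ff:fe marker
    is absent, which is the normal case for a randomised address."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def allowed_by_prefix(addr: str, allowed_prefix: str) -> bool:
    """Prefix-wide allow rule: true for every host behind the router's prefix."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(allowed_prefix, strict=False)


if __name__ == "__main__":
    fixed = slaac_address(ISP_PREFIX, eui64_interface_id(SAMPLE_MAC))
    temp = slaac_address(ISP_PREFIX, random_interface_id())
    print(fixed, "->", mac_from_address(fixed))  # the MAC is visible to any peer
    print(temp, "->", mac_from_address(temp))    # None, apart from a 1-in-65536 chance
    print(allowed_by_prefix(temp, ISP_PREFIX))   # True for either address
```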


sleemanj

1514 posts

Uber Geek
+1 received by user: 315


  #3176837 1-Jan-2024 20:43

Ok, I think I figured out part of the "restrict inbound things except what you want" issue.  It is not intuitive.

 

Need to use "IPv6 Filtering" under Security, set to Hybrid, and enable it, then add two rules. It seems that lower priority overrides higher priority, so make a rule with priority 255 that disables everything "Downstream" (which, without explanation, is connections coming into you), and then rules with priority less than 255 to enable ports, also for "Downstream". The Upstream side can be left without any rules and they seem to be allowed by default then (or you could create one).  Example of allowing HTTP inbound connections below.

 

The LAN-side IP is that which you would get from whatismyip or whatever if you connect from the machine which is going to be listening on that port. Which, as the poster above explains, can change, frequently, as a privacy measure.  I guess Google around to find out how to stop that happening or widen it to a prefix or something.

 

There does not seem to be a way to enter a range of ports; one rule, one port. It's also quite flaky, sometimes you have to select and Apply again.  Bit of a dog's breakfast, all these settings pages, really, and there is zero documentation that my Google reveals.

 





sleemanj

1514 posts

Uber Geek
+1 received by user: 315


  #3176886 1-Jan-2024 20:54
Additional:

 

With the above rules, whatismyip gives an IP6, and I can connect to port 80 on the IP6 from one of my Amazon instances, but interestingly https://test-ipv6.com/ fails, as does Google's test.

 

Disable the rules and it passes again.  

 

 

Nope, I don't know what's going on here.  Sometimes the filtering works, sometimes it kills IPv6, sometimes it doesn't work.  I really...  Might have to pull out the old UltraHub and see how it behaved.







Spyware
3818 posts

Uber Geek
+1 received by user: 1366

Lifetime subscriber

  #3176890 1-Jan-2024 21:06

Pull out a Mikrotik.





Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.


freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41038

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3176964 2-Jan-2024 00:12

I'd say the router is not fit for purpose. I use a Synology router and it's a bliss.






 


SpartanVXL
1498 posts

Uber Geek
+1 received by user: 666


  #3177137 2-Jan-2024 16:14

You have SLAAC enabled so clients are able to auto-configure their own addresses. The other notable thing about IPv6 is that clients can have ‘many’ IPs at once. Try to find the client's more ‘permanent’ address if you are trying to allow traffic to it.

I don’t think the filtering section is what you should be looking at. On these consumer routers there should be something labelled ‘firewall’ or similar.

Otherwise as posted by others, may be better to get something easier to work with.

sleemanj

1514 posts

Uber Geek
+1 received by user: 315


  #3177140 2-Jan-2024 16:29

SpartanVXL:
I don’t think the filtering section is what you should be looking at. On these consumer routers there should be labelled ‘firewall’ or similar.

Yeah, there is no firewall config; the, seemingly buggy, filtering config is the closest.







Aaron2222
218 posts

Master Geek
+1 received by user: 108


  #3177164 2-Jan-2024 18:22

The other thing you could try is a factory reset. Assuming IPv6 was enabled by default, it should block incoming connections on its default settings (as the alternative would be that One is providing routers to consumers with dangerously insecure default settings, assuming of course that IPv6 is enabled by default).

sleemanj

1514 posts

Uber Geek
+1 received by user: 315


  #3177224 3-Jan-2024 01:44

OMG.  I think I might have figured it.

 

There are two logins for the Huawei router.  The one on the label is Username "user" and a password.  You can also log in with username "admin" and the same password, but this isn't written down anywhere; you just have to know.

 

If you log in as "admin" then you get a new section called "IPv6 Firewall". It was disabled; if enabled, then and only then do the "Forwarding > IPv6 Port Mapping" section and "Security > IPv6 Filtering" actually do anything useful.

 

I don't know if it was disabled originally or maybe I'd done it at some point in the past or something and forgotten. I haven't done a factory reset to check; I don't want to lose my IPv4 settings unnecessarily.  Would be interested if anybody else happens to have one and can take a look.

 

The barmy thing is that "Forwarding > IPv6 Port Mapping" section, and "Security > IPv6 Filtering" are exposed in the user login even if the IPv6 firewall is disabled, and there is no warning that they will not work properly.

 

Oh yeah, and it's not really a Port Mapping at all for IPv6 despite the name: you can't have a different port number externally, and you connect to the internal host's actual IP6 address... it's more "these ports can transit if IPv6 firewall is on".

 

Anyway, for the future googlers for allowing/disallowing inbound IPv6 connections on the Huawei DN8245X6-10 as shipped by One NZ....

 

Login as "admin" not "user", with the same password as on the bottom of router. 

 

"Security > IPv6 Firewall", ENABLE it; this will stop all inbound IPv6 connections.

 

"Forwarding > IPv6 Port Mapping", select "Application" (User-defined interface seems broken) and pick any suitable application (e.g. HTTP). Be sure to select the correct "WAN Name" for your active connection; for me it's "3_TR069_VOIP_INTERNET_R_GE_VID_10". I suppose it's the same for everybody these days, but it gives you no clue as to which is the one you want.  At that point you can select/enter your local host's IP6 address and enter the port range.  This will allow that port through the firewall to the internal host.

 

I think that is it, at least it's working here, so far, touch wood.






RunningMan
9185 posts

Uber Geek
+1 received by user: 4838


  #3177341 3-Jan-2024 15:47

Good spotting @sleemanj
