My OpenWrt IPv6 configuration

Allow HTTP/HTTPS IPv6 traffic for my homelab.

My network:

• WAN:
  • ISP: Viettel
  • IPv6 prefix: 2001:1900:iced:cafe::/64
• Host
  • MAC: bb:bf:1b:71:fe:20 (for example)
  • IPv6 address: 2001:1900:iced:cafe:b9bf:1bff:fe71:fe20 (calculated by EUI-64 Calculator)

My OpenWrt config:

Interfaces » wan

• Advanced Settings
  • Delegate IPv6 prefixes: ✅
• DHCP Server
  • IPv6 Settings
    • RA-Service: disabled
    • DHCPv6-Service: disabled
    • NDP-Proxy: disabled

Interfaces » lan

• Advanced Settings
  • Delegate IPv6 prefixes: ✅
• DHCP Server
  • IPv6 Settings
    • Designated master: ❌ (uncheck)
    • RA-Service: server mode
    • DHCPv6-Service: disabled
    • Announced IPv6 DNS servers: null
    • Local IPv6 DNS server: ✅
    • Announced DNS domains: null
    • NDP-Proxy: disabled
  • IPv6 RA Settings
    • Default router: automatic
    • Enable SLAAC: ✅
    • RA Flags: other config (O)
    • NAT64 prefix: null

Firewall - Traffic Rules

Allow-IPv6-HTTP

• General Settings
  • Name: Allow-IPv6-HTTP
  • Protocol: TCP
  • Source zone: wan
  • Source address: null
  • Source port: any
  • Destination zone: lan
  • Destination address: ::b9bf:1bff:fe71:fe20/-64
  • Destination port: 80
  • Action: accept

• Advanced Settings
  • Restrict to address family: IPv6 only

Allow-IPv6-HTTPS

• General Settings
  • Name: Allow-IPv6-HTTPS
  • Protocol: TCP,UDP
  • Source zone: wan
  • Source address: null
  • Source port: any
  • Destination zone: lan
  • Destination address: ::b9bf:1bff:fe71:fe20/-64
  • Destination port: 443
  • Action: accept

• Advanced Settings
  • Restrict to address family: IPv6 only

Tools:

• EUI-64 Calculator
• ping.pe

Ref:

• IPv6 configuration
• Dynamic prefix forwarding- negative netmask notation: /-64