怎么设置让内网 V6 可以正常被访问

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

OpenWrt 是一个专门面向嵌入式设备的 Linux 发行版。你可以将 OpenWrt 支持的型号的嵌入式设备，比如各种路由器上的系统，换成一个有更多可能性可以折腾的 Linux 系统。

› OpenWrt 官方网站

这是一个创建于 641 天前的主题，其中的信息可能已经有所发展或是发生改变。

家里现在是公网 v4 v6 内网设备已经能拿到公网 v6 地址 v6 测试也能通过，但是没法直接在外网通过 v6 访问到内网设备，ddns 的 openwrt 可以正常访问，内网需要怎么设置才能公开？

内网

公网

访问

OpenWrt

10 条回复 • 2023-02-21 12:08:54 +08:00

kimking

2023-02-20 17:05:10 +08:00

防火墙入站放行。tplink 的家用路由就不用试了，默认开启 v6 防火墙且不可调整。

novolunt

2023-02-20 17:15:21 +08:00

@kimking 目前 ISP 企业宽带没开 ipV6 吧

pota

2023-02-20 17:28:18 +08:00

@novolunt #2 家宽

@kimking #1 需要怎么配置，我是裸机的软路由。按配置改了好多都不行。。

mcluyu

2023-02-20 17:52:40 +08:00

内网什么设备，设备自己也有防火墙的，比如 Windows

lovelylain

2023-02-20 18:26:31 +08:00 via Android

默认情况下 wan 是拒绝转发的，你可以改为接受，或者 wan 分离为 wan wan6 然后只对 wan6 转发，也可以自己加 ip6tables 规则

hertzry

2023-02-20 19:41:23 +08:00

”ddns 的 openwrt 可以正常访问“？

你先解决公网直接访问路由器的问题，然后才是访问路由器后面的设备。

neroxps

2023-02-21 05:27:26 +08:00 via iPhone

ip6tables -S 发出来大家看看就知道了

pota

2023-02-21 09:16:19 +08:00

@hertzry #6 就是 v4 v6 都能访问 openwrt 但是 v6 没法穿透到设备
@mcluyu #4 这个检查了没问题，威联通 nas 开了 v6 访问
@jobmailcn #5 防火墙 wan wan6 是接受转发的，内网通过 v4 转发已经能访问了现在是准备套 cf 直接访问内网 v6

pota

2023-02-21 09:16:28 +08:00

@neroxps #7 -P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N MINIUPNPD
-N SOCAT
-N forwarding_docker_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_docker_rule
-N input_lan_rule
-N input_rule
-N input_vpn_rule
-N input_wan_rule
-N output_docker_rule
-N output_lan_rule
-N output_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_docker_dest_ACCEPT
-N zone_docker_forward
-N zone_docker_input
-N zone_docker_output
-N zone_docker_src_ACCEPT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_ACCEPT
-A INPUT -j SOCAT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-Wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-Wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-Wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A SOCAT -p tcp -m tcp --dport 8000 -m comment --comment Openwrt -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 8001 -m comment --comment QNAP -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 8389 -m comment --comment "远程桌面" -j ACCEPT
-A SOCAT -p udp -m udp --dport 500 -m comment --comment IKE -j ACCEPT
-A SOCAT -p udp -m udp --dport 4500 -m comment --comment IPsec -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 1701 -m comment --comment L2TP -j ACCEPT
-A SOCAT -p udp -m udp --dport 1701 -m comment --comment L2TP -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-Wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-Wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p tcp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
-A zone_wan_forward -p udp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 40000:65535 -m comment --comment "!fw3: wxedge" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 40000:65535 -m comment --comment "!fw3: wxedge" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 18888 -m comment --comment "!fw3: wxedge-port" -j reject
-A zone_wan_input -p udp -m udp --dport 18888 -m comment --comment "!fw3: wxedge-port" -j reject
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_src_ACCEPT -i pppoe-Wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT

zbinlin

2023-02-21 12:08:54 +08:00

OpenWRT 的默认配置，我只需要添加一条 accept `wan` zone 到 `lan` zone 的 forward 就可以了