
How do I configure things so that LAN IPv6 hosts can be reached from outside?

  •   pota · 2023-02-20 17:03:27 +08:00 · 1325 views

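    My home connection now has public IPv4 and IPv6. The LAN devices already get public IPv6 addresses and pass the IPv6 test, but I can't reach them directly over IPv6 from outside. The OpenWrt router, which has DDNS, is reachable without problems. What do I need to configure so the LAN devices are reachable from outside?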

    10 replies    2023-02-21 12:08:54 +08:00
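    kimking
        1
       2023-02-20 17:05:10 +08:00
    Allow inbound traffic in the firewall. Don't bother trying with TP-Link home routers: their IPv6 firewall is enabled by default and cannot be adjusted.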
    novolunt
        2
       2023-02-20 17:15:21 +08:00
    @kimking ISP business broadband doesn't have IPv6 enabled at the moment, does it?
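    pota
        3
    OP
       2023-02-20 17:28:18 +08:00
    @novolunt #2 Home broadband

    @kimking #1 How should I configure it? I'm running a bare-metal soft router. I've changed a lot of settings following the configuration guides and none of it works..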
    mcluyu
        4
       2023-02-20 17:52:40 +08:00
    What kind of device is it on the LAN? The device has its own firewall too, Windows for example.
    lovelylain
        5
       2023-02-20 18:26:31 +08:00 via Android
    By default, wan rejects forwarding. You can change it to accept, or split wan into wan and wan6 and allow forwarding only for wan6, or add ip6tables rules yourself.
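    hertzry
        6
       2023-02-20 19:41:23 +08:00
    "The OpenWrt router, which has DDNS, is reachable without problems"?

    First solve direct access to the router from the public internet; only then move on to reaching the devices behind the router.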
    neroxps
        7
       2023-02-21 05:27:26 +08:00 via iPhone
    Post the output of ip6tables -S and everyone will see what's going on.
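    pota
        8
    OP
       2023-02-21 09:16:19 +08:00
    @hertzry #6 I mean OpenWrt itself is reachable over both v4 and v6, but v6 doesn't get through to the devices
    @mcluyu #4 I checked that and it's fine; the QNAP NAS has v6 access enabled
    @jobmailcn #5 The firewall's wan and wan6 already accept forwarding. The LAN is already reachable through v4 forwarding; now I'm planning to put CF in front and access the LAN v6 directly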
    pota
        9
    OP
       2023-02-21 09:16:28 +08:00
    @neroxps #7
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N MINIUPNPD
    -N SOCAT
    -N forwarding_docker_rule
    -N forwarding_lan_rule
    -N forwarding_rule
    -N forwarding_vpn_rule
    -N forwarding_wan_rule
    -N input_docker_rule
    -N input_lan_rule
    -N input_rule
    -N input_vpn_rule
    -N input_wan_rule
    -N output_docker_rule
    -N output_lan_rule
    -N output_rule
    -N output_vpn_rule
    -N output_wan_rule
    -N reject
    -N syn_flood
    -N zone_docker_dest_ACCEPT
    -N zone_docker_forward
    -N zone_docker_input
    -N zone_docker_output
    -N zone_docker_src_ACCEPT
    -N zone_lan_dest_ACCEPT
    -N zone_lan_forward
    -N zone_lan_input
    -N zone_lan_output
    -N zone_lan_src_ACCEPT
    -N zone_vpn_dest_ACCEPT
    -N zone_vpn_forward
    -N zone_vpn_input
    -N zone_vpn_output
    -N zone_vpn_src_ACCEPT
    -N zone_wan_dest_ACCEPT
    -N zone_wan_forward
    -N zone_wan_input
    -N zone_wan_output
    -N zone_wan_src_ACCEPT
    -A INPUT -j SOCAT
    -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
    -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
    -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
    -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
    -A INPUT -i pppoe-Wan -m comment --comment "!fw3" -j zone_wan_input
    -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
    -A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
    -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
    -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
    -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
    -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
    -A FORWARD -i pppoe-Wan -m comment --comment "!fw3" -j zone_wan_forward
    -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
    -A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
    -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
    -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
    -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
    -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
    -A OUTPUT -o pppoe-Wan -m comment --comment "!fw3" -j zone_wan_output
    -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
    -A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
    -A SOCAT -p tcp -m tcp --dport 8000 -m comment --comment Openwrt -j ACCEPT
    -A SOCAT -p tcp -m tcp --dport 8001 -m comment --comment QNAP -j ACCEPT
    -A SOCAT -p tcp -m tcp --dport 8389 -m comment --comment "远程桌面" -j ACCEPT
    -A SOCAT -p udp -m udp --dport 500 -m comment --comment IKE -j ACCEPT
    -A SOCAT -p udp -m udp --dport 4500 -m comment --comment IPsec -j ACCEPT
    -A SOCAT -p tcp -m tcp --dport 1701 -m comment --comment L2TP -j ACCEPT
    -A SOCAT -p udp -m udp --dport 1701 -m comment --comment L2TP -j ACCEPT
    -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
    -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
    -A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
    -A syn_flood -m comment --comment "!fw3" -j DROP
    -A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
    -A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
    -A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
    -A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
    -A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
    -A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
    -A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
    -A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
    -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
    -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
    -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
    -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
    -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
    -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
    -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
    -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
    -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
    -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
    -A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
    -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
    -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
    -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
    -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
    -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
    -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
    -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
    -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
    -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
    -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
    -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_dest_ACCEPT -o pppoe-Wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
    -A zone_wan_dest_ACCEPT -o pppoe-Wan -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_forward -j MINIUPNPD
    -A zone_wan_forward -j MINIUPNPD
    -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
    -A zone_wan_forward -p tcp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
    -A zone_wan_forward -p udp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
    -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
    -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
    -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
    -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
    -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
    -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
    -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
    -A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
    -A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
    -A zone_wan_input -p tcp -m tcp --dport 40000:65535 -m comment --comment "!fw3: wxedge" -j ACCEPT
    -A zone_wan_input -p udp -m udp --dport 40000:65535 -m comment --comment "!fw3: wxedge" -j ACCEPT
    -A zone_wan_input -p tcp -m tcp --dport 18888 -m comment --comment "!fw3: wxedge-port" -j reject
    -A zone_wan_input -p udp -m udp --dport 18888 -m comment --comment "!fw3: wxedge-port" -j reject
    -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
    -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
    -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
    -A zone_wan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_src_ACCEPT -i pppoe-Wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
    zbinlin
        10
       2023-02-21 12:08:54 +08:00
    With OpenWrt's default configuration, I only needed to add one forward that accepts from the `wan` zone to the `lan` zone
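
An added example, not part of the thread and not OpenWrt code: a small Python audit that follows a new packet arriving on a WAN interface through `ip6tables -S` output and lists every ACCEPT rule that limits neither destination address nor port, which is what a blanket wan forward accept produces. The interface name `pppoe-Wan` and the chain names come from the ruleset posted above; the sample rules, the `2001:db8` address and the function names are constructed for illustration.

```python
import shlex

# Constructed excerpt in `ip6tables -S` format, modelled on the fw3 chains
# posted in this thread; 2001:db8::/32 is the documentation prefix.
SAMPLE = """\
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward
-A FORWARD -i pppoe-Wan -j zone_wan_forward
-A zone_lan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-Wan -j ACCEPT
-A zone_wan_forward -j forwarding_wan_rule
-A zone_wan_forward -d 2001:db8:1::10/128 -p tcp -m tcp --dport 443 -j ACCEPT
-A zone_wan_forward -p tcp -m comment --comment "!fw3: open v6" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_ACCEPT
"""

def opt(rule, flag):
    """Value following `flag` in a tokenised rule, or None."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def broad_wan_accepts(text, wan_ifs, start="FORWARD"):
    """Follow a NEW packet that arrived on a WAN interface through the chains
    and list ACCEPT rules that restrict neither destination address nor port.
    Negated matches ("! -i ...") are not modelled."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps quoted --comment text as one token
        if tok[:1] == ["-A"]:
            chains.setdefault(tok[1], []).append(tok[2:])
    findings, seen = [], set()

    def walk(chain):
        if chain in seen:
            return
        seen.add(chain)
        for rule in chains.get(chain, []):
            if opt(rule, "-i") not in (None, *wan_ifs):
                continue  # rule is for another ingress interface
            if "NEW" not in (opt(rule, "--ctstate") or "NEW"):
                continue  # only matches established/invalid traffic
            if opt(rule, "-o") in wan_ifs:
                continue  # egress back to WAN, not towards inside hosts
            target = opt(rule, "-j")
            if target == "ACCEPT" and not {"-d", "--dport"} & set(rule):
                findings.append((chain, " ".join(rule)))
            elif target in chains:
                walk(target)

    walk(start)
    return findings

if __name__ == "__main__":
    for chain, rule in broad_wan_accepts(SAMPLE, {"pppoe-Wan"}):
        print(f"{chain}: {rule}")
```

On the constructed sample, only the unscoped `-p tcp ... -j ACCEPT` rule in `zone_wan_forward` is reported; the rule limited to one address and port 443 is not.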