[求助] 360 V6的IPv6防火墙转发端口 Ip6tables可以这样写么？

once3***

背景：
手上三个360 V5M，三母套装，，和官方要了定制固件：1. 禁止母路由作为子路由Mesh时，依旧下发IPv6 网关（实测还是有问题）；IPv4的端口转发，对IPv6也生效（实测TCP可以，UDP不行）

网上看到360 V6已经流出了Telnet插件和账户密码了，有Telnet不等于SSH么，有SSH还刷什么固件，原厂的Mesh是最好的！且360 V6原厂固件也是基于Openwrt改的。随入手个二手360 V6调试，看如何转发NAS的端口。

目的：
开放1234端口，TCP，UDP协议的出站和入栈。

具体操作：
根据群晖的日志，网卡共获得过三种类型的地址其中X表示动态值，具体数字表示始终固定数值：
1. 2409:8a55:30XX:XXXX::114，针对这种类型，如下这样写，可以么：
ip6tables -I FORWARD -p tcp udp -d 2409:8a55:30FF:FFFF::114 --dport 1234 -j ACCEPT
ip6tables -I FORWARD -p tcp udp -s 2409:8a55:30FF:FFFF::114 --sport 1234 -j ACCEPT

2. 2409:8a55:30XX:XXXX::2，2022年2月前是2409:8a55:30XX:XXXX::114；之后就是2409:8a55:30XX:XXXX::2，原因不知道，机器没有换过。
ip6tables -I FORWARD -p tcp udp -d 2409:8a55:30FF:FFFF::2--dport 1234 -j ACCEPT
ip6tables -I FORWARD -p tcp udp -s 2409:8a55:30FF:FFFF::2--sport 1234 -j ACCEPT

3. 2409:8a55:30XX:XXXX:211:32ff:fe86:2aa6；其实第一种和第二种应该是一个类型，只是不知道为什么突然尾缀的最后一段变动了，有大神知道的帮忙科普下。谢谢！
ip6tables -I FORWARD -p tcp udp -d 2409:8a55:30FF:FFFF:211:32ff:fe86:2aa6 --dport 1234 -j ACCEPT
ip6tables -I FORWARD -p tcp udp -s 2409:8a55:30FF:FFFF:211:32ff:fe86:2aa6 --sport 1234 -j ACCEPT


另，大家应该应该看出来了，这是移动的网络，IPv4公网无望，但是还请大神帮写下iptables 开放1234端口，TCP，UDP协议的出站和入栈，假设群晖IPv4的地址是192.168.0.2

另2，360 v6 telnet进去了，cd /etc/config/，是显示的是/tmp/etc/config/， 那么这样写的IPv6防火墙规则，重启是否失效了？

谢谢，折腾好几天了。

av***

1. 2409:8a55:30XX:XXXX::114
2. 2409:8a55:30XX:XXXX::2
说明NAS用的DHCPV6方式分发的地址，对应V4的LANIP应该是XXX.XXX.XXX.114和XXX.XXX.XXX.2，一般默认不改设置，V6的地址最后面16位和V4局域网最后的IP对应
3. 2409:8a55:30XX:XXXX:211:32ff:fe86:2aa6
ff:fe的标志说明你把NASV6分配设置了EUI64/privacy off的选项，这样V6地址是根据NAS网卡生成的，后64位不会变动
如果有ttl，看看

1. cat /etc/config/firewall

复制代码

有没有结果，有的话说不定可以直接套用openwrt的防火墙规则

once3***

avin4 发表于 2022-8-23 14:29
1. 2409:8a55:30XX:XXXX::114
2. 2409:8a55:30XX:XXXX::2
说明NAS用的DHCPV6方式分发的地址，对应V4的LAN ...

1. cat /etc/config/firewall
   
2. 
   
3. config defaults
   
4. option syn_flood '1'
   
5. option input 'ACCEPT'
   
6. option output 'ACCEPT'
   
7. option forward 'REJECT'
   
8. option disabled '0'
   
9. 
   
10. config zone
    
11. option name 'lan'
    
12. list network 'lan'
    
13. option input 'ACCEPT'
    
14. option output 'ACCEPT'
    
15. option forward 'ACCEPT'
    
16. 
    
17. config zone
    
18. option name 'wan'
    
19. list network 'wan'
    
20. list network 'wan6'
    
21. option input 'REJECT'
    
22. option output 'ACCEPT'
    
23. option forward 'REJECT'
    
24. option masq '1'
    
25. option mtu_fix '1'
    
26. 
    
27. config forwarding
    
28. option src 'lan'
    
29. option dest 'wan'
    
30. 
    
31. config rule
    
32. option name 'Allow-DHCP-Renew'
    
33. option src 'wan'
    
34. option proto 'udp'
    
35. option dest_port '68'
    
36. option target 'ACCEPT'
    
37. option family 'ipv4'
    
38. 
    
39. config rule
    
40. option name 'Allow-Ping'
    
41. option src 'wan'
    
42. option proto 'icmp'
    
43. option icmp_type 'echo-request'
    
44. option family 'ipv4'
    
45. option target 'DROP'
    
46. 
    
47. config rule
    
48. option name 'Allow-IGMP'
    
49. option src 'wan'
    
50. option proto 'igmp'
    
51. option family 'ipv4'
    
52. option target 'ACCEPT'
    
53. 
    
54. config rule
    
55. option name 'Allow-DHCPv6'
    
56. option src 'wan'
    
57. option proto 'udp'
    
58. option src_ip 'fe80::/10'
    
59. option src_port '547'
    
60. option dest_ip 'fe80::/10'
    
61. option dest_port '546'
    
62. option family 'ipv6'
    
63. option target 'ACCEPT'
    
64. 
    
65. config rule
    
66. option name 'Allow-MLD'
    
67. option src 'wan'
    
68. option proto 'icmp'
    
69. option src_ip 'fe80::/10'
    
70. list icmp_type '130/0'
    
71. list icmp_type '131/0'
    
72. list icmp_type '132/0'
    
73. list icmp_type '143/0'
    
74. option family 'ipv6'
    
75. option target 'ACCEPT'
    
76. 
    
77. config rule
    
78. option name 'Allow-ICMPv6-Input'
    
79. option src 'wan'
    
80. option proto 'icmp'
    
81. list icmp_type 'echo-request'
    
82. list icmp_type 'echo-reply'
    
83. list icmp_type 'destination-unreachable'
    
84. list icmp_type 'packet-too-big'
    
85. list icmp_type 'time-exceeded'
    
86. list icmp_type 'bad-header'
    
87. list icmp_type 'unknown-header-type'
    
88. list icmp_type 'router-solicitation'
    
89. list icmp_type 'neighbour-solicitation'
    
90. list icmp_type 'router-advertisement'
    
91. list icmp_type 'neighbour-advertisement'
    
92. option limit '1000/sec'
    
93. option family 'ipv6'
    
94. option target 'ACCEPT'
    
95. 
    
96. config rule
    
97. option name 'Allow-ICMPv6-Forward'
    
98. option src 'wan'
    
99. option dest '*'
    
100. option proto 'icmp'
     
101. list icmp_type 'echo-request'
     
102. list icmp_type 'echo-reply'
     
103. list icmp_type 'destination-unreachable'
     
104. list icmp_type 'packet-too-big'
     
105. list icmp_type 'time-exceeded'
     
106. list icmp_type 'bad-header'
     
107. list icmp_type 'unknown-header-type'
     
108. option limit '1000/sec'
     
109. option family 'ipv6'
     
110. option target 'ACCEPT'
     
111. 
     
112. config include
     
113. option path '/etc/firewall.user'
     
114. 
     
115. config rule
     
116. option src 'wan'
     
117. option dest 'lan'
     
118. option proto 'esp'
     
119. option target 'ACCEPT'
     
120. 
     
121. config rule
     
122. option src 'wan'
     
123. option dest 'lan'
     
124. option dest_port '500'
     
125. option proto 'udp'
     
126. option target 'ACCEPT'
     
127. 
     
128. config include 'map'
     
129. option type 'script'
     
130. option path '/etc/firewall.d/map_firewall'
     
131. option family 'any'
     
132. option reload '1'
     
133. 
     
134. config include 'qiot_speedtest'
     
135. option type 'script'
     
136. option path '/etc/firewall.d/qiot_speedtest'
     
137. 
     
138. config include 'miniupnpd'
     
139. option type 'script'
     
140. option path '/usr/share/miniupnpd/firewall.include'
     
141. option family 'any'
     
142. option reload '1'
     
143. 
     
144. config include 'qcanssecm'
     
145. option type 'script'
     
146. option path '/etc/firewall.d/qca-nss-ecm'
     
147. option family 'any'
     
148. option reload '1'
     

复制代码

多谢提醒，我觉得这里可以做点工作：

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

另，又发现个奇怪的问题，因为360 v6没有静态DHCP地址（反而360 V5M有，主要想固定IPv6地址，进而好固定IPv6掩码，如上述的2409:8a55:30XX:XXXX::2）。想通过命令行DHCP添加，但是添加static lease会导致下述两个客户端分不到IPv4地址（在169.254.x.x和192.168.0.x间反复跳，应该是哪里冲突了），添加代码如下：

1. vi /etc/config/dhcp
   
2. 
   
3. # Static Dhcp for DS218j
   
4. config host
   
5.         option name 'DS218j'
   
6.         option ip '192.168.0.2'
   
7.         option mac '00:11:32:86:XX:XX'
   
8.         
   
9. # Static Dhcp for HP Printer
   
10. config host
    
11.         option name 'HPLASERMFP136WM'
    
12.         option ip '192.168.0.3'
    
13.         option mac 'B0:22:7A:59:XX:XX'
    
14.         

复制代码

默认DHCP配置如下：

1. cat /etc/config/dhcp
   
2. config dnsmasq
   
3.         option domainneeded '1'
   
4.         option boguspriv '1'
   
5.         option filterwin2k '0'
   
6.         option localise_queries '1'
   
7.         option rebind_localhost '1'
   
8.         option local '/lan/'
   
9.         option domain 'lan'
   
10.         option expandhosts '1'
    
11.         option nonegcache '0'
    
12.         option authoritative '1'
    
13.         option readethers '1'
    
14.         option leasefile '/tmp/dhcp.leases'
    
15.         option resolvfile '/tmp/resolv.conf.auto'
    
16.         option localservice '1'
    
17.         option rebind_protection '0'
    
18. 
    
19. config dhcp 'lan'
    
20.         option interface 'lan'
    
21.         option leasetime '12h'
    
22.         option force '1'
    
23.         option dhcpv6 'server'
    
24.         option ra 'server'
    
25.         list dhcp_option '224,360MESH'
    
26.         option start '2'
    
27.         option limit '253'
    
28. 
    
29. config dhcp 'wan'
    
30.         option interface 'wan'
    
31.         option ignore '1'
    
32. 
    
33. config odhcpd 'odhcpd'
    
34.         option maindhcp '0'
    
35.         option leasefile '/tmp/hosts/odhcpd'
    
36.         option leasetrigger '/usr/sbin/odhcpd-update'

复制代码

once3***

avin4 发表于 2022-8-23 14:29
1. 2409:8a55:30XX:XXXX::114
2. 2409:8a55:30XX:XXXX::2
说明NAS用的DHCPV6方式分发的地址，对应V4的LAN ...

cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
       option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option rebind_protection '0'



option readethers '1' 这是不是暗示我可以通过/etc/ethers来指定ARP的同时，也指定静态DHCP？
还是，我要找到这个临时option leasefile '/tmp/dhcp.leases'，对应的DHCP文件？？

once3***

avin4 发表于 2022-8-23 14:29
1. 2409:8a55:30XX:XXXX::114
2. 2409:8a55:30XX:XXXX::2
说明NAS用的DHCPV6方式分发的地址，对应V4的LAN ...

编辑了下，要审核了

用这个吧：

1. cat /etc/config/firewall
   
2. 
   
3. config defaults
   
4.         option syn_flood '1'
   
5.         option input 'ACCEPT'
   
6.         option output 'ACCEPT'
   
7.         option forward 'REJECT'
   
8.         option disabled '0'
   
9. 
   
10. config zone
    
11.         option name 'lan'
    
12.         list network 'lan'
    
13.         option input 'ACCEPT'
    
14.         option output 'ACCEPT'
    
15.         option forward 'ACCEPT'
    
16. 
    
17. config zone
    
18.         option name 'wan'
    
19.         list network 'wan'
    
20.         list network 'wan6'
    
21.         option input 'REJECT'
    
22.         option output 'ACCEPT'
    
23.         option forward 'REJECT'
    
24.         option masq '1'
    
25.         option mtu_fix '1'
    
26. 
    
27. config forwarding
    
28.         option src 'lan'
    
29.         option dest 'wan'
    
30. 
    
31. config rule
    
32.         option name 'Allow-DHCP-Renew'
    
33.         option src 'wan'
    
34.         option proto 'udp'
    
35.         option dest_port '68'
    
36.         option target 'ACCEPT'
    
37.         option family 'ipv4'
    
38. 
    
39. config rule
    
40.         option name 'Allow-Ping'
    
41.         option src 'wan'
    
42.         option proto 'icmp'
    
43.         option icmp_type 'echo-request'
    
44.         option family 'ipv4'
    
45.         option target 'DROP'
    
46. 
    
47. config rule
    
48.         option name 'Allow-IGMP'
    
49.         option src 'wan'
    
50.         option proto 'igmp'
    
51.         option family 'ipv4'
    
52.         option target 'ACCEPT'
    
53. 
    
54. config rule
    
55.         option name 'Allow-DHCPv6'
    
56.         option src 'wan'
    
57.         option proto 'udp'
    
58.         option src_ip 'fe80::/10'
    
59.         option src_port '547'
    
60.         option dest_ip 'fe80::/10'
    
61.         option dest_port '546'
    
62.         option family 'ipv6'
    
63.         option target 'ACCEPT'
    
64. 
    
65. config rule
    
66.         option name 'Allow-MLD'
    
67.         option src 'wan'
    
68.         option proto 'icmp'
    
69.         option src_ip 'fe80::/10'
    
70.         list icmp_type '130/0'
    
71.         list icmp_type '131/0'
    
72.         list icmp_type '132/0'
    
73.         list icmp_type '143/0'
    
74.         option family 'ipv6'
    
75.         option target 'ACCEPT'
    
76. 
    
77. config rule
    
78.         option name 'Allow-ICMPv6-Input'
    
79.         option src 'wan'
    
80.         option proto 'icmp'
    
81.         list icmp_type 'echo-request'
    
82.         list icmp_type 'echo-reply'
    
83.         list icmp_type 'destination-unreachable'
    
84.         list icmp_type 'packet-too-big'
    
85.         list icmp_type 'time-exceeded'
    
86.         list icmp_type 'bad-header'
    
87.         list icmp_type 'unknown-header-type'
    
88.         list icmp_type 'router-solicitation'
    
89.         list icmp_type 'neighbour-solicitation'
    
90.         list icmp_type 'router-advertisement'
    
91.         list icmp_type 'neighbour-advertisement'
    
92.         option limit '1000/sec'
    
93.         option family 'ipv6'
    
94.         option target 'ACCEPT'
    
95. 
    
96. config rule
    
97.         option name 'Allow-ICMPv6-Forward'
    
98.         option src 'wan'
    
99.         option dest '*'
    
100.         option proto 'icmp'
     
101.         list icmp_type 'echo-request'
     
102.         list icmp_type 'echo-reply'
     
103.         list icmp_type 'destination-unreachable'
     
104.         list icmp_type 'packet-too-big'
     
105.         list icmp_type 'time-exceeded'
     
106.         list icmp_type 'bad-header'
     
107.         list icmp_type 'unknown-header-type'
     
108.         option limit '1000/sec'
     
109.         option family 'ipv6'
     
110.         option target 'ACCEPT'
     
111. 
     
112. config include
     
113.         option path '/etc/firewall.user'
     
114. 
     
115. config rule
     
116.         option src 'wan'
     
117.         option dest 'lan'
     
118.         option proto 'esp'
     
119.         option target 'ACCEPT'
     
120. 
     
121. config rule
     
122.         option src 'wan'
     
123.         option dest 'lan'
     
124.         option dest_port '500'
     
125.         option proto 'udp'
     
126.         option target 'ACCEPT'
     
127. 
     
128. config include 'map'
     
129.         option type 'script'
     
130.         option path '/etc/firewall.d/map_firewall'
     
131.         option family 'any'
     
132.         option reload '1'
     
133. 
     
134. config include 'qiot_speedtest'
     
135.         option type 'script'
     
136.         option path '/etc/firewall.d/qiot_speedtest'
     
137. 
     
138. config include 'miniupnpd'
     
139.         option type 'script'
     
140.         option path '/usr/share/miniupnpd/firewall.include'
     
141.         option family 'any'
     
142.         option reload '1'
     
143. 
     
144. config include 'qcanssecm'
     
145.         option type 'script'
     
146.         option path '/etc/firewall.d/qca-nss-ecm'
     
147.         option family 'any'
     
148.         option reload '1'

复制代码

once3***

avin4 发表于 2022-8-23 14:29
1. 2409:8a55:30XX:XXXX::114
2. 2409:8a55:30XX:XXXX::2
说明NAS用的DHCPV6方式分发的地址，对应V4的LAN ...

另，向/etc/config/dhcp添加：

1. # Static Dhcp for DS218j
   
2. config host
   
3.         option name 'DS218j'
   
4.         option ip '192.168.0.2'
   
5.         option mac '00:11:32:86:XX:XX'
   
6.         
   
7. # Static Dhcp for HP Printer
   
8. config host
   
9.         option name 'HPLASERMFP136WM'
   
10.         option ip '192.168.0.3'
    
11.         option mac 'B0:22:7A:59:XX:XX'
    
12.         

复制代码

会导致上述两个设备IP在192.168.0.x和169.254.x.x间跳，应该是哪里冲突了

1. cat /etc/config/dhcp
   
2. config dnsmasq
   
3.         option domainneeded '1'
   
4.         option boguspriv '1'
   
5.         option filterwin2k '0'
   
6.         option localise_queries '1'
   
7.         option rebind_localhost '1'
   
8.         option local '/lan/'
   
9.         option domain 'lan'
   
10.         option expandhosts '1'
    
11.         option nonegcache '0'
    
12.         option authoritative '1'
    
13.         option readethers '1'
    
14.         option leasefile '/tmp/dhcp.leases'
    
15.         option resolvfile '/tmp/resolv.conf.auto'
    
16.         option localservice '1'
    
17.         option rebind_protection '0'
    
18. 
    
19. config dhcp 'lan'
    
20.         option interface 'lan'
    
21.         option leasetime '12h'
    
22.         option force '1'
    
23.         option dhcpv6 'server'
    
24.         option ra 'server'
    
25.         list dhcp_option '224,360MESH'
    
26.         option start '2'
    
27.         option limit '253'
    
28. 
    
29. config dhcp 'wan'
    
30.         option interface 'wan'
    
31.         option ignore '1'
    
32. 
    
33. config odhcpd 'odhcpd'
    
34.         option maindhcp '0'
    
35.         option leasefile '/tmp/hosts/odhcpd'
    
36.         option leasetrigger '/usr/sbin/odhcpd-update'

复制代码

av***

问题一个一个来，先解决防火墙，固定IP分配后面再说，为排除问题先把你固定IP的段落删了重启dnsmasq

看起来基本的防火墙规则有的，V4的NAT转发好搞定但你是移动，也不用再理会NAT了，直接搞V6,把下面的加入你的防火墙，意思是开放V6 地址后64位为::211:32ff:fe86:2aa6设备的TCP 38000端口给外网，

1. config rule
   
2.         option target 'ACCEPT'
   
3.         option name 'NAS'
   
4.         option dest_port '38000'
   
5.         list proto 'tcp'
   
6.         option dest 'lan'
   
7.         option src 'wan'
   
8.         list dest_ip '::211:32ff:fe86:2aa6/::ffff:ffff:ffff:ffff'

复制代码

然后假设你在NAS上38000架设了HTTP服务器，你用ISP分配的前缀补齐前64位，用手机网络访问这个V6地址，格式是

1. http://[aaaa:bbbb:cccc:dddd:211:32ff:fe86:2aa6]:38000

复制代码

只要可以访问就开放成功了，这是动态掩码规则，只要保证你的NAS开了EUI64/privacy off，后64位地址不变，就算移动分配的V6前缀变了，防火墙规则依然有效。

具体端口和TCP/UDP你自己改，记得不要碰默认的80 443 8080，ISP肯定是封掉的

once3***

avin4 发表于 2022-8-24 10:19
问题一个一个来，先解决防火墙，固定IP分配后面再说，为排除问题先把你固定IP的段落删了重启dnsmasq

看 ...

感谢回复！

1. DHCP静态地址绑定昨晚发现问题后已经删除了，等防火墙搞定后，再慢慢研究

2. 语法上是“list proto 'tcp'”，还是“option proto 'tcp'”？
A. src_port：Match incoming traffic from the specified source port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’
对于port是可以一个规则，多个port，所以可以写成：

1. option dest_port '5000 5001 7000 7001 8000 8001 10002 10003'

复制代码

B. proto：Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
对proto，对个协议只能用一个一个list，所以要写成：

1. list proto 'tcp'
   
2. list proto 'udp'

复制代码

而不可以写成：

1. option proto 'tcp udp'

复制代码

我的理解对么？


以下是我准备放进/etc/config/firewall

1. config rule
   
2.         option name 'Synology Http(s), FS Web, DS Web, Drive Web'
   
3.         option target 'ACCEPT'
   
4.         option dest_port '5000 5001 7000 7001 8000 8001 10002 10003'
   
5.         list proto 'tcp'
   
6.         option dest 'lan'
   
7.         option src 'wan'
   
8.         list dest_ip '::211:32ff:fe86:2aa6/::ffff:ffff:ffff:ffff'
   
9. 
   
10. config rule
    
11.         option name 'Synology Cloud Station'
    
12.         option target 'ACCEPT'
    
13.         option dest_port '6690'
    
14.         list proto 'tcp'
    
15.         option dest 'lan'
    
16.         option src 'wan'
    
17.         list dest_ip '::211:32ff:fe86:2aa6/::ffff:ffff:ffff:ffff'
    
18. 
    
19. 
    
20. config rule
    
21.         option name 'Synology Download Station'
    
22.         option target 'ACCEPT'
    
23.         option dest_port '13001 13002'
    
24.         list proto 'tcp'

复制代码

感谢指教！！！！

once3***

反馈，按8#语句写好了，telnet反馈如下：

1. * Rule 'Synology Http(s), FS Web, DS Web, Drive Web'
   
2.      ! Skipping due to different family of ip address
   
3.      ! Skipping due to different family of ip address
   
4.      ! Skipping due to different family of ip address
   
5.      ! Skipping due to different family of ip address
   
6.      ! Skipping due to different family of ip address
   
7.      ! Skipping due to different family of ip address
   
8.      ! Skipping due to different family of ip address
   
9.      ! Skipping due to different family of ip address
   
10.    * Rule 'Synology Cloud Station'
    
11.      ! Skipping due to different family of ip address
    
12.    * Rule 'Synology Download Station'
    
13.      ! Skipping due to different family of ip address
    
14.      ! Skipping due to different family of ip address
    
15.      ! Skipping due to different family of ip address
    
16.      ! Skipping due to different family of ip address
    

复制代码

once3***

avin4 发表于 2022-8-24 10:19
问题一个一个来，先解决防火墙，固定IP分配后面再说，为排除问题先把你固定IP的段落删了重启dnsmasq

看 ...

反馈，按8#语句写好了，telnet反馈如下：

1. * Rule 'Synology Http(s), FS Web, DS Web, Drive Web'
   
2.      ! Skipping due to different family of ip address
   
3.      ! Skipping due to different family of ip address
   
4.      ! Skipping due to different family of ip address
   
5.      ! Skipping due to different family of ip address
   
6.      ! Skipping due to different family of ip address
   
7.      ! Skipping due to different family of ip address
   
8.      ! Skipping due to different family of ip address
   
9.      ! Skipping due to different family of ip address
   
10.    * Rule 'Synology Cloud Station'
    
11.      ! Skipping due to different family of ip address
    
12.    * Rule 'Synology Download Station'
    
13.      ! Skipping due to different family of ip address
    
14.      ! Skipping due to different family of ip address
    
15.      ! Skipping due to different family of ip address
    
16.      ! Skipping due to different family of ip address
    

复制代码

每条规则都添加 option family 'ipv6' 后，/etc/init.d/firewall restart 反馈正常了。


用手机关掉wifi，用移动5G，访问http://[aaaa:bbbb:cccc:dddd:211:32ff:fe86:2aa6]:5000，群晖Http管理端口正常了，其他端口应该可以了。

非常感谢。还请指导A. IPv4 DHCP静态地址，B. 为“2409:8a55:30XX:XXXX::2”这样的地址配置掩码规则

once3***

avin4 发表于 2022-8-24 10:19
问题一个一个来，先解决防火墙，固定IP分配后面再说，为排除问题先把你固定IP的段落删了重启dnsmasq

看 ...

再反馈，IPv4的DNAT，IPv6的Forward都搞定了

目前还差IPv4地址静态绑定了，/etc/config/DHCP如下:

1. config dnsmasq
   
2.         option domainneeded '1'
   
3.         option boguspriv '1'
   
4.         option filterwin2k '0'
   
5.         option localise_queries '1'
   
6.         option rebind_localhost '1'
   
7.         option local '/lan/'
   
8.         option domain 'lan'
   
9.         option expandhosts '1'
   
10.         option nonegcache '0'
    
11.         option authoritative '1'
    
12.         option readethers '1'
    
13.         option leasefile '/tmp/dhcp.leases'
    
14.         option resolvfile '/tmp/resolv.conf.auto'
    
15.         option localservice '1'
    
16.         option rebind_protection '0'
    
17. 
    
18. config dhcp 'lan'
    
19.         option interface 'lan'
    
20.         option leasetime '12h'
    
21.         option force '1'
    
22.         option dhcpv6 'server'
    
23.         option ra 'server'
    
24.         list dhcp_option '224,360MESH'
    
25.         option start '2'
    
26.         option limit '253'
    
27. 
    
28. config dhcp 'wan'
    
29.         option interface 'wan'
    
30.         option ignore '1'
    
31. 
    
32. config odhcpd 'odhcpd'
    
33.         option maindhcp '0'
    
34.         option leasefile '/tmp/hosts/odhcpd'
    
35.         option leasetrigger '/usr/sbin/odhcpd-update'
    

复制代码

目前是只要贴上

config host
        option mac '00:11:XX:XX:XX:XX'
        option name 'DS218j'
        option ip '192.168.0.2'


再/etc/init.d/dnsmasq reload，路由的DHCP就崩溃了

av***

openwrt firewall3 options 语法规则可以自己查阅官方wiki
Firewall configuration /etc/config/firewall

端口不能并列枚举，只能单个或者端口段，例如18000-18050这种
2409:8a55:30XX:XXXX::2 地址动态掩码类似啊，

1. ::2/::ffff:ffff:ffff:ffff

复制代码

前提是"::2"部分不变动，这个分配要求不是在server端，是在client端设置的，就是你想NAS固定V6地址后64位，要在NAS的eth0或对应网口设置EUI64选项。同样详见官方wiki，其实很多东西都有的，只是是英文要自己琢磨：
IPv6 configuration-ip6ifaceid

once3***

avin4 发表于 2022-8-24 20:30
openwrt firewall3 options 语法规则可以自己查阅官方wiki
Firewall configuration /etc/config/firewall
...

非常感谢你的全程帮助。

IPv4静态分配也搞定了，/etc/ethers不行，/etc/config/dhcp加“host”字段不行，但是/etc/dnsmasq.conf下加dhcp-host可以。

1. # Always allocate the host with Ethernet address 11:22:33:44:55:66
   
2. # The IP address 192.168.0.60
   
3. #dhcp-host=11:22:33:44:55:66,192.168.0.60

复制代码

回头我把这个配置过程和要点编辑在第一页，方便其他人。

再次致谢！

av***

国内很多厂商都是拿古老的openwrt魔改做固件，但是自己加了私货，所以配置没法照搬也是正常的
op本身也引入了很多诸如dnsmaq这样的外部程序，/etc/config本身就不支持全部参数，所以保留了/etc/dnsmasq.conf
不过你这个静态分配应该不是op的锅，是360的问题

once3***

avin4 发表于 2022-8-24 21:33
国内很多厂商都是拿古老的openwrt魔改做固件，但是自己加了私货，所以配置没法照搬也是正常的
op本身也引 ...

也玩过OP好几年，第一反应就是在/etc/config/dhcp加“host”，结果不行…… 最终在Github的dnsmasq.conf.sample中找到了灵感



config rule
        option name 'Synology Web IPv6'
        option family 'ipv6'
        list proto 'tcp'
        option target 'ACCEPT'
        option src 'wan'
        option dest 'lan'        
        list dest_ip '::211:32ff:fe86:2aa6/::ffff:ffff:ffff:ffff'
        option dest_port '5000 5001 7000 7001 8000 8001 10002 10003'   


摘自官方手册：  
if relevant proto is specified. Multiple ports can be specified like '80 443 465'

所以 list proto 'tcp' 后 option dest_port '5000 5001 7000 7001 8000 8001 10002 10003'    这样行不行？