I have a Salt box that is configured in DS-lite apparently (static IPv6 but no routable IPv4, only a local v4 provided by Salt's carrier-grade NAT). All my devices thus have a routable IPv6 address. I own a NAS and I can access it from the outside using its IPv6 address when the necessary ports are open in the IPv6 firewall of the Salt box.
In order to perform backups to my NAS from my laptop when I am not at home, I need to open port 6281. When I go into the webUI of the Salt box, there is an "IPv6" tab containing 2 sections: "Firewall" and "Access Control". Unfortunately, the firewall section is really odd since it doesn't allow the user to open specific ports. Using check-boxes, I can only choose among predefined sets of ports that I could open. Or the last check-box is "all other ports" in order to open all ports but the predefined ones. Again, this is very strange to me and the solution that the developers chose to implement doesn't make any sense to me... Anyways, when I turn off the firewall (or open "all other ports"), then I can reach my NAS without any issue. The problem is that these ports are now open to the outside FOR ALL MY DEVICES and there is thus a big risk, security-wise.
I don't understand exactly what the second section ("Access Control") does. It looks like it gives the opportunity to open/block a given port (or a given range of ports) for a given IPv6 address by creating custom rules. However, if I create a rule to open port 6281 for the IPv6 of my NAS and then turn the firewall back on, it doesn't work (my NAS isn't reachable).
Does anyone understand what exactly the "Access Control" section is for?
I couldn't find online any documentation or detailed user manual for the Salt box. If there is one, please provide a link to it.
But as I said, as soon as the ports are closed in the IPv6 firewall, it seems that whatever rule I may create in Access Control in order to open them for a given IPv6 address is ineffective. The target remains unreachable.
Yeah, I know I'm looking all over the place for a way to open this port I need (and not ALL of them, to every downstream device).
About that blog you referred to. I wish I could somehow contact that "Cate" user that seems to know a whole lot more than me about how that Salt box router works.
So basically, we cannot select which port to open for IPv6 and we cannot use a third party router to manage our LAN: this also only works on IPv4 boxes but not on DS-lite (aka IPv6) boxes.
Yeah, got the same response. I know Salt is not Free, but can't they share the love? I remember the Freebox had lots of cool features (BitTorrent, NAS...)
Found today how this panel works. I am writing on this very old post, as it may still help someone later.
Let's say you want to open all SSH traffic to a particular host, let's say XX:XX:XX:XX:11::11, from outside. For example, you have a (pretty secure) SSH server running on that host with a static IP address.
Then what you would do, is to add a new rule.
Leave the source IPv6 empty (any address can go through)
Set the destination address to XX:XX:XX:XX:11::11 (Salt gives you a /64 fixed prefix, so the first 64 bytes are found in your overview; the last 64 bits, you choose what you want)
Set the source port to empty; any source port is allowed.
Set the destination port to 22 (you only want ssh traffic, or your NAS traffic...)
Select TCP/UDP
Select IN line and choose accept
Do not select OUT
Now save the rule. This rule stands for "Any traffic from any IPv6 address from any source port who wants to contact XX:XX:XX:XX:11::11 on port 22 is allowed."
Adapt to your need.
If you make the mistake of also setting the source IPv6 to XX:XX:XX:XX:11::11 and the source port to 22, the rule would translate to
"Any traffic from XX:XX:XX:XX:11::11 to XX:XX:XX:XX:11::11 from source port 22 to destination port 22 is allowed." However, such a rule is useless: for sure XX:XX:XX:XX:11::11 will not go to the router to contact itself, and won't use port 22 as the source port to do so.
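To make the rule semantics described above concrete, here is an added Python model of the panel's matching logic (not Salt's code; the address 2001:db8:0:11::11 is a constructed stand-in for XX:XX:XX:XX:11::11) that evaluates both the recommended rule and the mistaken one against a constructed inbound SSH connection attempt.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed stand-in for the host XX:XX:XX:XX:11::11 in the post above.
NAS = "2001:db8:0:11::11"

@dataclass
class Rule:
    src_ip: Optional[str]    # None mirrors an empty field in the panel: "any"
    dst_ip: str
    src_port: Optional[int]  # None: any source port
    dst_port: int
    proto: str               # "TCP", "UDP" or "TCP/UDP" (both)
    direction: str           # "IN" (internet to LAN) or "OUT"
    action: str              # "accept" or "drop"

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    direction: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every filled-in rule field equals the packet's field."""
    same = lambda a, b: ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
    return (rule.direction == pkt.direction
            and rule.proto in ("TCP/UDP", pkt.proto)
            and (rule.src_ip is None or same(rule.src_ip, pkt.src_ip))
            and same(rule.dst_ip, pkt.dst_ip)
            and (rule.src_port is None or rule.src_port == pkt.src_port)
            and rule.dst_port == pkt.dst_port)

def decide(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; with the firewall on, unmatched traffic is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# The rule the post recommends: any source, any source port, to NAS:22, IN, accept.
GOOD_RULE = Rule(None, NAS, None, 22, "TCP/UDP", "IN", "accept")
# The mistaken rule: source address and source port also set to the NAS and 22.
MISTAKEN_RULE = Rule(NAS, NAS, 22, 22, "TCP/UDP", "IN", "accept")
# Constructed inbound SSH attempt from an external client on an ephemeral port.
INBOUND_SSH = Packet("2001:db8:ffff::1", NAS, 51234, 22, "TCP", "IN")
# Same client aiming at another LAN host: the rule must not open that one too.
OTHER_HOST_SSH = Packet("2001:db8:ffff::1", "2001:db8:0:11::22", 51234, 22, "TCP", "IN")
```

The recommended rule accepts the external client's connection while leaving every other host and port dropped; the mistaken rule never matches a real client, since no client connects from the NAS's own address with source port 22.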
But to allow connections from outside with my domain, I have to create an additional rule in the DNS zone of the domain with the IP address of this site: http://v4-frontend.netiter.com/