Add missing firewall rule when setting up the 6to4 WAN interface
When a 6to4 WAN interface is configured, the tunnel works only in the LAN -> WAN direction, not in the opposite one. The WAN -> LAN direction starts working only after some traffic has been initiated from LAN to WAN.
This is caused by a missing firewall rule on the router: tunnel traffic initiated from the Internet is dropped there. If you initiate IPv6 communication from the LAN side, the IPv6 traffic gets encapsulated in IPv4 packets, which creates a record in the IPv4 conntrack table, and the tunnel then works in both directions until that conntrack record expires.
How to mitigate the problem
6to4 connectivity
There needs to be a firewall rule allowing IP protocol 41 (IPv6 encapsulated in IPv4) with the source address 192.88.99.1 to reach the router itself.
The IP address 192.88.99.1 is the well-known address reserved for 6to4 relays.
Example of a 6to4 tunnel
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='6to4'
Related firewall rule
firewall.turris_wan_6to4_rule=rule
firewall.turris_wan_6to4_rule.proto='ipv6'
firewall.turris_wan_6to4_rule.name='6to4 tunnel'
firewall.turris_wan_6to4_rule.src_ip='192.88.99.1'
firewall.turris_wan_6to4_rule.target='ACCEPT'
firewall.turris_wan_6to4_rule.src='wan'
When the tunnel is deconfigured, the related firewall rule should be removed as well.
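The add/remove procedure above, written as a small shell helper (an added example, not code from the Turris project or the original page). It assumes an OpenWrt-style system with the uci tool; the section name turris_wan_6to4_rule and the values are the ones shown on the page, and UCI_BIN is a hypothetical variable so the same functions can be pointed at a wrapper for dry runs:

```shell
#!/bin/sh
# Added example (not from the page): manage the 6to4 firewall rule with UCI.
# Assumptions: OpenWrt/Turris with the uci tool; section name and values taken
# from the page. UCI_BIN (hypothetical) may point at a wrapper or stub.
: "${UCI_BIN:=uci}"
RULE=turris_wan_6to4_rule   # section name used on the page
RELAY=192.88.99.1           # well-known 6to4 relay address

# Create the rule that lets IP protocol 41 ("ipv6" in /etc/protocols)
# from the relay reach the router itself via the wan zone.
add_6to4_rule() {
  "$UCI_BIN" set "firewall.$RULE=rule"
  "$UCI_BIN" set "firewall.$RULE.name=6to4 tunnel"
  "$UCI_BIN" set "firewall.$RULE.src=wan"
  "$UCI_BIN" set "firewall.$RULE.proto=ipv6"
  "$UCI_BIN" set "firewall.$RULE.src_ip=$RELAY"
  "$UCI_BIN" set "firewall.$RULE.target=ACCEPT"
  "$UCI_BIN" commit firewall
}

# Drop the rule again when the 6to4 interface is deconfigured.
remove_6to4_rule() {
  "$UCI_BIN" -q delete "firewall.$RULE"
  "$UCI_BIN" commit firewall
}

# Returns 0 when the rule is present with the expected relay source address.
rule_present() {
  [ "$("$UCI_BIN" -q get "firewall.$RULE.src_ip" 2>/dev/null)" = "$RELAY" ]
}

# Command-line dispatch: ./6to4-rule.sh add | remove | check
case "${1:-}" in
  add)    add_6to4_rule ;;
  remove) remove_6to4_rule ;;
  check)  if rule_present; then echo "6to4 rule present"; else echo "6to4 rule missing"; fi ;;
esac
```

After `add`, restart the firewall (`/etc/init.d/firewall restart` on OpenWrt) so the committed rule is loaded; the `check` subcommand only inspects the UCI configuration, not the live packet filter.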