IPv6 traffic forwarding problem: connection hangs if external and internal port are different

[i0ntempest]

Router Model Affected
Models: TUF-AX3000

Firmware Version Affected
3004.388.8_4-gnuton1_tuf

Is this bug present in upstream Merlin releases too?
Not tested

Describe the bug
I'm not sure if this is a configuration error, but I'll ask anyways.
When IPv6 firewall is disabled (or specified port opened) and a forwarding is setup with ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 38443 -j DNAT --to-destination [fd00:d:e:f::e123]:38443, everything works. but if I attempt to forward a port to a different external port, then the connection would only work for 2 seconds before hanging.
And yes I know I could connect directly using the node's public v6 address, but I choose to do forwarding for reasons.

To Reproduce
Steps to reproduce the behavior:

1. Disable IPv6 firewall
2. Have a node with SSH running
3. Setup forwarding like this: `ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2222 -j DNAT --to-destination [fd00:d:e:f::e123]:22", that is forwarding external 2222 to internal 22
4. Try to connect from the outside. It will initially connect, but no command can be typed until eventually the connection times out.

Expected behavior
The connection works

Screenshots
N/A

[MNLierman]

IP6Tables isn't meant to redirect ports like this. The capabilities are there, but what you're not understanding is that when the NAT occurs, it changes the IP address of the source port to that of your firewall/router. The client sees a different port and a different IP – it can't communicate if both change. The connection stays established if the port doesn't change.

This is a really complicated setup you're trying to create. I would suggest something simpler, such as enabling the IPv6 firewall, and opening a random port like 58392. You could even do port knocking where you have to first open up the firewall by pinging a port which ConnTrack catches, drops, allows the source IP, and then the second port is opened. You could also use something like tailscale or wireguard – both of which are free. Wire guard is included with AsusWrt.

If you have secure systems in place and a completely random port, you're not going to have any trouble. All of my systems have fully routable IPv6 addresses, publicly accessable, with memorable names like 2006:19d:7d:87:c0de::77. I have strong passwords and several of the systems where I have ssh enabled public facing, I required username, private key, and then additional authentication, which is just set as a text password. It's not very difficult to setup good security, and the private keys are automatically handed to my ssh terminals using paegent – I just have drop them in after a reboot. Changing ports is not going to provide you with great security.

Additionally, port 2222 is probably the # 3 guessed port after 22, I would avoid using ports like that and pick a system of numbers you like. It will prevent your network from being hammered. Once they see there is a ssh server on 2222, the forwarding part doesn't matter, they will start hammering that port with random guesses all day and night.