@@ -46,6 +46,13 @@ config rule
option family ipv4
option target ACCEPT
+config rule
+ option name Allow-IGMP
+ option src wan
+ option proto igmp
+ option family ipv4
+ option target ACCEPT
+
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
@@ -59,6 +66,18 @@ config rule
option family ipv6
option target ACCEPT
+config rule
+ option name Allow-MLD
+ option src wan
+ option proto icmp
+ option src_ip fe80::/10
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family ipv6
+ option target ACCEPT
+
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
The WAN port should at least respond to IGMP and MLD queries as otherwise a snooping bridge/switch might drop traffic. RFC4890 recommends to leave IGMP and MLD unfiltered as they are always link-scoped anyways. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> --- v2 of "[PATCH] firewall: Allow MLD input on WAN": * Allow IGMP too * Added note about RFC4890 .../network/config/firewall/files/firewall.config | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)