Updates

services/firewall/rules.nft

@@ -7,6 +7,9 @@ define vpn_net = 10.0.0.0/24
 define lan_net = 192.168.2.0/24
 define self = 192.168.2.22
 
+# delegated prefix is 2a02:a45e:ce93::/48
+define lan_net6 = 2a02:a45e:ce93:0::/64
+
 define icmpv4_basic = {
   echo-reply, # type 0 / ping
   echo-request, # type 8 / ping
@@ -50,7 +53,7 @@ table inet firewall {
     type filter hook input priority 0; policy drop;
 
     ct state invalid drop                                 # early drop of invalid packets
-    ct state {established, related} accept                # allow established/related connections
+    ct state { established, related } accept                # allow established/related connections
 
     iif lo accept                                         # allow traffic from loopback interface
 
@@ -67,10 +70,13 @@ table inet firewall {
 
     # AdGuard admin access (8888) only from LAN and VPN
     ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
+    ip6 saddr $lan_net6 tcp dport 8888 accept
 
-    # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
-    ip saddr { $lan_net, $vpn_net}  udp dport { 53, 67, 68, 784 } accept
+    # Adguard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
+    ip saddr { $lan_net, $vpn_net} udp dport { 53, 67, 68, 784 } accept
     ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
+    ip6 saddr $lan_net6 udp dport { 53, 67, 68, 784 } accept
+    ip6 saddr $lan_net6 tcp dport { 53, 853 } accept
 
     # Rules for WAN interface only
     iifname $wan udp dport 51820 accept                   # Allow Wireguard incoming from WAN

services/firewall/update.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-ln -sf ./rules.nft /etc/nftables.d/firewall.nft
+ln -sf $(pwd)/rules.nft /etc/nftables.d/firewall.nft
 
 echo "Reloading firewall rules..."
 nft -f /etc/nftables.nft