
Why is a bypass soft router's IPv6 running naked (fully exposed)?

 1 year ago
source link: https://www.v2ex.com/t/875570



cloudsigma2022 · 2 hours 3 minutes ago · 270 views

As the title says. I saw this thread: https://v2ex.com/t/875489

I immediately went to a VPS and telnet'd to a port on the soft router, and sure enough it connects. The soft router currently runs kms, homeassistant, nodered and so on.

[root@ss-us ~]# telnet 2408:823c:815: 1688
Trying 2408:823c:815:...
Connected to 2408:823c:815.
Escape character is '^]'.

I checked the ONT's firewall setting: it was Medium; changing it to High made no difference.

Environment:

ONT model MA5671, the ONT does the dialing, IPv6 is obtained via SLAAC, and the bypass N1 is connected to an ONT LAN port as a plain LAN device.

ip6tables-save output:

WAP(Dopra Linux) # ip6tables-save
# Generated by ip6tables-save v1.4.21 on Fri Aug 26 13:07:38 2022
*mangle
:PREROUTING ACCEPT [496484:52300948]
:INPUT ACCEPT [438743:40610139]
:FORWARD ACCEPT [37366:5523943]
:OUTPUT ACCEPT [446646:39067918]
:POSTROUTING ACCEPT [484012:44591861]
:POST_MODECONTROL - [0:0]
:PRE_MODECONTROL - [0:0]
-A PREROUTING -j PRE_MODECONTROL
-A PREROUTING -i br+ -m mark --mark 0x102001 -j DROP
-A POSTROUTING -j POST_MODECONTROL
COMMIT
# Completed on Fri Aug 26 13:07:38 2022
# Generated by ip6tables-save v1.4.21 on Fri Aug 26 13:07:38 2022
*filter
:INPUT ACCEPT [2009:345878]
:FORWARD ACCEPT [37366:5523943]
:OUTPUT ACCEPT [446618:39065502]
:FWD_FIREWALL - [0:0]
:FWD_FIREWALL_CUST - [0:0]
:FWD_IPFLT - [0:0]
:FWD_IPFLT_DEFAULT - [0:0]
:FWD_PORTMAP - [0:0]
:FWD_PROTOCOL_FLT - [0:0]
:FWD_REJECT - [0:0]
:FWD_SERVICE - [0:0]
:FWD_WANUPDOWN - [0:0]
:INPUT_ACL - [0:0]
:INPUT_ACL_WAN - [0:0]
:INPUT_ACL_WAN_WHITELIST - [0:0]
:INPUT_ACL_WHITELIST - [0:0]
:INPUT_ACL_WIFI - [0:0]
:INPUT_DOS - [0:0]
:INPUT_FIREWALL - [0:0]
:INPUT_PCP_WAN - [0:0]
:INPUT_PROTOCOL_FLT - [0:0]
:INPUT_SERVICE - [0:0]
-A INPUT -j INPUT_PROTOCOL_FLT
-A INPUT -j INPUT_ACL_WAN_WHITELIST
-A INPUT -j INPUT_ACL_WHITELIST
-A INPUT -j INPUT_ACL_WIFI
-A INPUT -j INPUT_ACL_WAN
-A INPUT -j INPUT_ACL
-A INPUT -j INPUT_DOS
-A INPUT -j INPUT_SERVICE
-A INPUT -j INPUT_PCP_WAN
-A INPUT -j INPUT_FIREWALL
-A FORWARD -s fc00::/7 -i br+ -o ppp+ -j DROP
-A FORWARD -s fc00::/7 -i br+ -o wan+ -j DROP
-A FORWARD -j FWD_PROTOCOL_FLT
-A FORWARD -j FWD_WANUPDOWN
-A FORWARD -j FWD_REJECT
-A FORWARD -j FWD_IPFLT
-A FORWARD -j FWD_IPFLT_DEFAULT
-A FORWARD -j FWD_SERVICE
-A FORWARD -j FWD_PORTMAP
-A FORWARD -j FWD_FIREWALL_CUST
-A FORWARD -j FWD_FIREWALL
-A OUTPUT -o ra+ -j DROP
-A OUTPUT -o wl+ -j DROP
-A FWD_WANUPDOWN -m rt --rt-type 0 -j DROP
-A FWD_WANUPDOWN -o wan+ -m mark --mark 0x102001 -j DROP
-A FWD_WANUPDOWN -o ppp+ -m mark --mark 0x102001 -j DROP
-A INPUT_DOS -i wan+ -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT_DOS -i wan+ -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
-A INPUT_DOS -i ppp+ -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT_DOS -i ppp+ -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
-A INPUT_DOS -i wan+ -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A INPUT_DOS -i ppp+ -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A INPUT_FIREWALL -i wan+ -j DROP
-A INPUT_FIREWALL -i ppp+ -j DROP
-A INPUT_SERVICE -i ppp257 -p udp -m udp --dport 546 -j ACCEPT
-A INPUT_SERVICE -i wan+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT_SERVICE -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT_SERVICE -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT_SERVICE -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT_SERVICE -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT_SERVICE -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT_SERVICE -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT_SERVICE -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
COMMIT

Where is the problem most likely to be?

Addendum 1 · 20 minutes ago

Tested: modifying the ONT's FORWARD chain has no effect.

The policy has to be added on the SLAAC host itself, i.e. on the bypass router N1.

For example, to block access to port 1688. Insert with -I so the rule sits at the front, and add -s to restrict by source address as needed.

# block TCP 1688 on the host itself; the original post had -j ACCEPT here, which would not block anything
ip6tables -I INPUT -p tcp --dport 1688 -j DROP

Addendum 2 · 13 minutes ago

In other words, every host that gets its IPv6 address via SLAAC, whether a phone, a PC or an Apple TV, is running naked (fully exposed)!
Still verifying.
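The dump above explains the symptom: the ONT's FORWARD policy is ACCEPT and, apart from FWD_WANUPDOWN's routing-header and mark drops, the FWD_* chains it jumps to contain no rules, so inbound IPv6 to LAN hosts is forwarded untouched and the ONT's "firewall level" setting does not change that. The addendum's conclusion, that each SLAAC host needs its own inbound policy, is the right one, but a single `-I INPUT ... -j DROP` per port is easy to forget. The script below is an added example, not code from the post or from any of the projects it mentions: the first function audits `ss -6 -ltn` output for listeners a remote IPv6 peer can actually reach (wildcard or global binds, as opposed to loopback, link-local or ULA binds), and the second emits a default-deny host ruleset in ip6tables-restore format that still lets NDP, path-MTU discovery and DHCPv6 work. The `ss` sample is constructed, the addresses use the 2001:db8::/32 documentation prefix, and the LAN prefix argument is whatever your ONT hands out via SLAAC.

```shell
#!/bin/sh
# Added example (not from the V2EX post): audit which services on an IPv6 host
# are reachable from the internet, and generate a host firewall for it.
# Assumptions: iproute2 ss(8) output format, ip6tables-restore on the host,
# and a LAN prefix supplied by the caller. The ss output below is constructed.

# Constructed sample of `ss -6 -ltn` on a box like the N1 (not a real capture).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port
LISTEN  0       128     [::]:1688             [::]:*
LISTEN  0       128     [::1]:8123            [::]:*
LISTEN  0       511     *:1880                *:*
LISTEN  0       128     [fe80::1%eth0]:5353   [::]:*
LISTEN  0       128     [2001:db8::1]:9090    [::]:*'

# Print "port address" for every listener a remote IPv6 peer could reach:
# wildcard binds ([::] or *) and binds to a global address. Loopback,
# link-local (fe80::/10) and ULA (fc00::/7) binds are not reachable from outside.
ip6_exposed_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "*" || addr == "[::]" ||
            (addr !~ /^\[::1\]/ && addr !~ /^\[fe80/ && addr !~ /^\[f[cd]/))
            print port, addr
    }'
}

# Emit an ip6tables-restore ruleset for a SLAAC host: default-deny inbound,
# but keep NDP, PMTU discovery and DHCPv6 working, and allow the LAN prefix
# (argument 1, e.g. 2001:db8:1::/64) and link-local neighbours in.
ip6_host_rules() {
    lan_prefix="$1"
    if [ -z "$lan_prefix" ]; then
        echo "usage: ip6_host_rules <lan-prefix>" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# NDP (RS/RA/NS/NA): without these the host loses its SLAAC address and default route
-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
# ICMPv6 error messages needed for path MTU discovery and sane TCP behaviour
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# Echo request, rate limited, so the host stays pingable for diagnostics
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/sec -j ACCEPT
# DHCPv6 client replies
-A INPUT -p udp --dport 546 -j ACCEPT
# Local services (kms 1688, homeassistant 8123, nodered 1880) only from the LAN
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ${lan_prefix} -j ACCEPT
# Everything else from the internet is dropped by the chain policy; log a sample
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6-input-drop: "
COMMIT
EOF
}

# Demo against the constructed sample: prints the listeners to worry about.
ip6_exposed_listeners "$SAMPLE_SS"
```

On the real host run `ip6_exposed_listeners "$(ss -6 -ltn)"` to see what is bound to `[::]` or `*`; against the sample it reports 1688, 1880 and 9090 but not 8123 (loopback only) or 5353 (link-local only). Check the generated ruleset with `ip6_host_rules <prefix> | ip6tables-restore --test`, apply it with `ip6tables-restore`, then repeat the telnet from the VPS: the connection should now time out rather than connect. Note that the ruleset only protects the host it is loaded on; the phones and Apple TVs from addendum 2 need the same treatment or a real stateful firewall in front of them.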
