Fix IPv6... again

nftables.conf

@@ -1,5 +1,6 @@
 define WAN = wan0
 define LAN = lan0
+define VPN = wg-vpn
 
 table inet filter {
 	chain input {
@@ -7,11 +8,13 @@ table inet filter {
 		iifname "lo" accept
 		ct state invalid drop
 		ct state { established, related } accept
+		icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
 		ip protocol icmpv6 accept
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
-		tcp dport { 22 } accept comment "allow ssh to router"
+		# do these need ipv6-specific entries, too?
-		udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+		tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
+		udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
 		udp dport { 60000-60009 } accept comment "allow mosh common ports"
 		drop
 	}
@@ -88,11 +91,11 @@ table ip6 io.systemd.nat {
 		iifname "lo" accept
 		ct state invalid drop
 		ct state { established, related } accept
-		# ip6 protocol icmpv6 accept
+		# icmpv6 accept
-		# ip6 protocol icmp accept
+		# icmp accept
 		meta l4proto ipv6-icmp accept
-		tcp dport { 22, 2200, 2221, 2200, 25565 } accept
+		tcp dport { 51821, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
-		udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+		udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
 		udp dport { 60000-60009 } accept comment "allow mosh common ports"
 		drop
 	}