Forward all IPv6 inbound traffic through TPLink AX3000 router

As of December 2025, TPLink AX3000's router admin panel UI doesn't have any way to configure firewall for IPv6 traffic. In order for IPv6 inbound requests to pass through, we need to decrypt, modify and reapply the router's configuration file.

Warning

After following this guide, your router will forward all IPv6 inbound requests to devices within your network, which will make them publicly accessible without additional security mechanisms like firewalls, so proceed with care. I take no responsibility for any issues, security risks, or damages resulting from the use of this guide.

Prerequisites

You need to have access to one of the following environments:

WSL2 (Windows)
Linux (Ubuntu, Debian, ...)
MacOS. In this case, you need to install GNU Tar by running brew install gnu-tar and replaces all tar command below with gtar.

Steps

Install openssl and pigz using your package manager.
In the router's admin panel, navigate to Advanced > System > Backup & Restore. Press Backup to download the encrypted configuration file. Rename this file to config.bin and put it inside an empty folder.

Decrypt and unpack this file using the command below. After which, you should find 4 new files: ori.xml, header.bin, config.tar, ori-backup-user-config.bin.

# Replace `tar` with `gtar` if you are running the command on MacOS.
openssl aes-256-cbc -d -K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6 -in config.bin | pigz -d -z | (dd bs=16 count=1 of=header.bin; cat) > config.tar; tar -xvf config.tar ./ori-backup-user-config.bin; openssl aes-256-cbc -d -K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6 -in ori-backup-user-config.bin | pigz -d -z > ori.xml; rm ori-backup-user-config.bin;

Open ori.xml in a text editor. Search for all rule tags within the file using <rule query, then append the following rule after the last rule found.
```
<rule>
<name>Forward-IPv6</name>
<src>wan</src>
<dest>lan</dest>
<proto>all</proto>
<family>ipv6</family>
<target>ACCEPT</target>
</rule>
```
Repack and encrypt the configuration file using the command below. The modified configuration file, config2.bin, will be created.

# Replace `tar` with `gtar` if you are running the command on MacOS.
pigz -c -z ori.xml | openssl aes-256-cbc -e -K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6 -out ori-backup-user-config.bin; tar --delete -f config.tar ./ori-backup-user-config.bin; tar -uf config.tar ./ori-backup-user-config.bin; cat header.bin config.tar | pigz -c -z | openssl aes-256-cbc -e -K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6 -out config2.bin

In the router's admin panel, navigate to Advanced > System > Backup & Restore. Press Upload and select the config2.bin file. After which, the router will apply the new configuration and reboot.

Troubleshooting

If you have any issue with internet connections after applying the new configuration file, you may try rebooting the router again either through the admin panel UI or unplugging and replugging it.

If the issue still persists, redo step 5 with the original config.bin file or factory reset your router to revert the changes.

tuananhlai/forward-ipv6-inbound-ax3000.md

Select an option

No results found