This is going to be a bit long, because I want to include all of the relevant information. TL;DR, IPv6 was working great, until I screwed it up by adding a new zone.
My setup is somewhat complex, but not strange. I have an Archer C7 v2 running OpenWRT 19.07.5. It is the router for my home network behind a bridging cable modem connecting to Comcast Business. The OpenWRT is (mostly) just a router, and I use a Ubiquiti AC-PRO for wireless. (The OpenWRT router does do 802.11b class wifi for some very old devices, so I don't slow down my main wifi).
Everything, including IPv6 worked perfectly with a a single LAN zone. I got a /56 from Comcast, and the router made a /64 for the LAN. Using DHCPv6 and slaac internal devices got an IPv6 address, their name went into the routers DNS, and IPv6 worked great on the internal network, and talking to the rest of the world.
Then I decided it was time to create an IOT zone, because it's called the internet of shitty things for a reason. I created a new IOT zone which can reach the internet, but not the LAN zone. The LAN zone can connect to IOT, though. The 802.11b on OpenWRT is now connected to the IOT zone, and I use a VLAN to the AC-PRO with multiple SSIDs connecting to the appropriate zone.
That all works perfectly for IPv4. DHCP hands out addresses on the right subnet depending on which SSID a device connects to. Devices can reach, or not reach, what they're supposed to etc. No problems.
Now the problem
IPv6 almost works. The router gives a different /64 to the LAN and IOT zones, as expected. Devices joining the network get an IPv6 address, but then things are weird. IPv6 routing does not work right away. Pinging the router's IPv6 address associated with the zones /64 will get things going. My Android phone, which famously only does slaac, gets an address, but then after awhile loses it.
Just to be even more weird, IPv6 on the IOT network works fine. If I connect a device to that network, it can immediately start using IPv6, without having to ping the router first.
Obviously I've messed something up, but I can't figure out what it is. Having to ping the router before IPv6 works is mentioned on other problem reports, but none of the solutions worked for me.
Below are my /etc/config/firewall
and /etc/config/network
. I hope somebody else can see where I've made a mistake, or suggest things to try. If any other information will be useful in sorting this out, please let me know.
network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda1:d876:0d93::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.169.6'
option netmask '255.255.255.0'
option ip6assign '64'
option stp '1'
option ip6hint '01'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
list dns '1.1.1.1'
list dns '1.0.0.1'
option peerdns '0'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option reqaddress 'try'
option peerdns '0'
option reqprefix '56'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
option vid '2'
config interface 'modem'
option ifname 'eth0.2'
option proto 'static'
option ipaddr '192.168.100.10'
option netmask '255.255.255.0'
config interface 'iot'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.170.1'
option netmask '255.255.255.0'
option ifname 'eth1.3'
option stp '1'
option ip6assign '64'
option ip6hint '02'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 4t'
Some of these entries may be redundant, as I'm trying to make sure that all ICMP messages can pass.
firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.169.3'
option dest_port '80'
option name 'http'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.169.3'
option dest_port '443'
option name 'https'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.169.7'
option dest_port '22'
option name 'ssh'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '23'
option dest_ip '192.168.169.3'
option dest_port '23'
option name 'ssh shiner'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '32400'
option dest_ip '192.168.169.3'
option dest_port '32400'
option name 'plex'
config rule
option dest_port '22-23'
option src 'wan'
option name 'IPv6 SSH'
option dest 'lan'
option target 'ACCEPT'
option proto 'tcp'
option family 'ipv6'
config rule
option dest_port '80 443'
option src 'wan'
option name 'IPv6 Web'
option dest 'lan'
option target 'ACCEPT'
option proto 'tcp'
option family 'ipv6'
config rule
option dest_port '667'
option src 'lan'
option name 'darkstat'
option target 'ACCEPT'
list proto 'tcp'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config zone 'iot'
option name 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'iot'
config forwarding 'iot_wan'
option src 'iot'
option dest 'wan'
config rule 'iot_dns'
option name 'Allow-DNS-IOT'
option src 'iot'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'iot_dhcp'
option name 'Allow-DHCP-IOT'
option src 'iot'
option dest_port '67'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6-IOT'
option family 'ipv6'
list proto 'udp'
option src 'iot'
option dest_port '547'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6-LAN'
option family 'ipv6'
list proto 'udp'
option src 'lan'
option dest_port '547'
option target 'ACCEPT'
config rule
option name 'Allow-ICMP-IOT'
option src 'iot'
option proto 'icmp'
option target 'ACCEPT'
option family 'ipv6'
config forwarding
option src 'lan'
option dest 'iot'
config rule
option family 'ipv6'
list proto 'icmp'
option target 'ACCEPT'
option src 'lan'
option name 'Allow-ICMP-LAN'
config rule
option name 'WAN Block'
option src 'lan'
list src_ip '192.168.169.8'
list src_ip '192.168.169.22'
option dest 'wan'
option target 'DROP'
config rule
option name 'ICMP Allow'
list proto 'icmp'
option target 'ACCEPT'
option dest '*'
option limit '1000/second'
config rule
option name 'ICMP Try'
option family 'ipv6'
list proto 'icmp'
option src 'lan'
option dest 'lan'
option target 'ACCEPT'
I've left out config host
sections.
dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option rebind_protection '1'
option rebind_localhost '1'
option domain 'example.com'
option nonwildcard '0'
option tftp_root '/storage/tftpboot'
option enable_tftp '1'
option cachesize '500'
option dhcp_boot 'grubx64.efi'
option proxydnssec '1'
list server '/ntp.org/1.1.1.1'
list server '/ntp.org/2606:4700:4700::1111'
list server '0::1#5453'
list server '127.0.0.1#5453'
option noresolv '1'
option nonegcache '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '1h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
option dhcpv6 'server'
option ra_management '1'