Cannot be visited from outer network use relay mode get ipv6 address

my openwrt allocate ipv6 address to clients use relay mode, openwrt router ipv6 can visit outer network and be visited by outer network well, but clients only can visit outer ipv6 network, visited cannot, was firewall problem or route problem?
btw: clients get public ipv6 address, not private

ip -6 route list

ip -6 route list
default from xxx:xxx:xxx:3200:3471:46c2:828f:2 via fe80::1 dev eth0 proto static metric 384 pref medium
default from xxx:xxx:xxx:3259::/64 via fe80::1 dev eth0 proto static metric 384 pref medium
xxx:xxx:xxx:9183:d4c2:d24e:b434:c52 dev br-lan proto static metric 1024 pref medium
xxx:xxx:xxx:3259:d4ae:48ae:24ee:c075 dev br-lan proto static metric 1024 pref medium
xxx:xxx:xxx:3259:d4c2:d24e:b434:c52 dev br-lan proto static metric 1024 pref medium
xxx:xxx:xxx:3259::/64 dev eth0 proto static metric 256 pref medium
unreachable 240e:381:385d:3259::/64 dev lo proto static metric 2147483647 pref medium
fd68:10b5:e461::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd68:10b5:e461::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'shadowsocks'
        option type 'script'
        option path '/var/etc/shadowsocks.include'
        option reload '1'

config include 'mia'
        option type 'script'
        option path '/etc/mia.include'
        option reload '1'

config include 'autorepeater'
        option type 'script'
        option path '/var/etc/autorepeater.include'
        option reload '0'


add clients route fixed this problem. but how to automatic add such route by openwrt itself?
I made a new post for automatic problem

route add xxx:xxx:xxx:xxx:d4ae:48ae:24ee:c075 dev br-lan

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.