Basically, it all appears to work, at least on the clients. Their IPv6 works properly and they can reach external IPv6 hosts, but on the router itself I can't reach any. I have dual-stack internet and my ISP is correctly providing a /59 PD, from which I forward a /60 to my LAN. Hopefully someone has an idea about what could be wrong.
Here is my config:
network
root@router:/etc/config# cat network
# Loopback interface: static 127.0.0.1/8 on device 'lo'.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global network settings; the ULA prefix value was redacted by the poster.
config globals 'globals'
option ula_prefix 'REDACTED'
option packet_steering '1'
# Bridge device br-lan with eth0 as its only listed port and an overridden MAC address.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
option macaddr '9e:3e:88:0b:d8:9c'
# LAN interface: static 192.168.1.1/24 on the bridge.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# Assign a /60 out of the delegated IPv6 prefix to this interface.
option ip6assign '60'
# MAC override for the physical port eth0 (partly redacted by the poster).
config device
option name 'eth0'
option macaddr '9e:3e:REDACTED:d8:9c'
# IPv4 uplink: DHCP client on eth1.
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
option broadcast '1'
option hostname 'router'
# peerdns '0' ignores the resolvers offered by the ISP; the two addresses below are used instead.
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
# IPv6 uplink: DHCPv6 client on the same device.
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
# 'try' requests a WAN address but continues without one; 'auto' requests a delegated prefix.
# NOTE(review): when only router-originated IPv6 traffic fails, check whether the router holds
# a global address and an IPv6 default route at all - this file does not show either.
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
# Do not send a DHCPv6 release when the interface goes down.
option norelease '1'
# MAC override for the WAN port eth1 (partly redacted by the poster).
config device
option name 'eth1'
option macaddr 'ea:8d:REDACTED:63'
dhcp
root@router:/etc/config# cat dhcp
# dnsmasq instance. It listens on port 54 (see 'port' below) and forwards to 192.168.1.1,
# where the AdGuard Home config later in this post binds port 53.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# NOTE(review): '0' turns off dnsmasq's DNS-rebinding filter, so upstream answers that point
# at private addresses are passed through. Nothing else shown in this post replaces that check;
# confirm it is disabled on purpose.
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '4000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# Answer only queries that arrive from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
option port '54'
list server '192.168.1.1'
# NOTE(review): with boguspriv '0', reverse lookups for private ranges that dnsmasq cannot
# answer are forwarded upstream. AdGuard Home's local_ptr_upstreams points back at
# 192.168.1.1:54, so such queries may bounce between the two resolvers - verify.
option boguspriv '0'
option nonegcache '1'
option sequential_ip '1'
# DHCP/RA service for the lan interface.
config dhcp 'lan'
option interface 'lan'
# IPv4 pool: 50 addresses starting at host offset 3, leased for 24h.
option start '3'
option limit '50'
option leasetime '24h'
# DHCP option 6 (DNS server) and option 3 (default gateway) both point at the router.
list dhcp_option '6,192.168.1.1'
list dhcp_option '3,192.168.1.1'
# Router advertisements and DHCPv6 are served locally, with the managed and other-config flags set.
option ra 'server'
option dhcpv6 'server'
option preferred_lifetime '24h'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# IPv6 resolvers announced to clients: a global address and a ULA address on the router.
list dns '2a02:8071:REDACTED:e620::1'
list dns 'fd14:346c:3fff::1'
# NOTE(review): NDP is relayed here while RA and DHCPv6 run in server mode. With a delegated
# (routed) prefix, server mode alone is the usual setup; when debugging router-local IPv6,
# test without the relay to rule it out.
option ndp 'relay'
# NOTE(review): presumably keeps the default-router announcement alive when the router has
# no public address of its own - confirm against the odhcpd documentation.
option ra_default '1'
# No DHCP service on the IPv4 uplink.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd global settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '3'
# IPv6 uplink marked as relay master.
# NOTE(review): ignore '1' is set next to explicit ra/dhcpv6/ndp relay modes. Confirm which
# one takes effect on the odhcpd version in use; if the relay is active it is layered on top
# of prefix delegation, which is not normally needed.
config dhcp 'wan6'
option interface 'wan6'
option ra 'relay'
option dhcpv6 'relay'
option preferred_lifetime '24h'
option master '1'
option ignore '1'
option ndp 'relay'
firewall
root@router:/etc/config# cat firewall
# Global policies for traffic that is not matched by a zone.
# NOTE(review): input is ACCEPT here. WAN-side input is still dropped by the wan zone below,
# but an interface that is not assigned to any zone would fall through to this ACCEPT.
# REJECT or DROP is the safer default.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
# Drop packets that connection tracking classifies as invalid.
option drop_invalid '1'
option forward 'DROP'
option flow_offloading '1'
option log_level '3'
# LAN zone: everything accepted; log '1' enables logging for this zone.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'lan'
# WAN zone covering both uplinks (wan and wan6): inbound and forwarded traffic is dropped
# unless a rule below allows it.
config zone
option name 'wan'
option output 'ACCEPT'
# Masquerading (NAT) for traffic leaving through this zone, plus MSS clamping.
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option log '1'
list network 'wan'
list network 'wan6'
# LAN hosts may open connections towards the WAN zone.
config forwarding
option src 'lan'
option dest 'wan'
# Input rules on the WAN zone (no 'dest', so they apply to the router itself).
# DHCPv4 replies to the client port, needed for lease renewal.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests from the WAN side.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# IGMP from the WAN side (IPv4 multicast membership).
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies to the client port; without this the wan6 lease and prefix cannot be obtained.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery messages, accepted only from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself: error messages plus neighbour and router discovery,
# rate-limited to 1000 packets per second. IPv6 on the uplink breaks without the
# discovery and error types, so these should stay when tightening the rule set.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from the WAN to any zone (dest '*'): echo and error types only,
# same rate limit. LAN hosts with global addresses answer pings from outside under this rule.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rules from WAN to LAN for IPsec: ESP and IKE (UDP 500).
# NOTE(review): neither rule sets 'family', so both presumably apply to IPv6 as well. IPv6 has
# no NAT in this setup, which lets unsolicited ESP and UDP/500 through to every LAN host with
# a global address. Remove or narrow them (dest_ip, family) if no IPsec endpoint sits in the LAN.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom script loaded with the firewall. Its contents are not shown in this post, so any
# rules it adds are outside what can be reviewed here.
config include
option enabled '1'
option type 'script'
option path '/etc/firewall.user'
option fw4_compatible '1'
# DNAT for DNS (TCP and UDP port 53) arriving from the LAN, rewritten to port 53.
# No dest_ip is given; presumably the target is the router itself, which keeps clients with
# hard-coded resolvers on the local filter - verify in the generated rule set.
config redirect 'adguardhome_dns_53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option target 'DNAT'
option name 'Adguard Home'
option dest 'lan'
option dest_port '53'
adguardhome.yaml
root@router:/etc/config# cat ../adguardhome.yaml
# Web UI listener, bound to the LAN IPv4 address on port 8080.
# NOTE(review): tls.enabled is false later in this file, so the admin login presumably
# crosses the LAN over plain HTTP.
http:
address: 192.168.1.1:8080
# Login sessions stay valid for 720h (30 days).
session_ttl: 720h
# Admin account; both values were redacted by the poster.
users:
- name: REDACTED
password: REDACTED
# Login throttle: after auth_attempts failed logins the source is blocked for block_auth_min minutes.
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: dark
# Profiling endpoint stays off.
debug_pprof: false
# DNS server settings.
dns:
# Listen addresses: loopback, the LAN IPv4 address, a ULA address and a global IPv6 address.
# NOTE(review): the last entry is globally routable. The firewall shown in this post drops WAN
# input and opens no DNS port, which is what keeps this from being an open resolver; keep
# that in mind when changing firewall rules.
bind_hosts:
- 127.0.0.1
- 192.168.1.1
- ::1
- fd14:REDACTED:3fff::1
- 2a02:8071:REDACTED:e620::1
port: 53
# Client addresses are stored unmasked in logs and statistics.
anonymize_client_ip: false
protection_enabled: true
blocking_mode: default
blocking_ipv4: ""
blocking_ipv6: ""
blocked_response_ttl: 5
protection_disabled_until: null
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
# 0 disables per-client rate limiting.
ratelimit: 0
ratelimit_whitelist: []
# ANY queries are refused.
refuse_any: true
# Upstreams: two DNS-over-HTTPS resolvers for general traffic.
upstream_dns:
- https://dns.cloudflare.com/dns-query
- https://dns.google/dns-query
# The 'lan' domain and unqualified names go to 127.0.0.1:54, the port dnsmasq is set to in the dhcp config.
- '[/lan/]127.0.0.1:54'
- '[//]127.0.0.1:54'
# NTP host names are resolved over plain DNS. Presumably this lets the clock be set before
# certificate validation for the DoH upstreams can succeed; these lookups are unencrypted.
- '[/time.cloudflare.com/]1.1.1.1'
- '[/time.cloudflare.com/]1.0.0.1'
- '[/pool.ntp.org/]1.1.1.1'
- '[/pool.ntp.org/]1.0.0.1'
upstream_dns_file: ""
# Plain-DNS resolvers used to look up the DoH host names above (IPv4 and IPv6).
bootstrap_dns:
- 1.1.1.1
- 1.0.0.1
- 8.8.8.8
- 8.8.4.4
- 2606:4700:4700::1111
- 2606:4700:4700::1001
- 2001:4860:4860::8888
- 2001:4860:4860::8844
# Every query is sent to all upstreams, so both providers see every lookup.
all_servers: true
fastest_addr: false
fastest_timeout: 1s
# Empty allow and deny lists: no client ACL is applied, access control rests on the firewall.
allowed_clients: []
disallowed_clients: []
disallowed_clients: []
# Names that are never answered; these are the CHAOS-style server identification queries.
blocked_hosts:
- version.bind
- id.server
- hostname.bind
# Only loopback is trusted to supply forwarded client addresses.
trusted_proxies:
- 127.0.0.0/8
- ::1/128
cache_size: 4194304
cache_ttl_min: 0
cache_ttl_max: 0
# Optimistic caching: presumably expired entries are served while a refresh runs - confirm.
cache_optimistic: true
bogus_nxdomain: []
aaaa_disabled: false
# NOTE(review): presumably this requests DNSSEC data from the upstreams rather than validating
# locally; confirm what the installed version does before relying on it.
enable_dnssec: true
# NOTE(review): EDNS Client Subnet is on, which passes part of the client's address to the
# upstream resolvers. Disable it if that disclosure is not wanted.
edns_client_subnet:
custom_ip: ""
enabled: true
use_custom: false
max_goroutines: 300
handle_ddr: true
ipset: []
ipset_file: ""
bootstrap_prefer_ipv6: false
# Blocklist filtering is on; lists are refreshed every 12 hours.
filtering_enabled: true
filters_update_interval: 12
parental_enabled: false
safebrowsing_enabled: false
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
# Safe search is disabled as a whole; the per-engine flags only matter once 'enabled' is true.
safe_search:
enabled: false
bing: true
duckduckgo: true
google: true
pixabay: true
yandex: true
youtube: true
rewrites: []
blocked_services:
schedule:
time_zone: UTC
ids: []
upstream_timeout: 10s
private_networks: []
# Reverse lookups for private addresses go to 192.168.1.1:54, the dnsmasq port in the dhcp config.
use_private_ptr_resolvers: true
local_ptr_upstreams:
- 192.168.1.1:54
use_dns64: false
dns64_prefixes: []
serve_http3: false
use_http3_upstreams: false
# Encryption for the web UI and encrypted DNS listeners is off; the ports and paths below
# have no effect until 'enabled' is true and a certificate is configured.
tls:
enabled: false
server_name: ""
force_https: false
port_https: 443
port_dns_over_tls: 853
port_dns_over_quic: 853
port_dnscrypt: 0
dnscrypt_config_file: ""
allow_unencrypted_doh: false
certificate_chain: ""
private_key: ""
certificate_path: ""
private_key_path: ""
strict_sni_check: false
# Query log: kept for 720h (30 days) and written to disk. With anonymize_client_ip false it
# records which client looked up which name, so treat the log files as sensitive.
querylog:
ignored: []
interval: 720h
size_memory: 1000
enabled: true
file_enabled: true
# Statistics are kept for the same 720h window.
statistics:
ignored: []
interval: 720h
enabled: true
# Blocklists, all fetched over HTTPS.
# NOTE(review): the GitHub URLs track a branch (main or master), not a fixed revision, so the
# list contents change whenever the upstream repository does. That is how these lists are
# meant to be consumed, but it means filter behaviour depends on those repositories.
filters:
- enabled: true
url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt
name: HaGeZi's Pro DNS Blocklist
id: 1705775640
- enabled: true
url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/tif.txt
name: HaGeZi's Trheat Intelligence Feeds DNS Blocklist
id: 1705775641
- enabled: true
url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/dyndns.txt
name: HaGeZi's DynDNS Blocklist
id: 1705775642
- enabled: true
url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/hoster.txt
name: HaGeZi's Badware Hoster DNS Blocklist
id: 1705775643
# This list is configured but switched off.
- enabled: false
url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds.txt
name: HaGeZi's The World's Most Abused TLDs
id: 1705775644
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
name: AdGuard DNS filter
id: 1705793437
# Allowlist: entries here override the blocklists above, so a change upstream can unblock domains.
whitelist_filters:
- enabled: true
url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
name: anudeepND whitelist
id: 1705793438
# AdGuard Home's built-in DHCP server is off; the empty fields below are unused.
dhcp:
enabled: false
interface_name: ""
local_domain_name: lan
dhcpv4:
gateway_ip: ""
subnet_mask: ""
range_start: ""
range_end: ""
lease_duration: 86400
icmp_timeout_msec: 1000
options: []
dhcpv6:
range_start: ""
lease_duration: 86400
ra_slaac_only: false
ra_allow_slaac: false
# Sources used to label clients at runtime.
# NOTE(review): 'whois' presumably triggers outbound lookups for client addresses - confirm
# and disable if that traffic is not wanted.
clients:
runtime_sources:
whois: true
arp: true
rdns: true
dhcp: true
hosts: true
persistent: []
# Application log: no file path is set and verbose logging is off.
log:
file: ""
max_backups: 0
max_size: 100
max_age: 3
compress: false
local_time: false
verbose: false
# No user or group is configured for the process to switch to.
os:
group: ""
user: ""
rlimit_nofile: 0
# Configuration schema version this file was written with.
schema_version: 24