Cannot reach external IPV6 host from OpenWrt, clients can

Basically it all appears to work, at least on the clients. Their IPv6 functions properly and they can reach external IPv6 hosts, but on the router itself I can't reach any. I have dual-stack internet and my ISP is correctly providing a /59 PD, from which I forward a /60 to my LAN. Hopefully someone has an idea about what could be wrong.

Here is my config:

network

root@router:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option macaddr '9e:3e:88:0b:d8:9c'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr '9e:3e:REDACTED:d8:9c'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option broadcast '1'
        option hostname 'router'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth1'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option norelease '1'

config device
        option name 'eth1'
        option macaddr 'ea:8d:REDACTED:63'

dhcp

root@router:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '4000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        list server '192.168.1.1'
        option boguspriv '0'
        option nonegcache '1'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '3'
        option limit '50'
        option leasetime '24h'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '3,192.168.1.1'
        option ra 'server'
        option dhcpv6 'server'
        option preferred_lifetime '24h'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns '2a02:8071:REDACTED:e620::1'
        list dns 'fd14:346c:3fff::1'
        option ndp 'relay'
        option ra_default '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

config dhcp 'wan6'
        option interface 'wan6'
        option ra 'relay'
        option dhcpv6 'relay'
        option preferred_lifetime '24h'
        option master '1'
        option ignore '1'
        option ndp 'relay'

firewall

root@router:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option drop_invalid '1'
        option forward 'DROP'
        option flow_offloading '1'
        option log_level '3'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        option log '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option enabled '1'
        option type 'script'
        option path '/etc/firewall.user'
        option fw4_compatible '1'

config redirect 'adguardhome_dns_53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option target 'DNAT'
        option name 'Adguard Home'
        option dest 'lan'
        option dest_port '53'

adguardhome.yaml

root@router:/etc/config# cat ../adguardhome.yaml 
http:
  address: 192.168.1.1:8080
  session_ttl: 720h
users:
  - name: REDACTED
    password: REDACTED
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: dark
debug_pprof: false
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1
    - ::1
    - fd14:REDACTED:3fff::1
    - 2a02:8071:REDACTED:e620::1
  port: 53
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 5
  protection_disabled_until: null
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 0
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/time.cloudflare.com/]1.1.1.1'
    - '[/time.cloudflare.com/]1.0.0.1'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
    - 8.8.8.8
    - 8.8.4.4
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001
    - 2001:4860:4860::8888
    - 2001:4860:4860::8844
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  filtering_enabled: true
  filters_update_interval: 12
  parental_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  rewrites: []
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 720h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 720h
  enabled: true
filters:
  - enabled: true
    url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt
    name: HaGeZi's Pro DNS Blocklist
    id: 1705775640
  - enabled: true
    url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/tif.txt
    name: HaGeZi's Trheat Intelligence Feeds DNS Blocklist
    id: 1705775641
  - enabled: true
    url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/dyndns.txt
    name: HaGeZi's DynDNS Blocklist
    id: 1705775642
  - enabled: true
    url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/hoster.txt
    name: HaGeZi's Badware Hoster DNS Blocklist
    id: 1705775643
  - enabled: false
    url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds.txt
    name: HaGeZi's The World's Most Abused TLDs
    id: 1705775644
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1705793437
whitelist_filters:
  - enabled: true
    url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
    name: anudeepND whitelist
    id: 1705793438
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 24

Nobody has any idea?

Disclaimer: I'm not the greatest IPv6 expert, but I got it working on my routers.

It looks like you set up IPv6 as a relay.
As you have a PD, that is not necessary.

Try removing it and replace with:

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

Furthermore, list server '192.168.1.1' is present. If that is the DNS server itself, you should remove it; but it could be related to your AdGuard Home, in which case forget this.

Thanks for replying, appreciate it.
With the Matter protocol for IoT devices, IPv6 gets quite relevant, as that doesn't seem to work without it.

Alright, I changed the wan6 interface to

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

and it does not seem to have broken anything.

The list server '192.168.1.1' is indeed pointing to AdGuard Home, which is installed on the OpenWrt device via opkg (https://openwrt.org/docs/guide-user/services/dns/adguard-home). dnsmasq is set to port 54, so AdGuard Home can use it for reverse DNS lookups (see adguardhome.yml under the local_ptr_upstreams part).

Do the other parts of my DHCP config under config dhcp 'lan' look correct to you? I'm specifically referring to option ra, dhcpv6, flags, ndp and ra_default.

What I am also unsure about is the bind_hosts part of adguardhome.yml and the list dns part of /etc/config/dhcp. To my understanding, in list dns I have put the delegated IPv6 address along with the link-local IPv6 address (I'm not sure why, but there is a script in the installation docs that suggests doing so). Then under the bind_hosts part I have also added these two along with ::1, 192.168.1.1 and 127.0.0.1, hoping that this is correct. I believe these are the addresses AdGuard Home should listen on?

I still can't reach external IPv6 hosts on OpenWrt itself, so I guess either something above is incorrect or there is something inside the firewall that blocks it, but I can't seem to find anything (and turning the firewall off is not an option, as then the DNS redirection to AdGuard Home will also stop functioning, denying the possibility to test anything).

In the DHCP config there is actually no need for a wan6 section at all, so you should be able to delete that; wan6 uses odhcpd and that section looks like mine.

Reboot after removing the config dhcp 'wan6'

The LAN interface is responsible for the clients, this is mine:

config dhcp 'lan'
	option interface 'lan'
	option start '64'
	option limit '64'
	option leasetime '24h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

So probably remove:

Reboot afterwards

You can check your wan status with: ifstatus wan6
You can post it for us to check, but be sure to partially blur the IPv6 addresses!

If it is a DNS problem, you should be able to ping -6 2a00:1450:400e:801::200e but not ping -6 ipv6.google.com.

Alright, I removed config dhcp 'wan6', option ndp 'relay' and option ra_default '1', and added option dhcpv4 'server' to /etc/config/dhcp. This is the current version:

etc/config/dhcp

root@router:~# cat /etc/config/dhcp 

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '4000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        list server '192.168.1.1'
        option boguspriv '0'
        option nonegcache '1'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '3'
        option limit '50'
        option leasetime '24h'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '3,192.168.1.1'
        option ra 'server'
        option dhcpv6 'server'
        option dhcpv4 'server'
        option preferred_lifetime '24h'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns '2a02:8071:REDACTED
        list dns 'fd14:346c:3fff::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

Both ping -6 2a00:1450:400e:801::200e and ping -6 ipv6.google.com fail (100% packet loss).

Here is the output of ifstatus wan6:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 337,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2a02:908:REDACTED::1835",
                        "mask": 128,
                        "preferred": 42863,
                        "valid": 86063
                },
                {
                        "address": "2a02:908:REDACTED:8aff:fe7b:3763",
                        "mask": 64,
                        "preferred": 604795,
                        "valid": 2591995
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2a02:8071:REDACTED:e620::",
                        "mask": 59,
                        "preferred": 42863,
                        "valid": 86063,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2a02:8071:REDACTED:e620::",
                                        "mask": 60
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2a02:908:REDACTED:10c::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591995,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1212:ff:REDACTED:6598",
                        "metric": 384,
                        "valid": 117,
                        "source": "2a02:8071:REDACTED:e620::/59"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1212:ff:REDACTED:6598",
                        "metric": 384,
                        "valid": 117,
                        "source": "2a02:908:f000:10c:REDACTED:8aff:fe7b:3763/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1212:ff:REDACTED:6598",
                        "metric": 384,
                        "valid": 117,
                        "source": "2a02:908:REDACTED:10c::1835/128"
                }
        ],
        "dns-server": [
                "2606:4700:4700::1111",
                "2606:4700:4700::1001"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "2a02:908:2:b::1",
                        "2a02:908:2:a::1"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "001700202a0209080002000REDACTED080002000a0000000000000001"
        }
}

I will carefully go over your settings later, but on first glance it looks OK: you got a /59 prefix and have the routes and prefixes to LAN.

You do have a /64 prefix assigned to the wan6, which should not be necessary, as wan6 gets its own /128 address, but I do not think this is a problem.

I have checked your settings against mine (which are working) and I cannot find any obvious differences or mistakes, so at this moment I am also in the dark :frowning:

Me neither, and I can't find anything in the firewall either. Does anyone else maybe have an idea?

Bump, does anyone have an idea?