Hi, it's the first time I am using IPv6, so I don't know exactly how to explain the issue. My ISP does give me IPv6, and the router receives a global IPv6 address. I configured DDNS and I can use the address to access the router externally from another network (I've tried ping and ssh). The problem is that I can't access the router using that address when I am inside the local network (connected to the router). Why is this happening? Is there something I have to change in the firewall?
Assuming your router is the main router (and running openwrt of course), do you have 2 wan interfaces, one wan (ipv4) & one wan6 (ipv6) interface?
Looks good to me. Sorry for the dumb question, but I don't see the lan interface; is it there with the regular firewall rules? If this is in place then it's probably something specific to cell internet connections, which I haven't tried yet (someone jump in please).
Yes, i have the lan interface. I think the issue might come from openwrt firewall
Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
# Print the hardware model, kernel and OpenWrt release as JSON.
ubus call system board
# Interface and bridge definitions; redact public addresses and any credentials present before posting.
cat /etc/config/network
# Wi-Fi radio and SSID settings; this file normally holds the Wi-Fi passphrase (option key), so redact it.
cat /etc/config/wireless
# dnsmasq / odhcpd settings (DNS, DHCPv4, DHCPv6, router advertisements).
cat /etc/config/dhcp
# Firewall defaults, zones, forwardings and traffic rules.
cat /etc/config/firewall
{
"kernel": "5.15.137",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "ZTE MF289F",
"board_name": "zte,mf289f",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "ipq40xx/generic",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
# /etc/config/network as posted: loopback, the LAN bridge, two wired uplink
# interfaces sharing device 'wan', and the LTE modem interface.

# Loopback interface (127.0.0.1/8).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ULA prefix (fd00::/8 range): local-only addressing, not routable on the internet.
config globals 'globals'
option ula_prefix 'fd55:2a2c:3bff::/48'
# Bridge that carries the LAN; its only listed member port is 'lan'.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan'
# LAN: static IPv4 192.168.1.1/24.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# Take a /60 for this interface out of each available IPv6 prefix
# (the ULA prefix above and any prefix delegated by an upstream).
option ip6assign '60'
# IPv4 DHCP client on the wired 'wan' device.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
# DHCPv6 client on the same wired 'wan' device.
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# LTE modem driven over QMI.
# NOTE(review): this looks like the uplink actually in use (the thread refers to wwan0) - confirm.
config interface 'LTE'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option apn 'internet.it'
# No APN username/password is configured.
option auth 'none'
# Request a dual-stack (IPv4 + IPv6) data session from the carrier.
option pdptype 'ipv4v6'
# /etc/config/dhcp as posted: dnsmasq (DNS + DHCPv4) and odhcpd (DHCPv6 + RA) settings.

config dnsmasq
# Do not forward plain names (no dots) or reverse lookups for private ranges upstream.
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# DNS rebinding protection: discard upstream answers that point into private address ranges.
option rebind_protection '1'
# Still allow upstream 127.0.0.0/8 answers (used by DNS-based blocklists).
option rebind_localhost '1'
# Names under 'lan' are answered locally and never forwarded.
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# Only answer DNS queries from hosts on a directly attached subnet.
option localservice '1'
option ednspacket_max '1232'
# AAAA and A records are both passed through unfiltered.
option filter_aaaa '0'
option filter_a '0'
# LAN pool: IPv4 leases start at host offset 100, 150 addresses, 12 h lease time.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# DHCPv6 and router advertisements are served locally (server mode), not relayed from the uplink.
option dhcpv6 'server'
option ra 'server'
# Clients may self-assign addresses (SLAAC); the RA also sets the managed and other-config flags.
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP service is offered on the wan interface.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles DHCPv6/RA; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# /etc/config/firewall as posted, part 1: global defaults, the lan and wan zones,
# and the lan -> wan forwarding.

# Default policies for traffic that belongs to no zone: reject inbound and forwarded, allow outbound.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Software and hardware flow offloading are both enabled.
option flow_offloading '1'
option flow_offloading_hw '1'
# lan zone: fully trusted - anything arriving from the LAN may reach the router itself.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: untrusted. Inbound and forwarded traffic is rejected unless a rule below accepts it.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# Masquerade traffic leaving through this zone (IPv4; IPv6 masquerading is a separate option, masq6).
option masq '1'
option mtu_fix '1'
# All three uplink interfaces share this zone, so every 'src wan' rule applies to
# the wired wan, wan6 and the LTE connection alike.
list network 'wan'
list network 'wan6'
list network 'LTE'
# LAN hosts may initiate connections towards the wan zone; no wan -> lan forwarding is defined here.
config forwarding
option src 'lan'
option dest 'wan'
# /etc/config/firewall as posted, part 2: rules with src 'wan'. The rule names match
# the stock OpenWrt rule set. A rule without 'dest' is an input rule (traffic to the
# router itself); a rule with 'dest' applies to forwarded traffic.

# Let DHCPv4 replies reach the router's DHCP client (UDP port 68).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Answer IPv4 pings arriving from the wan zone.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept IGMP (IPv4 multicast group management) from the wan zone.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Let DHCPv6 replies reach the router's DHCPv6 client (UDP port 546).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery, accepted only from link-local sources.
# ICMPv6 types 130/131/132/143 are the MLD query, report, done and MLDv2 report messages.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself: ping, error messages and neighbour/router discovery,
# rate-limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from the wan zone to any zone (dest '*'): ping and error messages only,
# so hosts behind the router answer IPv6 pings from the internet. Same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward IPsec ESP from the wan zone to LAN hosts.
# NOTE(review): this and Allow-ISAKMP below are only needed if an IPsec endpoint sits on the LAN;
# with globally routable IPv6 addresses on LAN hosts they are reachable directly - remove if unused.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Forward IKE (UDP port 500) from the wan zone to LAN hosts.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/config/firewall as posted, part 3: user-added vpn zone and SSH rules.

# vpn zone: matched by device name rather than by network.
# NOTE(review): input is ACCEPT, so every peer on these interfaces can reach all router
# services; tighten to REJECT plus explicit rules if not every peer is trusted.
config zone 'vpn'
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# '+' is a wildcard: any interface whose name starts with 'zt' (presumably ZeroTier - confirm).
list device 'zt+'
# LAN hosts may initiate connections into the vpn zone.
config forwarding 'lan_vpn'
option src 'lan'
option dest 'vpn'
# SSH to the router from the vpn zone. Redundant while the zone's input policy is ACCEPT,
# but keeps SSH reachable if that policy is tightened later.
config rule 'ssh'
option name 'Allow-SSH'
option src 'vpn'
option dest_port '22'
option proto 'tcp'
option target 'ACCEPT'
# NOTE(review): input rule (no 'dest') that opens port 22 on the router to the whole wan zone,
# i.e. the wired wan, wan6 and the LTE uplink. No 'proto' is set, so the OpenWrt default of
# tcp and udp applies, and no 'family' or 'src_ip' is set, so any IPv4 or IPv6 source matches.
# For an internet-facing SSH port consider adding option proto 'tcp', restricting 'family' and/or
# 'src_ip' to what is really needed, and allowing key-based logins only in the SSH server config.
config rule
option name 'Lele ssh'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
Do your local LAN clients have valid IPv6 addresses starting with "2a02:"?
Do your local LAN clients have IPv6 internet access? you can test with:
ipv6.google.com
http://test-ipv6.com/
Yes, devices in my LAN have IPv6 access; they can ping Google over IPv6 and use the browser over IPv6. But I can't ping or ssh into the router using the global IPv6 address when I am inside the local network. I can connect to the router using the link-local IPv6 address (fe80).
Can you ssh into the device and post the output of this command?
ip addr show dev br-lan
(Please redact any IPv6 addresses that start with 2. The ones starting with f do not need to be redacted, although an fe80:: address built from the interface's MAC address (EUI-64) still reveals that MAC.)
I know it works with real Prefix Delegation (and different subnets on LAN & WAN) without any additional configuration.
In this particular case I suggest using the lan interface IPv6 address both internally and externally. It is highly recommended to configure firewall rules for external access.
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c8:ea:f8:a5:a5:d7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 2a02:b027:redacted/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 2a02:b027:redacted/64 scope global deprecated dynamic
valid_lft 6612sec preferred_lft 0sec
inet6 fd55:2a2c:3bff::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::caea:f8ff:fea5:a5d7/64 scope link
valid_lft forever preferred_lft forever
With LTE, the ISP assigns one /64 to a customer's line, so every GUA in the customer's network must be in that same /64. A router to share this connection is usually set up with RA Relay and NDP Relay. The lan interface does not actually hold a GUA, but NDP relay makes the wan's /128 GUA a "neighbor" on the lan network.
What do you mean by using the lan interface IPv6 address? I am using the IPv6 address I get from my ISP and this works externally, but not inside the local network.
Literally - if you need one address that is accessible both internally and externally, use it instead of your WAN IP. If you use DDNS - configure it to report the LAN IPv6 address, not WAN.
Which is the lan ipv6 address? In the br-lan i only see a /64 that gets assigned to the device in the local network. In wwan0 i see a /128 address which is the one i use to connect remotely, but it doesn’t work internally.
I guess this is the only candidate:
But this is not an ipv6 address. It’s a /64 prefix for the lan device clients.
Whatever you say, guru
Sorry, i have to say I was wrong. I didn't expect this to work, but it is working. So with this IPV6 i can connect it both internally and externally? What is the difference between the IPV6 i was using before in the wwan0 inet6?