Can't ping/connect to router from connected device

saraelsa · March 7, 2026, 6:44pm

This may be related to an earlier issue that I posted. Same device; I'm now on 25-12.0 stable. The original issue still exists.

I have a firewall zone called lan6 which includes the interfaces eth0 and wglan6.

eth0 has the IP address 2XXX:XXXX:XXXX:XXXf::1/64.
wglan6 has the IP address 2XXX:XXXX:XXXX:YYY0::1/64.

When connected to wglan6 (over Wireguard), I can ping both IP addresses.

When connected to eth0 (over Ethernet), I cannot ping 2XXX:XXXX:XXXX:XXXf::1/64 (the address for eth0). I can ping wglan6's address and Internet destinations.

I created a firewall rule and put it at the top which accepts and logs all ICMP packets sent from the device to the router. The firewall rule was first set to capture packets with destination any zone (forward), and I could ping Internet destinations and see corresponding logs. It was then changed to capture packets with destination this device (input), and when I tried pinging the router using eth0's address, it didn't work and no logs were generated.

netstat -rn on the connected device includes the following:

Internet6:
Destination                             Gateway                                 Flags               Netif Expire
default                                 fe80::5054:ff:fXXX:XXXX%en0             UGcg                  en0
2XXX:XXXX:XXXX:XXXf::/64                link#11                                 UC                    en0
2XXX:XXXX:XXXX:XXXf:ZZZZ:ZZZZ:ZZZZ:ZZZZ ZZ:ZZ:ZZ:ZZ:ZZ:ZZ                       UHLWI                 en0

where ZZZZ represents another device connected to the same port which I can ping.

I suspect the differing gateways are the culprit here, but I don't know anything beyond that.

With my extremely limited knowledge on how networking works below the IP level, could it perhaps be the case that unless a packet is addressed specifically to the device's link-local or MAC address (which maybe it isn't if netstat's gateway is the link itself) it just never gets accepted for processing? To test this I tried enabling promiscuous mode on the device, but after doing that I wasn't able to get an IP address assigned in the first place.

Any other ideas?

lleachii · March 8, 2026, 3:17am

Please show your firewall configuration.

saraelsa · March 8, 2026, 2:58pm

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan6'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan6'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan6'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan6'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan6'

config zone
	option name 'lan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv6'
	list network 'lan6'
	list network 'wglan6'

config forwarding
	option src 'lan6'
	option dest 'wan6'

config forwarding
	option src 'lan6'
	option dest 'vnet6'

config forwarding
	option src 'wan6'
	option dest 'lan6'

config forwarding
	option src 'wan6'
	option dest 'vnet6'

config zone
	option name 'vnet6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv6'
	list network 'eth1vl1'
	list network 'eth1vl3'
	list network 'eth1vl4'
	list network 'eth1vl2'

config forwarding
	option src 'vnet6'
	option dest 'wan6'

config forwarding
	option src 'vnet6'
	option dest 'lan6'

config zone
	option name 'wan4rel'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option family 'ipv4'
	list network 'wan4_2'

config zone
	option name 'lan4rel'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'ps46'

config forwarding
	option src 'lan4rel'
	option dest 'wan4rel'

config forwarding
	option src 'wan4rel'
	option dest 'lan4rel'

config rule
	option name 'Reject-Forward-Iot'
	option family 'ipv6'
	option src '*'
	option dest 'lan6'
	list dest_ip '2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX’
	option target 'REJECT'
	list proto 'all'

config rule
	option src 'wan'
	option name 'Allow-WireGuard'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option src 'lan6'
	option name 'Allow-lan6-any'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'all'
	option dest '*'
	option enabled '0'

config rule
	option dest 'lan6'
	option name 'Allow-IPv6-From-Device'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'all'
	option enabled '0'

config rule
	option src 'lan6'
	option name 'Allow-ICMPv6-Lan-Input'
	list proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv6'
	option enabled '0'