Clients can't ping IPv6 addresses, but router can

I wanted to test IPv6 on clients, but there is one problem: there is no IPv6 address, although IPv4 is there. Also, clients can ping each other over IPv6 on the LAN itself, but pinging any IPv6 website on the Internet is not possible.
The ISP (connected via IPoE) supports IPv6, saying:

To get an IPv6 address and a /64 prefix (a whole block of 2^64 addresses that a subscriber's router can distribute to all clients on the local network) in the network, you need to enable DHCPv6 + PD on the router.

Router can ping IPv6 addresses:

root@RT-AX1800U:~# ping6 openwrt.org
PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=0 ttl=57 time=36.650 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=1 ttl=57 time=35.703 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=2 ttl=57 time=36.193 ms
^C
--- openwrt.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 35.703/36.182/36.650 ms

But clients (for example, Android with Termux) cannot:

~ $ ping6 openwrt.org
connect: Network is unreachable

They can ping IPv4:

~ $ ping openwrt.org
PING openwrt.org (139.59.209.225) 56(84) bytes of data.
64 bytes from wiki-01.infra.openwrt.org (139.59.209.225): icmp_seq=1 ttl=55 time=54.9 ms
64 bytes from wiki-01.infra.openwrt.org (139.59.209.225): icmp_seq=2 ttl=55 time=49.7 ms
^C
--- openwrt.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 49.786/52.352/54.918/2.566 ms

ubus call system board output:

{
        "kernel": "5.15.134",
        "hostname": "RT-AX1800U",
        "system": "MediaTek MT7621 ver:1 eco:4",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

Configs (Network/DHCP/Firewall):

root@RT-AX1800U:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:300c:e493::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option norelease '1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'wan'
        option macaddr '[REMOVED]'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '192.168.2.1/24'
        option ip6assign '60'

config device
        option type 'bridge'
        option name 'br-guest'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '[REMOVED]'
        option listen_port '[REMOVED]'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
        option description 'wgclient'
        option private_key '[REMOVED]'
        option public_key '[REMOVED]'
        option preshared_key '[REMOVED]'
        list allowed_ips '[REMOVED].2/32'
        list allowed_ips 'fd00:9::2/128'

config wireguard_vpn 'wglaptop'
        option description 'wglaptop'
        option private_key '[REMOVED]'
        option public_key '[REMOVED]'
        option preshared_key '[REMOVED]'
        list allowed_ips '192.168.9.3/32'
        list allowed_ips 'fd00:9::3/128'

config wireguard_vpn 'wgmobile'
        option description 'wgmobile'
        option private_key '[REMOVED]'
        option public_key '[REMOVED]'
        option preshared_key '[REMOVED]'
        list allowed_ips '192.168.9.4/32'
        list allowed_ips 'fd00:9::4/128'

root@RT-AX1800U:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option ra 'server'
        option dhcpv6 'server'

root@RT-AX1800U:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '[REMOVED]'
        option src 'wan'
        option src_dport '[REMOVED]'
        option dest_port '[REMOVED]'
        option dest_ip '[REMOVED]'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-Guest-DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'qBittorrent ([REMOVED])'
        option src 'wan'
        option src_dport '[REMOVED]'
        option dest_port '[REMOVED]'
        option dest_ip '[REMOVED]'

config rule
        option name 'Allow-DHCPv6-Guest'
        option family 'ipv6'
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '547'

config redirect
        option target 'DNAT'
        option name '[REMOVED]'
        option src 'guest'
        option src_dport '[REMOVED]'
        option dest_ip '[REMOVED]'
        option dest_port '[REMOVED]'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '[REMOVED]'
        option proto 'udp'
        option target 'ACCEPT'

ifstatus wan6 output:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 8453,
        "l3_device": "wan",
        "proto": "dhcpv6",
        "device": "wan",
        "updated": [
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "[REMOVED]",
                        "mask": 128,
                        "preferred": 7748,
                        "valid": 7748
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "[REMOVED]",
                        "mask": 64,
                        "preferred": 7748,
                        "valid": 7748,
                        "class": "wan6",
                        "assigned": {
                                "guest": {
                                        "address": "[REMOVED]",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "[REMOVED]",
                        "metric": 512,
                        "valid": 1289,
                        "source": "[REMOVED]::/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "[REMOVED]",
                        "metric": 512,
                        "valid": 1289,
                        "source": "[REMOVED]/128"
                }
        ],
        "dns-server": [
                "[REMOVED]",
                "[REMOVED]"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "[REMOVED]"
        }
}

Was the device you were testing with connected via the lan interface or the guest interface?

1 Like

The device on which I demonstrated trying to ping an IPv6 address is connected via the LAN interface.

Thanks, that's what I assumed. As you can see from the output of ifstatus wan6

your ISP is only giving you a single /64 subnet to use. This has then been assigned to the guest network, rather than the lan network. The quickest fix would be to remove option ip6assign '60' from

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '192.168.2.1/24'
        option ip6assign '60'

and then restart the network (/etc/init.d/network reload). Check ifstatus wan6 afterwards to check the prefix has been assigned to lan. If it hasn't then restart the router.

3 Likes
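The diagnosis in the reply above can be read directly from the ifstatus wan6 JSON. The following is an added example, not part of the original thread: a Python helper, meant to be run on a workstation against saved output, that reports the delegated prefix, which interfaces received a share of it, and which interfaces that set ip6assign got nothing. The function name, the sample JSON and its 2001:db8:: placeholder addresses are constructed for illustration.

```python
import json

# Constructed sample: trimmed `ifstatus wan6` output in the shape shown in the
# thread. Addresses are placeholders from the 2001:db8::/32 documentation range.
SAMPLE_IFSTATUS = """
{
  "up": true,
  "proto": "dhcpv6",
  "ipv6-prefix": [
    {
      "address": "2001:db8:0:1::",
      "mask": 64,
      "class": "wan6",
      "assigned": {
        "guest": {"address": "2001:db8:0:1::", "mask": 64}
      }
    }
  ]
}
"""


def audit_delegation(ifstatus_json, wanted):
    """Summarise prefix delegation.

    wanted: names of the interfaces that set ip6assign in /etc/config/network.
    """
    status = json.loads(ifstatus_json)
    report = {"delegated": [], "available_64s": 0, "assigned": {}, "missing": []}
    for prefix in status.get("ipv6-prefix", []):
        mask = prefix["mask"]
        report["delegated"].append(f'{prefix["address"]}/{mask}')
        # Each client network needs its own /64; a delegated /N contains
        # 2**(64-N) of them, so a /64 can serve exactly one interface.
        if mask <= 64:
            report["available_64s"] += 2 ** (64 - mask)
        for ifname, sub in prefix.get("assigned", {}).items():
            report["assigned"][ifname] = f'{sub["address"]}/{sub["mask"]}'
    # Interfaces that asked for a prefix but do not appear under "assigned".
    report["missing"] = sorted(set(wanted) - set(report["assigned"]))
    return report


if __name__ == "__main__":
    result = audit_delegation(SAMPLE_IFSTATUS, wanted=["lan", "guest"])
    print("delegated:    ", ", ".join(result["delegated"]) or "none")
    print("usable /64s:  ", result["available_64s"])
    for name, sub in result["assigned"].items():
        print(f"assigned:      {name} -> {sub}")
    for name in result["missing"]:
        print(f"NO PREFIX:     {name} (sets ip6assign but received nothing)")
```

With the sample, one /64 is available, guest holds it and lan is reported as missing, which matches the situation described in the thread.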

So, I removed "ip6assign" and restarted the network, then I saw it changed from "guest" to "lan", however still no result. But by rebooting the router everything worked.
How do I get IPv6 for "guest" interface without breaking IPv6 of the main network (LAN)?

Get an IPv6 prefix from a tunnel broker for the guest network, or configure IPv6 selective NAT:

Uhm, this looks suspiciously like my problem

no success :smiling_face_with_tear:

If the only IP6 a client holds is a ULA, a lot of clients will not try to use it for Internet access. (Do check that your ULA and route were accepted by the client though).

Instead of ULA, you could try a fake GUA range such as 2001:db8:: inside your house for guests. That range is set aside for "documentation" to never be used on the Internet. It will NAT to the real GUA /128 that exists on the router wan.

1 Like

Check ipleak.net from the guest client and the following from the router:

uci show firewall.nat6; uci show dhcp.guest; \
uci show network.wan6; uci show network.globals
1 Like


(IP Address removed on the screenshot)

root@RT-AX1800U:~# uci show firewall.nat6; uci show dhcp.guest; \
> uci show network.wan6; uci show network.globals
firewall.nat6=nat
firewall.nat6.family='ipv6'
firewall.nat6.src='wan'
firewall.nat6.src_ip='fdc1:300c:e493::/48'
firewall.nat6.target='MASQUERADE'
firewall.nat6.name='Guest'
firewall.nat6.proto='all'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='100'
dhcp.guest.limit='150'
dhcp.guest.leasetime='1h'
dhcp.guest.ra='server'
dhcp.guest.dhcpv6='server'
dhcp.guest.ra_default='1'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.globals=globals
network.globals.ula_prefix='fdc1:300c:e493::/48'
network.globals.packet_steering='1'
1 Like

Still the same. I rebooted router and no IPv6 for Guest.

root@RT-AX1800U:~# uci show firewall.nat6; uci show dhcp.guest; \
> uci show network.wan6; uci show network.globals
firewall.nat6=nat
firewall.nat6.family='ipv6'
firewall.nat6.src='wan'
firewall.nat6.src_ip='fdc1:300c:e493::/48'
firewall.nat6.target='MASQUERADE'
firewall.nat6.name='Guest'
firewall.nat6.proto='all'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='100'
dhcp.guest.limit='150'
dhcp.guest.leasetime='1h'
dhcp.guest.ra='server'
dhcp.guest.dhcpv6='server'
dhcp.guest.ra_default='1'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.sourcefilter='0'
network.globals=globals
network.globals.ula_prefix='fdc1:300c:e493::/48'
network.globals.packet_steering='1'
1 Like

You need to do some specific troubleshooting. Connect a laptop to guest. Check the network status of that client connected to guest. Does it have an IPv6 address from the ULA? Does it have a default v6 route to the router? Does the client's DNS resolve dual stack sites (such as openwrt.org) with their v6 address? Does a ping -6 from the laptop to the Internet work? Does it work to ping -6 the router's guest interface ULA? Also I think you should be able to ping the router's GUA.

1 Like

no, in GUI (LuCI) I don't see it. But in the phone (Released in 2021) - IPv6 written in the network settings automatically

I kind of understand that question, the rest of the questions I don't understand. :melting_face:

This testing is all to be done at the client. The reason I suggested using a laptop as a test client is that it is easier to examine its network addresses and routes and run utilities like nslookup and ping than on a phone.

1 Like

OK, second attempt (Connected Linux machine by WIFI).

Yes. In LuCI I see (IPv4, IPv6)

I don't know if I wrote the right command, but:

[fedora@fedora ~]$ nslookup localhost6
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   localhost6
Address: ::1
[fedora@fedora ~]$ ping openwrt.org
PING openwrt.org (139.59.209.225) 56(84) bytes of data.
64 bytes from wiki-01.infra.openwrt.org (139.59.209.225): icmp_seq=1 ttl=55 time=44.4 ms
^C
--- openwrt.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 44.368/44.368/44.368/0.000 ms
[fedora@fedora ~]$ ping6 2a03:b0c0:3:d0::1af1:1
ping6: connect: Network unavailable
[fedora@fedora ~]$ ping6 ipv6.google.com
ping6: connect: Network unavailable

Where I can find ULA (from Guest interface) and router's GUA? :thinking:

Correct me if I'm wrong somewhere :melting_face:

On a Linux machine, first run ip -6 addr show to see interfaces that have an IPv6 address.

  • Link-local IPs start with 'fe80'
  • ULA IPs start with 'fc' or 'fd'
  • GUA IPs start with 2 or 3

The interface that is connected to the router (Ethernet or wireless) must have both a link-local and a GUA or ULA.

The command ip -6 route show shows the V6 routing table. A default route looks like this:
default from <MY GUA OR ULA> via <ROUTER'S LINK-LOCAL> dev <device>

1 Like
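The client-side check described in the post above can be automated. The following is an added example, not part of the original thread: a Python script that parses the text of ip -6 addr show and ip -6 route show, classifies each address on the chosen interface using the exact ranges behind the prefixes listed above (fe80::/10, fc00::/7, 2000::/3), and reports whether a default route exists. The function names, the interface name wlan0 and both sample outputs are constructed for illustration.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # starts with fe80
ULA = ipaddress.ip_network("fc00::/7")          # starts with fc or fd
GUA = ipaddress.ip_network("2000::/3")          # starts with 2 or 3

# Constructed sample outputs (not captured from a real host).
ADDR_BROKEN = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link noprefixroute
"""
ROUTE_BROKEN = "fe80::/64 dev wlan0 proto kernel metric 1024 pref medium\n"

ADDR_OK = ADDR_BROKEN + "    inet6 fdc1:300c:e493:10::abc/64 scope global dynamic\n"
ROUTE_OK = ROUTE_BROKEN + "default via fe80::1 dev wlan0 proto ra metric 600 pref medium\n"


def classify(addr):
    """Return 'link-local', 'ula', 'gua' or 'other' for an IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    for name, net in (("link-local", LINK_LOCAL), ("ula", ULA), ("gua", GUA)):
        if ip in net:
            return name
    return "other"


def check_client(addr_output, route_output, dev):
    """Summarise IPv6 readiness of interface `dev` from the two command outputs."""
    kinds, current = set(), None
    for line in addr_output.splitlines():
        header = re.match(r"\d+:\s+([^:@\s]+)", line)      # "3: wlan0: <...>"
        if header:
            current = header.group(1)
            continue
        inet6 = re.match(r"\s+inet6\s+([0-9a-fA-F:]+)/\d+", line)
        if inet6 and current == dev:
            kinds.add(classify(inet6.group(1)))
    default_via = None
    for line in route_output.splitlines():
        # Matches both "default via ..." and "default from <src> via ...".
        route = re.match(r"default\b.*\bvia\s+(\S+)\s+dev\s+(\S+)", line)
        if route and route.group(2) == dev:
            default_via = route.group(1)
    ready = ("link-local" in kinds and bool(kinds & {"ula", "gua"})
             and default_via is not None)
    return {"kinds": sorted(kinds), "default_via": default_via, "ready": ready}


if __name__ == "__main__":
    print("broken:", check_client(ADDR_BROKEN, ROUTE_BROKEN, "wlan0"))
    print("ok:    ", check_client(ADDR_OK, ROUTE_OK, "wlan0"))
```

A result with only link-local in kinds and no default_via means the client never accepted a router advertisement with a usable prefix, so the fault is on the router side rather than in the client.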

Are you sure you can't get a bigger allocation from your ISP? Mine (Cox southern California) will just give me a /64 if I use defaults, but if I ask I can get a /60 or a /56 (maybe /48???) for my PD. It's worth a try, maybe their documents are not aligned with their router's actual configuration...

uci set network.wan6.reqprefix='56'
uci commit
/etc/init.d/network restart

If that works (check ifstatus wan6 as above), then you can use the ip6assign '60' as you were before.

[fedora@fedora ~]$ ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp0s18f2u5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::eaef:bf8a:73f8:b30e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[fedora@fedora ~]$ ip -6 route show
fe80::/64 dev wlp0s18f2u5 proto kernel metric 1024 pref medium

No v6 was assigned from the router. The next thing to check would be that the router's guest interface has a /64 v6 GUA or ULA IP. This should be being passed to clients.