Clients no not have IPv6

bomberb17 · September 4, 2023, 1:17pm

I just realized that my router clients do not have IPv6 connectivity (an app from my phone could not send photos unless I VPN'ed out of my home network, and all test-ipv6.com tests fail)
However in luci, I still see IPv6 WAN addresses:

Here is my /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd3:bb37:bd2a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xyz'
	option listen_port '1234'
	list addresses '10.14.0.1/24'

Any suggestions on how to troubleshoot the issue without breaking my current configuration?

AndrewZ · September 4, 2023, 1:23pm

Please show your /etc/config/dhcp
ip6assign '64' is usually enough.

bomberb17 · September 4, 2023, 1:27pm

Here it is

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'box'
	option dns '1'
	option mac 'DC:A6:32:DB:D8:2A'
	option ip '192.168.1.203'

config host
	option name 'hp-pavilion-15'
	option dns '1'
	option mac 'C0:B8:83:FA:E2:F4'
	option ip '192.168.1.3'

config host
	option name 'office'
	option dns '1'
	option mac '44:03:2C:96:44:43'
	option ip '192.168.1.2'

config host
	option name 'WM-QQP9NTYW4L'
	option dns '1'
	option mac 'BC:D0:74:43:40:D0'
	option ip '192.168.1.150'

and /etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'ext_ssh'
	option src 'wan'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '2222'

config redirect
	option target 'DNAT'
	option name 'geth'
	option src 'wan'
	option src_dport '5678'
	option dest 'lan'
	option dest_ip '192.168.1.203'
	option dest_port '5678'

config redirect
	option target 'DNAT'
	option name 'lighthouse'
	option src 'wan'
	option src_dport '3456'
	option dest 'lan'
	option dest_ip '192.168.1.203'
	option dest_port '3456'

config redirect
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '1234'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '1234'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2345'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '2345'
	option name 'office'

krazeh · September 4, 2023, 1:29pm

What prefix size has your ISP given you? Is it bigger than /64?

bomberb17 · September 4, 2023, 1:31pm

It is /56..

bomberb17 · September 4, 2023, 1:39pm

Here is also the output of ip addr on my ubuntu computer. It seems that it gets assigned some IPv6 addresses but still no access to internet using IPv6..

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether ec:08:6b:6a:34:25 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether ec:08:6b:6a:34:24 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether ec:08:6b:6a:34:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2600:4040:xxxx/60 scope global dynamic noprefixroute 
       valid_lft 3669sec preferred_lft 3669sec
    inet6 fdd3:bb37:xxxx/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::ee08:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
8: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether ec:08:6b:6a:34:24 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether ec:08:6b:6a:34:25 brd ff:ff:ff:ff:ff:ff
    inet xx.xx.xx.xx/24 brd xx.xx.xx.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::ee08:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 10.14.0.1/24 brd 10.14.0.255 scope global wg0
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether ec:08:6b:6a:34:23 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether ec:08:6b:6a:34:24 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:xxxx/64 scope link 
       valid_lft forever preferred_lft forever

AndrewZ · September 4, 2023, 1:41pm

Please check ip -6 r

krazeh · September 4, 2023, 1:41pm

Change option ip6assign '60' to option ip6assign '64' and restart the interface.

bomberb17 · September 4, 2023, 1:46pm

default from 2600:4040:xxxx/56 via fe80::cee1:xxxx dev eth0.2  metric 512 
2600:4040:xxxx/64 dev br-lan  metric 1024 
unreachable 2600:4040:xxxx/56 dev lo  metric 2147483647 
fdd3:bb37:xxxx/64 dev br-lan  metric 1024 
unreachable fdd3:bb37:xxxx::/48 dev lo  metric 2147483647 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
anycast 2600:4040:xxxx:: dev br-lan  metric 0 
anycast fdd3:bb37:bd2a:: dev br-lan  metric 0 
anycast fe80:: dev eth1  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev eth0.2  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
multicast ff00::/8 dev eth1  metric 256 
multicast ff00::/8 dev br-lan  metric 256 
multicast ff00::/8 dev eth0.2  metric 256 
multicast ff00::/8 dev eth0  metric 256 
multicast ff00::/8 dev wg0  metric 256 
multicast ff00::/8 dev wlan1  metric 256 
multicast ff00::/8 dev wlan0  metric 256

bomberb17 · September 4, 2023, 1:47pm

If I attempt to make the change through LuCI, the interface wants to delete
uci del dhcp.lan.ra_slaac
and add
uci set network.lan.ip6assign='64'
Should I do it with LuCI?

krazeh · September 4, 2023, 1:49pm

Yeah, should be fine.

bomberb17 · September 4, 2023, 2:15pm

Ok changed and restarted the interface, but that didn't seem to help, ipv6 test still fails

AndrewZ · September 4, 2023, 2:37pm

Do you have any upstream device like a modem, ONT, etc? Try restarting it.
I think we have seen a similar issue in the past when IPv6 connectivity was available from the router only and not from the LAN clients [using PD addresses]. As I recall this had nothing to do with OpenWrt and was fixed by either restarting the ISP-provided device or calling the ISP.

bomberb17 · September 4, 2023, 2:59pm

I restarted the ONT and also restarted both wan interfaces, that didn't help..

One thing that might be responsible would be my firewall configuration? I think I remember I tampered with ipv6 settings at some point because I didn't want to have any ipv6 leak with my wireguard server (which is running on the same router). Here are the firewall traffic rules:

Also I am able to ping both LAN ipv6 addresses from my network clients, i.e. the 2600:4040:xx and the dd3:bb37:xx one.
Also from the router and clients I can ping the IPv6-PD address 2600:4040:xx.
However I cannot ping an external ipv6 address even from the openwrt router, e.g:

$ ping media-share-2.s3.dualstack.us-west-1.amazonaws.com
PING media-share-2.s3.dualstack.us-west-1.amazonaws.com (2600:1fa0:c0cf:83c9:34db:c00a::): 56 data bytes
^C
--- media-share-2.s3.dualstack.us-west-1.amazonaws.com ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

AndrewZ · September 4, 2023, 3:45pm

Your rules are pretty standard. The only difference I see that in the default configuration there are no IP addresses used in Allow-DHCPv6 rule, at least this is what I see on my router.

bomberb17 · September 4, 2023, 5:18pm

So what can I do now? Call my ISP (verizon) and ask them if there is anything wrong from their end?
(hope they don't find excuses like "we don't support your router" blah blah)

krazeh · September 4, 2023, 5:21pm

That would seem to suggest an issue somewhere between the router and the internet. Which does unfortunately mean getting in contact with your ISP to see what they can do to assist.

AndrewZ · September 4, 2023, 5:30pm

Yes, I would try talking to the ISP support.

bomberb17 · September 4, 2023, 6:43pm

Ok so I spent ~2 hours chatting and speaking with Verizon support. Here is the chat:

Verizon Assistant
Let me get you connected with a live agent.
Agent

By chatting with us, you grant us permission to review your services during the chat to offer you the best value. Refusing to chat will not affect your current services. It is your right and our duty to protect your account information.
Agent

We received your message and we'll connect you with the next available agent.
Agent

To protect your privacy, please do not send sensitive information (passwords, credit card numbers, etc.) through this chat. If we need it, we will use a secure process.
Agent

The estimated wait time is a minute or less. Please keep in mind, in order to hold your place in the agent queue, you will need to keep this chat window active, otherwise your session could be ended.
Agent

Welcome to Verizon FIOS Repair Support Team. My name is Gloria. 😊
May I have your full name, billing telephone number, and billing address, please? 🙏
User
Hello, I have an issue with my internet connection. My connection in general works fine, but I do not have ipv6 connection. E.g. the tests from http://test-ipv6.com/ all fail.
User
My name is xxx, address is xxx
Agent

I understand, than you so much for explaining this to me
Agent

It's a pleasure to meet you  ❤️
Thank you very much for the information provided.
Agent

Let me check on it from my end, no worries I'm here to help you
User
ok
Agent

allow me a second please 🙏
Agent

And just to confirm, do you have a Verizon router, ?
User
no I have my own router.
Agent

Noted that, thank you so much ❤️
User
In my router the IPv6-PD is 2600:4040:xxx::/56
Agent

I appreciate that information ❤️
Agent

Give me another second please 🙏
User
ok
Agent

Thank you so much
Agent

I've checked from here, and since you have your own router, I'm not able to fully assist you
User
what do you mean
Agent

May I know the model of your router?
User
It's a TP-Link Archer C2600 running Openwrt firmware.
Agent

Thank you so much
User
Look - my ipv6 was working fine before I moved to my new house here just a couple of weeks ago. I also had fios and had the exact same router, no problems whatsoever. The ipv6 issue started when I transferred my service to my new home a couple of weeks ago.
Agent

I understand what you mean, but since it's not a Verizon router, I can't provide full assistance here
I'm checking on what can be done
User
Can I speak with a technician? This is not a router issue.
Agent

since it's not a Verizon router we can't provide full assistance.
That's why I'm checking what can be done here
Agent

you can check on that with your router's provider.
Agent

You can also check on your router's configuration
Agent

Type in your browser: 192.168.1.1
You login with your wi-fi credentials
And you should be able to see it from there
Agent

I'm very limited here, so I can't provide much assistance, since it's not our router, Panagiotis, I apologize
Agent

You can enable it from there, from your router's configuration
Agent

Are you still with me?
User
i got disconnected
User
did you do something?
Agent

No, I'm right here with you
User
no i mean if you did something to the ONT because my internet connection was lost for 5 minutes
Agent

No I didn't do anything
User
Ok, as I wrote before, when I log in to my router I see IPv6-PD: 2600:4040:xxx::/56
User
which is probably the IPv6 domain assigned by you
Agent

I'm seeing here that you can also have a router from us with no additional cost, this way we could assist you better.
User
No I don't want to change router.
Agent

Then I can't do anymore from here, I'm very limited here.
You can enter your router's configuration to enable it from there
User
is there a phone number to speak with a technician directly for this?
Agent

Yes you can reach us using this link:

click here

whether you prefer to schedule a callback
Agent

Or to call directly

I then called directly and spent one hour over the phone, first spoke with an agent who didn't even know what ipv6 is, and then refusing to help further "because this is not a Verizon router". After insisting a lot the agent connected me to another tech support department, and they again said "it's not us, call the router manufacturer".

I think I am at a dead end? Maybe the only thing I can do is to disable ipv6 entirely so at least I can get connectivity with those services trying to connect to an ipv6 address?

AndrewZ · September 4, 2023, 6:46pm

Can you connect your PC to the ONT directly and re-test?