Configuring local ipv6 delegation

Hello, I'm looking for some help (links to something to study, to understand how this should work, would also be fine..)

Context: my ISP is fully IPv6 based. It delegates me a /60, but until today I've only used IPv6 for the external connection, keeping full IPv4 at home.

All is working (with all my 6 VLANs).

Now I need a specific VLAN to have IPv6. So I tried delegating a /64 on the specific interface, and strangely it worked; the problem is that I can't have IPv6 traffic from the VLAN, whereas I can freely have IPv6 traffic from the router itself. Basically, it seems traffic is going to the router but not exiting. It resolves the IP, but can't reach it (the router reaches it):

root@Services:~# ping -6 google.com
PING google.com (2a00:1450:4002:402::200e) 56 data bytes
From 2a01:e11:1407:ba52:be24:11ff:fe22:a977 icmp_seq=1 Destination unreachable: Address unreachable
From 2a01:e11:1407:ba52:be24:11ff:fe22:a977 icmp_seq=2 Destination unreachable: Address unreachable

Needless to say, IPv4 traffic is working perfectly:

root@Services:~# ping -4 google.com
PING google.com (142.250.181.174) 56(84) bytes of data.
64 bytes from mct01s20-in-f14.1e100.net (142.250.181.174): icmp_seq=1 ttl=120 time=2.76 ms
64 bytes from mct01s20-in-f14.1e100.net (142.250.181.174): icmp_seq=2 ttl=120 time=3.09 ms

So, basically, is there a magic option to enable to allow outbound IPv6 traffic, differently from IPv4?

As far as I have understood, the routing table is based on link-local addresses (and the local device has a default route via the link-local address of the router, which seems correct), but the IP address going to the internet is the delegated one (so no masquerading and no NAT). But none of this is happening :)

I have the bad feeling I'm missing something, but it's probably also something conceptual..

Thanks

Dual-Stack maybe?

Each VLAN gets an ip6hint configured; the rest should work out of the box. Hoping you have not messed around...

Have a look at https://openwrt.org/docs/guide-user/network/ipv6/configuration#downstream_configuration_for_lan_interfaces

This was my hope :) but it seems not to be the case..

Thanks for the link; there is also a part that seems to speak to me:

If the router can ping6 the internet, but lan machines get “Destination unreachable: Unknown code 5” or “Source address failed ingress/egress policy” then the ip6assign option is missing on your lan interface.

However, in my case I had properly set up both the length of the PD and the hint.

I fear it's more something about Router Advertisement & DHCPv6. I'm not sure I've understood what the "master router" or the relay mode is about..

This evening I'll also try with other subnets, but I don't think it's about the subnet; I think it's about the router configuration..

Thanks!

If you left the first LAN with the default ip6assign 60, that will take your entire /60 from the ISP and you won't have any prefix space to go to other LANs. Use ip6assign 64 instead.

ip6hint is optional in order to get consistent numbering on the lans. If you don't have any ip6hints it will still work, but with random assignment of sub-prefixes. I suggest doing that first until you have it working. Consistent numbering is useful should you want to write firewall rules.

With a sufficiently large prefix (not a /64) from the ISP, use conventional delegation not relay mode.


No, I just used some /64s with a very simple hint.

I strongly doubt this can be my issue.
And I assume I also have to check the prefix delegation on the VLAN interface (otherwise I don't get any IP on the VLAN devices):

        option ip6assign '64'
        option ip6hint '2'
        list ip6class 'wan_dhcp6'

My biggest issue is the other part of the config, the DHCP.

I tried to reproduce the "SLAAC only" section of the page quoted above, but I could only get this (even if DHCPv6 is disabled in LuCI.. I also tried modifying the config file via the CLI, with no success):

config dhcp 'Services'
        option interface 'Services'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        list ra_flags 'none'

And nothing, still address unreachable..
Delegation seems correct:
This is what I get from my ISP:

**IPv6-PD:** xxxx:xxxx:xxxx:ba50::/60

This is what I delegate with an ip6hint of 2:

**IPv6:** xxxx:xxxx:xxxx:ba52::1/64

Seems right, doesn't it?
And this is an address given to a device in the VLAN:

inet6 xxxx:xxxx:xxxx:ba52:be24:11ff:fe22:a977/64 scope global dynamic mngtmpaddr proto kernel_ra

Any hint?

Where does this come from? Remove it and restart. And check your DHCPv6 and ra config in case you have modified it... The default just works. Please trust us.

Also remove this.

On what?

Sry for triple post. I'm on a mobile phone again.

Ok, something new, well beyond my understanding :)
The VLAN I'm trying to give an IPv6 address to has VLAN->WAN full access. It has no access to the router itself.
I tried to give IPv6 addresses to another VLAN (with full access also to the router). Everything is working.
So I'm now wondering if there is any traffic rule I missed from the VLAN to the router itself to allow the traffic. I tried enabling IPv6 ports for DHCP, ICMP and that sort of thing, with no success. But I'm happy the trusted network worked at the first try :)

This is to delegate only the address coming from that interface, no other IPv6..

I trust you! I just have wrong traffic rules and don't know why :)

Ok, let's go!

/etc/config/network and /etc/config/dhcp, please. Redact what's necessary, but please do not redact private addresses and such trivial but essential details!
/etc/config/firewall also helps to ensure stuff isn't broken by design :wink:

And the current ip -6 route show. Please do not over-redact GUA (Global Unique Addresses).

Edit PS:

K, cool. (Since when is this option argument named wan_dhcp6?) Nice.

#redacted other interfaces

config globals 'globals'
	option ula_prefix 'xxx::/48'
	option packet_steering '1'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'Services'
	option proto 'static'
	option device 'br-services'
	option ipaddr '192.168.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'
	list ip6class 'wan_dhcp6'

config device
	option type 'bridge'
	option name 'br-services'
	list ports 'eth0.555'
	option bridge_empty '1'

config interface 'wan_dhcp6'
	option proto 'dhcpv6'
	option device 'eth1.836'
	option reqaddress 'force'
	option reqprefix 'auto'
	option force_link '1'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'
	option sourcefilter '0'
	option norelease '1'
	list reqopts 'opt_141'

config device
	option name 'eth1'
	option macaddr 'xx'


config interface 'wan_map'
	option proto 'map'
	option maptype 'map-e'
	option peeraddr 'xx'
	option ipaddr 'xx'
	option ip4prefixlen '32'
	option ip6prefix 'xx'
	option tunlink 'wan_dhcp6'
	option ip6prefixlen '60'
	option ealen '10'
	option offset '0'
	option delegate '0'
	option psidlen '1'

config route6
	option interface 'wan_dhcp6'
	option target '::/0'
	option gateway 'xx'
	option metric '1024'
#redacted static leases and other interfaces

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/adblock-blocklist'
	option quietdhcp '1'
	option domain 'lan'
	option local '/lan/'
	option cachesize '1000'
	option domainneeded '1'
	option rebind_localhost '1'
	option expandhosts '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '3'

config dhcp 'Services'
	option interface 'Services'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'none'
#redacted other zones

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan_dhcp6'
	list network 'wan_map'

config zone
	option name 'services'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Services'

config forwarding
	option src 'services'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546 547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'SERVICES - DNS DHCP'
	list proto 'udp'
	option src 'services'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'SERVICES - Forward DNS'
	list proto 'udp'
	option src 'services'
	option src_dport '53'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option name 'SERVICES - Forward NTP'
	list proto 'udp'
	option src 'services'
	option src_dport '123'
	option dest_port '123'

From the non-working client:

xxx:ba52::/64 dev eth0 proto kernel metric 256 expires 5258sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::xx dev eth0 proto ra metric 1024 expires 2558sec hoplimit 64 pref medium

For reference, these are the addresses of the router on the specific interface:

19: br-services: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxx:ba52::1/64 scope global dynamic noprefixroute 
       valid_lft 54247sec preferred_lft 54247sec
    inet6 fe80:: scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

Thanks!!

Again, remove list ra_flags 'none' if you have no reason to set it to 'none'.

I can not comment on config interface 'wan_map', but the config route6 raises some questions.... why?!

Your firewall is not in a default state. And zone Services is missing rules for INPUT.

Sry but: for fukks sake why do you redact fe80:: Link Local Addresses?!?!?

Regarding ip -6 route show. Please show me/us the routing table ON THE ROUTER. When everything on the router is fine, we can take care of the client, ok...

Not my idea :) it's coming from here:

My ISP uses MAP-E for offering its services (hence the map interface), while the second one (route6) is just a static route, since my lovely ISP stopped sending RA packets.
To me nothing is relevant here (if the router couldn't access the internet on IPv6, nothing would be working, not even IPv4 traffic, since it's encapsulated in IPv6 with MAP..).

Not sure what you refer to with "not in a default state"; just let me know what info I did not provide.. Second part: I can't understand the point:

config zone
	option name 'services'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Services'

Isn't this the input rule?

For the default rule, just to save you checking whether it is the same as the router's: it's the same :)
As soon as I get home I'll post the IPv6 routes of the router, but again: if in the LAN zone everything works, it seems strange to be a router problem, no?

Thanks again!

Since it works with the Services lan in the default lan firewall zone, this confirms the problem is the firewall. I think you need the wan->lan forward ICMPv6 rules effective on each lan in order for v6 to work properly. You also need Input of RS and NDP packets on the LAN's zone for SLAAC to work.

ICMP in general is essential for v6 to function, unlike v4 where it is more of a troubleshooting aid. In v4, ARP and DHCP are done at layer 2, while in v6 these are layer 3 as part of ICMP.

You are definitely right. Allowing ICMPv6 from Services to the router itself made everything work. However, I didn't also have to allow ICMPv6 forward wan2lan.
Thanks!