Connected devices cannot use IPv6

Hi,

I’ve been trying to figure out why none of my devices connected to my OpenWRT router are unable to use IPv6, while the router itself has IPv6 connectivity.

First of all, I use a mix of devices on my network, running iOS, Android, various Linux distros, and macOS.

My ISP is Verizon’s 5G Home Internet offering. My OpenWRT router’s WAN port is connected directly to the wireless receiver antenna which connects to Verizon’s network.

If I SSH into my router, and run try ping a domain over IPv6, everything seems to work fine:

root@router:~# ping example.com
PING example.com (2600:1406:5e00:6::17ce:bc12): 56 data bytes
64 bytes from 2600:1406:5e00:6::17ce:bc12: seq=0 ttl=50 time=56.505 ms
64 bytes from 2600:1406:5e00:6::17ce:bc12: seq=1 ttl=50 time=56.609 ms
64 bytes from 2600:1406:5e00:6::17ce:bc12: seq=2 ttl=50 time=57.291 ms
^C
--- example.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 56.505/56.801/57.291 ms

But if I try and use any of the client devices connected to my router, none of them can reach anything over IPv6:

opnent@box ~> ping -6 example.com
ping: connect: Network is unreachable

I tried to look through the IPv6 wiki page, but I found the article much too technical for me.

Any advice is greatly appreciated.

My configs:

root@router:~# ubus call system board
{
        "kernel": "6.6.104",
        "hostname": "router",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX6000",
        "board_name": "asus,tuf-ax6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:9907:7140::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option peerdns '0'

config interface 'HomeVPN'
        option proto 'wireguard'
        option private_key ''
        option listen_port '54280'
        list addresses '10.10.10.1/24'

config wireguard_HomeVPN
        option description 'Phone'
        option public_key ''
        option private_key ''
        option preshared_key ''
        list allowed_ips '10.10.10.2/32'
        option route_allowed_ips '1'

config wireguard_HomeVPN
        option public_key ''
        option private_key ''
        option preshared_key ''
        option description 'MacBook'
        list allowed_ips '10.10.10.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '5'

config wireguard_HomeVPN
        option description 'Archbox'
        option public_key ''
        option private_key ''
        option preshared_key ''
        list allowed_ips '10.10.10.4/32'
        option route_allowed_ips '1'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'HomeVPN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Divert-DNS, port 53'
        option src 'wan'
        option src_dport '53'
        option dest_port '53'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HomeVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '54280'
        option dest_ip '192.168.1.1'
        option dest_port '54280'

config rule
        option name 'Reject-DoT,port 853'
        list proto 'tcp'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option target 'ACCEPT'

/etc/config/uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '1'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'
        list ucode_prefix '/cgi-bin/luci=/usr/share/ucode/luci/uhttpd.uc'

config cert 'defaults'
        option days '397'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'

On lan change it to 64

Then on wan6 add

option extendprefix '1'

Reboot then show ifstatus wan6 output.

The way IPv6 for home users usually work is that your router might get an IPv6 address from some prefix (not strictly necessary), and you'll also get a separate routed prefix that your router can advertise to your LAN segments. If the latter part isn't being done, none of your LAN devices will have IPv6 connectivity.

Note that this night work slightly different on 4G/5G connections, so I would try the suggestion in the post above mine first.

Before the recommended config changes:

root@router:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 29672,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2600:1007:a012:78c7:ca7f:54ff:fe24:a56a",
                        "mask": 64,
                        "preferred": 20,
                        "valid": 30
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2600:1007:a012:78c7::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 30,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::12e8:a7ff:fef3:aa01",
                        "metric": 512,
                        "valid": 35,
                        "source": "2600:1007:a012:78c7:ca7f:54ff:fe24:a56a/64"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "2001:4888:35:ff00:383:d::",
                        "2001:4888:34:ff00:386:d::"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

After the recommended config changes:

root@router:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 46,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "updated": [
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2600:1007:a012:78c7:ca7f:54ff:fe24:a56a",
                        "mask": 64,
                        "preferred": 26,
                        "valid": 36
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2600:1007:a012:78c7::",
                        "mask": 64,
                        "preferred": 26,
                        "valid": 36,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2600:1007:a012:78c7::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::12e8:a7ff:fef3:aa01",
                        "metric": 512,
                        "valid": 41,
                        "source": "2600:1007:a012:78c7:ca7f:54ff:fe24:a56a/64"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "2001:4888:35:ff00:383:d::",
                        "2001:4888:34:ff00:386:d::"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

On connected devices, running ping -6 ``example.com no longer ends up in a “Network unreachable” error, but instead results in all IPv6 connections seemingly never finishing.

opnent@box ~ [2]> ping -6 example.com
PING example.com (2600:1406:5e00:6::17ce:bc12) 56 data bytes
^C
--- example.com ping statistics ---
55 packets transmitted, 0 received, 100% packet loss, time 55338ms

IPv6 still works as expected on the router itself.

Well, at least you now have IPv6 assigned to LAN.

Your “wireless receiver antenna“ is probably a router and it has just a single /64 IPv6 subnet on its LAN and there is no Prefix Delegation in place. In this scenario you will probably need to configure NDP proxy as discussed in this thread:

Alternatively check if your 5G device could be configured in passthrough mode.

The router set I got from my ISP is actually two boxes. The first one is the “antenna” which they call “LV65”, and the router box is what they call the “CR1000A“.

I used to have the LV65 connected to the CR1000A, which was in passthrough (bridge) mode, and then connected it to my OpenWRT router, but the CR1000A kept overheating and causing connectivity issues, so I plugged the LV65 directly into my OpenWRT router’s WAN port, and things worked much better since. I don’t see any way to configure the LV65 directly.

I will try and set up the NDP proxy, and report back with updates.

I’ve gone and followed the wiki page on setting up NDP:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:9907:7140::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option dhcpv6 relay
        option ra relay
        option ndp relay

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option peerdns '0'
        option extendprefix '1'
        option dhcpv6 relay
        option ra relay
        option ndp relay
        option master 1
        option interface wan6

config interface 'HomeVPN'
        option proto 'wireguard'
        option private_key ''
        option listen_port '54280'
        list addresses '10.10.10.1/24'

config wireguard_HomeVPN
        option description 'Phone'
        option public_key ''
        option private_key ''
        option preshared_key ''
        list allowed_ips '10.10.10.2/32'
        option route_allowed_ips '1'

config wireguard_HomeVPN
        option public_key ''
        option private_key ''
        option preshared_key ''
        option description 'MacBook'
        list allowed_ips '10.10.10.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '5'

config wireguard_HomeVPN
        option description 'Archbox'
        option public_key ''
        option private_key ''
        option preshared_key ''
        list allowed_ips '10.10.10.4/32'
        option route_allowed_ips '1'

But my devices still cannot get IPv6 connectivity:

root@router:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 347,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "updated": [
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2600:1007:a012:78c7:ca7f:54ff:fe24:a56a",
                        "mask": 64,
                        "preferred": 26,
                        "valid": 36
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2600:1007:a012:78c7::",
                        "mask": 64,
                        "preferred": 26,
                        "valid": 36,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2600:1007:a012:78c7::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::12e8:a7ff:fef3:aa01",
                        "metric": 512,
                        "valid": 41,
                        "source": "2600:1007:a012:78c7:ca7f:54ff:fe24:a56a/64"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "2001:4888:35:ff00:383:d::",
                        "2001:4888:34:ff00:386:d::"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

Your configuration is wrong. You need to set some parameters in DHCP configuration and not on interface level.

See the example at the bottom of the thread I linked.

Thanks, so I should go and remove the following entries under /etc/config/network?

config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay

config dhcp wan6
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1
    option interface wan6

Should I just try and copy the DHCP section from this post?

Success, all my devices (except for my Android phone) to get IPv6 connectivity on my home internet.

The last piece of the puzzle was to edit my /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/local/'
        option domain 'local'
        option expandhosts '1'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option localuse '1'
        list server '127.0.0.53'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'RaspberryPi'
        option dns '1'
        list mac ''
        option ip '192.168.1.3'
        option leasetime 'infinite'

config host
        option name 'Arch'
        option dns '1'
        list mac ''
        option ip '192.168.1.30'
        option leasetime 'infinite'

config host
        option name 'Box'
        option dns '1'
        list mac ''
        option ip '192.168.1.10'
        option leasetime 'infinite'

config host
        option name 'Pixel'
        option dns '1'
        list mac ''
        option ip '192.168.1.40'
        option leasetime 'infinite'

config host
        option name 'iPad'
        option dns '1'
        list mac ''
        option ip '192.168.1.50'
        option leasetime 'infinite'

config host
        option name 'MacBook'
        option dns '1'
        list mac ''
        option ip '192.168.1.20'
        option leasetime 'infinite'

config host
        option name 'Asahi'
        option dns '1'
        list mac ''
        option ip '192.168.1.21'
        option leasetime 'infinite'

In my case, I had to remove option ra_slaac '1' from under ‘lan’, and add the entire ‘wan6’ section.

I should note that most of my devices required a reboot before they actually started preferring IPv6 connections.

One exception is my phone (Pixel 8 Pro) running the Android 16 version of GrapheneOS, which, even after a cold reboot, forgetting my WiFi and reconnecting to it. How should I go about diagnosing the cause of this seemingly device-specific issue (it’s my only Android device)?

Thank you @AndrewZ for guiding me through the NDP setup, and @blunden for explaining NDP to me, I really appreciate your help.

Android doesn't support address assignments via DHCPv6 (IA_NA). It's on purpose. You need to use SLAAC.

So, do I need to go and put option ra_slaac '1' back under the “lan” section of my DHCP config?

Yes, I would assume so.

I don't have much experience with IPv6 configuration on OpenWrt. I've only recently started testing IPv6 again on OpenWrt while testing out the BananaPi BPI-R4.

No, ra_slaac '1' is a default, see https://openwrt.org/docs/guide-user/base-system/dhcp

How would I got about enabling SLAAC for my LAN? Can SLAAC and DHCPv6 (which is what I presume I just set up) coexist?

Yes, they can happily coexist. I don’t know exactly how to configure that in OpenWrt though, but it is the default. There is rarely a need for DHCPv6 address assignments, especially in a home network.

I personally disabled the DHCPv6 server as I prefer to stick to SLAAC. I also disabled ULAs.

Note however that you are using a quite different IPv6 setup as it sounds like you are only getting a single /64. I’m not exactly sure how the relay configuration works. Hopefully it allows you to use the full /64 because SLAAC can’t work with any smaller network segments than /64.

Thank you, I’ve followed the instructions for enabling SLAAC found on this wiki page.

From my understanding of the article, I have to disable DHCPv6, because I can’t have DHCPv6 + SLAAC, while also using ndp.

This time, I tried to configure SLAAC from LuCI, because I was starting to get lost in the options.

Even with all these config changes, my Android phone still seemingly can’t get an IPv6 address (all other devices can). I probably misconfigured something, so I attached screenshots of LuCI on what seem to be the sections relevant to my issue.

Thank you for your advice and patience with me.

Screenshot 2025-09-28 at 22.39.321800×1930 336 KB

Screenshot 2025-09-28 at 22.39.421796×1650 289 KB

Screenshot 2025-09-28 at 22.40.271796×1936 346 KB

Screenshot 2025-09-28 at 22.43.142282×1716 193 KB

Every IPv6 should need slaac. Only some exceptions where it gets disabled. But for dhcpv6 you need slaac, to inform clients about the fact they should try to get dhcpv6 config options.

Thank you everyone who helped me. I’m now able to get IPv6 on all my devices, other than those running Android. I will open a separate thread for the Android issue, because I feel that thins thread has fulfilled it’s purpose.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.