Daisy chaining 2 OpenWrt routers: IPv6 not working on one end

I'm daisy-chaining two OpenWrt routers that use IPv6 ULA addresses. Router A is the one that connects to the ISP.

ISP

  • A (192.168.100.1 - meow - nanopi R4S)
  • B (192.168.1.1 - openwrt - R7800) this is my WIFI router

Router B itself and downstream clients on LAN are unable to ping IPv6 on the open internet.

PING google.com (2607:f8b0:4008:80d::200e): 56 data bytes
ping6: sendto: Permission denied
# ip -6 r 
default from fd87:bfc9:eb96::/64 via fe80::6827:19ff:feac:a5fa dev eth0.2 proto static metric 512 pref medium
default from fd87:bfc9:eb96:10::a71 via fe80::6827:19ff:feac:a5fa dev eth0.2 proto static metric 512 pref medium
default from fd87:bfc9:eb96:10::/64 via fe80::6827:19ff:feac:a5fa dev eth0.2 proto static metric 512 pref medium
fd87:bfc9:eb96::/64 dev eth0.2 proto static metric 256 pref medium
unreachable fd87:bfc9:eb96::/64 dev lo proto static metric 2147483647 pref medium
fd87:bfc9:eb96:10::/64 dev eth0.2 proto static metric 256 pref medium
unreachable fd87:bfc9:eb96:10::/64 dev lo proto static metric 2147483647 pref medium
fdc1:2cec:66a7::/64 dev br-lan proto static metric 1024 pref medium
fdc1:2cec:66a7::/60 dev br-lan proto kernel metric 256 expires 1101sec pref medium
unreachable fdc1:2cec:66a7::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium

Router B configs

root@OpenWrt:~# uci export network; uci export dhcp
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Upstream, on Router A, IPv6 works fine for the router itself and for its LAN clients.

root@meow:~# uci export network; uci export dhcp
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd87:bfc9:eb96::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '6a:x:fa'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.100.1'

config device
	option name 'eth0'
	option macaddr '68:x:fa'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'force'
	option reqprefix 'no'
	option defaultroute '1'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'vpn_privacy'
	option device 'eth1.666'
	option netmask '255.255.255.0'
	option ipaddr '172.66.6.1'
	option proto 'static'

config interface 'untrusted'
	option device 'eth1.100'
	option netmask '255.255.255.0'
	option ipaddr '172.100.0.1'
	option ip6assign '64'
	option proto 'static'

config interface 'vms'
	option device 'eth1.200'
	option netmask '255.255.255.0'
	option ipaddr '172.200.0.1'
	option ip6assign '64'
	option proto 'static'

config rule 'vpn_privacy_routing4'
	option priority '30000'
	option lookup '30'
	option in 'vpn_privacy'

config rule 'untrusted_routing4'
	option priority '30000'
	option lookup '20'
	option in 'untrusted'

config rule6 'untrusted_routing6'
	option priority '30000'
	option lookup '20'
	option in 'untrusted'

config interface 'sharktun'
	option device 'tun0'
	option ip4table '30'
	option ip6table '30'
	option proto 'none'

config interface 'vpsgw'

	list addresses '10.100.100.10/24'
	list addresses 'x:x:x:100::10/64'
	option proto 'wireguard'
	option peerdns '0'
	option mtu '1350'
	option ip4table '20'
	option ip6table '20'

config wireguard_vpsgw 'wgserver'

	option route_allowed_ips '1'

	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '45.61.184.24'
	option persistent_keepalive '19'
	option endpoint_port '88'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option domain 'gfm'
	option local '/gfm/'
	option noresolv '1'
	list server '127.0.0.1#5453'
	list server '0::1#5453'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_default '1'
	option start '20'
	option limit '50'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vpn_privacy'
	option interface 'vpn_privacy'
	option start '200'
	option limit '220'
	option leasetime '12h'

config dhcp 'untrusted'
	option leasetime '12h'
	option ra_default '1'
	option start '20'
	option dhcpv6 'server'
	option limit '50'
	option ra 'server'
	option interface 'untrusted'
	option ra_management '1'

config dhcp 'vms'
	option leasetime '12h'
	option ra_default '1'
	option start '20'
	option dhcpv6 'server'
	option limit '50'
	option ra 'server'
	option interface 'vms'
	option ra_management '1'


root@meow:~# 

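When I connect a Windows client directly to router A on eth0.100 (which is what router B uses), IPv6 works and test-ipv6.com passes. (The only VLAN 100 device in the network export above is eth1.100, on the 'untrusted' interface.) Also of note: eth0.100 is routed through a WireGuard tunnel for privacy.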

I'm not sure what I may be missing. Perhaps router A's DHCPv6 needs some configuration so that it offers routing and acts as the central server? Or should router B be a relay / NDP proxy? Thanks!

Your router B tries to request a larger prefix than it gets from A. E.g., try replacing 56 with 62.
You will need to test whether this is the only issue.

Beware of using unstable releases:
http://lists.openwrt.org/pipermail/openwrt-devel/2021-July/035840.html