DHCPv6 seems not working properly with 19.07

Hi. I have been using openwrt for years and recently upgraded from 18.06 to 19.07 and realized that DHCPv6 seems not working properly.
So decided to investigate and need your help.

Hardware: wzr-hp-ag300h.
Configuration:

/etc/config/network

config interface 'loopback'
        option ifname 'lo'   
        option proto 'static'    
        option ipaddr '127.0.0.1' 
        option netmask '255.0.0.0'
                        
config globals 'globals'                       
        option ula_prefix 'fda2:e36f:d923::/48'
                      
config interface 'lan'      
        option type 'bridge'  
        option ifname 'eth0.1'
        option proto 'static'         
        option netmask '255.255.255.0'
        option ip6assign '60'        
        option ipaddr '192.168.2.254'
                      
config interface 'wan'      
        option ifname 'eth1'
        option proto 'dhcp'
                       
config interface 'wan6'     
        option ifname 'eth1' 
        option proto 'dhcpv6'

/etc/config/dhcp

config dnsmasq                      
        option domainneeded '1'     
        option localise_queries '1'        
        option rebind_protection '1'             
        option rebind_localhost '1'              
        option local '/lan/'                     
        option domain 'lan'                      
        option expandhosts '1'                   
        option authoritative '1'                 
        option readethers '1'                    
        option leasefile '/tmp/dhcp.leases'      
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1' 
        option localservice '1'
                                
config dhcp 'lan'               
        option interface 'lan'  
        option leasetime '12h'  
        option dhcpv6 'server'  
        option ra 'server'      
        option start '1'        
        option limit '64'       
        option ra_management '1'            
                                                     
config dhcp 'wan'                                    
        option interface 'wan'                       
        option ignore '1'                            
                                                     
config odhcpd 'odhcpd'                               
        option maindhcp '0'                          
        option leasefile '/tmp/hosts/odhcpd'         
        option leasetrigger '/usr/sbin/odhcpd-update'     
        option loglevel '7'

With this same configuration and hardware, I have checked the logread result for both 18.06.7 and 19.07.2.

Here is the results (I have filtered only odhcpd related lines)

From 18.06.7

Sat Feb 29 12:15:09 2020 user.notice ucitrack: Setting up /etc/config/dhcp reload dependency on /etc/config/odhcpd
Sat Feb 29 12:15:12 2020 daemon.info odhcpd[945]: Using a RA lifetime of 0 seconds on br-lan
Sat Feb 29 12:15:12 2020 daemon.notice odhcpd[945]: Failed to send to ff02::1%br-lan (Address not available)
Sat Feb 29 12:15:13 2020 daemon.debug odhcpd[945]: Netlink newaddr fda2:e36f:d923::1%br-lan
Sat Feb 29 12:15:17 2020 daemon.info odhcpd[945]: Using a RA lifetime of 0 seconds on br-lan
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 120 bytes to ff02::1%br-lan
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 127 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 CONFIRM IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: not on-link fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 96 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.info dnsmasq[1396]: read /tmp/hosts/odhcpd - 0 addresses
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 71 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 SOLICIT IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Received 113 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:18 2020 daemon.warn odhcpd[945]: DHCPV6 REQUEST IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:19 2020 daemon.info dnsmasq[1396]: read /tmp/hosts/odhcpd - 1 addresses
Sat Feb 29 12:15:19 2020 daemon.debug odhcpd[945]: Received 8 Bytes from fe80::224:a5ff:feef:e8a8%eth1
Sat Feb 29 12:15:19 2020 daemon.debug odhcpd[945]: Received 56 Bytes from fe80::225:dcff:fe41:5b8f%eth1
Sat Feb 29 12:15:20 2020 daemon.warn odhcpd[945]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!
Sat Feb 29 12:15:20 2020 daemon.info odhcpd[945]: Using a RA lifetime of 0 seconds on br-lan
Sat Feb 29 12:15:20 2020 daemon.debug odhcpd[945]: Sent 120 bytes to ff02::1%br-lan
Sun Mar  1 02:44:29 2020 daemon.debug odhcpd[945]: Netlink newaddr 240b:13:2340:1800:224:a5ff:feef:e8a8%eth1
Sun Mar  1 02:44:29 2020 daemon.debug odhcpd[945]: Netlink newneigh 240b:13:2340:1800:225:dcff:fe41:5b8f%eth1
Sun Mar  1 02:44:29 2020 daemon.debug odhcpd[945]: Netlink newaddr 240b:13:2340:1810::1%br-lan
Sun Mar  1 02:44:30 2020 daemon.info dnsmasq[1396]: read /tmp/hosts/odhcpd - 2 addresses
Sun Mar  1 02:44:30 2020 daemon.info odhcpd[945]: Using a RA lifetime of 1800 seconds on br-lan
Sun Mar  1 02:44:30 2020 daemon.debug odhcpd[945]: Sent 176 bytes to ff02::1%br-lan
Sun Mar  1 02:44:31 2020 daemon.debug odhcpd[945]: Netlink newneigh fda2:e36f:d923::78c1:6660:65e2:c4b4%br-lan
Sun Mar  1 02:44:33 2020 daemon.debug odhcpd[945]: Netlink newneigh 240b:13:2340:1810:78c1:6660:65e2:c4b4%br-lan
Sun Mar  1 02:44:37 2020 daemon.debug odhcpd[945]: Netlink newneigh fda2:e36f:d923::78c1:6660:65e2:c4b4%br-lan
Sun Mar  1 02:44:37 2020 daemon.debug odhcpd[945]: Netlink newneigh fda2:e36f:d923::78c1:6660:65e2:c4b4%br-lan

From 19.07.2

Sat Feb 29 12:15:00 2020 user.notice ucitrack: Setting up /etc/config/dhcp reload dependency on /etc/config/odhcpd
Sat Feb 29 12:15:04 2020 daemon.debug odhcpd[1113]: Using a RA lifetime of 0 seconds on lan
Sat Feb 29 12:15:04 2020 daemon.notice odhcpd[1113]: Sending a RA on lan
Sat Feb 29 12:15:04 2020 daemon.err odhcpd[1113]: Failed to send to ff02::1%lan@br-lan (Address not available)
Sat Feb 29 12:15:05 2020 daemon.debug odhcpd[1113]: Netlink newaddr fda2:e36f:d923::1 on lan
Sat Feb 29 12:15:08 2020 daemon.debug odhcpd[1113]: Using a RA lifetime of 0 seconds on lan
Sat Feb 29 12:15:08 2020 daemon.notice odhcpd[1113]: Sending a RA on lan
Sat Feb 29 12:15:08 2020 daemon.debug odhcpd[1113]: Sent 120 bytes to ff02::1%lan@br-lan
Sun Mar  1 02:51:49 2020 daemon.warn odhcpd[1113]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Sun Mar  1 02:51:49 2020 daemon.debug odhcpd[1113]: Using a RA lifetime of 0 seconds on lan
Sun Mar  1 02:51:49 2020 daemon.notice odhcpd[1113]: Sending a RA on lan
Sun Mar  1 02:51:49 2020 daemon.debug odhcpd[1113]: Sent 120 bytes to ff02::1%lan@br-lan
Sun Mar  1 02:51:49 2020 daemon.debug odhcpd[1113]: Netlink newaddr 240b:13:2340:1810::1 on lan
Sun Mar  1 02:51:49 2020 daemon.info dnsmasq[1601]: read /tmp/hosts/odhcpd - 0 addresses
Sun Mar  1 02:51:49 2020 daemon.debug odhcpd[1113]: Netlink newaddr 240b:13:2340:1800:224:a5ff:feef:e8a8 on wan
Sun Mar  1 02:51:49 2020 daemon.debug odhcpd[1113]: Netlink newaddr 240b:13:2340:1800:224:a5ff:feef:e8a8 on wan6
Sun Mar  1 02:51:50 2020 daemon.debug odhcpd[1113]: Using a RA lifetime of 1800 seconds on lan
Sun Mar  1 02:51:50 2020 daemon.notice odhcpd[1113]: Sending a RA on lan
Sun Mar  1 02:51:50 2020 daemon.debug odhcpd[1113]: Sent 176 bytes to ff02::1%lan@br-lan
Sun Mar  1 02:52:41 2020 daemon.debug odhcpd[1113]: Netlink newneigh 240b:13:2340:1800:225:dcff:fe41:5b8f on wan
Sun Mar  1 02:52:41 2020 daemon.debug odhcpd[1113]: Netlink newneigh 240b:13:2340:1800:225:dcff:fe41:5b8f on wan6
Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Received 8 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Using a RA lifetime of 1800 seconds on lan
Sun Mar  1 02:52:42 2020 daemon.notice odhcpd[1113]: Sending a RA on lan
Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Sent 176 bytes to fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar  1 02:52:43 2020 daemon.debug odhcpd[1113]: Netlink newneigh fda2:e36f:d923:0:78c1:6660:65e2:c4b4 on lan
Sun Mar  1 02:52:43 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:43 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar  1 02:52:45 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:45 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar  1 02:52:46 2020 daemon.debug odhcpd[1113]: Netlink newneigh 240b:13:2340:1810:78c1:6660:65e2:c4b4 on lan
Sun Mar  1 02:52:49 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:49 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan

There seems some difference between both log, but here I couldn't figure it out what was wrong.

I have tested this by vanilla images with minimum settings, so I believe I didn't do anything wrong.

I'm willing to do any further test if you could give me any advice.
Many thanks in advance.

--
eiji

Have a look at this thread, perhaps this will help you:

1 Like

@lede_dude

Thanks, I will have a look and will try to follow the solution.

--
eiji

@lede_dude

Sorry for late reply. I have read your thread and checked odhcp6c is running or not. For both 18.06 and 19.07, odhcp6c is running.

So I think, my problem is not the same as yours, unfortunately.

What has to be checked next, I wonder ...

--
eiji

I have tried to find out what are the differences between two logread, and not 100% sure, but there seems strange differences

From 18.06

Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 127 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 CONFIRM IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: not on-link fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 96 bytes to fe80::b196:dccf:ba12:c837%br-lan

Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 71 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 SOLICIT IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan

Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Received 113 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:18 2020 daemon.warn odhcpd[945]: DHCPV6 REQUEST IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan

odhcpd received DHCPv6 request three times, and size of three requests are 127 bytes, 71 bytes and 113 bytes.
For each time, odhcpd wrote log

DHCPV6 {CONFIRM|SOLICIT|REQUEST} IA_NA from "DUID" on br-lan , brabrabra...

but, From 19.07

Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:42 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar  1 02:52:43 2020 daemon.debug odhcpd[1113]: Netlink newneigh fda2:e36f:d923:0:78c1:6660:65e2:c4b4 on lan
Sun Mar  1 02:52:43 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:43 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar  1 02:52:45 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar  1 02:52:45 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan

odhcpd received the request three times, this is same, but the size of the request is different. 99 bytes for each.
And there is no additional message logged.

I have tested with the same client pc with same settings. No difference at client side at all. but the logged message is not the same.

I have googled and tried to find anything similar but with no success.

Can anybody help me out to find the root cause ?

--
eiji

  1. Check again with ISP, whether ipv6 is issued to you.

  2. Try a different router.

  3. Try to ping any ipv6 address .... for example

ping -6 google.com

@lede_dude

Thanks for your advice.

  1. ISP is fine. Because when I install 18.06 to the same router. It works perfectly.
  2. I think this problem is not hardware problem because of the same reason.
  3. The problem is only DHCPv6. My client PC has link local v6 address and could ping6 to Google.

I may have to build odhcpd by myself and debug it on the router ...

--
eiji

Here is another thread ...

1 Like

What is output of:
ifstatus wan6; ifstatus lan
for a start

@lede_dude

Thanks for your info. I have read through this thread and check "wan_6" interface, but in my router I don't have this "wan_6" interface.
Only, I have wan (for IPv4) , wan6 (for IPv6) and lan.

@trendy

Please have a look at the result. Sorry, I have masked actual IPv6 address and network, with the letters such as 'X', 'Y', or 'Z', but this shouldn't be a problem I hope.

root@OpenWrt:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 253588,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "24XX:XXXX:XXXX:XXXX:ZZZZ:ZZZZ:ZZZZ:ZZZZ",
                        "mask": 64,
                        "preferred": 12543,
                        "valid": 14343
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "24XX:XXXX:XXXX:YYYY::",
                        "mask": 60,
                        "preferred": 12901,
                        "valid": 12901,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "24XX:XXXX:XXXX:YYYY::",
                                       "mask": 60
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "24XX:XXXX:XXXX:XXXX::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 14343,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::ZZZZ:ZZZZ:ZZZZ:ZZZZ",
                        "metric": 512,
                        "valid": 8943,
                        "source": "24XX:XXXX:XXXX:YYYY::/60"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::ZZZZ:ZZZZ:ZZZZ:ZZZZ",
                        "metric": 512,
                        "valid": 8943,
                        "source": "24XX:XXXX:XXXX:XXXX:ZZZZ:ZZZZ:ZZZZ:ZZZZ/64"
                }
        ],
        "dns-server": [
                "24XX:XXXX:XXXX:XXXX:ZZZZ:ZZZZ:ZZZZ:ZZZZ"
        ],
        "dns-search": [
                "flets-east.jp",
                "iptvf.jp"
        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "00160010240b0013234018000225dcfffe415b8f00170010240b0013234018000225dcfffe415b8f001800190a666c6574732d65617374026a7000056970747666026a7000001f0020240401a811020000000000000000000b240401a811020000000000000000000a"
        }
}
root@OpenWrt:~# ifstatus lan
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 253597,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.2.254",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "24XX:XXXX:XXXX:YYYY::",
                        "mask": 60,
                        "preferred": 12901,
                       "valid": 12901,
                        "local-address": {
                                "address": "24XX:XXXX:XXXX:YYYY::1",
                                "mask": 60
                        }
                },
                {
                        "address": "fddb:5435:878f::",
                        "mask": 60,
                        "local-address": {
                                "address": "fddb:5435:878f::1",
                                "mask": 60
                        }
                }
        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}
root@OpenWrt:~# 

Theye are fine.
When you upgraded to 19.07 did you keep the settings or did you start from scratch (or did you do a reset)?

@trendy

I did both. But the results are the same.

--
eiji

Only DHCPv6 is not working or SLAAC as well?

@trendy

SLAAC is working I think. Because I can ping6 to Google.
Only DHCPv6 seems not working.

--
eiji

And what exactly is not working with DHCP6? The client is not getting an address or some other settings?
What is the content of cat /tmp/hosts/odhcpd ?

@trendy

/tmp/hosts/odhcpd is empty.

My client PC is not getting ipv6 address with prefix 2XXX.XXXX.XXXX.YYYY which I could get with 18.06.

What should I do to check next ?

--
eiji

If the host is not getting at all a Global address then SLAAC is not working either.
Post here the output of:

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro ls tab all ; ip -6 ru; \

Also capture some packets to see if the transaction is correct.
tcpdump -i eth0.1 -vn icmp6 or udp port 546
Let it run for 5-10 minutes to capture router advertisements and dhcp solicitation.

1 Like

@trendy

I have followed your instruction for both 18.06 and 19.07.
Here are the results.

18.06

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:5435:878f::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.2.254'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	option broadcast '192.168.1.255'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

root@OpenWrt:~# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# ip6tables-save -c
# Generated by ip6tables-save v1.6.2 on Thu Mar 12 02:18:17 2020
*mangle
:PREROUTING ACCEPT [870:200725]
:INPUT ACCEPT [171:12196]
:FORWARD ACCEPT [598:174371]
:OUTPUT ACCEPT [190:15726]
:POSTROUTING ACCEPT [780:189418]
[9:720] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Mar 12 02:18:17 2020
# Generated by ip6tables-save v1.6.2 on Thu Mar 12 02:18:17 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[171:12196] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6:681] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[66:4647] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[99:6868] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[598:174371] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[573:158056] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:15816] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[5:499] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[5:499] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[190:15726] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[8:1089] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[73:6304] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[109:8333] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[5:499] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[73:6304] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[20:15816] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[20:15816] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[66:4647] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[66:4647] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[73:6304] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[73:6304] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[66:4647] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3:180] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[126:23969] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[5:499] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[5:499] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[99:6868] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[11:836] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[45:3240] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:96] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[42:2696] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[109:8333] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[109:8333] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Mar 12 02:18:17 2020
root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2XXX:XXXX:XXXX:XX00:XXXX:XXXX:XXXX:XXXX/64 scope global dynamic 
       valid_lft 14377sec preferred_lft 12577sec
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2XXX:XXXX:XXXX:XX10::1/60 scope global dynamic 
       valid_lft 12990sec preferred_lft 12990sec
    inet6 fddb:5435:878f::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -6 ro
default from 2XXX:XXXX:XXXX:XX00::/64 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1  metric 512 
default from 2XXX:XXXX:XXXX:XX10::/60 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1  metric 512 
2XXX:XXXX:XXXX:XX00::/64 dev eth1  metric 256 
2XXX:XXXX:XXXX:XX10::/64 dev br-lan  metric 1024 
unreachable 2XXX:XXXX:XXXX:XX10::/60 dev lo  metric 2147483647  error -148
fddb:5435:878f::/64 dev br-lan  metric 1024 
unreachable fddb:5435:878f::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth1  metric 256 
unreachable default dev lo  metric -1  error -128
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth1  metric 256 
unreachable default dev lo  metric -1  error -128
root@OpenWrt:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 2XXX:XXXX:XXXX:XX10::1/60 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000003:	from all iif eth1 lookup unspec 12
4200000003:	from all iif eth1 lookup unspec 12
4200000006:	from all iif br-lan lookup unspec 12
root@OpenWrt:~# cat /tmp/hosts/odhcpd
2XXX:XXXX:XXXX:XX10::2	io
fddb:5435:878f::2	io
# br-lan 00046f6d78530d9497fef9b5e0e6726f8521 5a8076d9 io -1 2 128 2XXX:XXXX:XXXX:XX10::2/128 fddb:5435:878f::2/128
root@OpenWrt:~# tcpdump -i eth0.1 -vn icmp6
tcpdump: listening on eth0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
02:26:56.146954 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:26:56.148639 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:27:41.986969 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:27:41.987556 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:28:15.666964 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:28:15.668138 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:28:49.107004 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:28:49.110416 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:29:12.134460 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:23:5a:80:76:d9
02:29:12.134642 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::XXXX:XXXX:XXXX:XXXX, Flags [router, solicited]
02:29:17.186974 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::b196:dccf:ba12:c837
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:29:17.187260 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::b196:dccf:ba12:c837, Flags [solicited]
02:29:18.547025 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:29:18.547706 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:29:57.106969 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:29:57.107557 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:30:42.146969 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
          source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:30:42.147566 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
^C
18 packets captured
20 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# 

I wanted to attach 19.07 also, but seems too big. so I will post 19.07 result on next post.

--
eiji

@trendy

Here is the result from 19.07.

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
   option ifname 'lo'
   option proto 'static'
   option ipaddr '127.0.0.1'
   option netmask '255.0.0.0'

config globals 'globals'
   option ula_prefix 'fddb:5435:878f::/48'

config interface 'lan'
   option type 'bridge'
   option ifname 'eth0.1'
   option proto 'static'
   option ipaddr '192.168.2.254'
   option netmask '255.255.255.0'
   option ip6assign '60'

config interface 'wan'
   option ifname 'eth1'
   option proto 'static'
   option ipaddr '192.168.1.2'
   option netmask '255.255.255.0'
   option gateway '192.168.1.254'
   option broadcast '192.168.1.255'
   list dns '1.1.1.1'
   list dns '1.0.0.1'

config interface 'wan6'
   option ifname 'eth1'
   option proto 'dhcpv6'

config switch
   option name 'switch0'
   option reset '1'
   option enable_vlan '1'

config switch_vlan
   option device 'switch0'
   option vlan '1'
   option ports '1 2 3 4 0t'

root@OpenWrt:~# uci export firewall
package firewall

config defaults
   option syn_flood '1'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'REJECT'

config zone
   option name 'lan'
   list network 'lan'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'

config zone
   option name 'wan'
   list network 'wan'
   list network 'wan6'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'
   option masq '1'
   option mtu_fix '1'

config forwarding
   option src 'lan'
   option dest 'wan'

config rule
   option name 'Allow-DHCP-Renew'
   option src 'wan'
   option proto 'udp'
   option dest_port '68'
   option target 'ACCEPT'
   option family 'ipv4'

config rule
   option name 'Allow-Ping'
   option src 'wan'
   option proto 'icmp'
   option icmp_type 'echo-request'
   option family 'ipv4'
   option target 'ACCEPT'

config rule
   option name 'Allow-IGMP'
   option src 'wan'
   option proto 'igmp'
   option family 'ipv4'
   option target 'ACCEPT'

config rule
   option name 'Allow-DHCPv6'
   option src 'wan'
   option proto 'udp'
   option src_ip 'fc00::/6'
   option dest_ip 'fc00::/6'
   option dest_port '546'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-MLD'
   option src 'wan'
   option proto 'icmp'
   option src_ip 'fe80::/10'
   list icmp_type '130/0'
   list icmp_type '131/0'
   list icmp_type '132/0'
   list icmp_type '143/0'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-ICMPv6-Input'
   option src 'wan'
   option proto 'icmp'
   list icmp_type 'echo-request'
   list icmp_type 'echo-reply'
   list icmp_type 'destination-unreachable'
   list icmp_type 'packet-too-big'
   list icmp_type 'time-exceeded'
   list icmp_type 'bad-header'
   list icmp_type 'unknown-header-type'
   list icmp_type 'router-solicitation'
   list icmp_type 'neighbour-solicitation'
   list icmp_type 'router-advertisement'
   list icmp_type 'neighbour-advertisement'
   option limit '1000/sec'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-ICMPv6-Forward'
   option src 'wan'
   option dest '*'
   option proto 'icmp'
   list icmp_type 'echo-request'
   list icmp_type 'echo-reply'
   list icmp_type 'destination-unreachable'
   list icmp_type 'packet-too-big'
   list icmp_type 'time-exceeded'
   list icmp_type 'bad-header'
   list icmp_type 'unknown-header-type'
   option limit '1000/sec'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-IPSec-ESP'
   option src 'wan'
   option dest 'lan'
   option proto 'esp'
   option target 'ACCEPT'

config rule
   option name 'Allow-ISAKMP'
   option src 'wan'
   option dest 'lan'
   option dest_port '500'
   option proto 'udp'
   option target 'ACCEPT'

config include
   option path '/etc/firewall.user'

root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# ip6tables-save -c
# Generated by ip6tables-save v1.8.3 on Thu Mar 12 00:28:58 2020
*mangle
:PREROUTING ACCEPT [56885:27069601]
:INPUT ACCEPT [5086:386944]
:FORWARD ACCEPT [46101:25798657]
:OUTPUT ACCEPT [5750:713810]
:POSTROUTING ACCEPT [51839:26511471]
[327:26088] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Mar 12 00:28:58 2020
# Generated by ip6tables-save v1.8.3 on Thu Mar 12 00:28:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5086:386944] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[131:14646] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[763:51356] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[4192:320942] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[46101:25798657] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[45747:25770025] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[351:28248] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[3:384] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[3:384] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5750:713810] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[183:27321] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1521:226224] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[4046:460265] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[3:384] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1521:226224] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[351:28248] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[351:28248] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[763:51356] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[763:51356] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1521:226224] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1521:226224] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[763:51356] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[9:612] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4388:487901] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[3:384] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[3:384] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[4192:320942] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[45:10350] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[2610:198360] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[608:43776] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[281:26976] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[648:41480] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[4046:460265] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[4046:460265] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Mar 12 00:28:58 2020
root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
   inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
   inet6 2XXX:XXXX:XXXX:XX00:XXXX:XXXX:XXXX:XXXX/64 scope global dynamic 
      valid_lft 13419sec preferred_lft 11619sec
   inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
      valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
   inet6 2XXX:XXXX:XXXX:XX10::1/60 scope global dynamic 
      valid_lft 12157sec preferred_lft 12157sec
   inet6 fddb:5435:878f::1/60 scope global 
      valid_lft forever preferred_lft forever
   inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
      valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -6 ro
default from 2XXX:XXXX:XXXX:XX00::/64 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1  metric 512 
default from 2XXX:XXXX:XXXX:XX10::/60 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1  metric 512 
2XXX:XXXX:XXXX:XX00::/64 dev eth1  metric 256 
2XXX:XXXX:XXXX:XX10::/64 dev br-lan  metric 1024 
unreachable 2XXX:XXXX:XXXX:XX10::/60 dev lo  metric 2147483647  error -148
fddb:5435:878f::/64 dev br-lan  metric 1024 
unreachable fddb:5435:878f::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth1  metric 256 
anycast 2XXX:XXXX:XXXX:XX00:: dev eth1  metric 0 
anycast 2XXX:XXXX:XXXX:XX10:: dev br-lan  metric 0 
anycast fddb:5435:878f:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev eth1  metric 0 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth1  metric 256 
root@OpenWrt:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 2XXX:XXXX:XXXX:XX10::1/60 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12 4200000003:	from all iif eth1 lookup unspec 12 4200000003:	from all iif eth1 lookup unspec 12 4200000006:	from all iif br-lan lookup unspec 12 
root@OpenWrt:~# tcpdump -i eth0.1 -vn icmp6 tcpdump: listening on eth0.1, link-type EN10MB (Ethernet), capture size 262144 bytes 00:42:14.181386 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
         source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:42:14.181939 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:43:03.621388 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
         source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:43:03.622009 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:43:08.980929 IP6 (flowlabel 0x76eee, hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::XXXX:XXXX:XXXX:XXXX > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
       hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
         source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
         mtu option (5), length 8 (1):  1500
         prefix info option (3), length 32 (4): 2XXX:XXXX:XXXX:XX10::/64, Flags [onlink, auto], valid time 11429s, pref. time 11429s
         prefix info option (3), length 32 (4): fddb:5435:878f::/64, Flags [onlink, auto], valid time infinity, pref. time infinity
         route info option (24), length 24 (3):  2XXX:XXXX:XXXX:XX10::/60, pref=medium, lifetime=1800s
         route info option (24), length 24 (3):  fddb:5435:878f::/48, pref=medium, lifetime=1800s
         rdnss option (25), length 24 (3):  lifetime 1800s, addr: fddb:5435:878f::1
         advertisement interval option (7), length 8 (1):  600ms
00:43:50.181393 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
         source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:43:50.182616 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:44:37.061387 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
         source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:44:37.062004 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:45:11.861385 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
         source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:45:11.862010 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]

^C
11 packets captured
11 packets received by filter

I can't run "ip -6 ro ls tab all", instead, I did "ip -6 ro".
Did I do something wrong ?

--
eiji

I don't know, it works fine on mine. Try ip -6 route list table all , although it shouldn't matter.
In the tcpdump you didn't enter the whole command and didn't capture the dhcp6.
Other than that I don't see any problem, there is one router advertisement in 19.07, I suppose the addresses are correct, and neighbour solicitations get their advertisement replies, I hope they are also correct.
So the client is acquiring the SLAAC address only and not the DHCP6 one?