Thanks, I will have a look and will try to follow the solution.
--
eiji
Sorry for the late reply. I have read your thread and checked whether odhcp6c is running or not. For both 18.06 and 19.07, odhcp6c is running.
So I think my problem is not the same as yours, unfortunately.
What has to be checked next, I wonder ...
--
eiji
I have tried to find out what the differences are between the two logreads, and I am not 100% sure, but there seem to be strange differences.
From 18.06:
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 127 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 CONFIRM IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: not on-link fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 96 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 71 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 SOLICIT IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Received 113 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:18 2020 daemon.warn odhcpd[945]: DHCPV6 REQUEST IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan
odhcpd received a DHCPv6 request three times, and the sizes of the three requests are 127 bytes, 71 bytes and 113 bytes.
Each time, odhcpd wrote a log line:
DHCPV6 {CONFIRM|SOLICIT|REQUEST} IA_NA from "DUID" on br-lan , blah blah blah...
But from 19.07:
Sun Mar 1 02:52:42 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar 1 02:52:42 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar 1 02:52:43 2020 daemon.debug odhcpd[1113]: Netlink newneigh fda2:e36f:d923:0:78c1:6660:65e2:c4b4 on lan
Sun Mar 1 02:52:43 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar 1 02:52:43 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar 1 02:52:45 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar 1 02:52:45 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
odhcpd received the request three times, which is the same, but the size of the request is different: 99 bytes each.
And there is no additional message logged.
I have tested with the same client PC with the same settings. There is no difference at the client side at all, but the logged messages are not the same.
I have googled and tried to find anything similar, but with no success.
Can anybody help me find the root cause?
--
eiji
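The comparison made by hand in the post above can be done mechanically. This is an added example, not part of the original thread and not OpenWrt code: it tallies, per client, the packets odhcpd received, the message types it logged as handled, and the replies it sent. The log lines are copied from the two excerpts above; the function names `summarize` and `unanswered` are hypothetical.

```python
import re

# Log lines copied from the 18.06 and 19.07 logread excerpts in the post above.
LOG_18_06 = """\
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 127 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 CONFIRM IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: not on-link fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 96 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Received 71 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:17 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:17 2020 daemon.warn odhcpd[945]: DHCPV6 SOLICIT IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:17 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Received 113 Bytes from fe80::b196:dccf:ba12:c837%br-lan
Sat Feb 29 12:15:18 2020 daemon.notice odhcpd[945]: Got DHCPv6 request
Sat Feb 29 12:15:18 2020 daemon.warn odhcpd[945]: DHCPV6 REQUEST IA_NA from 00046f6d78530d9497fef9b5e0e6726f8521 on br-lan: ok fda2:e36f:d923::2/128
Sat Feb 29 12:15:18 2020 daemon.debug odhcpd[945]: Sent 112 bytes to fe80::b196:dccf:ba12:c837%br-lan
"""

LOG_19_07 = """\
Sun Mar 1 02:52:42 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar 1 02:52:42 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar 1 02:52:43 2020 daemon.debug odhcpd[1113]: Netlink newneigh fda2:e36f:d923:0:78c1:6660:65e2:c4b4 on lan
Sun Mar 1 02:52:43 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar 1 02:52:43 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
Sun Mar 1 02:52:45 2020 daemon.debug odhcpd[1113]: Received 99 Bytes from fe80::b196:dccf:ba12:c837%lan@br-lan
Sun Mar 1 02:52:45 2020 daemon.debug odhcpd[1113]: Got a DHCPv6-request on lan
"""

RECEIVED = re.compile(r"odhcpd\[\d+\]: Received (\d+) Bytes from (\S+)")
SENT = re.compile(r"odhcpd\[\d+\]: Sent (\d+) bytes to (\S+)")
# e.g. "DHCPV6 SOLICIT IA_NA from <duid> on br-lan: ok <address>"
HANDLED = re.compile(
    r"odhcpd\[\d+\]: DHCPV6 (\w+) (IA_\w+) from ([0-9a-f]+) on ([^\s:]+): (.*)"
)


def strip_zone(addr):
    """Drop the '%br-lan' / '%lan@br-lan' zone suffix so both releases compare equal."""
    return addr.split("%", 1)[0]


def summarize(log_text):
    """Return {client: {'received': [sizes], 'sent': [sizes], 'handled': [(type, status)]}}."""
    clients = {}
    last_client = None  # the 'DHCPV6 ...' line carries a DUID, not the source address

    def entry(client):
        return clients.setdefault(client, {"received": [], "sent": [], "handled": []})

    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        if m:
            last_client = strip_zone(m.group(2))
            entry(last_client)["received"].append(int(m.group(1)))
            continue
        m = SENT.search(line)
        if m:
            entry(strip_zone(m.group(2)))["sent"].append(int(m.group(1)))
            continue
        m = HANDLED.search(line)
        if m and last_client is not None:
            # Attribute the handled message to the most recent sender.
            entry(last_client)["handled"].append((m.group(1), m.group(5)))
    return clients


def unanswered(summary):
    """Clients from which more packets were received than replies were sent."""
    return sorted(c for c, e in summary.items() if len(e["received"]) > len(e["sent"]))


if __name__ == "__main__":
    for name, text in (("18.06", LOG_18_06), ("19.07", LOG_19_07)):
        summary = summarize(text)
        for client, e in summary.items():
            types = [t for t, _ in e["handled"]] or ["(none logged)"]
            print(name, client, "received", e["received"],
                  "handled", types, "sent", e["sent"])
        print(name, "clients with unanswered requests:", unanswered(summary))
```

On a router the same functions can be fed the saved output of `logread` instead of the embedded samples.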
Check again with your ISP whether IPv6 is issued to you.
Try a different router.
Try to ping any IPv6 address, for example:
ping -6 google.com
Thanks for your advice.
I may have to build odhcpd myself and debug it on the router ...
--
eiji
Here is another thread ...
What is the output of:
ifstatus wan6; ifstatus lan
for a start
Thanks for your info. I have read through this thread and checked the "wan_6" interface, but on my router I don't have this "wan_6" interface.
I only have wan (for IPv4), wan6 (for IPv6) and lan.
Please have a look at the result. Sorry, I have masked the actual IPv6 addresses and networks with letters such as 'X', 'Y', or 'Z', but this shouldn't be a problem, I hope.
root@OpenWrt:~# ifstatus wan6
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 253588,
"l3_device": "eth1",
"proto": "dhcpv6",
"device": "eth1",
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
],
"ipv6-address": [
{
"address": "24XX:XXXX:XXXX:XXXX:ZZZZ:ZZZZ:ZZZZ:ZZZZ",
"mask": 64,
"preferred": 12543,
"valid": 14343
}
],
"ipv6-prefix": [
{
"address": "24XX:XXXX:XXXX:YYYY::",
"mask": 60,
"preferred": 12901,
"valid": 12901,
"class": "wan6",
"assigned": {
"lan": {
"address": "24XX:XXXX:XXXX:YYYY::",
"mask": 60
}
}
}
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "24XX:XXXX:XXXX:XXXX::",
"mask": 64,
"nexthop": "::",
"metric": 256,
"valid": 14343,
"source": "::/0"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::ZZZZ:ZZZZ:ZZZZ:ZZZZ",
"metric": 512,
"valid": 8943,
"source": "24XX:XXXX:XXXX:YYYY::/60"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::ZZZZ:ZZZZ:ZZZZ:ZZZZ",
"metric": 512,
"valid": 8943,
"source": "24XX:XXXX:XXXX:XXXX:ZZZZ:ZZZZ:ZZZZ:ZZZZ/64"
}
],
"dns-server": [
"24XX:XXXX:XXXX:XXXX:ZZZZ:ZZZZ:ZZZZ:ZZZZ"
],
"dns-search": [
"flets-east.jp",
"iptvf.jp"
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"passthru": "00160010240b0013234018000225dcfffe415b8f00170010240b0013234018000225dcfffe415b8f001800190a666c6574732d65617374026a7000056970747666026a7000001f0020240401a811020000000000000000000b240401a811020000000000000000000a"
}
}
root@OpenWrt:~# ifstatus lan
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 253597,
"l3_device": "br-lan",
"proto": "static",
"device": "br-lan",
"updated": [
"addresses"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "192.168.2.254",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
{
"address": "24XX:XXXX:XXXX:YYYY::",
"mask": 60,
"preferred": 12901,
"valid": 12901,
"local-address": {
"address": "24XX:XXXX:XXXX:YYYY::1",
"mask": 60
}
},
{
"address": "fddb:5435:878f::",
"mask": 60,
"local-address": {
"address": "fddb:5435:878f::1",
"mask": 60
}
}
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}
root@OpenWrt:~#
They are fine.
When you upgraded to 19.07, did you keep the settings or did you start from scratch (or did you do a reset)?
Is only DHCPv6 not working, or SLAAC as well?
SLAAC is working, I think, because I can ping6 Google.
Only DHCPv6 seems not to be working.
--
eiji
And what exactly is not working with DHCPv6? Is the client not getting an address, or some other settings?
What is the content of cat /tmp/hosts/odhcpd ?
/tmp/hosts/odhcpd is empty.
My client PC is not getting an IPv6 address with the prefix 2XXX.XXXX.XXXX.YYYY, which I could get with 18.06.
What should I check next?
--
eiji
If the host is not getting a global address at all, then SLAAC is not working either.
Post here the output of:
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro ls tab all ; ip -6 ru
Also capture some packets to see if the transaction is correct.
tcpdump -i eth0.1 -vn icmp6 or udp port 546
Let it run for 5-10 minutes to capture router advertisements and dhcp solicitation.
I have followed your instructions for both 18.06 and 19.07.
Here are the results.
18.06:
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fddb:5435:878f::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.254'
option broadcast '192.168.1.255'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
root@OpenWrt:~# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# ip6tables-save -c
# Generated by ip6tables-save v1.6.2 on Thu Mar 12 02:18:17 2020
*mangle
:PREROUTING ACCEPT [870:200725]
:INPUT ACCEPT [171:12196]
:FORWARD ACCEPT [598:174371]
:OUTPUT ACCEPT [190:15726]
:POSTROUTING ACCEPT [780:189418]
[9:720] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Mar 12 02:18:17 2020
# Generated by ip6tables-save v1.6.2 on Thu Mar 12 02:18:17 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[171:12196] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6:681] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[66:4647] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[99:6868] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[598:174371] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[573:158056] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:15816] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[5:499] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[5:499] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[190:15726] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[8:1089] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[73:6304] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[109:8333] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[5:499] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[73:6304] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[20:15816] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[20:15816] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[66:4647] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[66:4647] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[73:6304] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[73:6304] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[66:4647] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3:180] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[126:23969] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[5:499] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[5:499] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[99:6868] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[11:836] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[45:3240] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:96] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[42:2696] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[109:8333] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[109:8333] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Mar 12 02:18:17 2020
root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2XXX:XXXX:XXXX:XX00:XXXX:XXXX:XXXX:XXXX/64 scope global dynamic
valid_lft 14377sec preferred_lft 12577sec
inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2XXX:XXXX:XXXX:XX10::1/60 scope global dynamic
valid_lft 12990sec preferred_lft 12990sec
inet6 fddb:5435:878f::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -6 ro
default from 2XXX:XXXX:XXXX:XX00::/64 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1 metric 512
default from 2XXX:XXXX:XXXX:XX10::/60 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1 metric 512
2XXX:XXXX:XXXX:XX00::/64 dev eth1 metric 256
2XXX:XXXX:XXXX:XX10::/64 dev br-lan metric 1024
unreachable 2XXX:XXXX:XXXX:XX10::/60 dev lo metric 2147483647 error -148
fddb:5435:878f::/64 dev br-lan metric 1024
unreachable fddb:5435:878f::/48 dev lo metric 2147483647 error -148
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev eth1 metric 256
unreachable default dev lo metric -1 error -128
ff00::/8 dev br-lan metric 256
ff00::/8 dev eth0 metric 256
ff00::/8 dev eth1 metric 256
unreachable default dev lo metric -1 error -128
root@OpenWrt:~# ip -6 ru
0: from all lookup local
32766: from all lookup main
4200000000: from 2XXX:XXXX:XXXX:XX10::1/60 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000003: from all iif eth1 lookup unspec 12
4200000003: from all iif eth1 lookup unspec 12
4200000006: from all iif br-lan lookup unspec 12
root@OpenWrt:~# cat /tmp/hosts/odhcpd
2XXX:XXXX:XXXX:XX10::2 io
fddb:5435:878f::2 io
# br-lan 00046f6d78530d9497fef9b5e0e6726f8521 5a8076d9 io -1 2 128 2XXX:XXXX:XXXX:XX10::2/128 fddb:5435:878f::2/128
root@OpenWrt:~# tcpdump -i eth0.1 -vn icmp6
tcpdump: listening on eth0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
02:26:56.146954 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:26:56.148639 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:27:41.986969 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:27:41.987556 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:28:15.666964 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:28:15.668138 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:28:49.107004 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:28:49.110416 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:29:12.134460 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:23:5a:80:76:d9
02:29:12.134642 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::XXXX:XXXX:XXXX:XXXX, Flags [router, solicited]
02:29:17.186974 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::b196:dccf:ba12:c837
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:29:17.187260 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::b196:dccf:ba12:c837, Flags [solicited]
02:29:18.547025 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:29:18.547706 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:29:57.106969 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:29:57.107557 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
02:30:42.146969 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
02:30:42.147566 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
^C
18 packets captured
20 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#
I wanted to attach 19.07 as well, but it seems too big, so I will post the 19.07 result in the next post.
--
eiji
Here is the result from 19.07.
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fddb:5435:878f::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.254'
option broadcast '192.168.1.255'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
root@OpenWrt:~# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# ip6tables-save -c
# Generated by ip6tables-save v1.8.3 on Thu Mar 12 00:28:58 2020
*mangle
:PREROUTING ACCEPT [56885:27069601]
:INPUT ACCEPT [5086:386944]
:FORWARD ACCEPT [46101:25798657]
:OUTPUT ACCEPT [5750:713810]
:POSTROUTING ACCEPT [51839:26511471]
[327:26088] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Mar 12 00:28:58 2020
# Generated by ip6tables-save v1.8.3 on Thu Mar 12 00:28:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5086:386944] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[131:14646] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[763:51356] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[4192:320942] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[46101:25798657] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[45747:25770025] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[351:28248] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[3:384] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[3:384] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5750:713810] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[183:27321] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1521:226224] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[4046:460265] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[3:384] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1521:226224] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[351:28248] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[351:28248] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[763:51356] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[763:51356] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1521:226224] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1521:226224] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[763:51356] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[9:612] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4388:487901] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[3:384] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[3:384] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[4192:320942] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[45:10350] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[2610:198360] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[608:43776] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[281:26976] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[648:41480] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[4046:460265] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[4046:460265] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Mar 12 00:28:58 2020
root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2XXX:XXXX:XXXX:XX00:XXXX:XXXX:XXXX:XXXX/64 scope global dynamic
valid_lft 13419sec preferred_lft 11619sec
inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2XXX:XXXX:XXXX:XX10::1/60 scope global dynamic
valid_lft 12157sec preferred_lft 12157sec
inet6 fddb:5435:878f::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -6 ro
default from 2XXX:XXXX:XXXX:XX00::/64 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1 metric 512
default from 2XXX:XXXX:XXXX:XX10::/60 via fe80::XXXX:XXXX:XXXX:XXXX dev eth1 metric 512
2XXX:XXXX:XXXX:XX00::/64 dev eth1 metric 256
2XXX:XXXX:XXXX:XX10::/64 dev br-lan metric 1024
unreachable 2XXX:XXXX:XXXX:XX10::/60 dev lo metric 2147483647 error -148
fddb:5435:878f::/64 dev br-lan metric 1024
unreachable fddb:5435:878f::/48 dev lo metric 2147483647 error -148
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev eth1 metric 256
anycast 2XXX:XXXX:XXXX:XX00:: dev eth1 metric 0
anycast 2XXX:XXXX:XXXX:XX10:: dev br-lan metric 0
anycast fddb:5435:878f:: dev br-lan metric 0
anycast fe80:: dev eth0 metric 0
anycast fe80:: dev br-lan metric 0
anycast fe80:: dev eth1 metric 0
ff00::/8 dev br-lan metric 256
ff00::/8 dev eth0 metric 256
ff00::/8 dev eth1 metric 256
root@OpenWrt:~# ip -6 ru
0: from all lookup local
32766: from all lookup main
4200000000: from 2XXX:XXXX:XXXX:XX10::1/60 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000003: from all iif eth1 lookup unspec 12
4200000003: from all iif eth1 lookup unspec 12
4200000006: from all iif br-lan lookup unspec 12
root@OpenWrt:~# tcpdump -i eth0.1 -vn icmp6
tcpdump: listening on eth0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:42:14.181386 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:42:14.181939 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:43:03.621388 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:43:03.622009 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:43:08.980929 IP6 (flowlabel 0x76eee, hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::XXXX:XXXX:XXXX:XXXX > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
mtu option (5), length 8 (1): 1500
prefix info option (3), length 32 (4): 2XXX:XXXX:XXXX:XX10::/64, Flags [onlink, auto], valid time 11429s, pref. time 11429s
prefix info option (3), length 32 (4): fddb:5435:878f::/64, Flags [onlink, auto], valid time infinity, pref. time infinity
route info option (24), length 24 (3): 2XXX:XXXX:XXXX:XX10::/60, pref=medium, lifetime=1800s
route info option (24), length 24 (3): fddb:5435:878f::/48, pref=medium, lifetime=1800s
rdnss option (25), length 24 (3): lifetime 1800s, addr: fddb:5435:878f::1
advertisement interval option (7), length 8 (1): 600ms
00:43:50.181393 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:43:50.182616 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:44:37.061387 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:44:37.062004 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
00:45:11.861385 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::XXXX:XXXX:XXXX:XXXX > 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
source link-address option (1), length 8 (1): 00:24:a5:ef:e8:a6
00:45:11.862010 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX > fe80::XXXX:XXXX:XXXX:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2XXX:XXXX:XXXX:XX10:XXXX:XXXX:XXXX:XXXX, Flags [solicited]
^C
11 packets captured
11 packets received by filter
I can't run "ip -6 ro ls tab all"; instead, I did "ip -6 ro".
Did I do something wrong?
--
eiji
I don't know, it works fine on mine. Try ip -6 route list table all, although it shouldn't matter.
In the tcpdump you didn't enter the whole command and didn't capture the dhcp6.
Other than that I don't see any problem, there is one router advertisement in 19.07, I suppose the addresses are correct, and neighbour solicitations get their advertisement replies, I hope they are also correct.
So the client is acquiring the SLAAC address only and not the DHCP6 one?
I will check "ip -6 route list table all" tomorrow, but I'm using the same client to connect to OpenWrt 18.06 and 19.07, so I don't think the client is acquiring only SLAAC.
Do I have to run tcpdump for a much longer time?
--
eiji
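As an added example (not part of the original thread), the check discussed in the replies above can be run over a saved capture: it counts the ICMPv6 message types, reads the M flag from the router advertisement, and reports whether any DHCPv6 messages were captured at all. The sample lines are constructed in the format of the tcpdump output in this thread, and the "dhcp6 <message>" label on the DHCPv6 lines is assumed from tcpdump's usual verbose output.

```python
import re
from collections import Counter

# Constructed sample in the format of the "tcpdump -vn icmp6" output above;
# addresses use the 2001:db8::/32 documentation prefix.
ICMP6_ONLY = """\
00:42:14.181386 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > 2001:db8:0:10::a: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:0:10::a
00:42:14.181939 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:db8:0:10::a > fe80::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:db8:0:10::a, Flags [solicited]
00:43:08.980929 IP6 (flowlabel 0x76eee, hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
    hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
    prefix info option (3), length 32 (4): 2001:db8:0:10::/64, Flags [onlink, auto], valid time 11429s, pref. time 11429s
"""
# Constructed DHCPv6 lines; the "dhcp6 <message>" label is an assumed format.
WITH_DHCP6 = ICMP6_ONLY + """\
00:50:01.000001 IP6 (hlim 1, next-header UDP (17) payload length: 71) fe80::2.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=1a2b3c)
00:50:01.000900 IP6 (hlim 64, next-header UDP (17) payload length: 112) fe80::1.547 > fe80::2.546: [udp sum ok] dhcp6 advertise (xid=1a2b3c)
"""

# The RA's own flags sit on the "hop limit" line, not on prefix-option lines.
RA_FLAGS = re.compile(r"hop limit \d+, Flags \[([^\]]*)\]")
DHCP6 = re.compile(r"\bdhcp6 ([\w-]+)")
ICMP6_KINDS = ("neighbor solicitation", "neighbor advertisement",
               "router solicitation", "router advertisement")

def summarize(capture: str) -> dict:
    """Count ICMPv6 message types, read the RA M flag, list DHCPv6 messages."""
    counts, managed, dhcp6 = Counter(), False, []
    for line in capture.splitlines():
        for kind in ICMP6_KINDS:
            if f"ICMP6, {kind}" in line:
                counts[kind] += 1
        m = RA_FLAGS.search(line)
        if m:
            flags = [f.strip() for f in m.group(1).split(",")]
            managed = managed or "managed" in flags
        dhcp6 += DHCP6.findall(line)
    return {"icmp6": dict(counts), "ra_managed": managed, "dhcp6": dhcp6}

def diagnose(capture: str) -> str:
    s = summarize(capture)
    if s["dhcp6"]:
        return "DHCPv6 exchange captured: " + ", ".join(s["dhcp6"])
    if s["ra_managed"]:
        return "RA sets the M flag but no DHCPv6 packets: widen the capture filter"
    return "no DHCPv6 packets and no RA with the M flag in this capture"

if __name__ == "__main__":
    print(diagnose(ICMP6_ONLY))
    print(diagnose(WITH_DHCP6))
```

A capture filter of just icmp6 can never show DHCPv6, which runs over UDP ports 546 and 547, so the first verdict says nothing about whether the client attempted DHCPv6.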
Not necessarily, just run it and connect one device on the router to initiate the dhcp process.
The problem is that you did not run the whole tcpdump command and it wasn't capturing DHCP6 packets.