Enable IPv6 on a dual-band STA+AP router

Hi, I'm new to OpenWRT, so please be patient. The issue I experience is not clearly explained step-by-step in any wiki, forum thread or blog I have read so far. I installed the current release, OpenWRT 21.02.1, on a dual-band TP-Link WDR4900 v1.3 router behind a Hitron CGN3ACR cable modem & router. The TP-Link wlan0 (5 GHz) is set up as a wireless client to the modem & router, and wlan1 (2.4 GHz) is set up as my LAN AP.

This basic setup works fine in IPv4 with the default OpenWRT config and the obvious tune-up of the Interfaces options. But I can't get IPv6 PC clients to reach the internet. I added a wwan6 interface with DHCPv6 enabled as an alias to wwan, and the PC adapters got IP and IPv6 leases. The TP-Link router is registered in the modem GUI with an IP and 2 IPv6 addresses. I can ping Google over IPv6 from the router, but not from wired or wireless PCs connected to it. And ipv6-test.com still shows "IPv6 not supported".

I think this topic needs a Wiki page, since the default OpenWRT config comes without preconfigured IPv6 support, at least in the wireless STA+AP or STA scenario. Can someone suggest the shortest way to set up an IPv6 connection? I don't want the modem to hand over IPv6 addresses to the PC clients; they should be assigned to my network by the TP-Link router for improved segment isolation.

If you already have a router, the CGN3ACR, why would you set up the TP-Link as a router too?

The Hitron is a modem & router, and its WiFi connection is shared between several unrelated people. I need to isolate my network segment for better security. I should add that the Hitron GUI doesn't offer an end-user IPv6 options page, but if I connect my PC WiFi adapter directly to the Hitron, it receives both IPv4 and IPv6 traffic. The ISP supports DHCPv6 /64 prefix delegation, if it's relevant, since I need the TP-Link router to assign IPv6 addresses to LAN devices to separate my LAN from the modem & router.

This is my current config, obtained with @trendy's commands. Any thoughts?

uci export network; uci export wireless;
uci export dhcp; uci export firewall;
head -n -0 /etc/firewall.user;
iptables-save -c; ip6tables-save -c; \

OpenWrt 21.02.1, r16325-88151b8303
 -----------------------------------------------------
root@WDR4900:~# uci export network; uci export wireless; \
>
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd43:xxxx:c475::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config device
        option name 'eth0.2'
        option macaddr 'f8:1a:67:xx:xx:xx'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wwan'
        option proto 'dhcp'
        option delegate '0'

config interface 'wwan6'
        option proto 'dhcpv6'
        option device '@wwan'
        option reqaddress 'try'
        option reqprefix 'auto'

config route6
        option interface 'wwan6'
        option target '2000::/3'
        option gateway 'fe80::be4d:fbff:xxxx:xxxx'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'ffe09000.pcie/pci9000:00/9000:00:00.0/xxxx:01:00.0'
        option cell_density '0'
        option htmode 'HT40'
        option channel '157'
        option country 'US'
        option txpower '16'
        option noscan '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'ffe0a000.pcie/pcia000:02/xxxx:02:00.0/a000:03:00.0'
        option cell_density '0'
        option channel '3'
        option txpower '16'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OWR2.4'
        option encryption 'psk2'
        option key '&#398xxxxxxxxx'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'Hitron'
        option bssid 'BE:xx:FB:xx:xx:xx'
        option encryption 'psk2'
        option key 'Boyxxxxxx'

root@WDR4900:~# uci export dhcp; uci export firewall; \
>
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'server'
        option dhcpv6 'server'
        option ndp 'relay'
        option ra_default '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'wwan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

root@WDR4900:~# head -n -0 /etc/firewall.user; \
>
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@WDR4900:~# iptables-save -c; ip6tables-save -c; \
>
# Generated by iptables-save v1.8.7 on Fri Nov 19 20:53:52 2021
*nat
:PREROUTING ACCEPT [11235:1335964]
:INPUT ACCEPT [263:23503]
:OUTPUT ACCEPT [976:75388]
:POSTROUTING ACCEPT [355:26634]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[11235:1335964] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2393:363085] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[8841:972677] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[2003:154674] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:1384] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[1648:128040] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[4:1384] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[2393:363085] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1648:128040] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1648:128040] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[8841:972677] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Nov 19 20:53:52 2021
# Generated by iptables-save v1.8.7 on Fri Nov 19 20:53:52 2021
*mangle
:PREROUTING ACCEPT [164868:95415183]
:INPUT ACCEPT [12814:1946126]
:FORWARD ACCEPT [142520:92307511]
:OUTPUT ACCEPT [13459:7639956]
:POSTROUTING ACCEPT [155979:99947467]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[985:47280] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[356:16964] -A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov 19 20:53:52 2021
# Generated by iptables-save v1.8.7 on Fri Nov 19 20:53:52 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[4100:346408] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[8717:1599838] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[7497:1475276] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[60:2880] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[237:24469] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[983:100093] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[142520:92307511] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[141371:92211797] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1149:95714] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[4100:346408] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[9365:7295020] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[8738:7244438] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:1828] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[621:48754] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[411:71629] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[60:2880] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[6:1828] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1149:95714] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1149:95714] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[237:24469] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[237:24469] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6:1828] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6:1828] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[237:24469] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1770:144468] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[983:100093] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[164:13776] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[408:14688] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[411:71629] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[621:48754] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[621:48754] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[411:71629] -A zone_wan_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Nov 19 20:53:52 2021
# Generated by ip6tables-save v1.8.7 on Fri Nov 19 20:53:52 2021
*mangle
:PREROUTING ACCEPT [11863:1381391]
:INPUT ACCEPT [2007:205260]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2676:334563]
:POSTROUTING ACCEPT [2677:334611]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov 19 20:53:52 2021
# Generated by ip6tables-save v1.8.7 on Fri Nov 19 20:53:52 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[6:665] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2001:204595] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[268:41416] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[48:3264] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[733:67507] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1:48] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[999:95624] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[6:665] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2670:333898] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[922:138631] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[267:30968] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[423:66302] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[1058:97997] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[48:3264] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[267:30968] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[733:67507] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[733:67507] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[267:30968] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[267:30968] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[733:67507] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[423:66302] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1058:97997] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1000:95672] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[246:25584] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[27:1400] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[327:23544] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[143:28600] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[257:16544] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1481:164299] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1481:164299] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Nov 19 20:53:52 2021


Cont. config:
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru;
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

root@WDR4900:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.260/24 brd 192.168.0.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev wlan0  src 192.168.0.260
192.168.0.0/24 dev wlan0 scope link  src 192.168.0.260
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev wlan0 table local scope link  src 192.168.0.260
local 192.168.0.260 dev wlan0 table local scope host  src 192.168.0.260
broadcast 192.168.0.255 dev wlan0 table local scope link  src 192.168.0.260
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@WDR4900:~#
root@WDR4900:~# ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:6be9/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd43:5f77:xxxx::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:6be9/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:6bea/64 scope link
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::fa1a:xxxx:xxxx:xxxx:6be8/64 scope link
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:bc4d:xxxx:xxxx:xxxx:xxxx:xxxx:6be9/64 scope global dynamic noprefixroute
       valid_lft 535075sec preferred_lft 401218sec
    inet6 2607:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:6be9/64 scope global dynamic noprefixroute
       valid_lft 604447sec preferred_lft 172447sec
    inet6 2607:xxxx:xxxx:xxx::9/128 scope global dynamic noprefixroute
       valid_lft 553776sec preferred_lft 121776sec
    inet6 fe80::xxxx:xxxx:xxxx:6be9/64 scope link
       valid_lft forever preferred_lft forever
default from 2607:xxxx:xxxx:xxx::9 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
default from 2607:xxxx:xxxx56e0:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
default from fd00:bc4d:xxxx:1612::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
2607:xxxx:56e0:xxx::/64 dev wlan0  metric 256
2607:xxxx:56e0:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
unreachable 2607:xxxx:xxxx:xxx::/64 dev lo  metric 2147483647
2000::/3 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 1024
fc00::/7 from 2607:xxxx:xxxx:xxx::9 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
fc00::/7 from 2607:xxxx:xxxx:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
fc00::/7 from fd00:bc4d:xxxx:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0  metric 512
fd00:bc4d:xxxx:1612::/64 dev wlan0  metric 256
unreachable fd00:xxxx:xxxx:xxxx::/64 dev lo  metric 2147483647
fd43:5f77:xxxx:xxxx:xxxx:ee44:7954 dev br-lan  metric 1024
fd43:5f77:xxxx:xxxx:xxxx:fc52:6ed dev br-lan  metric 1024
fd43:5f77:xxxx:xxxx:xxxx:cb2d:9556 dev br-lan  metric 1024
fd43:5f77:xxxx:xxxx:xxxx:29f5:709e dev br-lan  metric 1024
fd43:5f77:c475::/64 dev br-lan  metric 1024
unreachable fd43:5f77:xxxx::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast 2607:xxxx:xxxx:xxxx:: dev wlan0 table local  metric 0
local 2607:xxxx:56e0:xxx::9 dev wlan0 table local  metric 0
local 2607:xxxx:56e0:xxx:xxxx:xxxx:xxxx:6be9 dev wlan0 table local  metric 0
anycast fd00:bc4d:xxxx:1612:: dev wlan0 table local  metric 0
local fd00:bc4d:xxxx:1612:xxxx:xxxx:xxxx:6be9 dev wlan0 table local  metric 0
anycast fd43:5f77:xxx:: dev br-lan table local  metric 0
local fd43:5f77:xxxx::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0.2 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::xxxx:xxxx:xxxx:6be8 dev wlan1 table local  metric 0
local fe80::xxxx:xxxx:xxxx:6be9 dev eth0 table local  metric 0
local fe80::xxxx:xxxx:xxxx:6be9 dev br-lan table local  metric 0
local fe80::xxxx:xxxx:xxxx:6be9 dev wlan0 table local  metric 0
local fe80::xxxx:xxxx:xxxx:6bea dev eth0.2 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth0.2 table local  metric 256
multicast ff00::/8 dev wlan1 table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000005:     from all iif br-lan lookup unspec 12
4200000009:     from all iif wlan0 lookup unspec 12
4200000009:     from all iif wlan0 lookup unspec 12

root@WDR4900:~# ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx    1 root     root            16 Oct 24 05:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Nov 19 20:30 /tmp/resolv.conf

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           130 Nov 19 06:44 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

I don't see anything delegated to the OpenWrt, although the configuration is correct. Maybe you should specify the prefix length under wwan6 options?
Also the static route is not needed.

Are you talking about Route6?

The prefix length suggestion didn't work alone. I then set WWAN6 in Relay mode without prefix length specified. In that scenario IPv6 on my PC clients is working fine. It turns out the ISP delegates /64 prefixes, so they are relayed to my LAN Win 10 PCs and other devices.

However, I suspect in the Relay mode all my end PCs are exposed to other Hitron modem & router WiFi clients and the ISP for that matter in IPv6 protocol, and can be exploited since they are placed on the modem & router LAN? I wanted to have IPv6 network isolated similar to IPv4 behind my OpenWRT router NAT6. It looks like NAT6 and IPv6 masquerading is a more suitable approach for that? Or any other approach to hide my devices behind OpenWRT that allows me to use /64 prefixes from the ISP?

I'm not that familiar with IPv6, so my above assumptions may be wrong altogether? Btw, how did you find out from the above config that IPv6 prefix is not delegated? I want to learn the debug process...
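One way to turn the reasoning behind "nothing delegated" into a repeatable check, as an added helper that is not part of the thread or of OpenWrt: if the upstream STA interface (wlan0 here) holds a global 2000::/3 address but the LAN bridge (br-lan) only holds a ULA (fd00::/8, the fd43:... address above), then no ISP prefix reached the LAN. The `ip -6 addr` text below is a constructed sample modelled on the output posted above, with 2001:db8::/32 (the documentation prefix) standing in for the real ISP prefix; the interface names wlan0 and br-lan are taken from the thread.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or OpenWrt). It reproduces the
# reasoning used above: an upstream interface with a global address plus a LAN
# bridge with only a ULA means no ISP prefix has been delegated to the LAN.

# Constructed sample modelled on the 'ip -6 addr' output posted in the thread;
# 2001:db8::/32 is the documentation prefix, the other values are made up.
SAMPLE_IP6_ADDR='5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd43:5f77:c475::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:bc4d:1:1612::6be9/64 scope global dynamic noprefixroute
    inet6 2001:db8:56e0:1::6be9/64 scope global dynamic noprefixroute
    inet6 2001:db8:56e0:1::9/128 scope global dynamic noprefixroute
    inet6 fe80::2/64 scope link'

# iface_scope IFACE < ip-6-addr-output
# Prints "gua" if IFACE has a 2000::/3 address, "ula" if it only has an
# fc00::/7 address, "none" otherwise (link-local fe80:: does not count).
iface_scope() {
    awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface); next }
        iface == want && $1 == "inet6" {
            if ($2 ~ /^[23]/)            gua = 1
            else if ($2 ~ /^[fF][cdCD]/) ula = 1
        }
        END { if (gua) print "gua"; else if (ula) print "ula"; else print "none" }'
}

# pd_verdict WAN_IFACE LAN_IFACE < ip-6-addr-output
# Combines the two per-interface results into a one-word diagnosis.
pd_verdict() {
    out=$(cat)
    wan=$(printf '%s\n' "$out" | iface_scope "$1")
    lan=$(printf '%s\n' "$out" | iface_scope "$2")
    if [ "$wan" != "gua" ]; then
        echo "no-upstream-ipv6"      # the STA side itself has no global address
    elif [ "$lan" = "gua" ]; then
        echo "prefix-delegated"      # a global prefix reached the LAN bridge
    else
        echo "no-prefix-on-lan"      # upstream works, but the LAN only has ULA
    fi
}

# Stand-alone run on the constructed sample. On a live router, replace the
# sample with:  ip -6 addr | pd_verdict wlan0 br-lan
printf '%s\n' "$SAMPLE_IP6_ADDR" | pd_verdict wlan0 br-lan
```

The /64 address on wlan0 comes from the upstream router's advertisement and the /128 from a DHCPv6 address lease; neither is a delegated prefix. A delegated prefix would show up as a second global address on br-lan (and in the `ifstatus wwan6` output referred to later in the thread), which is what this check looks for.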

Yes.

Super lame of them.

That's a different kind of relay they are writing about.

The firewall by default doesn't allow any incoming traffic from wan to lan. Do you see that this is not the case?

Will check traffic with Wireshark. However, I see heavy pen tests of my PCs' open ports from LAN when directly connected to the Hitron's WiFi, and am notified by PC Firewall of malicious traffic. Any workaround to /64 ISP's prefix delegation?

The modem & router GUI doesn't have a separate consumer IPv6 config page. It shows a number of IP addresses registered under my OpenWRT router's wlan0 MAC. But I suspect other PCs directly connected to the modem may use exploits and tools to see my PCs' MACs behind OpenWRT router in the IPv6 Relay mode, and do pen tests. In fact I had leaks via IPv4 before adding the OpenWRT router when not using VPN, and especially when temp switching the PC firewall off.

Give them a call and tell them they are lame. Change ISP.

This ISP forum thread shows some customers get /56 prefixes using dhcpcd instead of odhcp. But I'm not getting even /64 prefix regardless of wwan6 settings. How can I troubleshoot why?

If prefix length is /64, would it still be received by the OpenWRT router and visible when running ifstatus wwan6? This thread Debugging DHCPv6-PD exposes some issues in getting prefixes via odhcp. I couldn't find a reference on how to use dhcpcd instead in OpenWRT?

What they describe in the forum is someone using dhcpcd to get a /56 directly from this ISP. You have the OpenWrt downstream from the main router, which is supposed to ask for a prefix from the ISP and then to delegate some part of it to OpenWrt.

Are you hinting they use the cable modem in Bridge mode, which requires wired connection of an OpenWRT router to it, since the modem & router WiFi is only accessible in Gateway mode? But I can only connect OpenWRT to the modem via WiFi, as no wires run through the house, and the modem WiFi can't be switched off anyway as used by other folks. However, this ISP's post doesn't require switching their modem into Bridge mode to obtain IPv6 prefix by various downstream routers.

So you suggest the modem's FW doesn't allow to obtain or delegate IPv6 prefix for downstream networks in Gateway mode even though the OpenWRT client correctly asks for it via WiFi? But how to check for sure which device is at fault here: the modem or OpenWRT router?

This seems to be the case.

The ISP modem/router should request and get a /56. Then it should delegate a smaller prefix, like /60, to the OpenWrt. You could try to connect the OpenWrt by cable to the ISP modem/router and use it in Bridge mode to verify that ISP does indeed provide a bigger prefix.