Equivalent settings to "IPv6 Passthrough"?

So, it seems that Passthrough means that the router functions as a bridge and passes IPv6 packets through without routing at all, and the uplink router communicates directly with whoever answers those packets. What sounds weird to me is that if packets are going unrouted, is the router sending them just to every connected device? Is that only the phase where there aren't any IPv6 addresses assigned yet and the protocols used rely on broadcasting?

Anyway, NAT sounds like a sensible way to fix the situation. But ideally, my ISP should provide a better protocol for address assignment, right?

I tried to follow the linked NAT6 tutorial. I got the settings done, but to no avail. Trying to run the firewall script manually shows:

root@mon:~# /etc/firewall.d/with_reload/90-nat6.fw
nat6: Firewall config="cfg02dc81" zone="lan" zone_masq6="0".
nat6: Firewall config="cfg03dc81" zone="wan" zone_masq6="1".
nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1".
nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1"
nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
ip6tables: No chain/target/match by that name.

I don't know enough about netfilter and ip6tables to make sense of what's wrong, so any pointers would be appreciated. Meanwhile, I think I'm trying to read and understand the script and study more.

Ok, I got one step further. I've got zone_wan_postrouting in iptables, but ip6tables is indeed lacking that custom chain. I think it's firewall3's responsibility to set it up, but I'm not sure how I should change the configuration to make it do so.

It is definitely an odd way NTT has implemented IPv6, and as much is voiced in various places in the public domain.
Maybe it is economically motivated, for generating an extra revenue stream, since it was mentioned somewhere that with a landline subscription comes a /56 prefix delegation...

IPv6 contains routing information in its header. If bridged - that is, if it is for IPv6 only - only unsolicited IPv6 traffic from the WAN that is allowed to pass through the WAN firewall would be flushed to all clients.
Else, it would be connection tracked - and since the clients should have an IPv6 with the bridge scenario.
The problem is to bridge only IPv6 but not IPv4 - which would be doable with VLAN, but such does not seem to be offered by the ISP.
Anyway, personally I would prefer not to bridge WAN with LAN segments since it renders the bridged LAN segment layout transparent to the ISP.

Have you got kmod-ipt-nat6 and kmod-nf-nat6 installed?

Thanks for the pointer. I have both installed. I wonder if I'm missing some command that would re-create the config, or then there's something missing in the config itself. Here's the config:

root@mon:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
...
(skipping various "allow protocol" directives)
...

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'SSH → poi'
	option src_dport '22'
	option target 'DNAT'
	option dest_ip '192.168.1.156'
	option dest 'lan'
	option proto 'tcp udp'

All right, another step forward: found out about fw3 reload.

root@mon:~# fw3 reload
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Option @zone[1].masq6 is unknown
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'SSH → poi'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'SSH → poi'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Clearing IPv6 filter table
 * Clearing IPv6 nat table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on

The warning "Warning: Option @zone[1].masq6 is unknown" and the warnings under "* Populating IPv6 nat table" seem to be very relevant to this case.

Okay, something about this tutorial https://oldwiki.archive.openwrt.org/doc/howto/ipv6.nat6 is weird. It mentions the option masq6, but even grepping through the whole history of the Git repo of firewall3 ( https://git.openwrt.org/project/firewall3.git ), there is not a single match of option masq6. Unless the available options are extended by kmod-ipt-nat6 or kmod-nf-nat6, such an option shouldn't exist.

It seems that firewall3's support for IPv6 NAT table is less than splendid: https://bugs.openwrt.org/index.php?do=details&task_id=500&order=id&sort=desc

That is strange; the other tutorial link [2] is probably legacy, but even the current one [3] leverages the syntax masq6='1':

uci set $(uci show firewall | sed -n -e "/\.name='wan'$/s//.masq6='1'/p" | sed -n -e "1p")

kmod-ipt-nat6 or kmod-nf-nat6 should be loaded upon installation but might not have been; perhaps check with lsmod | grep nat6. Maybe rebooting the router helps?

[3] https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

That exact query doesn't show any results, but at least modules called ip6table_nat and nf_nat_ipv6 are loaded:

root@mon:~# lsmod | grep -E 'ipv?6'
ip6_tables             10464 18 ip6table_nat,ip6table_mangle,ip6table_filter
ip6t_MASQUERADE          512  0
ip6t_NPT                1536  0
ip6t_REJECT              992  2
ip6table_filter          608  1
ip6table_mangle         1184  1
ip6table_nat             672  0
nf_conntrack           60288 15 ipt_MASQUERADE,xt_state,xt_nat,xt_conntrack,xt_REDIRECT,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat_ipv4,nf_flow_table,nf_conntrack_rtcache,nf_conntrack_ipv6,nf_nat_ipv6,nf_nat_masquerade_ipv6,nf_nat
nf_conntrack_ipv6       5424  7
nf_defrag_ipv6          4704  1 nf_conntrack_ipv6
nf_log_common           2592  2 nf_log_ipv4,nf_log_ipv6
nf_log_ipv6             4000  0
nf_nat                 10032  6 xt_nat,nf_nat_redirect,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_ipv6,nf_nat_masquerade_ipv6
nf_nat_ipv6             4240  1 ip6table_nat
nf_nat_masquerade_ipv6    1840  1 ip6t_MASQUERADE
nf_reject_ipv6          2432  1 ip6t_REJECT
x_tables               12656 26 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_FLOWOFFLOAD,xt_CT,iptable_mangle,iptable_filter,ip_tables,ip6t_NPT,ip6t_MASQUERADE,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT

New URL see above.


Afraid that is the end of the road for my input on the subject, I am not familiar with the intricacies of NAT6... and then with the aforementioned unresolved bug...

Big thanks for following up this far! I'll post here if I learn something new.


There seems to be a 5-year-old thread on GitHub (about adding a GUI option for masq6) that indicates that the patches for adding the masq6 option were shot down: https://github.com/openwrt/luci/pull/381

Here's the patch set: https://openwrt-devel.openwrt.narkive.com/AkOZ84sM/patch-0-2-firewall3-add-support-for-ipv6-nat-i-e-masquerading

The search functionality doesn't seem to work (HTTP 400), so I haven't found any related discussion.

Also, the official mailing list archive has links only to stuff newer than 2016, and this seems to be from July 2015. I wonder what the current situation is, and are there any accessible mailing list archives? From the looks of it, firewall3 doesn't have the necessary functionality for setting up IPv6 NAT.

It should be possible to set up with iptables directly.

Reading this thread pointing to the same bug, plus the absence of masq6 from the FW3 source code, would imply that it is indeed not implemented and requires a custom script/rule.

I tried to enable masquerading by adding

ip6tables -t nat -A POSTROUTING -j MASQUERADE

to /etc/firewall.user. It successfully adds the rule to iptables, but stuff's still not working. Or should I say, it worked briefly (I was able to get browser-based IPv6 tests working) but after rebooting the router, it stopped working again.

I'm now trying to troubleshoot, but I don't know what to do. It says on the interfaces page of the GUI that the LAN interface IPv6 address is fd26:e9f1:e833::1. I'm able to ping6 and traceroute6 that address from my computer. Vice versa for pinging my computer fd26:e9f1:e833::a074:2e95:b44e:82bb (seems to be an address from the ULA range) from the router. However, I'm not able to ping non-local addresses (tried with 2404:6800:4004:80e::200e which is from ipv6.google.com) from my computer, but traceroute6 says that at least it hops to the router, so the computer's routing table is okay, I guess.

How should I go troubleshooting this?
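As an added example (not code from the thread or from the firewall3 project), here is a narrower form of the /etc/firewall.user rule discussed above: the bare "-A POSTROUTING -j MASQUERADE" rewrites the source of every packet leaving any interface, including traffic towards the LAN, whereas this version only masquerades the LAN's ULA prefix on its way out of the wan-zone interfaces and checks with "ip6tables -C" before appending, so running the script by hand (as with the 90-nat6.fw script earlier) does not stack duplicate rules. The nat6_* function names and the NAT6_*/IP6T variables are hypothetical; the prefix and interface names are taken from the dumps in this thread, and this does not explain why the rule stopped working after a reboot.

```shell
#!/bin/sh
# Added example for /etc/firewall.user: masquerade only the LAN's ULA prefix
# on the way out of the wan-zone interfaces, and add each rule only if it is
# not already present. Hypothetical names: nat6_*, NAT6_*, IP6T.

NAT6_LAN_PREFIX="${NAT6_LAN_PREFIX:-fd26:e9f1:e833::/48}"   # ula_prefix from /etc/config/network
NAT6_WAN_IFACES="${NAT6_WAN_IFACES:-pppoe-wan eth0.2}"       # interfaces of the wan zone
IP6T="${IP6T:-ip6tables}"                                     # overridable for a dry run

# Print the match/target part of the nat/POSTROUTING rule for one WAN interface.
# The comment match (xt_comment is loaded on this router) labels the rule so it
# is easy to find again in ip6tables-save output.
nat6_rule_spec() {
    printf '%s\n' "-s $NAT6_LAN_PREFIX -o $1 -m comment --comment nat6-masq -j MASQUERADE"
}

# Append the rule for interface $1 unless ip6tables already has it (-C).
# Returns 0 when a rule was added, 1 when it was already present.
nat6_ensure_rule() {
    spec=$(nat6_rule_spec "$1")
    # $spec is deliberately unquoted: it must split into separate arguments.
    if "$IP6T" -t nat -C POSTROUTING $spec 2>/dev/null; then
        return 1
    fi
    "$IP6T" -t nat -A POSTROUTING $spec
}

# Ensure one rule per WAN interface; print how many rules were newly added.
nat6_apply() {
    added=0
    for iface in $NAT6_WAN_IFACES; do
        if nat6_ensure_rule "$iface"; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# On the router (ip6tables present) apply the rules; elsewhere only the
# functions are defined, so the file can be sourced for a dry run.
if command -v "$IP6T" >/dev/null 2>&1; then
    nat6_apply >/dev/null
fi
```

fw3 clears the IPv6 nat table on every reload (see the "Clearing IPv6 nat table" line above), so firewall.user is what re-creates the rule; the -C check matters when the script is run manually in between.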

As said in the other IPv6 thread, it's better to post info from certain commands, so here goes:

root@mon:~# uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro ; ip -4 ru; \
> ip -6 addr ; ip -6 ro ; ip -6 ru; \
> iptables-save -c; ip6tables-save -c; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
+ uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd26:e9f1:e833::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ip6assign '64'
	list ipaddr '192.168.1.1/24'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option ipv6 'auto'
	option password 'MY_PASSWORD'
	option username 'MY_USERNAME@biglobe.ne.jp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5 4 3 2 0t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

+ uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra_default '1'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'DC:A6:32:08:DB:FC'
	option name 'poi'
	option dns '1'
	option ip '192.168.1.156'

+ uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'SSH → poi'
	option src_dport '22'
	option target 'DNAT'
	option dest_ip '192.168.1.156'
	option dest 'lan'
	option proto 'tcp udp'

+ head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
ip6tables -t nat -A POSTROUTING -j MASQUERADE
+ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc fq_codel state UNKNOWN qlen 3
    inet 119.242.15.30 peer 133.205.148.167/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
+ ip -4 ro
default via 133.205.148.167 dev pppoe-wan
133.205.148.167 dev pppoe-wan scope link  src 119.242.15.30
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
+ ip -4 ru
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
+ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1aa6:f7ff:fe8d:c0d4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1aa6:f7ff:fe8d:c0d3/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2404:7a80:9621:7100:1aa6:f7ff:fe8d:c0d4/64 scope global dynamic
       valid_lft 2591862sec preferred_lft 604662sec
    inet6 fe80::1aa6:f7ff:fe8d:c0d4/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1aa6:f7ff:fe8d:c0d2/64 scope link
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd26:e9f1:e833::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 dd26:e9f1:e833::1/60 scope global deprecated dynamic
       valid_lft 1755sec preferred_lft 0sec
    inet6 fe80::1aa6:f7ff:fe8d:c0d3/64 scope link
       valid_lft forever preferred_lft forever
+ ip -6 ro
default from 2404:7a80:9621:7100::/64 via fe80::207:7dff:fe99:f7c5 dev eth0.2  metric 512
2404:7a80:9621:7100::/64 dev eth0.2  metric 256
fd26:e9f1:e833::/64 dev br-lan  metric 1024
unreachable fd26:e9f1:e833::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev br-lan  metric 256
anycast 2404:7a80:9621:7100:: dev eth0.2  metric 0
anycast dd26:e9f1:e833:: dev br-lan  metric 0
anycast fd26:e9f1:e833:: dev br-lan  metric 0
anycast fe80:: dev eth0  metric 0
anycast fe80:: dev eth0.2  metric 0
anycast fe80:: dev wlan0  metric 0
anycast fe80:: dev eth1  metric 0
anycast fe80:: dev br-lan  metric 0
ff00::/8 dev eth0  metric 256
ff00::/8 dev eth0.2  metric 256
ff00::/8 dev wlan0  metric 256
ff00::/8 dev eth1  metric 256
ff00::/8 dev br-lan  metric 256
+ ip -6 ru
0:	from all lookup local
32766:	from all lookup main
4200000001:	from all iif lo lookup unspec 12
4200000009:	from all iif eth0.2 lookup unspec 12
4200000010:	from all iif pppoe-wan lookup unspec 12
4200000012:	from all iif br-lan lookup unspec 12
+ iptables-save -c
# Generated by iptables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*nat
:PREROUTING ACCEPT [4230:289565]
:INPUT ACCEPT [2581:160967]
:OUTPUT ACCEPT [1163:96959]
:POSTROUTING ACCEPT [527:52572]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[4306:294041] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3741:267321] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[565:26720] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[2697:187611] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[78:5132] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[2170:135039] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[78:5132] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.156/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.156/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j SNAT --to-source 192.168.1.1
[3741:267321] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 119.242.15.30/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j DNAT --to-destination 192.168.1.156:22
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 119.242.15.30/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j DNAT --to-destination 192.168.1.156:22
[2170:135039] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2170:135039] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[565:26720] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[76:4476] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH → poi" -j DNAT --to-destination 192.168.1.156:22
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 22 -m comment --comment "!fw3: SSH → poi" -j DNAT --to-destination 192.168.1.156:22
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by iptables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*mangle
:PREROUTING ACCEPT [228876:110668802]
:INPUT ACCEPT [79909:8439095]
:FORWARD ACCEPT [148776:102142131]
:OUTPUT ACCEPT [85293:39722114]
:POSTROUTING ACCEPT [234031:141862096]
[1213:76984] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by iptables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[7110:701958] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[72803:7737345] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[69540:7546312] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1240:72312] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2573:160637] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[690:30396] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[148776:102142131] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[147507:102060490] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1193:77165] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[76:4476] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[7110:701958] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[78188:39021408] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[77452:38970514] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:656] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[734:50238] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[514:21147] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[23:1463] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1240:72312] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:656] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1193:77165] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1193:77165] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2573:160637] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2573:160637] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:656] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:656] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2573:160637] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[38:2149] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1889:125254] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[76:4476] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[76:4476] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[690:30396] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[153:7786] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[537:22610] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[734:50238] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[734:50238] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[537:22610] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
+ ip6tables-save -c
# Generated by ip6tables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*nat
:PREROUTING ACCEPT [1708:171644]
:INPUT ACCEPT [1302:108675]
:OUTPUT ACCEPT [1892:165193]
:POSTROUTING ACCEPT [0:0]
[1892:165193] -A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by ip6tables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*mangle
:PREROUTING ACCEPT [5979:782649]
:INPUT ACCEPT [5510:710103]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5755:1896057]
:POSTROUTING ACCEPT [5755:1896057]
[0:0] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by ip6tables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*filter
:INPUT ACCEPT [1:72]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:424]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[6:624] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5504:709479] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4651:641233] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[124:10416] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[769:61294] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[83:6880] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[6:624] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5749:1895433] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4080:1751122] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[173:14576] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[1492:129311] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[124:10416] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[173:14576] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[769:61294] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[769:61294] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[173:14576] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[173:14576] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[769:61294] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1492:129311] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[83:6880] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[31:2232] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[33:3432] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[19:1216] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1492:129311] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1492:129311] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
+ ls -l /etc/resolv.conf /tmp/resolv.conf /tmp/resolv.conf.auto /tmp/resolv.conf.ppp
lrwxrwxrwx    1 root     root            16 Jan  7 01:47 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jan 20 01:30 /tmp/resolv.conf
-rw-r--r--    1 root     root           180 Jan 20 00:17 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            50 Jan 20 00:17 /tmp/resolv.conf.ppp
+ head -n -0 /etc/resolv.conf /tmp/resolv.conf /tmp/resolv.conf.auto /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 210.147.235.3
nameserver 133.205.66.51
# Interface wan6
nameserver 2404:1a8:7f01:b::3
nameserver 2404:1a8:7f01:a::3
search flets-east.jp
search iptvf.jp

==> /tmp/resolv.conf.ppp <==
nameserver 210.147.235.3
nameserver 133.205.66.51

Just a heads up – I got the relay working in the end, without NAT. Here's the working setup:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'DC:A6:32:08:DB:FC'
	option name 'poi'
	option dns '1'
	option ip '192.168.1.156'

It's very similar to what I started with, so I'm perplexed what went wrong at the start, but at least it works now. Thanks to everybody who provided help!

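The working setup above relies on a consistent relay layout in /etc/config/dhcp: the upstream interface carries `master '1'` and relays all three of `ra`, `dhcpv6` and `ndp`, and the downstream `lan` section relays the same three. A partial configuration (say, `ndp` left at its default while `ra` and `dhcpv6` relay) leaves clients with addresses but no working neighbour discovery, which is hard to diagnose from the client side. The script below is an added example, not code from the thread or from OpenWrt/odhcpd: a POSIX sh/awk sanity check that parses UCI `config dhcp` sections and reports sections that relay only some of the three protocols, a missing or duplicated master, or the absence of any downstream relay section. The sample configs embedded in it are constructed for this example; the rule that exactly one master with all three relay options is required is an assumption based on the layout shown above.

```shell
#!/bin/sh
# Sanity check for an odhcpd relay layout in UCI /etc/config/dhcp syntax.
# Added example (not from the original thread or from OpenWrt/odhcpd).
# Assumption: a working relay has exactly one section with master '1',
# and every relaying section sets ra, dhcpv6 AND ndp to 'relay'.

# Constructed sample mirroring the working config from the post above.
sample_dhcp_config() {
cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
EOF
}

# Constructed broken sample: the master relays RA/DHCPv6 but not NDP.
broken_dhcp_config() {
cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan6'
	option interface 'wan6'
	option ra 'relay'
	option dhcpv6 'relay'
	option master '1'
EOF
}

# Reads a UCI dhcp config on stdin; exit 0 if the relay layout is consistent,
# exit 1 (with one ERROR line per finding) otherwise.
check_relay_config() {
    awk -v q="'" '
    # A "config <type> <name>" line starts a section; only dhcp sections matter.
    $1 == "config" { sect = ($2 == "dhcp") ? $3 : ""; gsub(q, "", sect); next }
    # "option <key> <value>" inside a dhcp section: strip quotes and record it.
    $1 == "option" && sect != "" {
        val = $3; gsub(q, "", val)
        opt[sect, $2] = val
        names[sect] = 1
    }
    END {
        rc = 0; masters = 0; relays = 0
        split("ra dhcpv6 ndp", keys, " ")
        for (s in names) {
            n = 0
            for (i = 1; i <= 3; i++) if (opt[s, keys[i]] == "relay") n++
            if (n > 0 && n < 3) {
                printf("ERROR: section %s relays only %d of ra/dhcpv6/ndp\n", s, n); rc = 1
            }
            if (opt[s, "master"] == "1") {
                masters++
                if (n != 3) {
                    printf("ERROR: master section %s must relay ra, dhcpv6 and ndp\n", s); rc = 1
                }
            } else if (n == 3) {
                relays++
            }
        }
        if (masters != 1) { printf("ERROR: expected exactly one master section, found %d\n", masters); rc = 1 }
        if (relays < 1)   { printf("ERROR: no downstream (non-master) section set to relay\n"); rc = 1 }
        if (rc == 0) printf("OK: %d master, %d downstream relay section(s)\n", masters, relays)
        exit rc
    }'
}

# Demo over the constructed samples. On a router you would run instead:
#   check_relay_config < /etc/config/dhcp
sample_dhcp_config | check_relay_config
broken_dhcp_config | check_relay_config || echo "broken sample rejected as expected"
```

The check is deliberately conservative: it flags a section that relays one or two of the three protocols even though odhcpd will happily load such a config, because that is exactly the state in which clients get a prefix but never resolve the upstream router's link-layer address.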

I tried your final solution with my NTT FLETS connection without success. Are there additional changes you made other than the /etc/config/dhcp file?

Out of curiosity, what OS do you have? (macOS for me.)

Be sure to check this thread out too: How to send ICMP6 neighbor solicitation with a link-local source address

You can't have a link local address specified or it doesn't work.