Equivalent settings to "IPv6 Passthrough"?`

golddranks · January 19, 2020, 6:06pm

As said in the other IPv6 thread, it's better to post info from certain commands, so here goes:

root@mon:~# uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro ; ip -4 ru; \
> ip -6 addr ; ip -6 ro ; ip -6 ru; \
> iptables-save -c; ip6tables-save -c; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
+ uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd26:e9f1:e833::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ip6assign '64'
	list ipaddr '192.168.1.1/24'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option ipv6 'auto'
	option password 'MY_PASSWORD'
	option username 'MY_USERNAME@biglobe.ne.jp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5 4 3 2 0t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

+ uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra_default '1'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'DC:A6:32:08:DB:FC'
	option name 'poi'
	option dns '1'
	option ip '192.168.1.156'

+ uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'SSH → poi'
	option src_dport '22'
	option target 'DNAT'
	option dest_ip '192.168.1.156'
	option dest 'lan'
	option proto 'tcp udp'

+ head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
ip6tables -t nat -A POSTROUTING -j MASQUERADE
+ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc fq_codel state UNKNOWN qlen 3
    inet 119.242.15.30 peer 133.205.148.167/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
+ ip -4 ro
default via 133.205.148.167 dev pppoe-wan
133.205.148.167 dev pppoe-wan scope link  src 119.242.15.30
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
+ ip -4 ru
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
+ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1aa6:f7ff:fe8d:c0d4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1aa6:f7ff:fe8d:c0d3/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2404:7a80:9621:7100:1aa6:f7ff:fe8d:c0d4/64 scope global dynamic
       valid_lft 2591862sec preferred_lft 604662sec
    inet6 fe80::1aa6:f7ff:fe8d:c0d4/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1aa6:f7ff:fe8d:c0d2/64 scope link
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd26:e9f1:e833::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 dd26:e9f1:e833::1/60 scope global deprecated dynamic
       valid_lft 1755sec preferred_lft 0sec
    inet6 fe80::1aa6:f7ff:fe8d:c0d3/64 scope link
       valid_lft forever preferred_lft forever
+ ip -6 ro
default from 2404:7a80:9621:7100::/64 via fe80::207:7dff:fe99:f7c5 dev eth0.2  metric 512
2404:7a80:9621:7100::/64 dev eth0.2  metric 256
fd26:e9f1:e833::/64 dev br-lan  metric 1024
unreachable fd26:e9f1:e833::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev br-lan  metric 256
anycast 2404:7a80:9621:7100:: dev eth0.2  metric 0
anycast dd26:e9f1:e833:: dev br-lan  metric 0
anycast fd26:e9f1:e833:: dev br-lan  metric 0
anycast fe80:: dev eth0  metric 0
anycast fe80:: dev eth0.2  metric 0
anycast fe80:: dev wlan0  metric 0
anycast fe80:: dev eth1  metric 0
anycast fe80:: dev br-lan  metric 0
ff00::/8 dev eth0  metric 256
ff00::/8 dev eth0.2  metric 256
ff00::/8 dev wlan0  metric 256
ff00::/8 dev eth1  metric 256
ff00::/8 dev br-lan  metric 256
+ ip -6 ru
0:	from all lookup local
32766:	from all lookup main
4200000001:	from all iif lo lookup unspec 12
4200000009:	from all iif eth0.2 lookup unspec 12
4200000010:	from all iif pppoe-wan lookup unspec 12
4200000012:	from all iif br-lan lookup unspec 12
+ iptables-save -c
# Generated by iptables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*nat
:PREROUTING ACCEPT [4230:289565]
:INPUT ACCEPT [2581:160967]
:OUTPUT ACCEPT [1163:96959]
:POSTROUTING ACCEPT [527:52572]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[4306:294041] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3741:267321] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[565:26720] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[2697:187611] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[78:5132] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[2170:135039] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[78:5132] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.156/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.156/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j SNAT --to-source 192.168.1.1
[3741:267321] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 119.242.15.30/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j DNAT --to-destination 192.168.1.156:22
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 119.242.15.30/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: SSH → poi (reflection)" -j DNAT --to-destination 192.168.1.156:22
[2170:135039] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2170:135039] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[565:26720] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[76:4476] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH → poi" -j DNAT --to-destination 192.168.1.156:22
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 22 -m comment --comment "!fw3: SSH → poi" -j DNAT --to-destination 192.168.1.156:22
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by iptables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*mangle
:PREROUTING ACCEPT [228876:110668802]
:INPUT ACCEPT [79909:8439095]
:FORWARD ACCEPT [148776:102142131]
:OUTPUT ACCEPT [85293:39722114]
:POSTROUTING ACCEPT [234031:141862096]
[1213:76984] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by iptables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[7110:701958] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[72803:7737345] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[69540:7546312] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1240:72312] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2573:160637] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[690:30396] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[148776:102142131] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[147507:102060490] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1193:77165] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[76:4476] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[7110:701958] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[78188:39021408] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[77452:38970514] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:656] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[734:50238] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[514:21147] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[23:1463] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1240:72312] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:656] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1193:77165] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1193:77165] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2573:160637] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2573:160637] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:656] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:656] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2573:160637] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[38:2149] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1889:125254] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[76:4476] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[76:4476] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[690:30396] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[153:7786] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[537:22610] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[734:50238] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[734:50238] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[537:22610] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
+ ip6tables-save -c
# Generated by ip6tables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*nat
:PREROUTING ACCEPT [1708:171644]
:INPUT ACCEPT [1302:108675]
:OUTPUT ACCEPT [1892:165193]
:POSTROUTING ACCEPT [0:0]
[1892:165193] -A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by ip6tables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*mangle
:PREROUTING ACCEPT [5979:782649]
:INPUT ACCEPT [5510:710103]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5755:1896057]
:POSTROUTING ACCEPT [5755:1896057]
[0:0] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
# Generated by ip6tables-save v1.8.3 on Mon Jan 20 03:08:00 2020
*filter
:INPUT ACCEPT [1:72]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:424]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[6:624] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5504:709479] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4651:641233] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[124:10416] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[769:61294] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[83:6880] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[6:624] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5749:1895433] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4080:1751122] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[173:14576] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[1492:129311] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[124:10416] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[173:14576] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[769:61294] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[769:61294] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[173:14576] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[173:14576] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[769:61294] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1492:129311] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[83:6880] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[31:2232] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[33:3432] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[19:1216] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1492:129311] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1492:129311] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jan 20 03:08:00 2020
+ ls -l /etc/resolv.conf /tmp/resolv.conf /tmp/resolv.conf.auto /tmp/resolv.conf.ppp
lrwxrwxrwx    1 root     root            16 Jan  7 01:47 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jan 20 01:30 /tmp/resolv.conf
-rw-r--r--    1 root     root           180 Jan 20 00:17 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            50 Jan 20 00:17 /tmp/resolv.conf.ppp
+ head -n -0 /etc/resolv.conf /tmp/resolv.conf /tmp/resolv.conf.auto /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 210.147.235.3
nameserver 133.205.66.51
# Interface wan6
nameserver 2404:1a8:7f01:b::3
nameserver 2404:1a8:7f01:a::3
search flets-east.jp
search iptvf.jp

==> /tmp/resolv.conf.ppp <==
nameserver 210.147.235.3
nameserver 133.205.66.51

golddranks · January 20, 2020, 9:37am

Just a heads up – I got the relay working in the end, without NAT. Here's the working setup:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'DC:A6:32:08:DB:FC'
	option name 'poi'
	option dns '1'
	option ip '192.168.1.156'

It's very similar than what I started with, so I'm perplexed what went wrong at the start, but at least it works now. Thanks for everybody who provided help!

jim1 · May 3, 2020, 10:21am

I tried your final solution with my NTT FLETS connection without success. Are there additional changes you made other than the /etc/config/dhcp file?

golddranks · May 3, 2020, 10:48am

Out of curiosity, what OS do you have? (macOS for me.)

golddranks · May 3, 2020, 10:51am

Be sure to check this thread out too: How to send ICMP6 neighbor solicitation with a link-local source address

You can't have a link local address specified or it doesn't work.