I have multiple VLANs configured on my home network. The "Admin" VLAN has full access to the OpenWRT router, while the "lan" VLAN can reach only the necessary ports on the router, e.g. for DHCP and DNS requests.
When my computer is on the "Admin" VLAN, it can get a DHCPv6 lease without any issue. When it is on the "lan" VLAN, all DHCPv6 requests time out. (DHCPv4 requests work fine.) I have to assume something is wrong with my firewall configuration, but exactly what that is eludes me.
Thanks for your help! (Everything below is config files)
Relevant sections of /etc/config/network:
# Admin network: a bridge over VLAN 10 (eth1.10) and tap0, with the router at
# 192.168.101.1/24. ip6assign '64' requests a /64 for this interface.
# NOTE(review): tap0 is bridged into this network, so whatever attaches through
# that tap device lands in the firewall zone that lists 'admin' (input ACCEPT in
# the firewall excerpt). Presumably a VPN endpoint; confirm it is authenticated
# as strictly as physical access to the admin port.
config interface 'admin'
option type 'bridge'
option ifname 'eth1.10 tap0'
option proto 'static'
option ipaddr '192.168.101.1'
option netmask '255.255.255.0'
option ip6assign '64'
# Restricted network: a bridge over VLAN 11 (eth1.11), with the router at
# 192.168.1.1/24. ip6assign '64' requests a /64 for this interface, so clients
# here are expected to use IPv6 as well as IPv4.
config interface 'lan'
option type 'bridge'
option ifname 'eth1.11'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
# Upstream IPv4: DHCP client on VLAN 1 of eth0.
config interface 'wan'
option ifname 'eth0.1'
option proto 'dhcp'
# Upstream IPv6: DHCPv6 client on the same device, requesting a /56 prefix.
# The per-interface ip6assign '64' settings on admin and lan would be carved
# from that prefix.
config interface 'wan6'
option ifname 'eth0.1'
option proto 'dhcpv6'
option reqprefix 56
# Switch VLAN membership. A trailing 't' marks a port as tagged for that VLAN;
# ports without it are untagged members.
# WAN: port 5 untagged, port 0 tagged (presumably the CPU port behind eth0 — confirm).
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '5 0t'
# Admin: port 1 untagged, ports 3, 4 and 6 tagged.
# NOTE(review): ports 3 and 4 carry both VLAN 10 and VLAN 11 tagged (port 6 is
# presumably the CPU port behind eth1). A device on such a trunk port can tag
# frames for either VLAN, so the admin/lan separation depends on what is
# attached to ports 3 and 4. Confirm those are trusted switches or APs.
config switch_vlan
option device 'switch0'
option vlan '10'
option ports '1 3t 4t 6t'
# lan: port 2 untagged, same tagged trunk ports as the Admin VLAN.
config switch_vlan
option device 'switch0'
option vlan '11'
option ports '2 3t 4t 6t'
Relevant sections of /etc/config/dhcp:
# DHCP pool for the admin interface: IPv4 leases start at host offset 100, with
# 100 addresses and a 12h lease time. dhcpv6 'server' and ra 'server' enable
# DHCPv6 service and router advertisements on this interface.
config dhcp 'admin'
option interface 'admin'
option start '100'
option limit '100'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
# DHCP pool for the lan interface: IPv4 leases start at host offset 100, with
# 150 addresses and a 12h lease time. DHCPv6 and router advertisements are set
# to 'server' exactly as on admin, so the DHCPv6 service settings are the same
# for both networks. Of the sections shown, only the firewall treats the two
# differently.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
# No DHCP service is offered on the wan interface.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd settings. maindhcp '0' leaves DHCPv4 to another daemon (presumably
# dnsmasq — confirm), so odhcpd handles the DHCPv6/RA side. Leases are written
# under /tmp/hosts and the trigger script runs on lease changes.
# loglevel '4' sets the syslog verbosity; raising it while debugging may show
# whether DHCPv6 requests from lan reach odhcpd at all.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
Relevant sections of /etc/config/firewall:
# Global fallback policies: SYN-flood protection on, input and output accepted,
# forwarding rejected unless a zone or forwarding section allows it.
# NOTE(review): with input ACCEPT as the fallback, traffic arriving on an
# interface that is not a member of any zone would presumably be accepted.
# Verify that every interface is zoned, or tighten this to REJECT.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# Admin zone: fully trusted. Everything addressed to the router from the admin
# network is accepted, which is why DHCPv6 works there without any explicit
# rule.
config zone
option name admin
list network 'admin'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# option conntrack 1
# lan zone: untrusted towards the router. input REJECT means only traffic
# matched by an explicit 'config rule' with src 'lan' reaches router services.
# NOTE(review): this applies to IPv6 control traffic too. ICMPv6 sent to the
# router (router solicitation, neighbour solicitation/advertisement) is
# rejected unless a rule accepts it. The rules shown for 'lan' cover only
# UDP and TCP ports, so confirm an ICMPv6 rule exists in the full file.
config zone
option name lan
list network 'lan'
# option conntrack '1'
option input REJECT
option output ACCEPT
option forward REJECT
# wan zone: covers both the IPv4 (wan) and IPv6 (wan6) upstream interfaces.
# Inbound and forwarded traffic is rejected by default. masq enables
# masquerading for traffic leaving through this zone and mtu_fix enables
# MSS clamping.
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# Inter-zone forwarding. admin may initiate connections to wan and to lan.
# lan may initiate connections to wan only. There is no lan -> admin section,
# so with the lan zone's forward REJECT policy, lan hosts cannot open
# connections into the admin network.
config forwarding
option src admin
option dest wan
config forwarding
option src admin
option dest lan
config forwarding
option src lan
option dest wan
# Exceptions to the lan zone's input REJECT policy. None of these rules sets a
# 'dest', so they apply to traffic addressed to the router itself.
# DHCPv4: UDP between ports 67 and 68, IPv4 only.
config rule
option name Allow-lan-DHCP
option src 'lan'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6: UDP to the server port 547, IPv6 only.
# NOTE(review): no rule shown here accepts ICMPv6 from 'lan'. With the zone at
# input REJECT, router solicitations and neighbour solicitation/advertisement
# messages addressed to the router would be rejected, and the router relies on
# neighbour discovery to deliver its unicast DHCPv6 reply. That is a likely
# cause of the DHCPv6 timeouts while DHCPv4 keeps working. A rule with src
# 'lan', proto 'icmp', family 'ipv6' and only the needed icmp_type entries
# (e.g. router-solicitation, neighbour-solicitation, neighbour-advertisement)
# would cover this. Confirm against the full file, since only excerpts are
# shown.
config rule
option name Allow-lan-DHCPv6
option src 'lan'
option dest_port '547'
option proto 'udp'
option family 'ipv6'
option target 'ACCEPT'
# DNS: TCP and UDP port 53. No 'family' is set, so this is not restricted to
# one address family.
config rule
option name Allow-lan-DNS
option src 'lan'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
# Exceptions to the wan zone's input REJECT policy (traffic addressed to the
# router from upstream).
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow IPv4 IGMP from upstream.
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# NOTE(review): with src_ip and dest_ip commented out, this rule accepts UDP
# to port 546 from any IPv6 source on wan. If the upstream DHCPv6 server's
# address range is known, restoring a source restriction narrows the exposure.
# Confirm what the ISP uses before tightening.
# NOTE(review): no ICMPv6 input rule for wan appears in this excerpt.
# Presumably it was omitted as not relevant; verify it exists, since the wan6
# interface also depends on ICMPv6.
config rule
option name Allow-DHCPv6
option src wan
option proto udp
# option src_ip fc00::/6
# option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT