Firewall rules preventing DHCPv6 from being accepted?

Hi all,

I think the 18.06.4 release IP6 firewall rules are preventing DHCPv6 packets (from the ISP) from being accepted.

This is my tcp packet dump rule:
tcpdump -i eth1.2 not port 22 and "ip6 and (udp port 546 or udp port 547 or icmp6)" -vv

tcp dump:
04:36:55.183780 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 24) **2401:xxxx:xxxx::1** > **fe80::xxxx:xxxx:xxxx:bf4:** [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is *fe80::xxxx:xxxx:xxxx:6402*, Flags [router, solicited]

If I'm reading this dump correctly, 2401:xxxx:xxxx::1 is the source address and fe80::xxxx:xxxx:xxxx:bf4 is the destination, with the target being fe80::xxxx:xxxx:xxxx:6402.

"ip neigh show":
192.168.1.2 dev br-lan lladdr 40:xx:xx:xx:xx:c7 ref 1 used 0/0/0 probes 1 REACHABLE
2xx.1xx.1xx.1xx dev eth1.2 lladdr c0:xx:xx:xx:xx:02 ref 1 used 0/0/0 probes 1 REACHABLE
192.168.1.179 dev br-lan lladdr 04:xx:xx:xx:xx:8a ref 1 used 0/0/0 probes 1 REACHABLE
192.168.1.209 dev br-lan lladdr b0:xx:xx:xx:xx:e2 ref 1 used 0/0/0 probes 1 REACHABLE
192.168.1.227 dev br-lan lladdr b0:xx:xx:xx:xx:c3 ref 1 used 0/0/0 probes 1 REACHABLE
fd16:xxxx:xxxx::xxxx:xxxx:xxxx:e2f2 dev br-lan lladdr 04:xx:xx:xx:xx:8a router used 0/0/0 probes 1 STALE
***fe80::xxxx:xxxx:xxxx:6402*** dev eth1.2 lladdr c0:xx:xx:xx:xx:02 router used 0/0/0 probes 0 STALE
fd16:xxxx:xxxx::xxxx:xxxx:xxxx:f969 dev br-lan lladdr 04:xx:xx:xx:xx:8a router used 0/0/0 probes 1 STALE
fe80::xxxx:xxxx:xxxx:ed8a dev br-lan lladdr 04:xx:xx:xx:xx:8a router used 0/0/0 probes 1 STALE
fe80::xxxx:xxxx:xxxx:6ef3 dev br-lan lladdr 40:xx:xx:xx:xx:c7 used 0/0/0 probes 1 STALE
fe80::xxxx:xxxx:xxxx:4775 dev eth1.2 lladdr b4:xx:xx:xx:xx:75 used 0/0/0 probes 0 STALE

Here are the relevant ip6 firewall rules:
Name: Allow-DHCPv6
Rule: IPv6-udp
From IP range fc00::/6 in wan
To IP range fc00::/6 at port 546 on this device

Name: Allow-MLD
Rule: IPv6-icmp with types 130/0, 131/0, 132/0, 143/0
From IP range fe80::/10 in wan
To any router IP on this device

It appears the Allow-DHCPv6 rule is too strict and doesn't allow DHCPv6 packets to go through.

What is/are the rule(s) I should write to enable DHCPv6 packets to pass through?

Does your ISP offer DHCPv6? Or just the stateless router advertisement (SLAAC)?

PS:
All those fc00/6 addresses like fd16..., fe80... are link-local IPv6 addresses, not proper routable addresses.
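
The two rules quoted in the first post and the fc00::/6 range mentioned in the reply above, evaluated against constructed packets. This is an added example, not part of the thread and not OpenWrt's firewall code. The addresses are constructed stand-ins for the masked ones, and only the two rules shown are modeled, not the rest of the ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

FC00_6 = ipaddress.ip_network("fc00::/6")    # range used by Allow-DHCPv6
FE80_10 = ipaddress.ip_network("fe80::/10")  # range used by Allow-MLD

@dataclass
class Packet:
    proto: str                       # "udp" or "icmpv6"
    src: str
    dst: str
    dport: Optional[int] = None      # UDP only
    icmp_type: Optional[int] = None  # ICMPv6 only

def in_net(addr: str, net) -> bool:
    return ipaddress.ip_address(addr) in net

def allow_dhcpv6(p: Packet) -> bool:
    # IPv6-udp, from fc00::/6, to fc00::/6 at port 546
    return (p.proto == "udp" and p.dport == 546
            and in_net(p.src, FC00_6) and in_net(p.dst, FC00_6))

def allow_mld(p: Packet) -> bool:
    # IPv6-icmp types 130, 131, 132, 143 from fe80::/10
    return (p.proto == "icmpv6" and p.icmp_type in {130, 131, 132, 143}
            and in_net(p.src, FE80_10))

RULES = [("Allow-DHCPv6", allow_dhcpv6), ("Allow-MLD", allow_mld)]

def first_match(p: Packet) -> Optional[str]:
    """Name of the first modeled rule that accepts p, or None."""
    return next((name for name, rule in RULES if rule(p)), None)

# Constructed packets; 2001:db8::/32 is the documentation prefix.
SAMPLES = {
    "dhcpv6 reply, link-local server": Packet("udp", "fe80::1", "fe80::2", dport=546),
    "dhcpv6 reply, global source": Packet("udp", "2001:db8::1", "fe80::2", dport=546),
    "neighbor advertisement (type 136)": Packet("icmpv6", "2001:db8::1", "fe80::2", icmp_type=136),
    "MLD query (type 130)": Packet("icmpv6", "fe80::1", "ff02::1", icmp_type=130),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:36} -> {first_match(pkt)}")
```

A `None` result only means neither of these two rules matched; the packet may still be accepted by a rule the post did not quote.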

Yes, I was able to obtain IPv6 addresses in the past with the same ISP, and this was before I upgraded to 18.06.4, 2 days ago.

I'm not certain at this point whether there's some screw-up on the ISP level (there were some Internet issues a few weeks back), or due to changes in OpenWRT, which is why I'm doing troubleshooting and asking questions now.

Did you reset your router to defaults while upgrading?

Yes, I did.

Anyway, the problem has been solved. Screw-up at the ISP level.
