Some progress:
I now have IPv6 connectivity on br-lan and br-streaming (huzzah!).
I still don't have IPv6 connectivity on br-guest. I've modified the pertinent firewall rules (Allow-MLD; Allow-ICMPv6-Input; Allow-ICMPv6-Forward), adding option src '*'
and have also added:
# Input rule (no 'dest' option): accepts IPv6 UDP 546-547 arriving from the guest zone at the router itself.
# NOTE(review): a DHCPv6 server listens on UDP 547 (546 is the client-side port), so opening
# 547 alone is presumably sufficient here. Confirm before narrowing.
config rule
option dest_port '546-547'
option src 'guest'
option name 'DHCPv6 Guest'
option family 'ipv6'
option target 'ACCEPT'
list proto 'udp'
Perhaps this is still, somehow, firewall related?
ip -6 addr show br-guest
looks good:
26: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet6 fdf3:xxxx:yyyy:dd::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 2a02:xxxx:yyyy:dd::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::20d:xxxx:yyyy:2639/64 scope link
valid_lft forever preferred_lft forever
tcpdump -n -i br-guest ip6
I see the router advertisement, but nothing else (other interfaces are far more 'chatty'):
listening on br-guest, link-type EN10MB (Ethernet), capture size 262144 bytes
23:19:18.263018 IP6 fe80::xxxx:yyyy:zzzz:2639 > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
23:19:19.012947 IP6 fe80::xxxx:yyyy:zzzz:2639 > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
23:19:19.245274 IP6 fe80::xxxx:yyyy:zzzz:2639 > ff02::1: ICMP6, router advertisement, length 176
ifstatus wan6; ifstatus guest
shows:
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 22870,
"l3_device": "pppoe-wan",
"proto": "dhcpv6",
"device": "pppoe-wan",
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
],
"ipv6-address": [
{
"address": "2a02:xxxx:yyyy:zzzz::1",
"mask": 64,
"preferred": 1790,
"valid": 17990
}
],
"ipv6-prefix": [
{
"address": "2a02:xxxx:yyyy:zzzz:",
"mask": 48,
"class": "wan6",
"assigned": {
"lan": {
"address": "2a02:xxxx:yyyy:zzzz:aa::",
"mask": 64
},
"streaming": {
"address": "2a02:xxxx:yyyy:zzzz:bb::",
"mask": 64
},
"family": {
"address": "2a02:xxxx:yyyy:zzzz:cc::",
"mask": 64
},
"guest": {
"address": "2a02:xxxx:yyyy:zzzz:dd::",
"mask": 64
}
}
}
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "2a02:xxxx:yyyy:zzzz::",
"mask": 64,
"nexthop": "::",
"metric": 256,
"valid": 17990,
"source": "::/0"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::xxxx:yyyy:zzzz:e000",
"metric": 512,
"valid": 1190,
"source": "2a02:xxxx:yyyy:zzzz::/48"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::xxxx:yyyy:zzzz:e000",
"metric": 512,
"valid": 1190,
"source": "2a02:xxxx:yyyy:zzzz::1/64"
}
],
"dns-server": [
"2a0d:2a00:1::2",
"2a0d:2a00:2::2"
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
"2a02:8010:1:0:212:23:3:100"
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"passthru": "001700102a028010000100000212002300030100"
}
}
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 1595,
"l3_device": "br-guest",
"proto": "static",
"device": "br-guest",
"updated": [
"addresses"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "10.0.0.1",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
{
"address": "2a02:xxxx:yyyy:zzzz:dd::",
"mask": 64,
"local-address": {
"address": "2a02:xxxx:yyyy:zzzz:dd::1",
"mask": 64
}
},
{
"address": "fdf3:xxxx:yyyy:zzzz:dd::",
"mask": 64,
"local-address": {
"address": "fdf3:xxxx:yyyy:zzzz:dd::1",
"mask": 64
}
}
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}
Apologies if there's a suggestion in this thread that I've skipped over. If I have, it wasn't my intention.
Here are my updated configs:
/etc/config/dhcp
# dnsmasq instance 'main': referenced (option instance 'main') by the lan, streaming and guest pools below.
config dnsmasq 'main'
option domainneeded '1'
option localise_queries '1'
# rebind_protection discards upstream answers that point into private address space;
# rebind_localhost lets 127.0.0.0/8 answers through despite that (used by DNS-based blocklists).
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
# noresolv: ignore the resolv file, so only the 'list server' entries below are used as upstreams.
option noresolv '1'
option dnssec '1'
option serversfile '/tmp/adb_list.overall'
# Both upstreams are a forwarder on the router itself, port 5453; which daemon listens there
# is not shown on this page.
list server '127.0.0.1#5453'
list server '0::1#5453'
# dnsmasq instance 'family': restricted to the 'family' interface, with its own lease file and local domain.
config dnsmasq 'family'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/family/'
option domain 'family'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.family'
option serversfile '/tmp/adb_list.overall'
option localservice '1'
option noresolv '1'
list interface 'family'
list notinterface 'lo'
option dnssec '1'
# Unlike 'main', this instance forwards straight to public resolvers with no port given,
# i.e. plain DNS on port 53 rather than via the local port-5453 forwarder.
list server '185.228.168.168'
list server '185.228.169.168'
list server '2a0d:2a00:1::'
list server '2a0d:2a00:2::'
# Address pools. Each pool with dhcpv6/ra set to 'server' announces RAs and serves DHCPv6 on its interface.
config dhcp 'lan'
option instance 'main'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option force '1'
option leasetime '168h'
# No DHCP service on the wan interface.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# maindhcp '0': odhcpd does not take over DHCPv4 (dnsmasq keeps that role); it handles the RA/DHCPv6 side.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'streaming'
option start '100'
option limit '150'
option interface 'streaming'
option instance 'main'
option leasetime '168h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option force '1'
# Same RA/DHCPv6 options as 'streaming' above; only the interface and lease time differ.
# NOTE(review): this pool is attached to the 'main' dnsmasq instance, so guest clients presumably
# share resolver state (local domain 'lan', lease hostnames) with the trusted networks. A separate
# instance, as done for 'family', would keep those names apart. Confirm whether that matters here.
config dhcp 'guest'
option start '100'
option limit '150'
option interface 'guest'
option instance 'main'
option leasetime '48h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option force '1'
# Pool for the 'family' interface, served by the dedicated 'family' dnsmasq instance.
config dhcp 'familysafe'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'family'
option instance 'family'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option force '1'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# NOTE(review): the ULA prefix is given in full here although the same prefix is masked in the
# command output earlier on the page. A ULA is not globally routable, so the exposure is minor,
# but the redaction is inconsistent.
config globals 'globals'
option ula_prefix 'fdf3:e716:6c30::/48'
# NOTE(review): 'ip6assign' appears twice in this section ('60' and '64'). Presumably the later
# value wins; the ifstatus output above shows a /64 assigned to lan. Remove the stale line.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ip6assign '60'
option netmask '255.255.255.0'
option ipaddr '192.168.10.1'
option ifname 'eth1 eth2'
option ip6assign '64'
# ip6hint selects the sub-prefix ID; 'AA' matches the ...:aa::/64 assignment shown for lan in ifstatus.
option ip6hint 'AA'
# PPPoE uplink on eth0. The credentials are redacted ('...') in this post; keep them out of shared configs.
# peerdns '0' ignores the ISP-supplied resolvers in favour of the 'dns' list.
config interface 'wan'
option proto 'pppoe'
option ifname 'eth0'
option ipv6 'auto'
option peerdns '0'
option dns '185.228.168.9 185.228.169.9'
option username '...'
option password '...'
# DHCPv6 client on top of the wan link; requests a delegated prefix (reqprefix 'auto').
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
option dns '2a0d:2a00:1::2 2a0d:2a00:2::2'
# Static address on eth0 in 192.168.2.0/24, the subnet of the 192.168.2.1 address that the
# 'Disable Modem Access' firewall rules target. This interface is listed in the firewall's 'wan' zone.
config interface 'modem'
option proto 'static'
option ifname 'eth0'
option ipaddr '192.168.2.2'
option netmask '255.255.255.0'
# VLAN-backed bridges on eth1. Each takes a /64 from the delegated prefix, with ip6hint choosing the subnet ID.
config interface 'streaming'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option ifname 'eth1.20'
option ip6assign '64'
option ip6hint 'BB'
# Guest network on VLAN 100. ip6assign/ip6hint follow the same pattern as 'streaming', and the
# ifstatus output above shows the ...:dd::/64 prefix assigned, so prefix assignment itself works.
config interface 'guest'
option proto 'static'
option ifname 'eth1.100'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option type 'bridge'
option ip6assign '64'
option ip6hint 'DD'
config interface 'family'
option type 'bridge'
option proto 'static'
option ifname 'eth1.30'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint 'CC'
/etc/config/firewall
# The four rules below have 'src wan' and no 'dest', so they are input rules: they open traffic
# from the wan zone to the router itself, not to hosts behind it.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies to the router's own client (UDP 546). fc00::/6 spans the ULA and link-local
# ranges, so both source and destination are limited to non-global addresses.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# These are the three rules the post says were changed to src '*'.
# MLD (ICMPv6 types 130-132 and 143) from link-local sources, accepted on input from every zone.
config rule
option name 'Allow-MLD'
option src '*'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Input rule: ICMPv6 to the router itself from every zone, rate-limited to 1000/sec.
# The guest and family zones have input 'REJECT', so without a rule like this their clients'
# router/neighbour solicitations would not reach the router.
# NOTE(review): src '*' also covers wan; scoping to the zones that need it keeps the change minimal.
config rule
option name 'Allow-ICMPv6-Input'
option src '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule between ANY pair of zones (src '*', dest '*').
# NOTE(review): this lets ICMPv6 echo-request cross zone boundaries that are otherwise closed
# (e.g. guest -> lan, guest -> family), which weakens guest isolation for host discovery.
# Guest-to-internet traffic is already permitted by the guest -> wan forwarding, so widening this
# rule is presumably not needed for guest IPv6 to work. Consider restoring a narrower 'src'
# and re-testing.
config rule
option name 'Allow-ICMPv6-Forward'
option src '*'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Input rules (no 'dest'): let clients in the guest and family zones reach the router's DHCPv6
# service, which those zones' input 'REJECT' policy would otherwise block.
# NOTE(review): the server side of DHCPv6 is UDP 547 and 546 is the client port, so 547 alone is
# presumably sufficient. Confirm before narrowing.
config rule
option dest_port '546-547'
option src 'guest'
option name 'DHCPv6 Guest'
option family 'ipv6'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '546-547'
option src 'family'
option name 'DHCPv6 Family'
option family 'ipv6'
option target 'ACCEPT'
list proto 'udp'
# Forward rules wan -> lan zone with no 'family' and no 'dest_ip'.
# NOTE(review): the lan zone holds lan, streaming and wgserver, and its hosts now have global
# IPv6 addresses, so these two rules presumably expose ESP and UDP/500 on every host in that
# zone to the internet. Drop them or pin a 'dest_ip' if no IPsec endpoint sits behind the router.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Input rule: UDP 52000 on the router itself, open from wan for both address families.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '52000'
option name 'Allow-Wireguard-Inbound'
# NOTE(review): with no 'dest' this is an input rule, opening TCP 2096 on the router itself.
# The Plex port forward is a separate 'config redirect' further down, so this rule looks
# redundant. Verify and remove it if nothing on the router listens on 2096.
config rule
option target 'ACCEPT'
option src 'wan'
option name 'Allow-Plex-Inbound'
option proto 'tcp'
option dest_port '2096'
# Guest and family zones reject input by default; these rules open only DHCP (UDP 67-68) and
# DNS (TCP/UDP 53) on the router for them.
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'guest_dhcp'
option src 'guest'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest_dns'
option src 'guest'
# Blocks guest clients from the modem's management address, which is reachable through the wan zone.
# NOTE(review): no 'proto' is set. On fw3 a rule without 'proto' matches TCP and UDP only, so
# ICMP to the modem would still pass; add option proto 'all' if a full block is intended.
# Check the default on your firewall version.
config rule
option src 'guest'
option name 'Disable Modem Access Guest'
option dest 'wan'
option dest_ip '192.168.2.1'
option target 'DROP'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'family_dhcp'
option src 'family'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'family_dns'
option src 'family'
# Same modem block for the family zone; the 'proto' caveat on the guest rule applies here too.
config rule
option name 'Disable Modem Access Family'
option src 'family'
option dest 'wan'
option dest_ip '192.168.2.1'
option target 'DROP'
# Trusted zone. 'streaming' and 'wgserver' share it with 'lan', so nothing in this file separates
# those networks from each other (forward 'ACCEPT').
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan streaming wgserver'
# Internet-facing zone; also contains the 'modem' management interface. IPv4 is masqueraded.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'modem wan wan6'
# VPN uplink zone. masq6/masq6_privacy are presumably consumed by the /etc/firewall.nat6 include
# at the end of this file. Confirm.
config zone
option name 'wan_vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'mullvad'
option masq6 '1'
option masq6_privacy '1'
# Custom rules script; its contents are not shown on this page, so it cannot be ruled out as a
# source of the guest IPv6 problem.
config include
option path '/etc/firewall.user'
# Default-deny for anything not covered by a zone.
# NOTE(review): no SYN-flood option appears in this section, whereas the stock defaults section
# sets option syn_flood '1'. Confirm the omission is intentional.
config defaults
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'lan'
# Forces DNS from the lan zone to the router's resolver.
# NOTE(review): this and the two other 'Adblock DNS' redirects below DNAT to an IPv4 address, so
# they only capture IPv4 port-53 traffic. With IPv6 now enabled, a client can presumably reach an
# external resolver over IPv6 and bypass the filtering; an IPv6 rule rejecting forwarded port 53
# from these zones would close that gap.
config redirect 'adblock_dns'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option name 'Adblock DNS'
option dest_ip '192.168.10.1'
# Guest zone: input and forward rejected by default; the only zone-level path out is guest -> wan.
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'guest'
config redirect
option target 'DNAT'
option src 'guest'
option proto 'tcp udp'
option src_dport '53'
option dest_ip '10.0.0.1'
option dest_port '53'
option name 'Adblock DNS Guest'
# Family zone: same policy shape as guest.
config zone
option name 'family'
option input 'REJECT'
option forward 'REJECT'
option network 'family'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'family'
config redirect
option target 'DNAT'
option src 'family'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option name 'Adblock DNS Family'
option dest_ip '192.168.30.1'
# Port forward: TCP 2096 on wan -> 192.168.20.239:32400 (a host on the streaming subnet, which is in the lan zone).
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.20.239'
option dest_port '32400'
option name 'plex'
option proto 'tcp'
option src_dport '2096'
# lan and family may also leave via the VPN zone; guest has no forwarding to wan_vpn.
config forwarding
option dest 'wan_vpn'
option src 'lan'
config forwarding
option dest 'wan_vpn'
option src 'family'
# Second custom script, re-run on firewall reload (reload '1'). Its contents are not shown here;
# review what it inserts into the IPv6 tables when debugging zone-specific IPv6 issues.
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'