Guests cannot browse IPv6 internet

Try adding:

list ip6class 'wan6'
list ip6class 'local'

under "lan", "guest" and all the interfaces that are supposed to have IPv6.


I am referring to the devices you are connecting to the router.
Link Local IPv6 addresses must be there, regardless of the router configuration.
If they are not, then the device doesn't support IPv6 or it is disabled.


Thanks everybody. Just acknowledging for now; will come back with more once I've worked through all your suggestions.


Did you try adding rules that allow DHCPv6 Input from the guest zone?

Why would that rule be needed?

Edit: Never mind. Have just seen that input to the zone is rejected by default.

@krazeh
If you tell your firewall to block traffic first then you would need to open it up again for specific traffic.

@shm0
If you look through the firewall rules a few posts above, there is a guest zone configured.
Looks to me like the firewall zone accepts output to the guest zone but rejects input from the guest zone. Therefore the ACCEPT rule with src guest might be added.

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

config rule
	option src 'guest'
	option name 'Disable Modem Access Guest'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config redirect
	option target 'DNAT'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.0.1'
	option dest_port '53'
	option name 'Adblock DNS Guest'

config rule
	option name 'Allow-Guest-NDP-Input'
	option src 'guest'
	option target 'ACCEPT'
	option family 'ipv6'
	list proto 'icmp'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-solicitation'

I can't see any rules there that allow DHCPv6, only DHCPv4.

I also have a guest network, with working IPv6. You definitely need a few firewall rules to get it working, however. Note that in my examples my guest network is called "untrusted". The first rule is required to get DHCPv6 working, which uses different ports than DHCPv4:

config rule
	option dest_port '546-547'
	option src 'untrusted'
	option name 'DHCPv6 Untrusted'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'udp'

Furthermore, there are 3 IPv6-relevant firewall rules by default:

  • Allow-MLD
  • Allow-ICMPv6-Input
  • Allow-ICMPv6-Forward

By default, these 3 rules have a source zone of WAN. Change these 3 to a source zone of any, since ICMP traffic is mandatory for properly functioning IPv6. By default these rules correctly allow this traffic from WAN, but this traffic is also required from zones such as guest/untrusted for IPv6 to work properly, so changing the source to any is the easiest fix, like so:

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option src '*'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'

Emphasis on the line:
option src '*'

Note that the above example is just one of the above mentioned 3 rules. Make sure you change the src line for all 3 rules to any.
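The post above gives the rule-by-rule reasoning (DHCPv6 on a different port than DHCPv4, and the three ICMPv6 rules that only cover WAN by default). What follows is an added example, not code from the thread or from OpenWrt: a small Python linter that parses a /etc/config/firewall in UCI syntax and reports, per client-facing zone whose INPUT policy is not ACCEPT, whether the zone can reach the router for DHCPv6 (UDP 547, the server side port), neighbour discovery (RS/NS/NA) and MLD. Upstream zones (masq '1') are skipped because the router is the DHCPv6 client there. The `BEFORE`/`AFTER` samples are constructed to mirror the thread's starting point and the fix; the `uci()` helper only renders them as UCI text, and all function names are mine.

```python
import re

NDP_TYPES = {"router-solicitation", "neighbour-solicitation", "neighbour-advertisement"}
MLD_TYPES = {"130/0", "131/0", "132/0", "143/0"}  # MLD query, report, done, MLDv2 report


def parse_uci(text):
    """UCI text -> [(section_type, options)]. A repeated 'option' keeps the last value
    (UCI semantics); 'list' entries accumulate into a Python list."""
    sections = []
    for raw in text.splitlines():
        m = re.match(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*?))?\s*$", raw)
        if not m:
            continue
        kind, key, val = m.groups()
        val = (val or "").strip("'\"")
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            cur = sections[-1][1].get(key, [])
            cur = cur.split() if isinstance(cur, str) else cur
            sections[-1][1][key] = cur + [val]
    return sections


def values(opts, key):
    """'option proto "tcp udp"' and repeated 'list proto' both come back as a list."""
    v = opts.get(key, "")
    return v if isinstance(v, list) else v.split()


def port_covered(spec, port):
    """spec is like '547', '546-547' or '67 68'; an empty spec matches every port."""
    for part in spec.split():
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return not spec


def ipv6_readiness(text):
    """{zone: {"dhcpv6": bool, "ndp": bool, "mld": bool}} for each zone that rejects
    INPUT by policy and is not an upstream (masq) zone such as wan."""
    sections = parse_uci(text)
    # INPUT-chain ACCEPT rules that can match IPv6: no dest (dest => FORWARD), family not ipv4
    rules = [o for k, o in sections if k == "rule" and o.get("target", "").upper() == "ACCEPT"
             and not o.get("dest") and o.get("family", "any").lower() != "ipv4"]
    report = {}
    for kind, z in sections:
        if kind != "zone" or z.get("masq") == "1" or z.get("input", "").upper() == "ACCEPT":
            continue
        got = {"dhcpv6": False, "ndp": False, "mld": False}
        for r in (r for r in rules if r.get("src") in (z["name"], "*")):
            protos = {p.lower() for p in values(r, "proto")} or {"all"}
            types = set(values(r, "icmp_type"))       # empty => every ICMPv6 type
            if protos & {"udp", "all"} and port_covered(r.get("dest_port", ""), 547):
                got["dhcpv6"] = True                   # odhcpd listens on UDP 547
            if protos & {"icmp", "icmpv6", "all"}:
                got["ndp"] |= not types or NDP_TYPES <= types
                got["mld"] |= not types or MLD_TYPES <= types
        report[z["name"]] = got
    return report


def missing(text):
    """Sorted (zone, check) pairs that would keep IPv6 clients in that zone from working."""
    return sorted((z, c) for z, got in ipv6_readiness(text).items()
                  for c, ok in got.items() if not ok)


def uci(section, **opts):
    """Render one UCI section for the constructed samples (tuple values become 'list' lines)."""
    lines = ["config " + section]
    for k, v in opts.items():
        lines += ["\tlist %s '%s'" % (k, x) for x in v] if isinstance(v, tuple) \
            else ["\toption %s '%s'" % (k, v)]
    return "\n".join(lines) + "\n"


# Constructed samples: the thread's starting point (guest zone, ICMPv6 rules WAN-only) and the fix.
BEFORE = (
    uci("zone", name="guest", input="REJECT", output="ACCEPT", forward="REJECT")
    + uci("rule", name="Allow-ICMPv6-Input", src="wan", proto="icmp", family="ipv6", target="ACCEPT",
          icmp_type=("router-solicitation", "neighbour-solicitation", "neighbour-advertisement"))
    + uci("rule", name="Allow-MLD", src="wan", proto="icmp", family="ipv6", target="ACCEPT",
          icmp_type=("130/0", "131/0", "132/0", "143/0"))
    + uci("rule", name="guest_dhcp", src="guest", proto="udp", dest_port="67-68", target="ACCEPT")
)
AFTER = BEFORE.replace("option src 'wan'", "option src '*'") + uci(
    "rule", name="DHCPv6-Guest", src="guest", proto="udp", dest_port="547", family="ipv6", target="ACCEPT")

if __name__ == "__main__":
    print("before:", missing(BEFORE))   # guest lacks dhcpv6, mld, ndp
    print("after: ", missing(AFTER))    # []
```

Two practical notes. Only UDP 547 needs to be opened on a client-facing zone: 546 is the client's listening port, so a '546-547' rule is slightly wider than necessary. And if you prefer not to set src '*' on the default rules, a per-zone copy of Allow-ICMPv6-Input and Allow-MLD with src 'guest' passes the same check while keeping each zone's permissions explicit.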

There is a default firewall rule that allows necessary ipv6 icmp traffic to be forwarded.
And the MLD is only needed for multicast traffic.
I know IPv6 uses multicast but I think MLD is not needed to make the "basic" things work.

Generic off-topic:
Maybe it is better to split the default INPUT ICMPv6 rules to
NDP and "misc"
and add an additional check to the NDP rule: -m hl --hl-eq 255
The default limit of 1000/sec for all ICMP rules also seems quite high for me.
Maybe limit this to 60/min based on src ip with hashlimit module.
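The two hardening ideas above (an `-m hl --hl-eq 255` match on the NDP rule, and a per-source rate limit instead of a flat 1000/sec) are easy to state but worth seeing in action. The following is an added example, not from the thread: a Python model of those two matches applied to raw IPv6 frames. It builds constructed ICMPv6 packets with a valid checksum, then runs them through a filter that drops NDP messages whose hop limit is not 255 (RFC 4861 requires 255 precisely so that anything that crossed a router can be rejected) and applies a per-source token bucket of 60 per minute, standing in for hashlimit. The class and function names are mine, and the checksum verification is an extra sanity check, not part of the original proposal.

```python
import ipaddress
import struct

NDP_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (RFC 4861)
ICMPV6 = 58


def checksum(data):
    """Internet checksum (RFC 1071); returns 0 for a packet whose checksum verifies."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_icmpv6(src, dst, hop_limit, icmp_type, body=b""):
    """Constructed test input: minimal IPv6 header + ICMPv6 message with a correct checksum."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    pseudo = s + d + struct.pack("!I3xB", len(icmp), ICMPV6)     # IPv6 pseudo-header
    icmp = icmp[:2] + struct.pack("!H", checksum(pseudo + icmp)) + icmp[4:]
    return struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit) + s + d + icmp


class NdpInputFilter:
    """Software model of the proposed matches: NDP must arrive with hop limit 255
    (`-m hl --hl-eq 255`), plus a per-source token bucket in place of
    `-m hashlimit --hashlimit-mode srcip` (rate per minute, burst equal to the rate)."""

    def __init__(self, rate_per_min=60):
        self.rate = rate_per_min / 60.0     # tokens per second
        self.burst = rate_per_min
        self.buckets = {}                   # packed source address -> (tokens, last_seen)

    def _take_token(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[src] = (tokens - 1 if ok else tokens, now)
        return ok

    def verdict(self, frame, now):
        """'ACCEPT', 'ACCEPT:<why this rule does not apply>' or 'DROP:<reason>' for one raw IPv6 packet."""
        if len(frame) < 40 or frame[0] >> 4 != 6:
            return "DROP:not-ipv6"
        plen, nxt, hlim = struct.unpack("!HBB", frame[4:8])
        src, dst, icmp = frame[8:24], frame[24:40], frame[40:40 + plen]
        if nxt != ICMPV6:
            return "ACCEPT:not-icmpv6"      # other rules decide; this filter only looks at NDP
        if len(icmp) != plen or plen < 4:
            return "DROP:truncated"
        if checksum(src + dst + struct.pack("!I3xB", plen, ICMPV6) + icmp) != 0:
            return "DROP:checksum"
        if icmp[0] not in NDP_TYPES:
            return "ACCEPT:not-ndp"
        if hlim != 255:                     # crossed a router, so it cannot be an on-link neighbour
            return "DROP:hop-limit"
        if not self._take_token(src, now):
            return "DROP:rate-limit"
        return "ACCEPT"


if __name__ == "__main__":
    f = NdpInputFilter(rate_per_min=60)
    print(f.verdict(build_icmpv6("fe80::1", "ff02::1", 255, 135), 0.0))  # ACCEPT
    print(f.verdict(build_icmpv6("fe80::1", "ff02::1", 64, 135), 0.0))   # DROP:hop-limit
```

The hop-limit check is the cheap, high-value part: a neighbour solicitation or router advertisement that did not originate on the link cannot arrive with hop limit 255, so the match costs nothing for legitimate traffic. On firewall4/nftables the equivalent match is `ip6 hoplimit 255`.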

As mentioned in my previous post, that default rule only forwards ipv6 icmp traffic from WAN, and not from other zones such as Guest, which also require it.

There is:

config forwarding
	option dest 'wan'
	option src 'guest'

All traffic from guest to wan gets forwarded anyway, so no need to add a rule that allows ICMP forward from guest to wan.

Actually, you're absolutely right. If the guest network is a totally isolated network this is definitely enough.

The reason why I still employ a dedicated icmp forward rule is that I also have a rule that allows devices from my lan zone to connect to devices in the untrusted zone (but not the other way around). In order for IPv6 to work properly between these two zones I still need to forward icmp traffic from untrusted to lan.

So there are two ways I can fix this:

  1. Create a second ipv6 icmp forward rule, that's basically a copy/paste from the default one, but make the source untrusted
  2. Or, the IMO easier route, change the source in the rule that's already there to any. This will also make sure ipv6 will work in any future ipv6 networks I might set up.

Thanks, everybody. There's a lot to go through here. My initial steps are going to be:

APU2 board -> trunks to a Managed Switch -> trunks to wireless APs.

Will report back soon.

Some progress:

I now have IPv6 connectivity on br-lan and br-streaming (huzzah!).

I still don't have IPv6 connectivity on br-guest. I've modified the pertinent firewall rules (Allow-MLD; Allow-ICMPv6-Input; Allow-ICMPv6-Forward), adding option src '*' and have also added:

config rule
	option dest_port '546-547'
	option src 'guest'
	option name 'DHCPv6 Guest'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'udp'

Perhaps this is still, somehow, firewall related?

ip -6 addr show br-guest looks good:

26: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 fdf3:xxxx:yyyy:dd::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a02:xxxx:yyyy:dd::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:xxxx:yyyy:2639/64 scope link 
       valid_lft forever preferred_lft forever

tcpdump -n -i br-guest ip6; I see the router advertisement, but nothing else (other interfaces are far more 'chatty'):

listening on br-guest, link-type EN10MB (Ethernet), capture size 262144 bytes
23:19:18.263018 IP6 fe80::xxxx:yyyy:zzzz:2639 > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
23:19:19.012947 IP6 fe80::xxxx:yyyy:zzzz:2639 > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
23:19:19.245274 IP6 fe80::xxxx:yyyy:zzzz:2639 > ff02::1: ICMP6, router advertisement, length 176

ifstatus wan6; ifstatus guest shows:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 22870,
	"l3_device": "pppoe-wan",
	"proto": "dhcpv6",
	"device": "pppoe-wan",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a02:xxxx:yyyy:zzzz::1",
			"mask": 64,
			"preferred": 1790,
			"valid": 17990
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a02:xxxx:yyyy:zzzz:",
			"mask": 48,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a02:xxxx:yyyy:zzzz:aa::",
					"mask": 64
				},
				"streaming": {
					"address": "2a02:xxxx:yyyy:zzzz:bb::",
					"mask": 64
				},
				"family": {
					"address": "2a02:xxxx:yyyy:zzzz:cc::",
					"mask": 64
				},
				"guest": {
					"address": "2a02:xxxx:yyyy:zzzz:dd::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a02:xxxx:yyyy:zzzz::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 17990,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:yyyy:zzzz:e000",
			"metric": 512,
			"valid": 1190,
			"source": "2a02:xxxx:yyyy:zzzz::/48"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:yyyy:zzzz:e000",
			"metric": 512,
			"valid": 1190,
			"source": "2a02:xxxx:yyyy:zzzz::1/64"
		}
	],
	"dns-server": [
		"2a0d:2a00:1::2",
		"2a0d:2a00:2::2"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"2a02:8010:1:0:212:23:3:100"
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700102a028010000100000212002300030100"
	}
}
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1595,
	"l3_device": "br-guest",
	"proto": "static",
	"device": "br-guest",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "10.0.0.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2a02:xxxx:yyyy:zzzz:dd::",
			"mask": 64,
			"local-address": {
				"address": "2a02:xxxx:yyyy:zzzz:dd::1",
				"mask": 64
			}
		},
		{
			"address": "fdf3:xxxx:yyyy:zzzz:dd::",
			"mask": 64,
			"local-address": {
				"address": "fdf3:xxxx:yyyy:zzzz:dd::1",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

Apologies if there's a suggestion in this thread that I've skipped over. If I have, it wasn't my intention.

Here are my updated configs:

/etc/config/dhcp
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option noresolv '1'
	option dnssec '1'
	option serversfile '/tmp/adb_list.overall'
	list server '127.0.0.1#5453'
	list server '0::1#5453'

config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	option dnssec '1'
	list server '185.228.168.168'
	list server '185.228.169.168'
	list server '2a0d:2a00:1::'
	list server '2a0d:2a00:2::'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'
	option leasetime '168h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'streaming'
	option start '100'
	option limit '150'
	option interface 'streaming'
	option instance 'main'
	option leasetime '168h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'

config dhcp 'guest'
	option start '100'
	option limit '150'
	option interface 'guest'
	option instance 'main'
	option leasetime '48h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'family'
	option instance 'family'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:e716:6c30::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'
	option ifname 'eth1 eth2'
	option ip6assign '64'
	option ip6hint 'AA'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0'
	option ipv6 'auto'
	option peerdns '0'
	option dns '185.228.168.9 185.228.169.9'
	option username '...'
	option password '...'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2a0d:2a00:1::2 2a0d:2a00:2::2'

config interface 'modem'
	option proto 'static'
	option ifname 'eth0'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config interface 'streaming'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ifname 'eth1.20'
	option ip6assign '64'
	option ip6hint 'BB'

config interface 'guest'
	option proto 'static'
	option ifname 'eth1.100'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ip6assign '64'
	option ip6hint 'DD'

config interface 'family'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth1.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint 'CC'

/etc/config/firewall
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src '*'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src '*'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option dest_port '546-547'
	option src 'guest'
	option name 'DHCPv6 Guest'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '546-547'
	option src 'family'
	option name 'DHCPv6 Family'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '52000'
	option name 'Allow-Wireguard-Inbound'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'Allow-Plex-Inbound'
	option proto 'tcp'
	option dest_port '2096'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

config rule
	option src 'guest'
	option name 'Disable Modem Access Guest'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'family_dhcp'
	option src 'family'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'family_dns'
	option src 'family'

config rule
	option name 'Disable Modem Access Family'
	option src 'family'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan streaming wgserver'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'modem wan wan6'

config zone
	option name 'wan_vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'mullvad'
	option masq6 '1'
	option masq6_privacy '1'

config include
	option path '/etc/firewall.user'

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan'

config redirect 'adblock_dns'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option name 'Adblock DNS'
	option dest_ip '192.168.10.1'

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config redirect
	option target 'DNAT'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.0.1'
	option dest_port '53'
	option name 'Adblock DNS Guest'

config zone
	option name 'family'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'family'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'family'

config redirect
	option target 'DNAT'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option name 'Adblock DNS Family'
	option dest_ip '192.168.30.1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.20.239'
	option dest_port '32400'
	option name 'plex'
	option proto 'tcp'
	option src_dport '2096'

config forwarding
	option dest 'wan_vpn'
	option src 'lan'

config forwarding
	option dest 'wan_vpn'
	option src 'family'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

aaaaaand, it's all working now. There's a 'Guest Network' switch in the Unifi Network settings for my APs: switched that off, and the guest network now obtains a DHCPv6 lease and can browse IPv6 Internet.

So it looks like there were two things going on here:

  1. Firewall rules

  2. Unifi settings interfering.


Guest network in Unifi works fine. I am using it myself. The thing is that after you enable the guest network for some SSID, you need to take care of the captive portal settings too, which includes allowing traffic from guest to the captive portal.


Thanks; that's good to know. I'll make that my next argument. I'm going to modify my VPN-PBR now, and then once that's working properly, I'll revisit the Unifi Settings.

For the curious: it seems to be a 'known issue' for which I've not yet found a solution. (Slightly) off topic, so I won't say anything more on the subject.