Help me figure out why my IPv6 has stopped working

Been tearing my hair out recently, basically ever since I migrated my home server from Debian 11 to Ubuntu Server 24.0.4.2 LTS, and (after regretting the jump to Ubuntu) then back to Debian again, this time version 12 stable. Prior to this, just about everything relating to IPv6 on my home network was working flawlessly. I could connect to devices using either IP from either their public or private prefix that I have set up in my network, or even just DNS a majority of the time, with both A and AAAA records in place. And if something wasn't connecting, it was usually a case of a service not running (e.g. "connection refused"), or a port being blocked by one of the firewalls.

Around the same time I migrated away from Debian 11, I did change some network config on my home router. But my memory is iffy now on what it could have been that broke half of my IPv6 setup. Plus, it was a while ago now.

If I run a test to isp.test-ipv6.com, while on a remote desktop connection to my server in question, the test completely passes with flying colours; there I get a result code of 46 which indicates I am running a dual-stack network, as expected. So everything should be all good, right?

Well... No. Issues become apparent, though, when I try to connect to my home Minecraft server. IPv4 gets through just fine: my router sees the incoming traffic, sees it is permitted, and passes it from the main home VLAN into the servers VLAN. Then, when it reaches my home server, the server's firewall will also permit it, since it's Minecraft traffic.

If I switch things around and try to connect with IPv6, all kinds of weird things that I cannot pin down start to arise. The main one is that a lot of traffic seems to be getting blackholed, because if I do a packet capture while I, say, connect to my Minecraft server, I see various ICMP "destination unreachable" packets being logged, which I don't see at all for IPv4 connections. ICMP echo traffic also seems really unpredictable on IPv6. I've had times where pings from my PC in my main VLAN will get through just fine to my server. But as I'm typing this, I'm trying again now, and ICMP echo requests are just timing out on me. Traceroutes aren't any better, usually timing out over and over until the max hop limit is reached.

All I want is perfect end-to-end connectivity for anyone fortunate enough to also have IPv6, who may also want to access services I am hosting over v6. And I don't have that anymore. I also hate that it's even reached the point where I have to ask for help online, instead of being able to figure this out myself...

I would also share a saved, sample packet capture in .pcap form, but I am unsure on what the best way to do that would be, here.

Device info:

root@apollo:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "apollo",
        "system": "Intel(R) Celeron(R) CPU J3455E @ 1.50GHz",
        "model": "Qotom Q710G4",
        "board_name": "Qotom Q710G4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

And I had to split all the config stuff into a separate comment, here.

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd42:192:168::/48'
        option packet_steering '1'

config interface 'trustednet'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.241.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ip6assign '64'
        option ip6hint '241'
        option metric '30'

config interface 'guestnet'
        option proto 'static'
        option device 'eth2.20'
        option ipaddr '192.168.243.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '243'
        option metric '33'
        option delegate '0'

config interface 'servernet'
        option proto 'static'
        option device 'eth3'
        option ipaddr '192.168.242.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '242'
        option metric '32'
        option delegate '0'

config interface 'trustedwg'
        option proto 'wireguard'
        option private_key 'redacted'
        option listen_port '26100'
        option delegate '0'
        list dns '192.168.251.1'
        list dns 'fd42:192:168:251::1'
        option defaultroute '0'
        option metric '31'
        list addresses '192.168.251.1/24'
        list addresses 'fd42:192:168:251::1/64'

config interface 'wan1v6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option metric '21'
        list dns '2606:4700:4700::1111'
        list dns '2001:4860:4860::8888'
        list dns '2620:fe::10'

config interface 'wan1v4'
        option proto 'dhcp'
        option device 'eth0'
        option peerdns '0'
        option metric '21'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '9.9.9.10'

config interface 'wan2v4'
        option proto 'dhcp'
        option device 'usb0'
        option auto '0'
        option peerdns '0'
        option metric '20'
        option delegate '0'
        list dns '9.9.9.11'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config wireguard_trustedwg
        option description 'Emily'\''s Galaxy S23'
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '192.168.251.200/32'
        list allowed_ips 'fd42:192:168:251::200/128'
        list allowed_ips '2404:e80:92da:251::200/128'
        list allowed_ips '192.168.251.0/24'
        list allowed_ips '192.168.241.0/24'
        list allowed_ips '192.168.242.0/24'
        list allowed_ips 'fd42:192:168:251::/64'
        list allowed_ips 'fd42:192:168:241::/64'
        list allowed_ips 'fd42:192:168:242::/64'
        list allowed_ips '2404:e80:92da:251::/64'
        list allowed_ips '2404:e80:92da:241::/64'
        list allowed_ips '2404:e80:92da:242::/64'

config wireguard_trustedwg
        option description 'Emily'\''s Galaxy Tab S9'
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '192.168.251.202/32'
        list allowed_ips 'fd42:192:168:251::202/128'
        list allowed_ips '2404:e80:92da:251::202/128'
        list allowed_ips '192.168.251.0/24'
        list allowed_ips '192.168.241.0/24'
        list allowed_ips '192.168.242.0/24'
        list allowed_ips 'fd42:192:168:251::/64'
        list allowed_ips 'fd42:192:168:241::/64'
        list allowed_ips 'fd42:192:168:242::/64'
        list allowed_ips '2404:e80:92da:251::/64'
        list allowed_ips '2404:e80:92da:241::/64'
        list allowed_ips '2404:e80:92da:242::/64'

config wireguard_trustedwg
        option description 'Emily'\''s ThinkPad P14s'
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '192.168.251.204/32'
        list allowed_ips 'fd42:192:168:251::204/128'
        list allowed_ips '2404:e80:92da:251::204/128'
        list allowed_ips '192.168.251.0/24'
        list allowed_ips '192.168.241.0/24'
        list allowed_ips '192.168.242.0/24'
        list allowed_ips 'fd42:192:168:251::/64'
        list allowed_ips 'fd42:192:168:241::/64'
        list allowed_ips 'fd42:192:168:242::/64'
        list allowed_ips '2404:e80:92da:251::/64'
        list allowed_ips '2404:e80:92da:241::/64'
        list allowed_ips '2404:e80:92da:242::/64'

config wireguard_trustedwg
        option description 'Emily'\''s ThinkPad T450s'
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '192.168.251.206/32'
        list allowed_ips 'fd42:192:168:251::206/128'
        list allowed_ips '2404:e80:92da:251::206/128'
        list allowed_ips '192.168.251.0/24'
        list allowed_ips '192.168.241.0/24'
        list allowed_ips '192.168.242.0/24'
        list allowed_ips 'fd42:192:168:251::/64'
        list allowed_ips 'fd42:192:168:241::/64'
        list allowed_ips 'fd42:192:168:242::/64'
        list allowed_ips '2404:e80:92da:251::/64'
        list allowed_ips '2404:e80:92da:241::/64'
        list allowed_ips '2404:e80:92da:242::/64'

config wireguard_trustedwg
        option description 'Emily'\''s 2023 PC'
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '192.168.251.208/32'
        list allowed_ips 'fd42:192:168:251::208/128'
        list allowed_ips '2404:e80:92da:251::208/128'
        list allowed_ips '192.168.251.0/24'
        list allowed_ips '192.168.241.0/24'
        list allowed_ips '192.168.242.0/24'
        list allowed_ips 'fd42:192:168:251::/64'
        list allowed_ips 'fd42:192:168:241::/64'
        list allowed_ips 'fd42:192:168:242::/64'
        list allowed_ips '2404:e80:92da:251::/64'
        list allowed_ips '2404:e80:92da:241::/64'
        list allowed_ips '2404:e80:92da:242::/64'

config wireguard_trustedwg
        option description 'Emily'\''s 2019 PC'
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '192.168.251.210/32'
        list allowed_ips 'fd42:192:168:251::210/128'
        list allowed_ips '2404:e80:92da:251::210/128'
        list allowed_ips '192.168.251.0/24'
        list allowed_ips '192.168.241.0/24'
        list allowed_ips '192.168.242.0/24'
        list allowed_ips 'fd42:192:168:251::/64'
        list allowed_ips 'fd42:192:168:241::/64'
        list allowed_ips 'fd42:192:168:242::/64'
        list allowed_ips '2404:e80:92da:251::/64'
        list allowed_ips '2404:e80:92da:241::/64'
        list allowed_ips '2404:e80:92da:242::/64'

config interface 'iotnet'
        option proto 'static'
        option device 'eth2.30'
        list ipaddr '192.168.244.1/24'
        option ip6gw 'fe80::4262:31ff:fe0b:c99c'
        option delegate '0'
        list ip6addr 'fd42:192:168:244::1/64'
        option metric '34'
        list ip6class 'local'

/etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_rate '1000/s'
        option synflood_burst '1000'
        option drop_invalid '1'

config zone
        option name 'trustednet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'trustednet'
        list network 'trustedwg'

config zone
        option name 'servernet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'servernet'

config zone
        option name 'guestnet'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guestnet'

config zone
        option name 'iotnet'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'iotnet'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list network 'wan1v6'
        list network 'wan1v4'
        list network 'wan2v4'

config forwarding
        option src 'trustednet'
        option dest 'wan'

config rule
        option name 'Allow IoT network DNS input'
        option src 'iotnet'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option limit '100/second'

config rule
        option name 'Allow IoT network NTP input'
        option src 'iotnet'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'udp'
        option limit '100/second'

config rule
        option name 'Allow IoT network DHCP input'
        option src 'iotnet'
        option dest_port '67 68 546 547'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option limit '100/second'

config rule
        option name 'Allow IoT network ICMPv4 input'
        option src 'iotnet'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option limit '100/second'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'

config rule
        option name 'Allow IoT network ICMPv6 input'
        option src 'iotnet'
        option proto 'icmp'
        option limit '100/second'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow guest network DNS input'
        option src 'guestnet'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option limit '100/second'

config rule
        option name 'Allow guest network NTP input'
        option src 'guestnet'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'udp'
        option limit '100/second'

config rule
        option name 'Allow guest network DHCP input'
        option src 'guestnet'
        option dest_port '67 68 546 547'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option limit '100/second'

config rule
        option name 'Allow guest network ICMPv4 input'
        option src 'guestnet'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option limit '100/second'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'

config rule
        option name 'Allow guest network ICMPv6 input'
        option src 'guestnet'
        option proto 'icmp'
        option limit '100/second'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Drop server network HTTP input'
        option src 'servernet'
        option dest_port '80 443'
        option target 'DROP'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Drop server network SSH input'
        option src 'servernet'
        option dest_port '22'
        option target 'DROP'
        list proto 'tcp'

config rule
        option name 'Allow server network DNS input'
        option src 'servernet'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option limit '1000/second'
        option enabled '0'

config rule
        option name 'Allow server network NTP input'
        option src 'servernet'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'udp'
        option limit '100/second'
        option enabled '0'

config rule
        option name 'Allow server network DHCP input'
        option src 'servernet'
        option dest_port '67 68 546 547'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option limit '100/second'
        option enabled '0'

config rule
        option name 'Allow server network ICMPv4 input'
        option src 'servernet'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option limit '100/second'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        option enabled '0'

config rule
        option name 'Allow server network ICMPv6 input'
        option src 'servernet'
        option proto 'icmp'
        option limit '100/second'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option enabled '0'

config rule
        option name 'Allow trusted network AtF10 access'
        option src 'servernet'
        option dest 'trustednet'
        option src_port '26103 26104'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option enabled '0'

config rule
        option name 'Allow trusted network Samba access'
        option src 'servernet'
        option dest 'trustednet'
        option src_port '445'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option enabled '0'

config rule
        option name 'Allow BedrockConnect access (IPv6)'
        option family 'ipv6'
        option src 'wan'
        option dest 'servernet'
        option dest_port '19132'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list dest_ip '2404:e80:93aa:242::7f6'

config rule
        option src 'wan'
        option dest 'servernet'
        option name 'Allow ER access (IPv6)'
        option family 'ipv6'
        list proto 'tcp'
        option dest_port '26101'
        option target 'ACCEPT'
        list dest_ip '2404:e80:93aa:242::7f6'

config rule
        option src 'wan'
        option dest 'servernet'
        option name 'Allow ER access (IPv6)'
        option family 'ipv6'
        option dest_port '26102'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '2404:e80:93aa:242::7f6'

config rule
        option src 'wan'
        option dest 'servernet'
        option name 'Allow ER access (IPv6)'
        option family 'ipv6'
        option dest_port '26104'
        option target 'ACCEPT'
        list dest_ip '2404:e80:93aa:242::7f6'

config rule
        option name 'Allow AtF10 access (IPv6)'
        option family 'ipv6'
        option src 'wan'
        option dest 'servernet'
        option dest_port '26103'
        option target 'ACCEPT'
        list proto 'tcp'
        list dest_ip '2404:e80:93aa:242::7f6'

config rule
        option src '*'
        option dest 'servernet'
        option name 'Allow Sea Test access (IPv6)'
        option family 'ipv6'
        list proto 'tcp'
        option dest_port '26111'
        option target 'ACCEPT'
        list dest_ip 'fd42:192:168:242::7f6'
        list dest_ip '2404:e80:93aa:242::7f6'

config rule
        option name 'Allow WireGuard access (IPv4)'
        list proto 'udp'
        option src 'trustednet'
        option dest_port '26100'
        option target 'ACCEPT'

config rule
        option name 'Allow WireGuard access (IPv4)'
        list proto 'udp'
        option src 'wan'
        option dest_port '26100'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow ICMPv4 input'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option limit '100/second'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'

config rule
        option name 'Allow ICMPv6 input'
        option src 'wan'
        option proto 'icmp'
        option limit '100/second'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow ICMPv6 forwarding'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '1000/second'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow DHCPv4 input'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option limit '100/second'

config rule
        option name 'Allow DHCPv6 input'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option limit '100/second'

config rule
        option name 'Allow IGMP input'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option limit '100/second'

config rule
        option name 'Allow MLD input'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list src_ip 'fe80::/10'
        list icmp_type 'multicast-listener-query'
        list icmp_type 'multicast-listener-report'
        list icmp_type 'multicast-listener-done'
        option limit '100/second'

config rule
        option name 'Allow IPSec-ESP'
        list proto 'esp'
        option src 'wan'
        option dest 'guestnet'
        option target 'ACCEPT'

config rule
        option name 'Allow IPSec-ESP'
        option src 'wan'
        option dest 'trustednet'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow ISAKMP'
        list proto 'udp'
        option src 'wan'
        option dest 'guestnet'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option name 'Allow ISAKMP'
        option src 'wan'
        option dest 'trustednet'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'trustednet'
        option dest 'servernet'

config forwarding
        option src 'servernet'
        option dest 'wan'

config forwarding
        option src 'guestnet'
        option dest 'wan'

config redirect
        option dest 'servernet'
        option target 'DNAT'
        option name 'Allow BedrockConnect access (IPv4)'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        option src 'wan'
        option src_dport '19132'
        option dest_ip '192.168.242.2'
        option dest_port '19132'
        list reflection_zone 'guestnet'
        list reflection_zone 'trustednet'

config redirect
        option dest 'servernet'
        option target 'DNAT'
        option name 'Allow ER access (IPv4)'
        option family 'ipv4'
        option src 'wan'
        option src_dport '26101'
        option dest_ip '192.168.242.2'
        option dest_port '26101'
        list reflection_zone 'guestnet'
        list reflection_zone 'trustednet'
        list proto 'tcp'

config redirect
        option dest 'servernet'
        option target 'DNAT'
        option name 'Allow ER access (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '26102'
        option dest_ip '192.168.242.2'
        option dest_port '26102'
        list reflection_zone 'guestnet'
        list reflection_zone 'trustednet'

config redirect
        option dest 'servernet'
        option target 'DNAT'
        option name 'Allow ER access (IPv4)'
        option family 'ipv4'
        option src 'wan'
        option src_dport '26104'
        option dest_ip '192.168.242.2'
        option dest_port '26104'
        list reflection_zone 'guestnet'
        list reflection_zone 'trustednet'

config redirect
        option dest 'servernet'
        option target 'DNAT'
        option name 'Allow AtF10 access (IPv4)'
        option family 'ipv4'
        option src 'wan'
        option src_dport '26103'
        option dest_ip '192.168.242.2'
        option dest_port '26103'
        list reflection_zone 'guestnet'
        list reflection_zone 'trustednet'
        list proto 'tcp'

config include 'opennds'
        option type 'script'
        option path '/usr/lib/opennds/restart.sh'

config redirect
        option dest 'servernet'
        option target 'DNAT'
        option name 'Allow Sea Test access (IPv4)'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '26111'
        option dest_ip '192.168.242.2'
        option dest_port '26111'
        list reflection_zone 'guestnet'
        list reflection_zone 'trustednet'

config redirect
        option dest 'iotnet'
        option target 'DNAT'
        option name 'Default redirect outbound NTP traffic back to router (IPv6)'
        option family 'ipv6'
        list proto 'udp'
        option src 'iotnet'
        option src_ip '!fe80::4262:31ff:fe0b:c99c'
        option src_dport '123'
        option dest_ip 'fe80::4262:31ff:fe0b:c99c'
        option dest_port '123'
        option reflection '0'

config redirect
        option dest 'guestnet'
        option target 'DNAT'
        option name 'Default redirect outbound NTP traffic back to router (IPv6)'
        option family 'ipv6'
        list proto 'udp'
        option src 'guestnet'
        option src_ip '!fe80::4262:31ff:fe0b:c99c'
        option src_dport '123'
        option dest_ip 'fe80::4262:31ff:fe0b:c99c'
        option dest_port '123'
        option reflection '0'

config redirect
        option dest 'trustednet'
        option target 'DNAT'
        option name 'Default redirect outbound NTP traffic back to router (IPv6)'
        option family 'ipv6'
        list proto 'udp'
        option src 'trustednet'
        option src_ip '!fe80::4262:31ff:fe0b:c99c'
        option src_dport '123'
        option dest_ip 'fe80::4262:31ff:fe0b:c99c'
        option dest_port '123'
        option reflection '0'

config redirect
        option dest 'iotnet'
        option target 'DNAT'
        option name 'Default redirect outbound NTP traffic back to router (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'iotnet'
        option src_ip '!192.168.244.1'
        option src_dport '123'
        option dest_ip '192.168.244.1'
        option dest_port '123'
        option reflection '0'
        option src_dip '!192.168.244.1'

config redirect
        option dest 'guestnet'
        option target 'DNAT'
        option name 'Default redirect outbound NTP traffic back to router (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'guestnet'
        option src_ip '!192.168.243.1'
        option src_dport '123'
        option dest_ip '192.168.243.1'
        option dest_port '123'
        option reflection '0'
        option src_dip '!192.168.243.1'

config redirect
        option dest 'trustednet'
        option target 'DNAT'
        option name 'Default redirect outbound NTP traffic back to router (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'trustednet'
        option src_ip '!192.168.241.1'
        option src_dport '123'
        option dest_ip '192.168.241.1'
        option dest_port '123'
        option reflection '0'
        option src_dip '!192.168.241.1'

config redirect
        option dest 'iotnet'
        option target 'DNAT'
        option name 'Default redirect outbound DNS traffic back to router (IPv6)'
        option family 'ipv6'
        list proto 'udp'
        option src 'iotnet'
        option src_ip '!fe80::4262:31ff:fe0b:c99c'
        option src_dport '53'
        option dest_ip 'fe80::4262:31ff:fe0b:c99c'
        option dest_port '53'
        option reflection '0'

config redirect
        option dest 'guestnet'
        option target 'DNAT'
        option name 'Default redirect outbound DNS traffic back to router (IPv6)'
        option family 'ipv6'
        list proto 'udp'
        option src 'guestnet'
        option src_ip '!fe80::4262:31ff:fe0b:c99c'
        option src_dport '53'
        option dest_ip 'fe80::4262:31ff:fe0b:c99c'
        option dest_port '53'
        option reflection '0'

config redirect
        option dest 'trustednet'
        option target 'DNAT'
        option name 'Default redirect outbound DNS traffic back to router (IPv6)'
        option family 'ipv6'
        list proto 'udp'
        option src 'trustednet'
        option src_ip '!fe80::4262:31ff:fe0b:c99c'
        option src_dport '53'
        option dest_ip 'fe80::4262:31ff:fe0b:c99c'
        option dest_port '53'
        option reflection '0'

config redirect
        option dest 'iotnet'
        option target 'DNAT'
        option name 'Default redirect outbound DNS traffic back to router (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'iotnet'
        option src_ip '!192.168.244.1'
        option src_dport '53'
        option dest_ip '192.168.244.1'
        option dest_port '53'
        option reflection '0'
        option src_dip '!192.168.244.1'

config redirect
        option dest 'guestnet'
        option target 'DNAT'
        option name 'Default redirect outbound DNS traffic back to router (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'guestnet'
        option src_ip '!192.168.243.1'
        option src_dport '53'
        option dest_ip '192.168.243.1'
        option dest_port '53'
        option reflection '0'
        option src_dip '!192.168.243.1'

config redirect
        option dest 'trustednet'
        option target 'DNAT'
        option name 'Default redirect outbound DNS traffic back to router (IPv4)'
        option family 'ipv4'
        list proto 'udp'
        option src 'trustednet'
        option src_ip '!192.168.241.1'
        option src_dport '53'
        option dest_ip '192.168.241.1'
        option dest_port '53'
        option reflection '0'
        option src_dip '!192.168.241.1'

config forwarding
        option src 'trustednet'
        option dest 'iotnet'

config forwarding
        option src 'iotnet'
        option dest 'wan'

Sorry you're dealing with this! It does sound like a confusing and frustrating situation.

A couple questions have come to mind.

You mentioned a firewall on your server:

  1. Is it enabled for IPv6? (assuming yes, but want to make sure)
  2. Assuming it is enabled for IPv6, have you tried disabling the server firewall and testing?

Other thoughts:

  1. What, in terms of network devices, do you have between your OpenWrt box and the server?
  2. From your server, are you able to ping other IPv6 hosts without any loss? Internet hosts? LAN hosts?
  3. Your ISP is running DHCPv6-PD, yeah? If so, are your hosts getting SLAAC addressing?
  4. Have you tried pinging your server via IPv6 LL from another host on your 'servernet' segment? Any loss?
  5. What about pinging via the IPv6 ULA address?

Sorry for all the questions. Just trying to brainstorm this with you and those are thoughts popping into mind. Hopefully we can figure this out quickly!


Another debug tool comes to mind... Run ubus call network.interface dump and pick through the ipv6 sections, esp. ipv6-prefix, see if anything jumps out.

Did you verify all network settings after the reinstall of Debian?

Like, if forwarding is enabled, then RAs are ignored by default. Also, you don't have Docker installed or other fancy tools which might mess with your firewall?
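The forwarding/RA interaction mentioned above can be checked directly from the kernel's sysctl tree. This is an added example, not something posted in the thread; the interface name you pass is an assumption, and the paths are the standard Linux net.ipv6.conf.<if>.* ones. The kernel semantics are: accept_ra=0 never accepts RAs, accept_ra=1 accepts them only while forwarding is off, accept_ra=2 accepts them even with forwarding on.

```shell
#!/bin/sh
# Added example: decide whether an interface will honour Router Advertisements
# from its forwarding and accept_ra sysctl values (pure function, no I/O).
ra_policy() {
    fwd="$1"; ra="$2"
    case "$ra" in
        0) echo "ignored (accept_ra=0)" ;;
        1) if [ "$fwd" = "1" ]; then
               echo "ignored (accept_ra=1 but forwarding=1)"
           else
               echo "accepted"
           fi ;;
        2) echo "accepted (accept_ra=2 overrides forwarding)" ;;
        *) echo "unknown accept_ra value: $ra"; return 1 ;;
    esac
}

# Read the live values for one interface (needs Linux with IPv6 enabled).
# The interface name is supplied by the caller; /proc/sys/net/ipv6/conf is
# the standard location of these per-interface knobs.
check_iface() {
    dev="$1"
    base="/proc/sys/net/ipv6/conf/$dev"
    if [ ! -d "$base" ]; then
        echo "no IPv6 sysctl tree for $dev" >&2
        return 1
    fi
    fwd=$(cat "$base/forwarding")
    ra=$(cat "$base/accept_ra")
    printf '%s: forwarding=%s accept_ra=%s -> RAs %s\n' \
        "$dev" "$fwd" "$ra" "$(ra_policy "$fwd" "$ra")"
}

# Usage: sh check_ra.sh enp2s0 [more interfaces...]
if [ "$#" -gt 0 ]; then
    for dev in "$@"; do
        check_iface "$dev"
    done
fi
```

A host that routes between VLANs (or runs Docker, which turns on forwarding) with accept_ra=1 will silently stop learning its default route from RAs, which is one reason a hand-written static gateway can appear to "fix" things.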

Debian still seems to use iptables. Yesterday I tried completely disabling that, along with my firewall frontend of choice (ufw). And that didn't seem to help.

And yeah, my server was, originally, receiving addresses from what appeared to be SLAAC, as well as DHCPv6. I think IPv6 privacy extensions may have still been enabled around then, too, but not 100% sure on that now.

And until yesterday, the only thing between my server was a 16-port, 1GBaseT network switch (TP-Link TL-SG116E). That switch is my aggregate/core switch for the house. As a troubleshooting measure, I also tried moving my server VLAN from eth2.10 on the main LAN interface, to a spare, GigE network port on the router eth3. That didn't fix the issue, either.

From my server, I could ping hosts out onto the Internet. And the router was pingable, too, including on its own ULA address. I never got around to testing fe80:: link-local addresses in-depth though, mainly because my server is in its own VLAN, with its own multicast and broadcast domains and the like. And at present, the only devices in that VLAN are the router, and the server itself (future expansion pending).

And yes, my ISP provides IPv6 using DHCPv6-PD. They give me a /48, which is a lot more than what I see some other people receiving from other ISPs. Granted, my ISP is also more business-focused than other comparable ISPs, and that is likely a factor in their subnet size choice for customers.

When I was trying to ping the server, I tested that using both my ULA (fd42:192:168::/48) block, as well as my public IPv6 block. And both had the same issues in terms of reachability.

One thread that's come back up in my memory has been this one of someone with bizarre DNS issues on a Debian host on their network. I've actually experienced similar to this before. Partly in my case, my past issue there was due to something in Ubuntu Server's networking stack being completely and absolutely broken and buggy beyond belief *cough* systemd-resolved *cough*; plus I had a separate entire issue of IPv6 DNS queries not being answered by my router, for whatever reason (I could never figure this one out, so ended up unticking the local DNS server settings in my IPv6 config for all my VLANs).

On my old Debian 11 install, I was using /etc/network/interfaces to set static leases, instead of on the router side (ideally). I think I ultimately stuck with that configuration at the time, because there was conflicting info on how to disable stuff like SLAAC (as at the time I wanted only one public IPv6 address, and one private one (not counting link-local addresses)).

When I was still running Ubuntu Server, I didn't get things working to a satisfactory state until I set up the netplan package. From there, I specified a config like this:

network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp2s0:
      dhcp4: false
      dhcp6: false
      accept-ra: false
      addresses:
        - 192.168.242.2/24
        - fd42:192:168:242::7f6/64
        - 2404:e80:93aa:242::7f6/64
      routes:
        - to: default
          via: 192.168.242.1
        - to: default
          via: fe80::4262:31ff:fe0b:c99c
      nameservers:
          search: [1ws.au.meer]
          addresses: [192.168.242.1]

And once that was done, everything seemed to work great. Sadly, I don't believe I have my old /etc/network/interfaces from my old Debian install, but it looked similar to this configuration:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet dhcp
iface enp2s0 inet6 dhcp

# iface enp2s0 inet static
#         address 192.168.242.2/24
#         netmask 24
#         gateway 192.168.242.1
#         dns-nameservers 192.168.242.1

# iface enp2s0 inet6 static
#         address fd42:192:168:242::7f6
#         netmask 64
#         gateway fe80::4262:31ff:fe0b:c99c
#         autoconf 0
#         accept_ra 0

# iface enp2s0 inet6 static
#         address 2404:e80:93aa:242::7f6
#         netmask 64
#         gateway fe80::4262:31ff:fe0b:c99c
#         autoconf 0
#         accept_ra 0

The commented lines for each subnet at the bottom were very similar, if not almost identical, to how I had it set up on my old Debian 11 install. So double-checking everything, and testing and all, you'd think I'd be all up and running. But no. That config wasn't helping me at all. Ultimately, in the end, what fixed my issue was commenting all of those static address lines out, and then specifying DHCPv4 and DHCPv6 for the network interface. I only really did that just as a test, but when it worked, I was extremely shocked.

At this point, I can't tell if something relating to IPv6 is just plain broken by default in some Linux distros (like the whole systemd-resolved mess I mentioned above), or if I'm completely missing something? Either way, even though everything seems to be working now, the fact that I don't know what or why things were so broken before is still bothering me to some extent...

Ninja edit: I'm also perplexed because, as part of my troubleshooting, I also tried my old netplan configuration under my new Debian install, and that completely fell flat too, even though it worked great under Ubuntu?