Help me fix my firewall setup to use HE tunnelbroker (and deepen my linux network knowledge)

Hello everyone!

I'm currently in the process of setting up OpenWrt to use the Hurricane Electric tunnelbroker. I had a working setup some years ago, but I cannot get to work again.

I followed all the common installation and troubleshooting guides but no luck so far.
Here's what I tried:

• reboots, etc.
• decreasing MTU
• removing packages and installing everything again
• checking route tables and adding default route
• creating different firewall zones and checking if something there helps

What works:

• Hurricane Electric delegates IPv6 subnets, that are then delegated to the subnets
• router and devices have an ipv6 address
• in luci I can see that the device transmits packets but is not receiving any

I suspect something odd happened with the firewall (I installed and tested tailscale a while ago which required installing some iptables compatibility packages that might have messed with it) but honestly I don't know how to pinpoint the problem further.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

• Also have you installed 6in4 package (and luci-proto-ipv6 if you use the web GUI)?

Thanks a lot for the quick response!

Yes both packages are installed, I did the setup only via the GUI. It worked immediately when I tried it the first time around two years ago.

ubus call system board results in:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

Output of cat /etc/config/network (where i removed the wireguard interfaces, I don't think these should be relevant)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:bf4f:d2a0::/48'
	option packet_steering '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.144.144.1'
	option ip6assign '64'

config device
	option name 'wan'
	option macaddr '26:f5:a2:c4:2f:40'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option norelease '1'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'smarthome'
	option proto 'static'
	option ipaddr '10.155.155.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ip6assign '64'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config device
	option type 'veth'
	option name 'testVirt'
	option macaddr '5C:3C:60:38:3F:1A'
	option mtu '1500'
	option txqueuelen '1000'

config interface 'henet'
	option proto '6in4'
	option peeraddr '216.66.86.114'
	option ip6addr '2001:470:6c:bd3::2/64'
	option tunnelid '...'
	option username '...'
	option password '...'
	option auto '0'
	option mtu '1280'
	list ip6prefix '...'
	list ip6prefix '...'

Output of cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option limit '10/second'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820-51822'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0'

config rule
	option name 'Allow ICMP forward'
	list proto 'icmp'
	list icmp_type 'fragmentation-needed'
	list icmp_type 'packet-too-big'
	option dest 'lan'
	option target 'ACCEPT'
	option limit '10/second'

config rule
	option name 'Allow Tailscale'
	list proto 'udp'
	option src 'wan'
	option dest_port '41641'
	option target 'ACCEPT'

config forwarding
	option dest 'lan'

config forwarding
	option src 'lan'

config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list device 'tailscale0'
	option masq '1'
	list network 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

config zone
	option name 'smarthome'
	option output 'ACCEPT'
	list device 'wlan1-1'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	list network 'smarthome'

config forwarding
	option src 'lan'
	option dest 'smarthome'

config forwarding
	option src 'smarthome'
	option dest 'wan'

config rule
	option name 'Allow DHCP Renew'
	list proto 'udp'
	option src 'smarthome'
	option src_port '68'
	option target 'ACCEPT'

config rule
	option name 'Allow DNS'
	option src 'smarthome'
	option src_port '53'
	option target 'ACCEPT'
	option limit '10/second'
	option limit_burst '50'

config rule
	list proto 'icmp'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	option src 'smarthome'
	option target 'ACCEPT'
	option limit '10/second'
	option name 'Allow Ping'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'wg0'
	option dest 'wan'

config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config zone
	option name 'henet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'henet'

config forwarding
	option src 'henet'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'henet'

config forwarding
	option src 'wan'
	option dest 'henet'

Forwarding works from zone to zone. You should put the 'henet' interface in the 'wan' zone, then check all the forwardings.

Updated, still not working

To me, the forwardings should be fine? But i only have basic understanding how its supposed to work.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	list network 'henet'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option limit '10/second'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820-51822'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0'

config rule
	option name 'Allow ICMP forward'
	list proto 'icmp'
	list icmp_type 'fragmentation-needed'
	list icmp_type 'packet-too-big'
	option dest 'lan'
	option target 'ACCEPT'
	option limit '10/second'

config forwarding
	option dest 'lan'

config forwarding
	option src 'lan'

config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list device 'tailscale0'
	option masq '1'
	list network 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

config zone
	option name 'smarthome'
	option output 'ACCEPT'
	list device 'wlan1-1'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	list network 'smarthome'

config forwarding
	option src 'lan'
	option dest 'smarthome'

config forwarding
	option src 'smarthome'
	option dest 'wan'

config rule
	option name 'Allow DHCP Renew'
	list proto 'udp'
	option src 'smarthome'
	option src_port '68'
	option target 'ACCEPT'

config rule
	option name 'Allow DNS'
	option src 'smarthome'
	option src_port '53'
	option target 'ACCEPT'
	option limit '10/second'
	option limit_burst '50'

config rule
	list proto 'icmp'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	option src 'smarthome'
	option target 'ACCEPT'
	option limit '10/second'
	option name 'Allow Ping'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'wg0'
	option dest 'wan'

Have you tried with wireguard / tailscale disabled / removed? That WAN6 interface, is active?

Your router's wan interface has to have a non-NAT public WAN IPv4, and he.net needs to know in advance what that IP is-- either by registering it statically on their site or using their DDNS.

Since the v6 addresses and prefixes are configured statically in your router, the fact that they distribute to LANs does not mean anything about whether the tunnel is working.

@eduperez has a good point, since this is for when your ISP does not support IPv6, you should disable / remove the wan6 interface.

Tailscale is removed and not running (even though I think its part of the Openwrt image now, because it was running when I did the attended-sysupgrade)

The router has a public, static (1) ipv4, that is reachable. My ISP doesn't support ipv6, so the wan6 interface is not used (but I guess from openwrt perspective it's active?)
Anyway, I deleted it, but it didn't help.

Maybe my best bet is to do a reset?

(1) its not guaranteed to be static by my ISP, but it hasnt changed in months

One new situation has developed (not sure how)

When I enable the tunnel, openwrt now defaults to ipv6 and cannot connect anymore (because the tunnel is not working)
When Ipv4 is enforced, it still works. Connected clients seem to do fine and continue using ipv4

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

output:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip6tables-save -c; nft list ruleset; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/reso
lv.*/*
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:bf4f:d2a0::/48'
	option packet_steering '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.144.144.1'
	option ip6assign '64'

config device
	option name 'wan'
	option macaddr '****'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '***'
	option listen_port '51820'
	list addresses '100.64.0.0/24'
	list addresses 'fe80:abcd:cafe::1/64'

config wireguard_wg0
	option preshared_key '***'
	option description 'mbp'
	option public_key '***'
	option private_key '***'
	list allowed_ips '100.64.0.80/32'
	list allowed_ips '10.144.144.0/24'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

.... more entries for wg0

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'smarthome'
	option proto 'static'
	option ipaddr '10.155.155.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ip6assign '64'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'henet'
	option proto '6in4'
	option peeraddr '<HENET-PEER-IP>'
	option ip6addr '<HENET-IP6>'
	option tunnelid '***'
	option username '***'
	option password '***'
	option auto '0'
	option mtu '1480'
	list ip6prefix '<HENET-IP6-PREFIX>::/64'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option country 'AT'
	option htmode 'VHT40'
	option channel '36'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'AT'
	option channel 'auto'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'
	option channel 'auto'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr 'AA:AA:AA:AA:AA:AA'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '***'
	option network 'lan'
	option key '***'
	option encryption 'psk2'
	option macaddr 'AA:AA:AA:AA:AA:AA'
	option wds '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid '***'
	option key '***'
	option network 'lan'
	option encryption 'psk2'
	option wds '1'
	option disabled '1'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk-mixed'
	option wmm '0'
	option key '***'
	option ssid '***'
	option network 'smarthome'

config wifi-iface 'guest'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'none'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id 'homenet-mesh'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option key '***'
	option network 'lan'
	option disabled '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/homenet.xyz/'
	option domain 'homenet.xyz'
	option cachesize '1000'
	option min_cache_ttl '300'
	option confdir '/tmp/dnsmasq.d'
	list server '9.9.9.9'
	list server '149.112.112.112'
	list server '2620:fe::fe'
	list server '2620:fe::9'
	option port '53'
	list notinterface 'HE'
	list notinterface 'wan'
	list notinterface 'wan6'
	option logdhcp '1'
	option enable_tftp '1'
	option tftp_root '/mnt/tftpboot'
	list interface 'lan'
	list interface 'smarthome'
	list interface 'tailscale'
	list interface 'wg0'
	list interface 'wg6'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '200'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,10.144.144.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config ipset
	list name '100.64.0.0/24'
	list domain 'wg0.homenet.xyz'
	option table_family 'inet'

config ipset
	list name '10.144.144.0/24'
	list domain 'homenet.xyz'
	option table_family 'inet'

config host
	option dns '1'
	option mac 'AA:AA:AA:AA:AA:AA'
	option ip '10.144.144.4'
	option leasetime '24h'
	option name 'NAS01'
	option duid '000300010011326bdf19'
	option hostid '4'

config host
	option name 'BKTimeCapsule'
	option dns '1'
	option mac 'AA:AA:AA:AA:AA:AA'
	option ip '10.144.144.5'
	option leasetime '24h'
	option hostid '5'

config boot
	option servername 'nas01.homenet.xyz'
	option filename 'pxelinux.0'
	option serveraddress '10.144.144.4'
	option networkid 'br-lan'
	list dhcp_option 'option:root-path,10.144.144.4:/volume1/tftpboot'

config dhcp 'smarthome'
	option interface 'smarthome'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'OpenWrtExtender'
	option ip '10.144.144.2'
	option leasetime '24h'
	option duid '00030001e89f80ad340f'
	option hostid '02'
	list mac 'AA:AA:AA:AA:AA:AA'
	option dns '1'

config host
	option ip '10.144.144.8'
	option name 'ben-desktop'
	list mac 'AA:AA:AA:AA:AA:AA'

package firewall

config defaults
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'henet'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option limit '10/second'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820-51822'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0'

config rule
	option name 'Allow ICMP forward'
	list proto 'icmp'
	list icmp_type 'fragmentation-needed'
	list icmp_type 'packet-too-big'
	option dest 'lan'
	option target 'ACCEPT'
	option limit '10/second'

config forwarding
	option dest 'lan'

config forwarding
	option src 'lan'

config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list device 'tailscale0'
	option masq '1'
	list network 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

config zone
	option name 'smarthome'
	option output 'ACCEPT'
	list device 'wlan1-1'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	list network 'smarthome'

config forwarding
	option src 'lan'
	option dest 'smarthome'

config forwarding
	option src 'smarthome'
	option dest 'wan'

config rule
	option name 'Allow DHCP Renew'
	list proto 'udp'
	option src 'smarthome'
	option src_port '68'
	option target 'ACCEPT'

config rule
	option name 'Allow DNS'
	option src 'smarthome'
	option src_port '53'
	option target 'ACCEPT'
	option limit '10/second'
	option limit_burst '50'

config rule
	list proto 'icmp'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	option src 'smarthome'
	option target 'ACCEPT'
	option limit '10/second'
	option name 'Allow Ping'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'wg0'
	option dest 'wan'

config rule
	option src 'wan'
	option name 'Allow 6in4'
	list proto 'ipv6'
	option target 'ACCEPT'
	option family 'ipv4'
	option direction 'in'
	option device 'wan'
	option enabled '0'

head: /etc/firewall.user: No such file or directory
-ash: ip6tables-save: not found
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "wg0" jump input_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 input traffic"
		iifname "tailscale0" jump input_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 input traffic"
		iifname { "wlan1-1", "br-guest" } jump input_smarthome comment "!fw4: Handle smarthome IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "wg0" jump forward_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 forward traffic"
		iifname "tailscale0" jump forward_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 forward traffic"
		iifname { "wlan1-1", "br-guest" } jump forward_smarthome comment "!fw4: Handle smarthome IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "wg0" jump output_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 output traffic"
		oifname "tailscale0" jump output_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 output traffic"
		oifname { "wlan1-1", "br-guest" } jump output_smarthome comment "!fw4: Handle smarthome IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname "wg0" jump helper_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 helper assignment"
		iifname { "wlan1-1", "br-guest" } jump helper_smarthome comment "!fw4: Handle smarthome IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		udp dport 5353 counter packets 4409 bytes 1393238 accept comment "!fw4: ubus:umdns[instance1] rule 0"
		jump accept_from_lan
	}

	chain output_lan {
		icmp type . icmp code { destination-unreachable . 4 } limit rate 10/second burst 5 packets counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow ICMP forward"
		icmpv6 type . icmpv6 code { packet-too-big . 0 } limit rate 10/second burst 5 packets counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow ICMP forward"
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_wg0 comment "!fw4: Accept lan to wg0 forwarding"
		jump accept_to_tailscale comment "!fw4: Accept lan to tailscale forwarding"
		jump accept_to_smarthome comment "!fw4: Accept lan to smarthome forwarding"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 5004 bytes 489077 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 3147 bytes 413754 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 182 bytes 62680 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request limit rate 10/second burst 5 packets counter packets 348 bytes 28656 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 35 bytes 1960 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, nd-neighbor-solicit . 0, nd-neighbor-advert . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 1143 bytes 82296 accept comment "!fw4: Allow-ICMPv6-Input"
		udp dport 51820-51822 counter packets 2 bytes 352 accept comment "!fw4: Allow Wireguard"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname "wan" ct state invalid counter packets 75 bytes 3798 drop comment "!fw4: Prevent NAT leakage"
		oifname "wan" counter packets 10070 bytes 3532306 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname "wan" counter packets 844 bytes 47449 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_wg0 {
		jump accept_from_wg0
	}

	chain output_wg0 {
		jump accept_to_wg0
	}

	chain forward_wg0 {
		jump accept_to_lan comment "!fw4: Accept wg0 to lan forwarding"
		jump accept_to_wan comment "!fw4: Accept wg0 to wan forwarding"
		jump accept_to_wg0
	}

	chain helper_wg0 {
	}

	chain accept_from_wg0 {
		iifname "wg0" counter packets 18 bytes 1178 accept comment "!fw4: accept wg0 IPv4/IPv6 traffic"
	}

	chain accept_to_wg0 {
		oifname "wg0" counter packets 0 bytes 0 accept comment "!fw4: accept wg0 IPv4/IPv6 traffic"
	}

	chain input_tailscale {
		jump accept_from_tailscale
	}

	chain output_tailscale {
		jump accept_to_tailscale
	}

	chain forward_tailscale {
		jump accept_to_lan comment "!fw4: Accept tailscale to lan forwarding"
		jump accept_to_wan comment "!fw4: Accept tailscale to wan forwarding"
		jump accept_to_tailscale
	}

	chain accept_from_tailscale {
		iifname "tailscale0" counter packets 0 bytes 0 accept comment "!fw4: accept tailscale IPv4/IPv6 traffic"
	}

	chain accept_to_tailscale {
		meta nfproto ipv4 oifname "tailscale0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
		oifname "tailscale0" counter packets 0 bytes 0 accept comment "!fw4: accept tailscale IPv4/IPv6 traffic"
	}

	chain input_smarthome {
		udp sport 68 counter packets 4 bytes 1380 accept comment "!fw4: Allow DHCP Renew"
		tcp sport 53 limit rate 10/second burst 50 packets counter packets 0 bytes 0 accept comment "!fw4: Allow DNS"
		udp sport 53 limit rate 10/second burst 50 packets counter packets 0 bytes 0 accept comment "!fw4: Allow DNS"
		icmp type { echo-reply, echo-request } limit rate 10/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow Ping"
		icmpv6 type { echo-request, echo-reply } limit rate 10/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow Ping"
		jump accept_from_smarthome
	}

	chain output_smarthome {
		jump accept_to_smarthome
	}

	chain forward_smarthome {
		jump accept_to_wan comment "!fw4: Accept smarthome to wan forwarding"
		jump accept_to_smarthome
	}

	chain helper_smarthome {
	}

	chain accept_from_smarthome {
		iifname { "wlan1-1", "br-guest" } counter packets 4 bytes 254 accept comment "!fw4: accept smarthome IPv4/IPv6 traffic"
	}

	chain accept_to_smarthome {
		oifname { "wlan1-1", "br-guest" } counter packets 2 bytes 656 accept comment "!fw4: accept smarthome IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "tailscale0" jump srcnat_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_tailscale {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 tailscale traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "tailscale0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone tailscale IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "tailscale0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone tailscale IPv4/IPv6 ingress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet <WAN-IP>/24 brd <WAN-PREFIX>.255 scope global wan
       valid_lft forever preferred_lft forever
20: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.144.144.1/24 brd 10.144.144.255 scope global br-lan
       valid_lft forever preferred_lft forever
21: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.155.155.1/24 brd 10.155.155.255 scope global br-guest
       valid_lft forever preferred_lft forever
22: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 100.64.0.0/24 brd 100.64.0.255 scope global wg0
       valid_lft forever preferred_lft forever
default via <WAN-PREFIX>.1 dev wan proto static src <WAN-IP>
10.144.144.0/24 dev br-lan proto kernel scope link src 10.144.144.1
10.155.155.0/24 dev br-guest proto kernel scope link src 10.155.155.1
<WAN-PREFIX>.0/24 dev wan proto kernel scope link src <WAN-IP>
100.64.0.0/24 dev wg0 proto kernel scope link src 100.64.0.0
<HENET-PEER-IP> via <WAN-PREFIX>.1 dev wan proto static
local 10.144.144.1 dev br-lan table local proto kernel scope host src 10.144.144.1
broadcast 10.144.144.255 dev br-lan table local proto kernel scope link src 10.144.144.1
local 10.155.155.1 dev br-guest table local proto kernel scope host src 10.155.155.1
broadcast 10.155.155.255 dev br-guest table local proto kernel scope link src 10.155.155.1
local <WAN-IP> dev wan table local proto kernel scope host src <WAN-IP>
broadcast <WAN-PREFIX>.255 dev wan table local proto kernel scope link src <WAN-IP>
local 100.64.0.0 dev wg0 table local proto kernel scope host src 100.64.0.0
broadcast 100.64.0.255 dev wg0 table local proto kernel scope link src 100.64.0.0
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 state UP qlen 1024
    inet6 fe80::26f5:a2ff:fec4:2f40/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::24f5:a2ff:fec4:2f40/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
20: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 <HENET-IP6-PREFIX>::1/64 scope global deprecated dynamic
       valid_lft 196sec preferred_lft 0sec
    inet6 fd7b:bf4f:d2a0::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fec4:2f40/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
21: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd7b:bf4f:d2a0:1::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fec4:2f41/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
22: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fe80:abcd:cafe::1/64 scope link
       valid_lft forever preferred_lft forever
<HENET-IP6-PREFIX>::/64 dev br-lan proto kernel metric 256 expires 195sec pref medium
fd7b:bf4f:d2a0::/64 dev br-lan proto static metric 1024 pref medium
fd7b:bf4f:d2a0:1::/64 dev br-guest proto static metric 1024 pref medium
unreachable fd7b:bf4f:d2a0::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80:abcd:cafe::/64 dev wg0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast <HENET-IP6-PREFIX>:: dev br-lan table local proto kernel metric 0 pref medium
local <HENET-IP6-PREFIX>::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd7b:bf4f:d2a0:: dev br-lan table local proto kernel metric 0 pref medium
local fd7b:bf4f:d2a0::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd7b:bf4f:d2a0:1:: dev br-guest table local proto kernel metric 0 pref medium
local fd7b:bf4f:d2a0:1::1 dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
local fe80::24f5:a2ff:fec4:2f40 dev wan table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2f40 dev eth0 table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2f40 dev br-lan table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2f41 dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:abcd:cafe:: dev wg0 table local proto kernel metric 0 pref medium
local fe80:abcd:cafe::1 dev wg0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-guest table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
0:	from all lookup local
32766:	from all lookup main
lrwxrwxrwx    1 root     root            16 Feb  4 00:09 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            55 Jun  6 18:54 /tmp/resolv.conf
-rw-r--r--    1 root     root            16 Jun  6 18:53 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            16 Jun  6 18:53 resolv.conf.auto
==> /etc/resolv.conf <==
search homenet.xyz
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search homenet.xyz
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan

@benk

• Have you verified on TunnelBroker dot NET that your WAN IP matches the one listed for your tunnel?
• For dynamic setting of the tunnel, make sure ping is allowed to this address (if you wish to further firewall, HE provides the SRC address of the pings in their documentation)

The tunnelbroker settings are definitely correct. WAN IP matches and is publicly available, I also tried deleting and recreating the tunnel, and doing the setup via the openwrt script that is provided from he.

Dynamic settings should also be correct (but if they dont work I wouldnt mind, because my ip is mostly static anyway)

Does IPv6 work on the router? Can you "ping -6 www.google.com", for example?

No, not working neither on the router nor on any host.

What does "not working" mean, exactly.

Its timeout errors, DNS resolution works and it seems like it is sending packets but I never receive responses.
The TX counter of the he-net interface increase though.

I also tried to add a nftables trace to see the traffic to the ipv6 address from google that I was pinging but no traffic was traced/shown with nft monitor trace

(I set it as nft add rule inet fw4 trace_chain ip6 daddr <GOOGLE-IP-6> meta nftrace set 1, maybe that was incorrect)

When you ping a v6 address do you see that produces encapsulated v4 packets leaving your WAN toward henet?

I tried it yesterday and recorded packets on the WAN interface which have the Tunnelbroker IPv4 address set as destination and those were properly encapsulated (from what i can tell).

I then tried the same to see if I have any incoming traffic where the tunnelbroker ipv4 address is set as source address, but found nothing. Is it possible that the firewall discards these packets before the appear in tcpdump.
I'm also starting to wonder, if my ISP started blocking non TCP/UDP traffic since I tried it last time.

The command i used was:
tcpdump -i wan dst|src <tunnel-broker-ip>

Just use:

tcpdump -i wan host <tunnel-broker-ip>