How to correctly configure a guest VLAN so IPv6 works

Hi, I have OpenWrt 23.05.2. I have successfully (I think) configured it so that I have working IPv6 on the LAN interface.

I have introduced a guest VLAN (2) and am a bit confused about which firewall configuration needs changing so that IPv6 works from that VLAN.

With zones, IPv6 doesn't work if the guest zone is set to reject/accept/reject (input/output/forward) as documented: I do get a delegated address, but I am not able to use IPv6 on the internet. If I set the zone to accept/accept/reject, then I do get working IPv6 on the internet.

Is my configuration safe and correct, or is there something that needs changing?

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan2' 'lan3' 'lan4' 'lan5'
network.@device[1]=device
network.@device[1].name='lan2'
network.@device[1].macaddr='dc:hidden:b2'
network.@device[2]=device
network.@device[2].name='lan3'
network.@device[2].macaddr='dc:hidden:b2'
network.@device[3]=device
network.@device[3].name='lan4'
network.@device[3].macaddr='dc:hidden:b2'
network.@device[4]=device
network.@device[4].name='lan5'
network.@device[4].macaddr='dc:hidden:b2'
network.lan=interface
network.lan.device='br-lan.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.lan.ip6hint='1'
network.lan.ip6ifaceid='::1'
network.lan.delegate='0'
network.@device[5]=device
network.@device[5].name='wan'
network.@device[5].macaddr='hidden'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.3' '1.0.0.3'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2606:4700:4700::1113' '2606:4700:4700::1003'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].vlan='1'
network.@bridge-vlan[0].ports='lan2:u*' 'lan3:u*' 'lan4:u*' 'lan5:u*'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='2'
network.@bridge-vlan[1].ports='lan2:t' 'lan3:t' 'lan4:t' 'lan5:t'
network.@device[6]=device
network.@device[6].type='8021q'
network.@device[6].ifname='br-lan'
network.@device[6].vid='2'
network.@device[6].name='br-lan.2'
network.@device[7]=device
network.@device[7].type='8021q'
network.@device[7].ifname='br-lan'
network.@device[7].vid='1'
network.@device[7].name='br-lan.1'
network.guest=interface
network.guest.proto='static'
network.guest.device='br-lan.2'
network.guest.ipaddr='192.168.2.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6assign='64'
network.guest.ip6hint='2'
network.guest.ip6ifaceid='::1'
network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.private_key='hidden'
network.vpn.listen_port='51820'
network.vpn.addresses='192.168.5.1/24'
network.vpn.delegate='0'
network.vpn.ip6assign='64'
network.vpn.ip6hint='5'
network.vpn.ip6ifaceid='::1'
network.@wireguard_vpn[0]=wireguard_vpn
network.@wireguard_vpn[0].description='mobile'
network.@wireguard_vpn[0].public_key='hidden'
network.@wireguard_vpn[0].private_key='hidden'
network.@wireguard_vpn[0].persistent_keepalive='25'
network.@wireguard_vpn[0].allowed_ips='2a0e:hidden::5/128' '192.168.5.5/32'

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'vpn'
firewall.@zone[1]=zone
firewall.@zone[1].name='guest'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='guest'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].network='wan' 'wan6'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Caddy https'
firewall.@redirect[0].family='ipv4'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].dest_ip='192.168.1.10'
firewall.@redirect[0].dest_port='443'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Wireguard'
firewall.@rule[9].proto='udp'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-DNS-Guest'
firewall.@rule[10].proto='udp'
firewall.@rule[10].src='guest'
firewall.@rule[10].dest_port='53'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-DHCP-Guest'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src='guest'
firewall.@rule[11].src_port='68'
firewall.@rule[11].dest_port='67'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-Caddyv6-443'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].dest_ip='::1:0:0:0:10/::f:ffff:ffff:ffff:ffff'
firewall.@rule[12].dest_port='443'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='wan'
firewall.@rule[12].dest='lan'

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/home.arpa/'
dhcp.@dnsmasq[0].domain='home.arpa'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].sequential_ip='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='1.1.1.3' '1.0.0.3'
dhcp.@dnsmasq[0].doh_server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='100'
dhcp.lan.leasetime='1d'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.ra_useleasetime='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='100'
dhcp.guest.limit='25'
dhcp.guest.leasetime='12h'
dhcp.guest.ra='server'
dhcp.guest.ra_flags='managed-config' 'other-config'
dhcp.guest.dhcpv6='server'
dhcp.guest.ra_useleasetime='1'

I solved it by reading the documentation more carefully.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/extras

Specifically:

Allow incoming ICMP and ICMPv6 traffic. Change the rule IDs if necessary. The goal here is to alter the default OpenWRT firewall rules that allow specific ICMP and ICMPv6 types from WAN so that they instead allow them from all source zones. The rules are originally called "Allow-Ping" and "Allow-ICMPv6-Input".
