Hi, I have OpenWrt 23.05.2. I have successfully (i think) configured it so I have working ipv6 on Lan interface.
I have introduced a guest vlan (2) and am a bit confused what config needs changing for the firewall so that IPv6 works from the vlan.
With Zones IPv6 doesnt work if the guest zone is set to reject/accept/reject as documented, I do get delegated address but not able to use IPv6 on the internet. If I set the zone to accept/accept/reject then I do get working IPv6 on the internet
Is my configuration safe and correct or is there something that needs changing.
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan2' 'lan3' 'lan4' 'lan5'
network.@device[1]=device
network.@device[1].name='lan2'
network.@device[1].macaddr='dc:hidden:b2'
network.@device[2]=device
network.@device[2].name='lan3'
network.@device[2].macaddr='dc:hidden:b2'
network.@device[3]=device
network.@device[3].name='lan4'
network.@device[3].macaddr='dc:hidden:b2'
network.@device[4]=device
network.@device[4].name='lan5'
network.@device[4].macaddr='dc:hidden:b2'
network.lan=interface
network.lan.device='br-lan.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.lan.ip6hint='1'
network.lan.ip6ifaceid='::1'
network.lan.delegate='0'
network.@device[5]=device
network.@device[5].name='wan'
network.@device[5].macaddr='hidden'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.3' '1.0.0.3'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2606:4700:4700::1113' '2606:4700:4700::1003'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].vlan='1'
network.@bridge-vlan[0].ports='lan2:u*' 'lan3:u*' 'lan4:u*' 'lan5:u*'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='2'
network.@bridge-vlan[1].ports='lan2:t' 'lan3:t' 'lan4:t' 'lan5:t'
network.@device[6]=device
network.@device[6].type='8021q'
network.@device[6].ifname='br-lan'
network.@device[6].vid='2'
network.@device[6].name='br-lan.2'
network.@device[7]=device
network.@device[7].type='8021q'
network.@device[7].ifname='br-lan'
network.@device[7].vid='1'
network.@device[7].name='br-lan.1'
network.guest=interface
network.guest.proto='static'
network.guest.device='br-lan.2'
network.guest.ipaddr='192.168.2.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6assign='64'
network.guest.ip6hint='2'
network.guest.ip6ifaceid='::1'
network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.private_key='hidden'
network.vpn.listen_port='51820'
network.vpn.addresses='192.168.5.1/24'
network.vpn.delegate='0'
network.vpn.ip6assign='64'
network.vpn.ip6hint='5'
network.vpn.ip6ifaceid='::1'
network.@wireguard_vpn[0]=wireguard_vpn
network.@wireguard_vpn[0].description='mobile'
network.@wireguard_vpn[0].public_key='hidden'
network.@wireguard_vpn[0].private_key='hidden'
network.@wireguard_vpn[0].persistent_keepalive='25'
network.@wireguard_vpn[0].allowed_ips='2a0e:hidden::5/128' '192.168.5.5/32'
root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'vpn'
firewall.@zone[1]=zone
firewall.@zone[1].name='guest'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='guest'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].network='wan' 'wan6'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Caddy https'
firewall.@redirect[0].family='ipv4'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].dest_ip='192.168.1.10'
firewall.@redirect[0].dest_port='443'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Wireguard'
firewall.@rule[9].proto='udp'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-DNS-Guest'
firewall.@rule[10].proto='udp'
firewall.@rule[10].src='guest'
firewall.@rule[10].dest_port='53'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-DHCP-Guest'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src='guest'
firewall.@rule[11].src_port='68'
firewall.@rule[11].dest_port='67'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-Caddyv6-443'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].dest_ip='::1:0:0:0:10/::f:ffff:ffff:ffff:ffff'
firewall.@rule[12].dest_port='443'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='wan'
firewall.@rule[12].dest='lan'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/home.arpa/'
dhcp.@dnsmasq[0].domain='home.arpa'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].sequential_ip='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='1.1.1.3' '1.0.0.3'
dhcp.@dnsmasq[0].doh_server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='100'
dhcp.lan.leasetime='1d'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.ra_useleasetime='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='100'
dhcp.guest.limit='25'
dhcp.guest.leasetime='12h'
dhcp.guest.ra='server'
dhcp.guest.ra_flags='managed-config' 'other-config'
dhcp.guest.dhcpv6='server'
dhcp.guest.ra_useleasetime='1'