I get a /56 from my ISP (Verizon), and I am trying to break it into /64s on 3 VLAN interfaces. However, IPv6 only seems to work on one of the three VLAN interfaces. On the other 2 interfaces, router solicitation messages come in but are not responded to. I'm wondering if it has something to do with the fact that all VLANs on a physical interface share a link-local address.
Has anyone gotten this working? Any ideas what I'm missing?
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
# Diagnostic dump: board/firmware info, the network, dhcp and firewall UCI
# configs, /etc/firewall.user (if it exists), then IPv6 addresses, routes from
# all tables and IPv6 policy rules.
# The ip -6 output contains global IPv6 prefixes and link-local addresses.
# Link-local addresses with ff:fe in the middle are EUI-64 addresses built from
# the interface MAC, so review them together with MACs and public IPs before
# posting the output.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
Thanks. I think I figured the problem out. I was making some firewall rule changes and I think I was inadvertently blocking ICMP to the router; router solicitations are ICMPv6 messages, so they were being rejected too. Adding the rule "Restricted Allow ICMP" seems to fix the issue.
{
"kernel": "5.10.146",
"hostname": "NanoPi-R4S",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R4S",
"board_name": "friendlyarm,nanopi-r4s",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.2",
"revision": "r19803-9a599fee93",
"target": "rockchip/armv8",
"description": "OpenWrt 22.03.2 r19803-9a599fee93"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'eth1'
option macaddr '****'
config interface 'lan'
option proto 'static'
option device 'eth1.1'
option ipaddr '10.0.0.1'
option netmask '255.255.0.0'
option ip6assign '64'
option ip6weight '2'
config device
option name 'eth0'
option macaddr '****'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config device
option type '8021q'
option ifname 'eth1'
option vid '1'
option name 'eth1.1'
config device
option type '8021q'
option ifname 'eth1'
option vid '10'
option name 'eth1.10'
config device
option type '8021q'
option ifname 'eth1'
option vid '20'
option name 'eth1.20'
config interface 'IOT'
option proto 'static'
option device 'eth1.20'
option ipaddr '10.20.0.1'
option netmask '255.255.0.0'
option ip6assign '64'
option ip6weight '1'
config interface 'GUEST'
option proto 'static'
option device 'eth1.10'
option ipaddr '10.10.0.1'
option netmask '255.255.0.0'
option ip6weight '0'
option ip6assign '64'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option cachesize '10000'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'rt3200-ap'
option dns '1'
option ip '10.0.0.220'
option mac '*****'
config host
option name 'netgear-trunk'
option dns '1'
option ip '10.0.0.146'
option mac '*****'
config domain
option name 'netgear-trunk'
option ip '10.0.0.146'
config domain
option name 'rt3200-ap'
option ip '10.0.0.220'
config domain
option name 'openwrt'
option ip '10.0.0.1'
config dhcp 'IOT'
option interface 'IOT'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
option dhcpv6 'server'
config dhcp 'GUEST'
option interface 'GUEST'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
option dhcpv6 'server'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Rules and zone definition for the 'Restricted' zone (networks IOT and GUEST).
# The zone rejects input and forward by default; the rules below open
# individual services. Rules with a src and no dest apply to traffic addressed
# to the router itself.

# DHCPv4 from Restricted clients to the router.
config rule
option name 'Restricted DHCPv4'
list proto 'udp'
option src 'Restricted'
option target 'ACCEPT'
option family 'ipv4'
option dest_port '67-68'
# NOTE(review): DHCPv6 servers listen on UDP 547; 546 is the client port.
# The dhcp config runs a DHCPv6 server on IOT and GUEST, so client requests to
# the router would arrive on 547 and not match this rule - confirm the port.
config rule
option name 'Restricted DHCPv6'
option family 'ipv6'
list proto 'udp'
option src 'Restricted'
option dest_port '546'
option target 'ACCEPT'
# Accepts ICMP from the Restricted zone to the router. No family or icmp_type
# option is set, so the match is not narrowed to particular ICMP types.
# NOTE(review): consider listing only the ICMPv6 types that are needed
# (router/neighbour solicitation and advertisement, echo, error messages), the
# way the Allow-ICMPv6-Input rule for wan does, instead of accepting all ICMP.
config rule
list proto 'icmp'
option src 'Restricted'
option target 'ACCEPT'
option name 'Restricted Allow ICMP'
# DNS to the router over UDP only.
# NOTE(review): TCP port 53 is not opened, so DNS over TCP from these networks
# to the router will be rejected - confirm this is intended.
config rule
option name 'Restricted DNS'
list proto 'udp'
option src 'Restricted'
option dest_port '53'
option target 'ACCEPT'
# Rejects everything else from Restricted to the router. The zone's own
# input policy below is already REJECT, so this looks redundant but makes the
# intent explicit; it must stay after the ACCEPT rules above.
config rule
option src 'Restricted'
option target 'REJECT'
option name 'Restricted Block Router'
# Rejects forwarding from Restricted to lan.
config rule
option name 'Restricted No LAN Access'
option src 'Restricted'
option dest 'lan'
option target 'REJECT'
# Zone definition: default-reject for input and forward, IOT and GUEST members.
config zone
option name 'Restricted'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'IOT'
list network 'GUEST'
# NOTE(review): the next two forwarding sections have a dest but no src; they
# look like leftovers from editing and are candidates for removal - verify.
config forwarding
option dest 'wan'
config forwarding
option dest 'wan'
# Allows Restricted hosts to reach the wan zone (internet access).
config forwarding
option src 'Restricted'
option dest 'wan'
head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::5cdc:c9ff:fe4c:a709/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::5cdc:c9ff:fe4c:a70a/64 scope link
valid_lft forever preferred_lft forever
22: ifb4eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
inet6 fe80::5442:c6ff:fed4:b9f7/64 scope link
valid_lft forever preferred_lft forever
27: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2600:4040:743a:4902::1/64 scope global dynamic noprefixroute
valid_lft 5231sec preferred_lft 5231sec
inet6 fe80::5cdc:c9ff:fe4c:a70a/64 scope link
valid_lft forever preferred_lft forever
28: eth1.20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2600:4040:743a:4901::1/64 scope global dynamic noprefixroute
valid_lft 5231sec preferred_lft 5231sec
inet6 fe80::5cdc:c9ff:fe4c:a70a/64 scope link
valid_lft forever preferred_lft forever
29: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2600:4040:743a:4900::1/64 scope global dynamic noprefixroute
valid_lft 5231sec preferred_lft 5231sec
inet6 fe80::5cdc:c9ff:fe4c:a70a/64 scope link
valid_lft forever preferred_lft forever
default from 2600:4040:743a:4900::/56 via fe80::327c:5eff:fe92:7401 dev eth0 metric 512
2600:4040:743a:4900::/64 dev eth1.1 metric 1024
2600:4040:743a:4901::/64 dev eth1.20 metric 1024
2600:4040:743a:4902::/64 dev eth1.10 metric 1024
unreachable 2600:4040:743a:4900::/56 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev ifb4eth0 metric 256
fe80::/64 dev eth1 metric 256
fe80::/64 dev eth1.1 metric 256
fe80::/64 dev eth1.10 metric 256
fe80::/64 dev eth1.20 metric 256
local ::1 dev lo table local metric 0
anycast 2600:4040:743a:4900:: dev eth1.1 table local metric 0
local 2600:4040:743a:4900::1 dev eth1.1 table local metric 0
anycast 2600:4040:743a:4901:: dev eth1.20 table local metric 0
local 2600:4040:743a:4901::1 dev eth1.20 table local metric 0
anycast 2600:4040:743a:4902:: dev eth1.10 table local metric 0
local 2600:4040:743a:4902::1 dev eth1.10 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev ifb4eth0 table local metric 0
anycast fe80:: dev eth1.10 table local metric 0
anycast fe80:: dev eth1 table local metric 0
anycast fe80:: dev eth1.20 table local metric 0
anycast fe80:: dev eth1.1 table local metric 0
local fe80::5442:c6ff:fed4:b9f7 dev ifb4eth0 table local metric 0
local fe80::5cdc:c9ff:fe4c:a709 dev eth0 table local metric 0
local fe80::5cdc:c9ff:fe4c:a70a dev eth1.10 table local metric 0
local fe80::5cdc:c9ff:fe4c:a70a dev eth1 table local metric 0
local fe80::5cdc:c9ff:fe4c:a70a dev eth1.20 table local metric 0
local fe80::5cdc:c9ff:fe4c:a70a dev eth1.1 table local metric 0
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev ifb4eth0 table local metric 256
multicast ff00::/8 dev eth1.10 table local metric 256
multicast ff00::/8 dev eth1.20 table local metric 256
multicast ff00::/8 dev eth1.1 table local metric 256
multicast ff00::/8 dev eth1 table local metric 256
0: from all lookup local
32766: from all lookup main
4200000000: from 2600:4040:743a:4902::1/64 iif eth1.10 lookup unspec unreachable
4200000000: from 2600:4040:743a:4901::1/64 iif eth1.20 lookup unspec unreachable
4200000000: from 2600:4040:743a:4900::1/64 iif eth1.1 lookup unspec unreachable
That's right: if the default action on the interface is to drop/reject, then you need a rule like Allow-ICMPv6-Input for ingress to the zone and a rule like Allow-ICMPv6-Forward from the Restricted zone to the wan zone.
Because IPv6 works end to end, the hosts in the lan must be able to receive certain ICMP packets from the internet. And of course they need to communicate with OpenWrt.