IPv6 assign on guest network causes failure

I'm setting up an OpenWrt router on a WRT1900ACSv2 and things work fine, except if I enable an IPv6 assignment length of 64: it then causes all Android devices to sign on and then, after a few seconds, sign off... over and over. Disabling the IPv6 assignment makes things work.

The main LAN is fine with a /64 assigned to it.

Any ideas? I have very limited testing ability as it's now remote. Hopefully my WireGuard VPN is working...

So, dump the configs, runtime included, and find the difference:

uci show network; uci show firewall; uci show dhcp; uci show wireless
ip -6 a; ip -6 r; ip -6 ru; ip6tables-save
ifstatus lan; ifstatus guest

Try to restart the network, firewall, odhcpd, wifi if you are sure the configs are fine.

Good plan, it will have to wait until I get VPN access from home... will let you know what I find. The weird thing is it works fine with IPv4 only... can you think of any activity I should be looking for that would cause this? The firewall blocks access to the router but allows DHCP, DHCPv6, and DNS. Also I expanded the rules for NDP to allow forwarding of ICMPv6 from any zone, not just wan.

One of the ways to exclude the firewall is to stop it temporarily.
Although it is not a panacea and you should be careful in case you rely on the masquerading or use some kind of policy-based routing with traffic marking, so as not to lock yourself out.
Another simple way to get access to your network is TeamViewer and similar software.
However, I don't like to use it as I don't completely trust proprietary stuff.
You can ask to reboot the router in case this is just an occasional failure and your access is limited.

Yeah, it's 100% consistent: as soon as I enable IPv6 the guest network becomes unusable... disable it and it becomes fine.

I tried setting up the firewall to allow input and forwarding in the same way as the LAN, but it seemed like no dice... weird. I kind of wonder if it's something funky about the modem not liking the IPv6 prefix, but I don't think so; it's a Comcast install and the modem is in a funky "bridge mode" which is half-assed, and it gives out a /60...

The guest network is unencrypted... another way it's different... I wonder if that exercises some interaction...

For now I'll most likely just leave the guest network IPv4 only; the users are a totally tech-unsavvy elderly couple. The whole point was to set up a VPN tunnel to my home network so as to get VNC access and be able to help with questions like "my email doesn't work anymore", but making changes remotely risks lockout from 3000 miles away... yikes.


I think the whole problem is with the firewall. Did you try to do a packet capture when the problem happens?
Also, if you can, try to remap ports for guest IPv6, like changing the DNS and DHCP ports!

:scream: That's why it's better to use remote access as a backup, like AnyDesk or TeamViewer.
In case you screwed something up, let the other person set up wifi tethering via phone.

Users are 80+ years old, can't use a flip phone for text messaging, much less wifi tethering... so it's risky to do anything like that.

I agree it's likely a firewall issue but couldn't figure it out. I didn't have tcpdump or WireGuard available while I was there; once I have VPN I could maybe install tcpdump remotely... Limited time on site, and I spent most of it resetting the modem, disabling its wifi, and switching it to bridge mode. Every modem reboot seems to take 10 mins to get reconnected... truly lousy device... By the time I figured out it was IPv6 I didn't have time to debug why.


Ok, further info...

In /etc/config/network, lan works and guest doesn't. Essentially the only difference is the presence or absence of option ip6assign '64', which works on LAN and doesn't work on GUEST; when it is not set on GUEST, the GUEST network works fine. Right now, with IPv4 only, the guest network works fine.

I conclude that there's a firewall issue in forwarding IPv6 from guest to WAN, or resolving DNS via IPv6 on guest, or something similar. In the presence of IPv6 the devices on that network prefer it, and so they fail to stay connected, particularly because Android devices disconnect if they can't reach their online check: http://connectivitycheck.gstatic.com/generate_204

Here are the relevant portions of the firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option conntrack '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option name 'guestservices'
	option src 'guest'
	option dest_port '67 53 547'
config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'ACCEPT'
	option src '*'

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option icmp_type 'echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
	option src '*'

config rule
	option name 'Allow-ICMPv6-Forward'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option icmp_type 'echo-reply destination-unreachable echo-request time-exceeded'
	option src '*'
	option dest '*'

So basically the difference for the guest zone is that it doesn't accept input or forwarding, except that it has a rule for input of UDP for DHCP and DNS, and it allows forwarding to the wan zone.

The rules regarding ICMPv6 are set up to accept src and dest * rather than just src zone wan, which seems to be the default.

Any thoughts on what's here that might cause problems for ipv6?

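The firewall fragment above is the kind of dump the earlier "dump the configs and find the difference" advice applies to, and comparing two zones by eye is where mistakes creep in. As an added example that is not from this thread or from OpenWrt itself, here is a small Python parser for the UCI syntax quoted above. It lists, for a zone, the input/output/forward policy, the zones it may forward to, and the rules that apply to it, then prints where `lan` and `guest` differ. `SAMPLE` is a constructed copy of the quoted fragment trimmed to the sections needed for the comparison; the rule-matching logic (a rule applies when its `src` is the zone name or `*`, and a rule with a `dest` is treated as a forward rule) is an assumption about how to read the file, not a reimplementation of the OpenWrt firewall.

```python
import re
from collections import defaultdict

# Constructed input: the firewall fragment quoted in the thread, trimmed to
# the sections needed to compare the 'lan' and 'guest' zones.
SAMPLE = """\
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option name 'guestservices'
	option src 'guest'
	option dest_port '67 53 547'

config rule
	option name 'Allow-ICMPv6-Forward'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	option src '*'
	option dest '*'
"""

SECTION_RE = re.compile(r"^config\s+(\w+)(?:\s+'?([\w-]+)'?)?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\w+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Split UCI text into sections: {'type', 'name', 'opt': {...}, 'list': {...}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # 'config <type> [name]' starts a new section
            cur = {"type": m[1], "name": m[2], "opt": {}, "list": defaultdict(list)}
            sections.append(cur)
            continue
        m = OPTION_RE.match(line)
        if m and cur is not None:  # 'option k v' / 'list k v' belong to current section
            kind, key, val = m.groups()
            if kind == "option":
                cur["opt"][key] = val
            else:
                cur["list"][key].append(val)
    return sections


def zone_summary(sections, zone):
    """Policies, forwardings and applicable rules for one zone.

    Assumption (not OpenWrt's own logic): a rule applies to the zone when its
    'src' is the zone name or '*'; rules with a 'dest' are forward rules, the
    rest are input rules. Options a zone omits are reported as '(unset)'.
    """
    z = next((s for s in sections if s["type"] == "zone" and s["opt"].get("name") == zone), None)
    if z is None:
        raise KeyError(f"no zone named {zone!r}")
    fwd_to = sorted(s["opt"]["dest"] for s in sections
                    if s["type"] == "forwarding" and s["opt"].get("src") == zone)
    rules = {"input": [], "forward": []}
    for s in sections:
        if s["type"] != "rule" or s["opt"].get("enabled", "1") == "0":
            continue
        if s["opt"].get("src") not in (zone, "*"):
            continue
        kind = "forward" if "dest" in s["opt"] else "input"
        rules[kind].append((s["opt"].get("name", "?"), s["opt"].get("family", "any"),
                            s["opt"].get("proto", "any"), s["opt"].get("dest_port", "any")))
    return {"input": z["opt"].get("input", "(unset)"), "output": z["opt"].get("output", "(unset)"),
            "forward": z["opt"].get("forward", "(unset)"), "forward_to": fwd_to, "rules": rules}


def diff_zones(sections, a, b):
    """Summary keys whose values differ between zones a and b, with both values."""
    sa, sb = zone_summary(sections, a), zone_summary(sections, b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}


if __name__ == "__main__":
    for key, (lan, guest) in diff_zones(parse_uci(SAMPLE), "lan", "guest").items():
        print(f"{key:10} lan={lan}  guest={guest}")
```

Run against the posted fragment it reports the three things the poster lists by hand: the input and forward policies differ, and only `guest` carries the `guestservices` UDP input rule, while both zones forward to `wan` and both pick up the `src '*'` ICMPv6 forward rule. Feeding it the output of `uci export firewall` from the router gives the same comparison over the real, complete file.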

@dlakelan this issue is not like yours, am I right?

Anyhow, since you have a problem with guest having IPv6 and that works OK in my setup, perhaps you can find something interesting there.