IPv6 connectivity stopped to work in LAN, ok on router

COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by iptables-save v1.8.3 on Tue May  5 13:46:34 2020
*mangle
:PREROUTING ACCEPT [49192563:39629695280]
:INPUT ACCEPT [614704:147506253]
:FORWARD ACCEPT [48540392:39475540272]
:OUTPUT ACCEPT [675805:122677320]
:POSTROUTING ACCEPT [49105029:39591814275]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[49206092:39639671445] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[615301:147583771] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[48553309:39485428400] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[122636:6803616] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn_usa MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[676498:122874235] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_PREROUTING -s 192.168.180.0/24 -m comment --comment VPN_USA -j MARK --set-xmark 0x40000/0xff0000
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by iptables-save v1.8.3 on Tue May  5 13:46:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_usa_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_vpn_usa_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_usa_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_vpn_usa_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_usa_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_vpn_usa_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_usa_dest_ACCEPT - [0:0]
:zone_lan_vpn_usa_forward - [0:0]
:zone_lan_vpn_usa_input - [0:0]
:zone_lan_vpn_usa_output - [0:0]
:zone_lan_vpn_usa_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_vpn_usa_dest_ACCEPT - [0:0]
:zone_vpn_usa_dest_REJECT - [0:0]
:zone_vpn_usa_forward - [0:0]
:zone_vpn_usa_input - [0:0]
:zone_vpn_usa_output - [0:0]
:zone_vpn_usa_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[7137:797903] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[607576:146708818] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[306706:119587950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[15539:794372] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1083:57604] -A INPUT -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[267607:23802567] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[32069:3255671] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A INPUT -i tun1 -m comment --comment "!fw3" -j zone_vpn_input
[88:3830] -A INPUT -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_input
[0:0] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_input
[48540399:39475547364] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[47727932:39406214675] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[257901:19189139] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[554566:50143550] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_forward
[0:0] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[7137:797903] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[668678:121884327] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[527258:76131483] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[89547:42336094] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[51873:3416750] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun2 -m comment --comment "!fw3" -j zone_vpn_usa_output
[0:0] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_output
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10100 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10101 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10102 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10103 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.105/32 -p tcp -m tcp --dport 22222 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.187/32 -p udp -m udp --dport 9308 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.91/32 -p tcp -m tcp --dport 8621 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.192/32 -p tcp -m tcp --dport 51513 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.192/32 -p udp -m udp --dport 6881 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.192/32 -p tcp -m tcp --dport 6881 -j ACCEPT
[13596:604323] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[16961:2589906] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[15516:793176] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[23:1196] -A syn_flood -m comment --comment "!fw3" -j DROP
[644497:92509596] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[257901:19189139] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[47399:2843940] -A zone_lan_forward -p tcp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[59408:3382392] -A zone_lan_forward -p udp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[151094:12962807] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[151094:12962807] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[384:29952] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[267607:23802567] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[267607:23802567] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[89547:42336094] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[89547:42336094] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[267606:23802515] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Custom lan_vpn_usa forwarding rule chain" -j forwarding_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Zone lan_vpn_usa to vpn_usa forwarding policy" -j zone_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3: Custom lan_vpn_usa input rule chain" -j input_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3" -j zone_lan_vpn_usa_src_ACCEPT
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3: Custom lan_vpn_usa output rule chain" -j output_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_src_ACCEPT -i eth0.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_REJECT -o tun2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3: Custom vpn_usa forwarding rule chain" -j forwarding_vpn_usa_rule
[0:0] -A zone_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3" -j zone_vpn_usa_dest_REJECT
[88:3830] -A zone_vpn_usa_input -m comment --comment "!fw3: Custom vpn_usa input rule chain" -j input_vpn_usa_rule
[0:0] -A zone_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[88:3830] -A zone_vpn_usa_input -m comment --comment "!fw3" -j zone_vpn_usa_src_REJECT
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3: Custom vpn_usa output rule chain" -j output_vpn_usa_rule
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3" -j zone_vpn_usa_dest_ACCEPT
[88:3830] -A zone_vpn_usa_src_REJECT -i tun2 -m comment --comment "!fw3" -j reject
[4511:226463] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[198072:16123142] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
[106807:6226332] -A zone_wan_dest_DROP -o br-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o 6in4-wan6 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
[554566:50143550] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[554566:50143550] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[32069:3255671] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[707:25452] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[893:39820] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[30469:3190399] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[51873:3416750] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[51873:3416750] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[30469:3190399] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by ip6tables-save v1.8.3 on Tue May  5 13:46:34 2020
*mangle
:PREROUTING ACCEPT [293562:113384129]
:INPUT ACCEPT [18612:1570367]
:FORWARD ACCEPT [251363:107557637]
:OUTPUT ACCEPT [248955:116628686]
:POSTROUTING ACCEPT [500309:224185475]
[0:0] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[111881:8933028] -A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn_usa MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by ip6tables-save v1.8.3 on Tue May  5 13:46:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_usa_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_vpn_usa_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_usa_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_vpn_usa_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_usa_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_vpn_usa_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_usa_dest_ACCEPT - [0:0]
:zone_lan_vpn_usa_forward - [0:0]
:zone_lan_vpn_usa_input - [0:0]
:zone_lan_vpn_usa_output - [0:0]
:zone_lan_vpn_usa_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_vpn_usa_dest_ACCEPT - [0:0]
:zone_vpn_usa_dest_REJECT - [0:0]
:zone_vpn_usa_forward - [0:0]
:zone_vpn_usa_input - [0:0]
:zone_vpn_usa_output - [0:0]
:zone_vpn_usa_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[368:45622] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[18244:1524745] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6432:424676] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:160] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT

[11788:1098917] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A INPUT -i tun1 -m comment --comment "!fw3" -j zone_vpn_input
[24:1152] -A INPUT -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_input
[0:0] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_input
[251363:107557637] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[230561:105287230] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[19488:2133786] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[1314:136621] -A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_forward
[0:0] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[368:45622] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[248587:116583064] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6375:385406] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[240910:116106666] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1086:72232] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[216:18760] -A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun2 -m comment --comment "!fw3" -j zone_vpn_usa_output
[0:0] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_output
[5:608] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[24:1152] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[2:160] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[240917:116107271] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[19488:2133786] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[19488:2133786] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[19488:2133786] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11788:1098917] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[11788:1098917] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[240910:116106666] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[240910:116106666] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11788:1098917] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Custom lan_vpn_usa forwarding rule chain" -j forwarding_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Zone lan_vpn_usa to vpn_usa forwarding policy" -j zone_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3: Custom lan_vpn_usa input rule chain" -j input_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3" -j zone_lan_vpn_usa_src_ACCEPT
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3: Custom lan_vpn_usa output rule chain" -j output_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_src_ACCEPT -i eth0.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_REJECT -o tun2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3: Custom vpn_usa forwarding rule chain" -j forwarding_vpn_usa_rule
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3" -j zone_vpn_usa_dest_REJECT
[24:1152] -A zone_vpn_usa_input -m comment --comment "!fw3: Custom vpn_usa input rule chain" -j input_vpn_usa_rule
[24:1152] -A zone_vpn_usa_input -m comment --comment "!fw3" -j zone_vpn_usa_src_REJECT
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3: Custom vpn_usa output rule chain" -j output_vpn_usa_rule
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3" -j zone_vpn_usa_dest_ACCEPT
[24:1152] -A zone_vpn_usa_src_REJECT -i tun2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1086:72232] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[4:240] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[19700:2152306] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o br-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o 6in4-wan6 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[5:608] -A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
[1314:136621] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[1302:135408] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[12:1213] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[5:608] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[5:608] -A zone_wan_forward -j MINIUPNPD
[5:608] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --sport 547 --dport 547 -m comment --comment "!fw3: Allow DHCPv6 Relay" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1302:90992] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1302:90992] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue May  5 13:46:34 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.182.1/24 brd 192.168.182.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.188.24/24 brd 192.168.188.255 scope global br-wan
       valid_lft forever preferred_lft forever
12: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.180.1/24 brd 192.168.180.255 scope global eth0.10
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
14: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun1
       valid_lft forever preferred_lft forever
16: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.200.0.42 peer 10.200.0.41/32 scope global tun2
       valid_lft forever preferred_lft forever
default via 192.168.188.1 dev br-wan table 201
81.208.50.214 via 192.168.188.1 dev br-wan table 201 proto static
192.168.180.0/24 dev eth0.10 table 201 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 201 proto kernel scope link src 192.168.188.24
default via 10.8.0.1 dev tun0 table 202
81.208.50.214 via 192.168.188.1 dev br-wan table 202 proto static
192.168.180.0/24 dev eth0.10 table 202 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 202 proto kernel scope link src 192.168.188.24
default via 10.9.0.1 dev tun1 table 203
81.208.50.214 via 192.168.188.1 dev br-wan table 203 proto static
192.168.180.0/24 dev eth0.10 table 203 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 203 proto kernel scope link src 192.168.188.24
default via 10.200.0.42 dev tun2 table 204
81.208.50.214 via 192.168.188.1 dev br-wan table 204 proto static
192.168.180.0/24 dev eth0.10 table 204 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 204 proto kernel scope link src 192.168.188.24
default via 192.168.188.1 dev br-wan proto static src 192.168.188.24
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.9.0.0/24 via 10.9.0.2 dev tun1
10.9.0.2 dev tun1 proto kernel scope link src 10.9.0.1
10.10.0.0/24 via 192.168.182.192 dev br-lan proto static
10.11.0.0/24 via 192.168.182.192 dev br-lan proto static
10.12.0.0/24 via 192.168.182.10 dev br-lan proto static
10.13.0.0/24 via 192.168.182.10 dev br-lan proto static
10.14.0.0/24 via 192.168.182.11 dev br-lan proto static
10.15.0.0/24 via 192.168.182.11 dev br-lan proto static
10.200.0.41 dev tun2 proto kernel scope link src 10.200.0.42
81.208.50.214 via 192.168.188.1 dev br-wan proto static
192.168.56.0/24 via 192.168.182.192 dev br-lan proto static
192.168.180.0/24 dev eth0.10 proto static scope link metric 10
192.168.182.0/24 dev br-lan proto kernel scope link src 192.168.182.1
192.168.183.0/24 via 192.168.182.135 dev br-lan proto static
192.168.188.0/24 dev br-wan proto kernel scope link src 192.168.188.24
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
local 10.9.0.1 dev tun1 table local proto kernel scope host src 10.9.0.1
local 10.200.0.42 dev tun2 table local proto kernel scope host src 10.200.0.42
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.180.0 dev eth0.10 table local proto kernel scope link src 192.168.180.1
local 192.168.180.1 dev eth0.10 table local proto kernel scope host src 192.168.180.1
broadcast 192.168.180.255 dev eth0.10 table local proto kernel scope link src 192.168.180.1
broadcast 192.168.182.0 dev br-lan table local proto kernel scope link src 192.168.182.1
local 192.168.182.1 dev br-lan table local proto kernel scope host src 192.168.182.1
broadcast 192.168.182.255 dev br-lan table local proto kernel scope link src 192.168.182.1
broadcast 192.168.188.0 dev br-wan table local proto kernel scope link src 192.168.188.24
local 192.168.188.24 dev br-wan table local proto kernel scope host src 192.168.188.24
broadcast 192.168.188.255 dev br-wan table local proto kernel scope link src 192.168.188.24
0:      from all lookup local
32729:  from all fwmark 0x40000 lookup 204
32730:  from all fwmark 0x30000 lookup 203
32731:  from all fwmark 0x20000 lookup 202
32732:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:xxx:yyyy:d3e3::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fdb5:24dd:30d::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
10: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
12: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::ccc7:b54f:f031:1cab/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
14: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::3727:7ab3:c808:a293/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2605:fff:fedd:3b60/64 scope link
       valid_lft forever preferred_lft forever
16: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::f533:3ab6:ea18:1b40/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
17: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 2001:xxx:yyyy:d3e3::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:bc18/64 scope link
       valid_lft forever preferred_lft forever
default from 2001:xxx:yyyy:d3e3::/64 dev 6in4-wan6 proto static metric 1024 pref medium
2001:xxx:yyyy:d3e3:3902:8aa6:54f1:e97 dev br-lan proto static metric 1024 pref medium
2001:xxx:yyyy:d3e3::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
2001:xxx:yyyy:d3e3::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:xxx:yyyy:d3e3::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
fdb5:24dd:30d::5a1 dev br-lan proto static metric 1024 pref medium
fdb5:24dd:30d::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdb5:24dd:30d::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-wan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun2 proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2001:xxx:yyyy:d3e3:: dev 6in4-wan6 table local proto kernel metric 0 pref medium
anycast 2001:xxx:yyyy:d3e3:: dev br-lan table local proto kernel metric 0 pref medium
local 2001:xxx:yyyy:d3e3::1 dev br-lan table local proto kernel metric 0 pref medium
local 2001:xxx:yyyy:d3e3::2 dev 6in4-wan6 table local proto kernel metric 0 pref medium
anycast fdb5:24dd:30d:: dev br-lan table local proto kernel metric 0 pref medium
local fdb5:24dd:30d::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.10 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-wan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun2 table local proto kernel metric 0 pref medium
anycast fe80:: dev 6in4-wan6 table local proto kernel metric 0 pref medium
local fe80::c0a8:bc18 dev 6in4-wan6 table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev eth0.10 table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev eth0 table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev br-lan table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev br-wan table local proto kernel metric 0 pref medium
local fe80::2605:fff:fedd:3b60 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::3727:7ab3:c808:a293 dev tun1 table local proto kernel metric 0 pref medium
local fe80::ccc7:b54f:f031:1cab dev tun0 table local proto kernel metric 0 pref medium
local fe80::f533:3ab6:ea18:1b40 dev tun2 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.10 table local metric 256 pref medium
ff00::/8 dev br-wan table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun2 table local metric 256 pref medium
ff00::/8 dev 6in4-wan6 table local metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2001:xxx:yyyy:d3e3::1/64 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000008:     from all iif br-lan failed_policy
4200000010:     from all iif br-wan failed_policy
4200000012:     from all iif eth0.10 failed_policy
4200000013:     from all iif tun0 failed_policy
4200000014:     from all iif tun1 failed_policy
4200000016:     from all iif tun2 failed_policy
4200000017:     from all iif 6in4-wan6 failed_policy
lrwxrwxrwx    1 root     root            16 Feb  7 10:23 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May  4 14:28 /tmp/resolv.conf
-rw-r--r--    1 root     root           174 May  4 13:12 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan
nameserver 192.168.188.1
search fritz.box
# Interface LAN_VPN_USA
nameserver 8.8.8.8
nameserver 4.4.4.4
root@MenionRouter:~#

Are you sure about this? The delegated prefix cannot be the same as the uplink to your ISP. Look for example the henet configuration.

        option ip6addr '2001:xxx:yyyy:d3e3::2/64'
        list ip6prefix '2001:xxx:yyyy:d3e3::/64'

I also don't see the point of wan interface being a bridge. And this usually causes problems, so remove it if there is no reason.

Are you running some relay or server? It is not clear. In lan you have server for RAs DHCPv6, NDP is hybrid, then wan is configured for relay.

config dhcp 'lan'
...
        option ndp 'hybrid'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

You have some weird forwardings in the firewall, like wan->lan, wan->vpn. I hope these are for troubleshooting only.

Other than that I can see that there are some routing tables, is it mwan3 or VPN PBR?
But the main issue is re-using the same prefix in wan and lan.

Well my ISP gives a /64 prefix, so this is the result of the configuration following the instructions. Neverthless I have exactly the same problem with the hurricane tunnel that gives a /48

I forgot to mention that the upstream IPv4 on WAN is my ISP router. So I am actually running behind the NAT of the ISP router (having the OpenWRT in DMZ). I bridge WAN because I use a dedicated VLAN to bring the ISP LAN subnet to particular clients that may need it.

mmmm I have completely forgot this. What I am actually trying to do is to have the LAN interface to act as dhcpv6 server and delegate prefix based on the information of wan6.

Which one exaclty? they should be "normal" VPN and WAN rules

Yes I use VPN PBR

What shall I configure then, considering the on the 6in4 tunnel i get /64 prefix?

What it is really confusing me is why this setup was working for lile 4 years across two major Openwrt release and suddenly stopped to work.

There must be something on the reouter I believe, because the LAN devices can ping each other, while any ping from router to LAN (or incoming packet from WAN6) are sent back to the tunnel like it was unable to resolve NDP or something.

And the most weird thing is that a windows 10 laptop, in my lan, can works sometime (usually at the first boot) and loose the ipv6 connectivity if i bring down/up wifi (check this picture I have just taken)

This is all confusing. Two things:

Fix:

EDIT: I realized the LAN config is not posted- that was incorrect

This will work if you ask HE for a /48. Otherwise, simply assign the /64 to the LAN interface.

Regarding ping, have you looked at your WAN firewall zone!

:bulb:

(I must also be confused because I thought the OP was using 6in4.)

If they are allocating just a /64 for the wan6, then you cannot delegate it to the lan. What you can do is relay from lan.

We'll have to look at it individually, if you want to stick with that.

Since there is no other interface in the bridge, there is no usage of the bridge. If other clients need to connect directly to the ISP router this isn't the right way. Better connect them on the ISP router.

Then this configuration is not correct. But even if you configure it as delegated, it won't work, because the ISP router will try to contact the hosts directly, because they are in the same subnet.

config forwarding
        option dest 'vpn'
        option src 'wan'

config forwarding
        option dest 'lan'
        option src 'wan'

Use the last example of relay.
Or check here to use hybrid for both relay and delegation.

Trendy, are you certain that you're assisting with a 6-in-4 setup?

If the OP is assigned a /64 from a tunnel broker, they just addresses the wan6 interface with the tunnel IP provided by the broker; then either:

  • assign the /64 as a in option ip6prefix on the wan6 - then add option ip6class 'wan6' on LAN config; or
  • simply configure it as a IPv6 static assignment on LAN

Actually there are, it is eth0.3 (VLAN3). And it is working for the scope I have (I cannot physically connect device to ISP router)

So, tried with:

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '50'
        option limit '200'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

Now the device do not get any IPv6 address at all. Honestly I do not fully follow this configuration, my ISP does not have any DHCPv6, it just assign prefix over tunnel

@lleachii

Shall I keep the wan6 setting as they are, run RA and DHCPv6 server on lan and just add option ip6class 'wan6' in LAN config?

OP has 2 6in4 interfaces in the network configuration. henet, from HE and wan6 from his ISP. henet is fine from what I can see. The wan6 is using the same /64 for uplink and delegated prefix. This cannot work without relay.

This is only one interface. I don't see where are the other interfaces that you need to bridge on the device.

Did you also remove the list ip6prefix '2001:xxx:yyyy:d3e3::/64' from wan6?
I also noticed that you don't allow inbound protocol 41 (the 6in4) on wan. Check here the last example configurations.

You are right, WAN is bridged because I used it for a while together with a wireless.
Proto 41 I do not think is an issue because IPv6 can work on router, so upstream is ok
Generally speaking: can you see why this configuration stopped to work?

Done, no IP is gotten in LAN.

To be honest I am surprised this even worked. Not the henet, that looks fine to me. But the other one can't have worked. Actually I find it rather stupid to use 6in4 to the ISP premises, let alone to allocate only a /64.
Can you ask your ISP out of curiosity, how are you supposed to allocate a single /64 in lan and wan?

But what I do not understand is this: on wan we get the endpoint at the end of the tunnel acting as default gateway. It works because from router I can reach internet

LAN get the prefix /64 and provide SLAAC and DHCPv6 and it works and it advertise router

What it does not work is connectivity between router and LAN because the router decide to send /64 traffic on the tunnel instead resolving MAC with NDP and send packets in LAN.

This is the problem, which is inexplicable to me

It is not that difficult. You wouldn't be able to operate a router that would have 192.168.1.2/24 on wan interface and 192.168.1.1/24 on lan interface.

Ok

So any idea why relay setup does not work at all?

Post one more time the config to see how it looks like now.

uci export network; uci export dhcp; uci export firewall; ifstatus wan; ifstatus wan6; ifstatus lan

@trendy

root@MenionRouter:/etc/config# uci export network; uci export dhcp; uci export f
irewall; ifstatus wan; ifstatus wan6; ifstatus lan
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb5:24dd:030d::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.182.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option ifname 'eth0.2'
        option type 'bridge'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.3'
        option type 'bridge'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config interface 'vpn1'
        option ifname 'tun1'
        option proto 'none'
        option auto '1'

config route
        option interface 'lan'
        option target '10.10.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config route
        option interface 'lan'
        option target '10.11.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config route
        option interface 'lan'
        option target '10.12.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.10'

config route
        option interface 'lan'
        option target '10.13.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.10'

config route
        option interface 'lan'
        option target '10.14.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.11'

config route
        option interface 'lan'
        option target '10.15.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.11'

config interface 'wan6'
        option proto '6in4'
        option peeraddr '81.208.50.214'
        option ip6addr '2001:xxx:yyyy:d3e3::2/64'

config interface 'henet'
        option proto '6in4'
        option peeraddr '216.66.80.98'
        option ip6addr '2001:ttt:25:yyy::2/64'
        option tunnelid '355738'
        option username 'xxxxxx'
        option password 'xxxxxxxxxx'
        list ip6prefix '2001:ttt:qqqq::/48'
        option auto '0'

config interface 'nat64'
        option proto 'tayga'
        option ipv4_addr '192.0.2.1'
        option ipv6_addr '2001:ttt:qqqq:0201::1'
        option prefix '2001:ttt:qqqq:ffff::/96'
        option dynamic_pool '192.0.2.0/24'
        option accept_ra '0'
        option send_rs '0'
        option auto '0'

config route
        option interface 'lan'
        option target '192.168.183.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.135'

config route
        option interface 'lan'
        option target '192.168.56.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config interface 'VPN_USA'
        option proto 'none'
        option ifname 'tun2'

config interface 'LAN_VPN_USA'
        option proto 'static'
        option ifname 'eth0.10'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 4.4.4.4'
        option metric '10'
        option ipaddr '192.168.180.1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '0'
        option enable_tftp '1'
        list server '8.8.8.8'
        list server '8.8.4.4'
        option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '50'
        option limit '200'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'menionbananapi'
        option ip '192.168.182.192'



package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan nat64'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 henet'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option name 'Allow DHCPv6 Relay'
        option family 'ipv6'
        option src_port '547'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '10001'
        option dest_ip '192.168.182.18'
        option dest_port '10001'
        option name 'Allarme'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1028'
        option dest_port '1028'
        option name 'Webcam Cameretta'
        option dest_ip '192.168.182.216'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1030'
        option dest_port '1030'
        option name 'Webcam Taverna'
        option dest_ip '192.168.182.239'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1027'
        option dest_ip '192.168.182.22'
        option dest_port '1027'
        option name 'Webcam Camera'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5144'
        option dest_ip '192.168.182.192'
        option dest_port '5144'
        option name 'aMule TCP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '5134'
        option dest_ip '192.168.182.192'
        option dest_port '5134'
        option name 'aMule UDP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6881'
        option dest_ip '192.168.182.192'
        option dest_port '6881'
        option name 'Torrent first'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6882'
        option dest_ip '192.168.182.192'
        option dest_port '6882'
        option name 'Torrent second'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1032'
        option dest_ip '192.168.182.25'
        option name 'WebCam Sala 720p'
        option dest_port '1032'
        option enabled '0'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '443'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn0 vpn1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option name 'OpenVPN TCP'
        option src_dport '443'
        option dest_ip '192.168.182.1'
        option dest_port '8094'

config rule
        option name 'Allow-OpenVPN-UDP-InBound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1195'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1195'
        option dest_ip '192.168.182.1'
        option dest_port '1195'
        option name 'OpenVPN UDP'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'vpn'
        option src 'wan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5201'
        option dest_ip '192.168.182.1'
        option dest_port '5201'
        option name 'Iperf3'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6981'
        option dest_ip '192.168.182.192'
        option dest_port '6981'
        option name 'qBitTorrent'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1029'
        option dest_ip '192.168.182.23'
        option dest_port '1029'
        option name 'Webcam Cucina'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.192'
        option name 'OpenVPN backup TCP'
        option src_dport '8194'
        option dest_port '8194'
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8195'
        option dest_ip '192.168.182.192'
        option dest_port '8195'
        option name 'OpenVPN backup UDP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.10'
        option dest_port '8294'
        option name 'OpenVPN TCP P0'
        option src_dport '8294'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8295'
        option dest_ip '192.168.182.10'
        option dest_port '8295'
        option name 'OpenVPN UDP P0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8394'
        option dest_ip '192.168.182.11'
        option dest_port '8394'
        option name 'OpenVPN TCP P1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8395'
        option dest_ip '192.168.182.11'
        option dest_port '8395'
        option name 'OpenVPN UDP P1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '34567'
        option dest_ip '192.168.182.26'
        option dest_port '34567'
        option name 'Webcam cucina2'
        option enabled '0'

config rule
        option src 'lan'
        option name 'Drop IPv6 flooding UPnP'
        option target 'DROP'
        option family 'ipv6'
        option proto 'udp'
        option dest_port '1900'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.182.21'
        option name 'Webcam Camera2'
        option src_dport '1040'
        option dest_port '1040'
        option enabled '0'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.192'
        option dest_port '4200'
        option name 'Shellinabox'
        option src_dport '443'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.182.1'
        option dest_port '9999'
        option name 'squid'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '88'
        option dest_ip '192.168.182.168'
        option dest_port '88'
        option name 'Xbox 1'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '500'
        option dest_ip '192.168.182.168'
        option dest_port '500'
        option name 'Xbox 2'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '3544'
        option dest_ip '192.168.182.168'
        option dest_port '3544'
        option name 'Xbox 3'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '4500'
        option dest_ip '192.168.182.168'
        option dest_port '4500'
        option name 'Xbox 4'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_ip '192.168.182.168'
        option dest_port '53'
        option name 'Xbox 5'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.182.168'
        option dest_port '80'
        option name 'Xbox 6'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '50182'
        option dest_ip '192.168.182.168'
        option dest_port '50182'
        option name 'Xbox 7'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '50182'
        option name 'Xbox One'
        option family 'ipv6'
        option dest 'lan'
        option enabled '0'

config rule
        option proto 'tcp udp'
        option src 'lan'
        option src_mac 'A0:9D:C1:72:B3:85'
        option target 'DROP'
        option name 'IPCAM Cucina no Internet'
        option dest 'wan'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Sala no Internet'
        option src 'lan'
        option src_mac '48:02:2A:0B:E1:16'
        option dest 'wan'
        option target 'DROP'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Taverna no Internet'
        option src 'lan'
        option src_mac 'A0:9D:C1:72:EC:F4'
        option dest 'wan'
        option target 'DROP'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Letto no Internet'
        option src 'lan'
        option src_mac 'E0:B9:4D:D4:A3:B5'
        option dest 'wan'
        option target 'DROP'

config rule
        option src 'wan'
        option proto 'udp'
        option name 'Block 3074'
        option dest 'lan'
        option target 'REJECT'
        option enabled '0'

config zone
        option output 'ACCEPT'
        option network 'VPN_USA'
        option name 'vpn_usa'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan_vpn_usa'
        option network 'LAN_VPN_USA'
        option forward 'ACCEPT'

config forwarding
        option dest 'vpn_usa'
        option src 'lan_vpn_usa'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'STUN'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '5349'
        option enabled '0'

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 58385,
        "l3_device": "br-wan",
        "proto": "dhcp",
        "device": "br-wan",
        "updated": [
                "addresses",
                "routes",
                "data"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.188.24",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "192.168.188.1",
                        "source": "192.168.188.24/32"
                }
        ],
        "dns-server": [
                "192.168.188.1"
        ],
        "dns-search": [
                "fritz.box"
        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "leasetime": 864000,
                "ntpserver": "192.168.188.1"
        }
}
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 58385,
        "l3_device": "6in4-wan6",
        "proto": "6in4",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2001:xxx:yyyy:d3e3::2",
                        "mask": 64
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:xxx:yyyy:d3e3::2/64"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 58389,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.182.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "fdb5:24dd:30d::",
                        "mask": 64,
                        "local-address": {
                                "address": "fdb5:24dd:30d::1",
                                "mask": 64
                        }
                }
        ],
        "route": [
                {
                        "target": "10.10.0.0",
                        "mask": 24,
                        "nexthop": "192.168.182.192",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "10.11.0.0",
                        "mask": 24,
                        "nexthop": "192.168.182.192",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "10.12.0.0",
                        "mask": 24,
                        "nexthop": "192.168.182.10",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "10.13.0.0",
                        "mask": 24,
                        "nexthop": "192.168.182.10",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "10.14.0.0",
                        "mask": 24,
                        "nexthop": "192.168.182.11",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "10.15.0.0",
                        "mask": 24,
                        "nexthop": "192.168.182.11",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "192.168.56.0",
                        "mask": 24,
                        "nexthop": "192.168.182.192",
                        "source": "0.0.0.0/0"
                },
                {
                        "target": "192.168.183.0",
                        "mask": 24,
                        "nexthop": "192.168.182.135",
                        "source": "0.0.0.0/0"
                }
        ],
        "dns-server": [
                "8.8.8.8",
                "8.8.4.4"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}
root@MenionRouter:/etc/config#

Remove these from lan and assign them to wan. Or don't assign them at all, since you have them in dhcp config.

Mask the username and password of henet.

If the LAN hosts are not able to acquire any GUA IPv6 from your ISP, then the other thing I can think of is NAT66.
However you should call your ISP and shame-talk them for allocating just a /64, which is only applicable for one device.

I don't understand honestly (my limitation) why /64 routable network cannot make it work for more than one device. If I use my ISP router with IPv6 enable, all the device in the network gets the IPv6 address and IPv6 works. And it is just opening a 6in4 tunnel as I am doing on my OpenWRT. In the and also Hurricane by default gives /64 network

Coming back to the relay. It never worked for me. When I had a working IPv6, I tried to set a relay setup on a router acting as relayd bridge over WiFi. And never worked.

I suspect that the entire IPv6 relay has some problem to work, did you ever been able to have it working at all?