IPv6 config – Router cannot ping IPv6 addresses, but clients can

Hi everyone,

I am running 18.06.2 on a TP-Link Archer C5 v1. In the course of setting up WireGuard on my router, I have run into what appears to be an issue with its IPv6 configuration. The context is that my ISP has native IPv6 (which I have been using successfully for some time), but CGNAT IPv4, so connections to WireGuard need to be over IPv6. However, I cannot ping my router's IPv6 address from outside my network and cannot ping IPv6 addresses from the router itself. Oddly, devices on my network can ping IPv6 addresses fine and can ping the router itself over IPv6 (although the router cannot ping them back over IPv6).

I am unsure whether this is a routing or firewall issue and have limited experience with both. My configuration details are below.

Grateful for any assistance.

/etc/config/network:

# /etc/config/network as posted. Comments only describe what the stanzas
# themselves state; anything inferred is marked as such.

# Loopback: static 127.0.0.1/8.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Site-local ULA /48. With ip6assign set on 'lan' below, OpenWrt normally
# hands LAN hosts a ULA address alongside the globally-routable one.
config globals 'globals'
	option ula_prefix 'fde9:8a3b:44e0::/48'

# LAN: bridge over eth1, static 192.168.10.1/24. ip6assign '60' carves a /60
# out of the prefix delegated on wan6 (the ifstatus output further down shows
# the /56 delegation with a /60 assigned to 'lan').
# 'dns' here sets the router's own upstream resolvers on this interface
# (Google public DNS, also listed as dnsmasq upstream in /etc/config/dhcp);
# it does not by itself change which resolver DHCP clients are told to use.
config interface 'lan'
	option ifname 'eth1'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'
	option dns '8.8.8.8 8.8.4.4'
	option stp '1'

# IPv4 WAN: DHCP client on eth0 (the post says the ISP uses CGNAT, so no
# inbound IPv4 is expected here).
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

# IPv6 WAN: DHCPv6 client on eth0, installs the IPv6 default route. The thread
# ends with the fix of no longer requesting a global address for this
# interface (LuCI "Request IPv6-address" = disabled, i.e. option reqaddress
# 'none') while still taking a delegated prefix; the router is then reached
# on the global address of its LAN interface instead.
config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'
	option defaultroute 1

# Switch: VLAN 1 spans ports 0 2 3 4 5 (which port is the CPU port is
# board-specific and not stated in the post).
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 2 3 4 5'

/etc/config/dhcp:

# /etc/config/dhcp as posted. dnsmasq serves DNS and DHCPv4; odhcpd handles
# DHCPv6 and router advertisements (maindhcp '0' below keeps dnsmasq as the
# main DHCPv4 server).
# Hardening present: rebind_protection/rebind_localhost (dnsmasq's
# stop-dns-rebind: drop upstream answers pointing into private ranges),
# localservice (answer DNS only for local subnets), domainneeded (do not
# forward unqualified names upstream). Upstream resolver is Google's, plain
# UDP/53. serversfile is an extra upstream-server list; judging by the path
# it is presumably generated by the adblock package — confirm.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '0'
	option local '[*****]'
	option domain '[*****]'
	list server '8.8.8.8'

# LAN pool: DHCPv4 192.168.10.100-.249 (start 100, limit 150), 12h leases.
# dhcpv6 'server' + ra 'server' make odhcpd run stateful DHCPv6 and send RAs
# on the LAN. ra_management '1' is, on 18.06, "stateless + stateful" (clients
# may SLAAC and also ask DHCPv6) — confirm against the running version.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

# No DHCP/RA service offered towards the WAN.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd keeps its own lease file and trigger script; it is not the main
# DHCPv4 server (maindhcp '0').
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

/etc/config/firewall:

# /etc/config/firewall as posted. This appears to be the stock 18.06 (fw3)
# default ruleset plus two disabled IPsec rules at the end. Nothing here
# blocks ICMPv6 echo to or from the router, which is consistent with the
# thread's conclusion that the fault was the wan6 address, not the firewall.

# Defaults apply to traffic matched by no zone; the wan zone below overrides
# input/forward with REJECT. syn_flood '1' enables SYN-flood rate limiting.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan zone: fully open between the router and LAN hosts.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'

# wan zone (covers both wan and wan6): no unsolicited input or forwarding,
# outbound allowed. masq '1' is IPv4 NAT (fw3 has a separate masq6 option for
# IPv6, not set here, so LAN hosts use their global addresses directly).
# mtu_fix enables TCP MSS clamping.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# The only permitted inter-zone forwarding: lan -> wan. Anything inbound to
# LAN hosts needs an explicit rule (see Allow-ICMPv6-Forward below).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock IPv4 helpers: DHCP renew (udp/68), ICMP echo, IGMP. The ping rule is
# family 'ipv4' only; IPv6 echo to the router is covered by
# Allow-ICMPv6-Input further down.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client traffic, restricted to link-local source and destination,
# server port 547 -> client port 546. This is what lets wan6 obtain its
# address and delegated prefix.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD (multicast listener discovery) from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 the router itself must accept for IPv6 to work (neighbour/router
# discovery, packet-too-big, errors) plus echo-request/echo-reply, all
# rate-limited to 1000/s. This rule is why the router answers pings from the
# Internet; echo-request can be dropped from this list without breaking IPv6.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), i.e. to LAN hosts. The
# echo-request entry here is what makes LAN hosts pingable from the Internet
# (the concern raised later in the thread); it can be removed from this list,
# but packet-too-big, destination-unreachable and time-exceeded should stay —
# they carry the path-MTU and error signalling IPv6 relies on.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Hook for hand-written iptables rules. The file's contents are not shown in
# the thread, so whatever it adds cannot be reviewed here.
config include
	option path '/etc/firewall.user'

# IPsec passthrough (ESP, and IKE on udp/500) from wan to lan — both rules
# are disabled (enabled '0'), so they are inactive.
config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

Output of 'ifstatus wan6':

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 2551,
	"l3_device": "eth0",
	"proto": "dhcpv6",
	"device": "eth0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a01:[****]",
			"mask": 128,
			"preferred": 69447,
			"valid": 83847
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a01:[****]",
			"mask": 56,
			"preferred": 69447,
			"valid": 83847,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a01:[****]",
					"mask": 60
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::4efa:caff:fef5:9f1b",
			"metric": 512,
			"valid": 1798,
			"source": "2a01:[****]\/56"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::4efa:caff:fef5:9f1b",
			"metric": 512,
			"valid": 1798,
			"source": "2a01:[****]\/128"
		}
	],
	"dns-server": [
		
	],
	"dns-search": [
		"hyperoptic.com"
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		"passthru": "001800100a68797065726f7074696303636f6d00"
	}
}

Result of 'ping6 ipv6[.]google[.]com' from the router:

PING ipv6[.]google[.]com (2a00:1450:4009:807::200e): 56 data bytes
^C
--- ipv6[.]google[.]com ping statistics ---
19 packets transmitted, 0 packets received, 100% packet loss

Result of 'ping6 ipv6[.]google[.]com' from a client:

PING6(56=40+8+8 bytes) 2a01:[****] --> 2a00:1450:4009:815::200e
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=0 hlim=248 time=1.971 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=1 hlim=248 time=1.941 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=2 hlim=248 time=2.193 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=3 hlim=248 time=2.021 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=4 hlim=248 time=2.054 ms
^C
--- ipv6[.]l[.]google[.]com ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.941/2.036/2.193/0.088 ms

Result of visiting ipv6-test.com from a network client:


Not necessarily, you can open the IPv4 firewall on the far-end device instead - and do keep-alives.

I don't see Wireguard configs anywhere.

Try:

ping ipv6.google.com -I <IPv6_address_of_test_Interface>

If the IPv6 address assigned to the wan6 interface doesn't work, then you could try disabling it by setting "Request IPv6-address" to disabled (in /etc/config/network that is `option reqaddress 'none'` on the wan6 interface). Then you won't receive any DHCPv6 address, but you will still get a prefix via DHCPv6-PD. BTW you don't need a global IPv6 address on wan6; you can receive traffic to any global IPv6 address assigned to an interface on the router. You could also assign an address to @loopback if you want an additional IPv6 address.


Hi lleachii and mikma,

Many thanks for your responses.

Unfortunately I do not control the firewall on the remote-end, and also want to be able to connect while roaming, so I believe that my only option is to get this working over IPv6.

I have taken the WireGuard configs out until I can solve this problem. WireGuard was working perfectly within my network using IPv4 and IPv6, but when I took the same client outside my network it did not work. The far-end has IPv6 access via a HE.net tunnel.

Thanks. I have tried this, but the same result unfortunately. My suspicion is that I need to create a route for IPv6 traffic from the router to the wan, but I do not have a strong enough understanding of routing.

Could you explain the last part in a little more detail? Could I assign a different global IPv6 address to the WireGuard interface and point the far-end to that directly?

Thanks for your help.

Are you referring to the outside of the tunnel? Wireguard automatically uses all addresses that are available. It isn't possible to bind Wireguard to a single address by design. Which means you can use any IP address of the peer as the peer endpoint address as long as it's routed to the peer, and allowed in firewall(s).

IPv6 routing seems to be working since the LAN devices are able to use IPv6.

Do you mean that the LAN address doesn't work in OpenWrt?
ping 2a00:1450:400f:806::200e -I <IPv6_address_of_LAN_Interface>


You already have it:

So, it's most likely a firewall on one of the transit routers.
Try to check with mtr.

This turns out to be the solution. Once I disabled the IPv6 address of the wan6 interface, the router became able to ping IPv6 addresses. It appears others have been affected by this issue with my ISP (Hyperoptic in the UK) - e.g. Opkg update fails due to IPV6 running and https://forum.netgate.com/topic/135917/ipv6-setup-with-hyperoptic-uk-isp/10

I was then able to get WireGuard working by pointing peers to the IPv6 address of the router's lan interface.

Thanks to everyone who responded.


Hi
I raised the original topic mentioned in this thread, and disabling IPv6 for DHCP on the WAN interface does solve the problem – and all your IPv6 devices inside your network can still obtain globally-routable IPv6 addresses (through the prefix – not that I am an IPv6 expert, but I know a bit more now than I did a few weeks ago, due to some courses I am taking).
However, I have disabled IPv6 completely, as it still concerns me that these devices are now open to the world via ICMP (which is an essential part of IPv6, and disabling it breaks IPv6). Yes, the SPI part of the firewall does forbid explicit access to said devices (ssh, iperf3 etc.), but there is something unnerving about how my wife's iPhone can now be pinged by anyone! :slight_smile: I need to learn more and make sure something doesn't come onto my home network that ends up being IPv6-ready but has some sort of exploit in it.

cheers
cabs

You can block echo requests (ping) coming from the Internet if you want: in the firewall config above it is the echo-request entry of the Allow-ICMPv6-Forward rule that lets pings through to LAN devices. Pings aren't essential to allow in either IPv4 or IPv6, but allowing them makes troubleshooting easier. There is also a rate limit of 1000 ICMPv6 packets per second in the default rule.

Hi
I thought I tried this, and it broke the internal devices' ability to work, but I will try again :slight_smile:

cheers
cabs
