Hi everyone,
I am running 18.06.2 on a TP-Link Archer C5 v1. In the course of setting up WireGuard on my router, I have run into what appears to be an issue with its IPv6 configuration. The context is that my ISP has native IPv6 (which I have been using successfully for some time), but CGNAT IPv4, so connections to WireGuard need to be over IPv6. However, I cannot ping my router's IPv6 address from outside my network and cannot ping IPv6 addresses from the router itself. Oddly, devices on my network can ping IPv6 addresses fine and can ping the router itself over IPv6 (although the router cannot ping them back over IPv6).
I am unsure whether this is a routing or firewall issue and have limited experience with both. My configuration details are below.
Grateful for any assistance.
/etc/config/network:
# /etc/config/network as posted (UCI syntax; the paste lost its indentation).
# Loopback interface: 127.0.0.1 with netmask 255.0.0.0 on 'lo'.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global settings: the ULA (fd00::/8 range) prefix for local-only IPv6 addressing.
config globals 'globals'
option ula_prefix 'fde9:8a3b:44e0::/48'
# LAN: a bridge over eth1 with the static IPv4 address 192.168.10.1/24.
config interface 'lan'
option ifname 'eth1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
# Requests a /60 for this interface out of whatever prefix is delegated upstream.
option ip6assign '60'
option ipaddr '192.168.10.1'
# Public resolvers configured on the LAN interface itself.
option dns '8.8.8.8 8.8.4.4'
# Spanning tree enabled on the LAN bridge.
option stp '1'
# WAN (IPv4): DHCP client on eth0.
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
# WAN (IPv6): DHCPv6 client on the same physical device as 'wan'.
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
# Value is unquoted, unlike every other option here; UCI accepts both forms.
option defaultroute 1
# Switch: VLANs enabled on switch0, reset on initialisation.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# The only VLAN defined: VLAN 1 with ports 0, 2, 3, 4 and 5.
# NOTE(review): which port is the CPU port is not shown here - confirm against the board layout.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 2 3 4 5'
/etc/config/dhcp:
# /etc/config/dhcp as posted: dnsmasq (DNS/DHCPv4) and odhcpd (RA/DHCPv6) settings.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# DNS rebinding protection is on: upstream answers that point into private
# address ranges are discarded; rebind_localhost extends this to 127.0.0.0/8.
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# Only answer DNS queries from directly attached subnets, so the resolver is
# not exposed as an open resolver on the WAN side.
option localservice '1'
# Extra server list loaded from /tmp.
# NOTE(review): the file name suggests an ad-blocking package generates it - confirm.
option serversfile '/tmp/adb_list.overall'
option nonwildcard '0'
# Local domain values were redacted by the poster.
option local '[*****]'
option domain '[*****]'
# Upstream resolver used by dnsmasq.
list server '8.8.8.8'
# LAN pool: IPv4 leases start at offset 100, 150 addresses, 12 hour lease time.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
# IPv6 on the LAN: this router acts as DHCPv6 server and sends router advertisements.
option dhcpv6 'server'
option ra 'server'
# ra_management '1': clients are offered both SLAAC and stateful DHCPv6.
option ra_management '1'
# No DHCP service is offered on the WAN interface.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd is not the main DHCPv4 server (maindhcp '0'); dnsmasq keeps that role.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
/etc/config/firewall:
# /etc/config/firewall as posted: default policies, two zones, and the rule set.
# Default policies, used where no zone applies.
# NOTE(review): with input 'ACCEPT' here, an interface that is not a member of any
# zone (for example a newly added tunnel interface) would have its inbound traffic
# accepted - assign every new interface to a zone explicitly.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: fully trusted (input, output and forward all ACCEPT).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
# WAN zone: covers both 'wan' and 'wan6'. Inbound and forwarded traffic is
# rejected unless a rule below accepts it; masquerading and MSS clamping are on.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# LAN hosts may initiate connections towards the WAN zone.
config forwarding
option src 'lan'
option dest 'wan'
# Accept DHCP replies to the router's own client (UDP port 68, IPv4 only).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept inbound IPv4 echo-request. Restricted to family 'ipv4', so IPv6 ping
# is governed by Allow-ICMPv6-Input further down, not by this rule.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept IGMP from the WAN side (IPv4 only).
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Accept DHCPv6 replies (UDP 547 -> 546), limited to link-local source and
# destination addresses so off-link hosts cannot reach the DHCPv6 client.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Accept Multicast Listener Discovery messages (ICMPv6 types 130, 131, 132, 143)
# from link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types addressed to the router itself, rate-limited to
# 1000 packets per second. echo-request is in the list, so this file on its own
# permits inbound ping6 to the router.
# NOTE(review): /etc/firewall.user is included further down and its contents are
# not shown; custom rules there could still change the outcome.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward the listed ICMPv6 types from WAN to any zone (dest '*'), rate-limited.
# Because echo-request is included, hosts behind the router answer IPv6 pings
# from outside; the error types (packet-too-big etc.) are needed for path MTU
# discovery to work.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Custom rules loaded from a shell script; its contents are not part of the post.
config include
option path '/etc/firewall.user'
# Unnamed rule forwarding ESP from WAN to LAN; disabled (enabled '0').
# NOTE(review): together with the UDP 500 rule below this looks like a leftover
# IPsec pass-through - confirm, and delete both if unused rather than keeping
# disabled rules that could be re-enabled by mistake.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
# Unnamed rule forwarding UDP port 500 from WAN to LAN; also disabled.
# NOTE(review): no rule in this file accepts a WireGuard listen port from 'wan'.
# With the zone's input policy set to REJECT, inbound tunnel traffic needs one
# narrowly scoped UDP rule for that port, added once the tunnel is configured.
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
Output of 'ifstatus wan6':
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 2551,
"l3_device": "eth0",
"proto": "dhcpv6",
"device": "eth0",
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
],
"ipv6-address": [
{
"address": "2a01:[****]",
"mask": 128,
"preferred": 69447,
"valid": 83847
}
],
"ipv6-prefix": [
{
"address": "2a01:[****]",
"mask": 56,
"preferred": 69447,
"valid": 83847,
"class": "wan6",
"assigned": {
"lan": {
"address": "2a01:[****]",
"mask": 60
}
}
}
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "::",
"mask": 0,
"nexthop": "fe80::4efa:caff:fef5:9f1b",
"metric": 512,
"valid": 1798,
"source": "2a01:[****]\/56"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::4efa:caff:fef5:9f1b",
"metric": 512,
"valid": 1798,
"source": "2a01:[****]\/128"
}
],
"dns-server": [
],
"dns-search": [
"hyperoptic.com"
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
]
},
"data": {
"passthru": "001800100a68797065726f7074696303636f6d00"
}
}
Result of 'ping6 ipv6[.]google[.]com' from the router:
PING ipv6[.]google[.]com (2a00:1450:4009:807::200e): 56 data bytes
^C
--- ipv6[.]google[.]com ping statistics ---
19 packets transmitted, 0 packets received, 100% packet loss
Result of 'ping6 ipv6[.]google[.]com' from a client:
PING6(56=40+8+8 bytes) 2a01:[****] --> 2a00:1450:4009:815::200e
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=0 hlim=248 time=1.971 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=1 hlim=248 time=1.941 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=2 hlim=248 time=2.193 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=3 hlim=248 time=2.021 ms
16 bytes from 2a00:1450:4009:815::200e, icmp_seq=4 hlim=248 time=2.054 ms
^C
--- ipv6[.]l[.]google[.]com ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.941/2.036/2.193/0.088 ms
Result of visiting ipv6-test.com from a network client: