IPv6 Configuration issue (ISP responds to DHCPv6)

I'm having some trouble getting IPv6 to work correctly. I do seem to correctly get an IP from the ISP, but the interface never seems to come up in OpenWRT, and is never assigned an IP.

Any suggestions on how to debug this? Did I configure something incorrectly?

root@UBNT-ERX:/# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddd:e174:99cc::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '...'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '....'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

Looking for logs from odhcp6c

Tue Feb  9 17:23:41 2021 daemon.err odhcp6c[4584]: Failed to send RS (Address not available)

Looks like I get a correct response from the upstream ISP:

root@UBNT-ERX:/# tcpdump -vvv -i eth0.2 ip6
17:55:52.192025 IP6 (flowlabel 0xf3ce0, hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::7683:c2ff:fe0e:b4cc > ip6-allrouters: [icmp6 sum ok] ICMP6, router solicitation, length 8
17:55:52.699882 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::1 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 64
	hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
	  source link-address option (1), length 8 (1): 24:16:6d:be:a2:eb
	    0x0000:  2416 6dbe a2eb
	  mtu option (5), length 8 (1):  1500
	    0x0000:  0000 0000 05dc
	  prefix info option (3), length 32 (4): 2001:xxx:xxxx::/64, Flags [onlink], valid time 300s, pref. time 300s
	    0x0000:  4080 0000 012c 0000 012c 0000 0000 2001
	    0x0010:  09b1 408b 0000 0000 0000 0000 0000

Seems like solicit requests just keep being sent; the ISP responds with an advertisement occasionally, but not always.

root@UBNT-ERX:/# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr ....
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::7683:c2ff:fe0e:b4cb/64 Scope:Link
          inet6 addr: fddd:e174:99cc::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:153200 errors:0 dropped:15 overruns:0 frame:0
          TX packets:126625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64189019 (61.2 MiB)  TX bytes:116604368 (111.2 MiB)

eth0      Link encap:Ethernet  HWaddr ....
          inet6 addr: fe80::7683:c2ff:fe0e:b4cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26570290 errors:6 dropped:623 overruns:0 frame:0
          TX packets:26608552 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22782755416 (21.2 GiB)  TX bytes:22905965700 (21.3 GiB)
          Interrupt:20

eth0.1    Link encap:Ethernet  HWaddr .....
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:153200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64189019 (61.2 MiB)  TX bytes:116604368 (111.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr ...
          inet addr:....  Bcast:....  Mask:255.255.255.240
          inet6 addr: fe80::7683:c2ff:fe0e:b4cc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:118943 errors:0 dropped:493 overruns:0 frame:0
          TX packets:144753 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:100763134 (96.0 MiB)  TX bytes:65186380 (62.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11552 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1122927 (1.0 MiB)  TX bytes:1122927 (1.0 MiB)

Have you touched the default firewall rules? Are you running banIP by any chance?


Not running banIP.

I have not changed the firewall rules either, although I find it a bit strange that I get the following response when trying to do a simple ping over IPv6:

root@UBNT-ERX:~# ping6 google.com
PING google.com (2a00:1450:400f:80a::200e): 56 data bytes
ping6: sendto: Permission denied
root@UBNT-ERX:/tmp# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */
input_rule  all      anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all      anywhere             anywhere             /* !fw3 */
zone_wan_input  all      anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all      anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all      anywhere             anywhere             /* !fw3 */
zone_wan_forward  all      anywhere             anywhere             /* !fw3 */
reject     all      anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */
output_rule  all      anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all      anywhere             anywhere             /* !fw3 */
zone_wan_output  all      anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp      anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all      anywhere             anywhere             /* !fw3 */ reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan input rule chain */
zone_lan_src_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all      anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
zone_lan_dest_ACCEPT  esp      anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp      anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
zone_wan_dest_REJECT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp      fc00::/6             fc00::/6             udp dpt:dhcpv6-client /* !fw3: Allow-DHCPv6 */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 130 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 131 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 132 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 143 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
zone_wan_src_REJECT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all      anywhere             anywhere             /* !fw3 *

Better use the ip6tables-save -c

Not strange, there is no IPv6 so it cannot ping it.
What is strange is that after your router gets (?) the RA, it should send a dhcp6 solicit, however it is not evident from your previous capture. So the router either blocked or ignored for some reason the RA.


Ah, I thought the solicit was sent prior to the RA usually, but I probably got that wrong. Here's a longer capture:

root@UBNT-ERX:/lib/netifd# tcpdump -vvv -i eth0.2 ip6
tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
21:56:06.831951 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0xde59!] dhcp6 solicit (xid=a9e927 (elapsed-time 65535) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:56:07.870347 IP6 (flowlabel 0xf3ce0, hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::7683:c2ff:fe0e:b4cc > ip6-allrouters: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): ...
	    0x0000:  7483 c20e b4cc
21:56:08.391931 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x67e3!] dhcp6 solicit (xid=ad5f9a (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:56:08.400947 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::1 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 64
	hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
	  source link-address option (1), length 8 (1): 24:16:6d:be:a2:eb
	    0x0000:  2416 6dbe a2eb
	  mtu option (5), length 8 (1):  1500
	    0x0000:  0000 0000 05dc
	  prefix info option (3), length 32 (4): 2001:xxx:xxxx::/64, Flags [onlink], valid time 300s, pref. time 300s
	    0x0000:  4080 0000 012c 0000 012c 0000 0000 2001
	    0x0010:  09b1 408b 0000 0000 0000 0000 0000
21:56:09.471995 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x6777!] dhcp6 solicit (xid=ad5f9a (elapsed-time 108) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:56:11.471936 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x66af!] dhcp6 solicit (xid=ad5f9a (elapsed-time 308) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:56:15.471933 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x651f!] dhcp6 solicit (xid=ad5f9a (elapsed-time 708) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:56:24.111957 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x61bf!] dhcp6 solicit (xid=ad5f9a (elapsed-time 1572) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:56:40.111929 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x5b7f!] dhcp6 solicit (xid=ad5f9a (elapsed-time 3172) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
21:57:11.471938 IP6 (flowlabel 0xb954c, hlim 1, next-header UDP (17) payload length: 111) fe80::7683:c2ff:fe0e:b4cc.546 > ff02::1:2.547: [bad udp cksum 0xea65 -> 0x4f3f!] dhcp6 solicit (xid=ad5f9a (elapsed-time 6308) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 ...) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))

iptables:

# Generated by ip6tables-save v1.8.3 on Tue Feb  9 22:00:53 2021
*mangle
:PREROUTING ACCEPT [3268:301674]
:INPUT ACCEPT [2820:240078]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3099:415512]
:POSTROUTING ACCEPT [3102:415672]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Feb  9 22:00:53 2021
# Generated by ip6tables-save v1.8.3 on Tue Feb  9 22:00:53 2021
*filter
:INPUT ACCEPT [4:240]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[65:13443] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2755:226635] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[109:9551] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:1040] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2579:211036] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[67:6048] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[65:13443] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3034:402069] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1889:302099] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[983:77828] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[162:22142] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[13:1040] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[983:77828] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2579:211036] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[2579:211036] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[983:77828] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[983:77828] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2575:210796] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[162:22142] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[67:6048] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[3:160] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[12:864] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[40:4160] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[12:864] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[162:22142] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[162:22142] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Feb  9 22:00:53 2021

There doesn't seem to be any dhcp6 advertise to the numerous dhcp solicits.
Check with your ISP if there is an issue from their side or whether you are missing something.


Thanks for all the input, much appreciated!

I tried the router I got from the ISP directly, and that also didn't work, so I've contacted them. Probably some problem at their end.

Just for interest, in the TCP dump, I thought the "router solicitation" and "router advertisement" packets came from the ISP, but perhaps those are all outgoing requests? fe80::7683:c2ff:fe0e:b4cc > ip6-allrouters: that IP is at least the IP I get from ifconfig on eth0.2 interface, and fe80::1 > ip6-allnodes perhaps also indicates it's an outgoing connect?

The IP I do get in the router advertisement, prefix info option (3), length 32 (4): 2001:xxx:xxxx::/64, does belong to the ISP though if I do a lookup.

By default Linux routers don't listen to RAs. Specifically, if the ipv6 sysctl for ip_forwarding is set, then you have to set accept_ra = 2 on the interface for it to listen to the RAs.

Normally a router does a Prefix Delegation request through DHCPv6 and a compliant good working ISP should by default return a delegated /56 prefix unless you specifically ask for a /48, in which case it should return a /48. In practice ISPs are generally *****ed up in their IPv6 handling, and either don't know what they're doing, or are attempting to intentionally perpetuate IP scarcity by handing out only /64 prefixes which are the smallest possible compliant prefix and is quite simply a broken config. Some ISPs even hand out a single /128 address.


The RA is coming from the ISP, however the ISP is not replying to the DHCP solicits, which is a different protocol.

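The distinction drawn in the two replies above (the RA arrives from the ISP, while the DHCPv6 solicits go out and are never answered), as an added example that is not part of the thread: a shell function that sorts `tcpdump -vvv` text by direction and protocol. The function names, the addresses `fe80::2`, `fe80::1` and `2001:db8:0:1::/64`, and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the text output of
#   tcpdump -vvv -i <wan-if> ip6
# by direction and protocol, so a missing DHCPv6 answer stands out.

# Usage: classify_capture <own link-local address on the WAN port> < capture.txt
classify_capture() {
    awk -v me="$1" '
    # A new packet starts with a timestamp; option lines are indented.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ {
        in_ra = 0
        src = ""
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
        sub(/\.[0-9]+$/, "", src)          # drop a UDP port suffix such as ".546"
        dir = (src == me) ? "out" : "in"   # sent by this router, or received

        if      ($0 ~ /router solicitation/)  n["rs_" dir]++
        else if ($0 ~ /router advertisement/) { n["ra_" dir]++; in_ra = (dir == "in") }
        else if ($0 ~ /dhcp6 solicit/)        n["solicit_" dir]++
        else if ($0 ~ /dhcp6 advertise/)      n["advertise_" dir]++
        else if ($0 ~ /dhcp6 reply/)          n["reply_" dir]++
        next
    }
    # The managed (M) flag is printed on the first option line of a received RA.
    in_ra && /hop limit/ && /managed/ { n["ra_managed"]++ }
    END {
        answered = n["advertise_in"] + n["reply_in"]
        if (n["solicit_out"] == 0)    verdict = "no-solicit-sent"
        else if (answered > 0)        verdict = "dhcpv6-answered"
        else if (n["ra_managed"] > 0) verdict = "ra-managed-but-dhcpv6-silent"
        else                          verdict = "dhcpv6-silent"
        printf "rs_out=%d ra_in=%d ra_managed=%d solicit_out=%d dhcpv6_answers=%d verdict=%s\n",
            n["rs_out"], n["ra_in"], n["ra_managed"], n["solicit_out"], answered, verdict
    }'
}

# Constructed sample, modelled on the capture format shown in the thread.
sample_capture() {
    cat <<'EOF'
10:00:00.100000 IP6 (flowlabel 0x11111, hlim 1, next-header UDP (17) payload length: 111) fe80::2.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=111111 (elapsed-time 0) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
10:00:01.100000 IP6 (flowlabel 0x22222, hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::2 > ip6-allrouters: [icmp6 sum ok] ICMP6, router solicitation, length 16
10:00:01.600000 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::1 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 64
    hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
      prefix info option (3), length 32 (4): 2001:db8:0:1::/64, Flags [onlink], valid time 300s, pref. time 300s
10:00:02.100000 IP6 (flowlabel 0x11111, hlim 1, next-header UDP (17) payload length: 111) fe80::2.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=111111 (elapsed-time 200) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
10:00:04.100000 IP6 (flowlabel 0x11111, hlim 1, next-header UDP (17) payload length: 111) fe80::2.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=111111 (elapsed-time 400) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
EOF
}

# Stand-alone run on the constructed sample.
sample_capture | classify_capture fe80::2
```

On a live router the input would be a saved capture from the WAN interface, with the interface's own link-local address as the argument.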

Thanks for the help guys!

Turns out the ISP had messed up their config - they corrected it and I now get a /56 and everything seems to work well!


WOOT an ISP that has its stuff together
