IPv6 essential firewall rules (V)LAN to (V)LAN

TL;DR: DNS server on VLAN Infra, client on VLAN LAN. Why do IPv6 DNS and IPv6 ping not work when using ULA unless I make the LAN firewall 'Input' ACCEPT?

Hi,

I am in the middle of setting up IPv6 on my home router. I have a /56 PD from my ISP and am setting up DHCPv6 and RA, with SLAAC enabled for some VLANs and not others.

My VLANs are configured REJECT,ACCEPT,REJECT in the firewall, so previously, when it was an IPv4-only network, I had rules for each VLAN to allow UDP port 67 to the router for DHCP and TCP/UDP port 53 to a DNS server on one of the VLANs for DNS.

Since adding IPv6 ULA and PD, I have added UDP port 547 to the DHCP rules, so clients can get a DHCPv6 address from the router, but I can't get DNS to work. I have added the DNS server's IPv6 address to the firewall rule, but the result of nslookup -type=AAAA bing.com *dns_IPv6_address* is Server UnKnown. I also couldn't ping the DNS server by its IPv6 address using ping -6 dns, so I added rules to allow ICMP from the VLAN to the VLAN with the DNS server in, but that still doesn't work.
The only thing that works, is if I adjust the firewall zone of the VLAN that is trying to reach the DNS server, to be ACCEPT,ACCEPT,REJECT which I don't want to do.
All the while, IPv4 ping and nslookup work to 192.168.26.53, regardless of whether Input is set to ACCEPT or REJECT.

What am I missing?
The wiki IPv6 configuration page doesn't have any firewall recommendations.

In case it helps
2 relevant VLANs are LAN (br-lan.31) and Infra (br-lan.26)
The DNS server is a pi-hole on Infra with the IPv4 address 192.168.26.53 and the IPv6 address fd18:a7e8:6f9b:26::53. The Infra firewall zone is currently set to ACCEPT,ACCEPT,ACCEPT and the LAN firewall zone is REJECT,ACCEPT,REJECT
I have a firewall rule that says Allow IPv4 and IPv6, protocol UDP from LAN to this device on ports 67 and 547, for DHCP (this works)
I have a firewall rule that says Allow IPv4 and IPv6, (protocol TCP & UDP) from LAN to Infra, IP 192.168.26.53, fd18:a7e8:69fb:26::53 on port 53, for DNS (this only works for IPv4)
I have a firewall rule that says Allow IPv4 and IPv6, protocol ICMP from 'LAN' to any zone

EDIT: I enabled logging the filter table for LAN to a logfile on the nvme drive in the router and can see that ICMPv6 messages of type 134,135,136 are being rejected 'IN=br.lan.31'. These are the ICMP types for Router Advertisement, Neighbor Solicitation etc., so presumably that's why I'm having problems. But I have an accept ICMP rule?

EDIT2: Might be relevant, but I'm troubleshooting from LAN via an OpenWrt Dumb AP which is connected via a TP-Link L3 switch (all trunked/tagged). The Dumb AP doesn't have a LAN6 DHCPv6 interface and the TP switch doesn't appear to have IPv6 enabled. If this is relevant, I'm all the more confused why setting the firewall on the router to Input ACCEPT, makes any difference
MORE EDIT2: took this out of the equation by using an ethernet lead to reach VLAN LAN. VLAN Infra works just fine with the infrastructure (i.e. if my client is on Infra, I can v6 ping and v6 DNS the DNS server on Infra)

Let’s see config instead of narrative.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi Dave, thanks for your interest.

Just want to reiterate, that setting Input to ACCEPT on any VLAN with IPv6 enabled, makes everything work (this means accept traffic from the VLAN to the router, but I have allow rules for DNS, DHCP and ICMP which don't appear to work).

root@Liberator:~# ubus call system board
{
        "kernel": "6.12.74",
        "hostname": "Liberator",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5S",
        "board_name": "friendlyarm,nanopi-r5s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "rockchip/armv8",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}
root@Liberator:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '0004ad06827947e3447e9537492005d333d2'
        option ula_prefix 'fd18:a7e8:6f9b::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config device
        option name 'eth1'
        option macaddr '1a:8a:43:**:**:**'

config device
        option name 'eth2'
        option macaddr '1a:8a:43:**:**:**'

config device
        option name 'eth0'
        option macaddr '1a:8a:43:**:**:**'

config interface 'wan'
        option device 'eth0'
        option proto 'pppoe'
        option username '*************************************'
        option password '*************************************'
        option ipv6 '1'
        option norelease '1'
        option multipath 'off'
        option peerdns '0'
        list dns '9.9.9.9'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '56'
        option norelease '1'
        option peerdns '0'
        option multipath 'off'
        list dns 'fd18:a7e8:6f9b:26::53'

config interface 'Infra'
        option proto 'static'
        option device 'br-lan.26'
        option ipaddr '192.168.26.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'
        option ip6assign '64'
        option ip6hint '26'

config bridge-vlan
        option device 'br-lan'
        option vlan '26'
        list ports 'eth1:t*'
        list ports 'eth2:t*'

config interface 'Modem'
        option proto 'static'
        option device '@wan'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option multipath 'off'

config interface 'DMZ'
        option proto 'static'
        option device 'br-lan.24'
        option ipaddr '192.168.24.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'

config interface 'Guest'
        option proto 'static'
        option device 'br-lan.25'
        option ipaddr '192.168.25.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'
        option ip6assign '64'
        option ip6hint '25'

config interface 'Audio'
        option proto 'static'
        option device 'br-lan.27'
        option ipaddr '192.168.27.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'

config interface 'Video'
        option proto 'static'
        option device 'br-lan.28'
        option ipaddr '192.168.28.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'

config interface 'IoT'
        option proto 'static'
        option device 'br-lan.29'
        option ipaddr '192.168.29.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'

config interface 'CCTV'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '24'
        list ports 'eth1:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '25'
        list ports 'eth1:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '27'
        list ports 'eth1:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '28'
        list ports 'eth1:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '29'
        list ports 'eth1:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'eth1:t'
        list ports 'eth2:t'

config interface 'ProtAlb35Ads'
        option proto 'wireguard'
        option private_key '*************************************'
        option ip4table 'prtn_alb'
        option ip6table 'prtn_alb'
        option multipath 'off'
        list addresses '10.2.0.1/24'
        list dns '10.2.0.1'

config wireguard_ProtAlb35Ads
        option description 'Imported peer configuration'
        option public_key '*************************************'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '74.118.126.4'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'Glas924Ads'
        option proto 'wireguard'
        option private_key '*************************************'
        option multipath 'off'
        option ip4table 'prtn_gla'
        option ip6table 'prtn_gla'
        list dns '10.2.0.1'
        list addresses '10.2.0.1/24'

config wireguard_Glas924Ads
        option description 'Imported peer configuration'
        option public_key '*************************************'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '185.28.254.2'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config rule 'policy_localroutes'
        option lookup 'main'
        option suppress_prefixlength '1'
        option priority '1000'

config rule
        option in 'Video'
        option lookup 'prtn_alb'
        option priority '2000'

config bridge-vlan
        option device 'br-lan'
        option vlan '31'
        list ports 'eth1:t'
        list ports 'eth2:t'

config rule
        option priority '2000'
        option in 'Audio'
        option lookup 'prtn_gla'

config rule
        option priority '2000'
        option in 'IoT'
        option lookup 'prtn_gla'

config rule
        option priority '2000'
        option in 'CCTV'
        option lookup 'ionos'

config rule
        option priority '2000'
        option in 'Guest'
        option lookup 'ionos'

config interface 'IONOS'
        option proto 'wireguard'
        option private_key '*************************************'
        list addresses '10.10.10.10/24'
        option multipath 'off'
        option ip4table 'ionos'
        option ip6table 'ionos'

config wireguard_IONOS
        option description 'Pyper'
        option public_key '*************************************'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host '***.***.***.***'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'HomeLAN'
        option proto 'static'
        option device 'br-lan.31'
        option ipaddr '192.168.31.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option ip6assign '64'
        option ip6hint '31'
root@Liberator:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory

WiFi is handled via WAX214v2 and NWA50AXPro, both using OpenWrt 24.10.5. These are connected to the router via tagged VLANs to TP-Link SG-2210P and Netgear GS110TPv3 respectively. I have spent time configuring IPv6 on all 4 of these devices in my attempt to make this work, but I think it's a bit of a red herring, as the VLAN Infra has always worked.

root@Liberator:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config dhcp 'Infra'
        option interface 'Infra'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'
        option ra 'server'
        option ra_slaac '0'
        option ra_preference 'medium'
        option dhcpv6 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns 'fd18:a7e8:6f9b:1e26::53'

config host
        list mac '34:98:B5:**:**:**'
        option ip '192.168.26.4'
        option name 'GS110TPv3'

config host
        option name 'WAX214v2'
        list mac '94:18:65:**:**:**'
        option ip '192.168.26.6'

config host
        option name 'TL-SG2210P'
        list mac '3C:52:A1:**:**:**'
        option ip '192.168.26.7'

config host
        option name 'GS308Ev4'
        list mac '54:07:7D:**:**:**'
        option ip '192.168.26.8'

config host
        option name 'NWA50AXPro'
        list mac '30:BD:13:**:**:**'
        option ip '192.168.26.9'

config host
        option name 'dns'
        list mac '00:16:3E:**:**:**'
        option ip '192.168.26.53'
        list duid '00020000ab110971c********************'
        option hostid '53'

config host
        option name 'nas'
        list mac '00:16:3E:**:**:**'
        option ip '192.168.26.250'

config host
        option name 'reverseproxy'
        list mac '00:16:3E:**:**:**'
        option ip '192.168.24.80'

config host
        option name 'lamp'
        list mac '00:16:3E:**:**:**'
        option ip '192.168.24.81'

config host
        option name 'HA'
        list mac '2C:CF:67:**:**:**'
        option ip '192.168.29.81'

config host
        option name 'TVRoomLamp'
        list mac '14:EB:B6:**:**:**'

config host
        option name 'Bedroom1Lamp'
        list mac '14:EB:B6:**:**:**'

config host
        option name 'FireHD10'
        list mac 'B4:B7:42:**:**:**'

config host
        option name 'FireTVCube'
        list mac '58:E4:88:**:**:**'

config host
        option name 'WiimUltra'
        list mac '54:78:C9:**:**:**'

config host
        option name 'BlinkDriveCamera'
        list mac 'E8:4C:4A:**:**:**'

config host
        option name 'BlinkDoorbell'
        list mac '08:91:A3:**:**:**'

config host
        option name 'BlinkSyncModule'
        list mac '58:E4:88:**:**:**'

config host
        option name 'MerossHeater'
        list mac '48:E1:E9:**:**:**'

config host
        option name 'MerossServer'
        list mac '48:E1:E9:**:**:**'

config host
        option name 'NexigoPJ40'
        list mac 'B0:AC:82:**:**:**'

config dhcp 'Audio'
        option interface 'Audio'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'

config dhcp 'CCTV'
        option interface 'CCTV'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'
        option ra 'server'
        option ra_preference 'medium'
        option dhcpv6 'server'
        list dns 'fd18:a7e8:6f9b:26::53'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'

config dhcp 'Video'
        option interface 'Video'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'

config dhcp 'DMZ'
        option interface 'DMZ'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,9.9.9.9'

config dhcp 'HomeLAN'
        option interface 'HomeLAN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.26.53'
        option ra 'server'
        option ra_preference 'medium'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'
        list dns 'fd18:a7e8:6f9b:26::53'
root@Liberator:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'Modem'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config zone
        option name 'DMZ'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'DMZ'

config forwarding
        option src 'DMZ'
        option dest 'wan'

config rule
        option src 'DMZ'
        option name 'Alllow-DMZ-DHCP'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'reverseproxy'
        option family 'ipv4'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.24.80'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config rule
        option src 'Guest'
        option name 'Allow-Guest-DHCP'
        list proto 'udp'
        option dest_port '67 547'
        option target 'ACCEPT'

config zone
        option name 'Infra'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Infra'

config forwarding
        option src 'Infra'
        option dest 'wan'

config zone
        option name 'Audio'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Audio'

config forwarding
        option src 'Audio'
        option dest 'ProtonVPN'

config rule
        option src 'Audio'
        option name 'Allow-Audio-DHCP'
        list proto 'udp'
        option dest_port '67 547'
        option target 'ACCEPT'

config rule
        option src 'Audio'
        option dest 'Infra'
        option name 'Nas-SMB'
        list proto 'tcp'
        list dest_ip '192.168.26.250'
        option dest_port '445'
        option target 'ACCEPT'

config rule
        option src 'Audio'
        option dest 'Infra'
        option name 'Nas-NetBIOS-Session'
        list proto 'tcp'
        list dest_ip '192.168.26.250'
        option dest_port '139'
        option target 'ACCEPT'

config rule
        option src 'Audio'
        option dest 'Infra'
        option name 'Nas-NetBIOS-Name&Datagram'
        list proto 'udp'
        list dest_ip '192.168.26.250'
        option dest_port '137-138'
        option target 'ACCEPT'

config zone
        option name 'Video'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Video'

config forwarding
        option src 'Video'
        option dest 'ProtonVPN'

config rule
        option src 'Video'
        option name 'Allow-Video-DHCP'
        list proto 'udp'
        option dest_port '67 547'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config rule
        option src 'IoT'
        option name 'Allow-IoT-DHCP'
        list proto 'udp'
        option dest_port '67 547'
        option target 'ACCEPT'

config zone
        option name 'CCTV'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'CCTV'

config rule
        option src 'CCTV'
        option name 'Allow-CCTV-DHCP'
        list proto 'udp'
        option dest_port '67 547'
        option target 'ACCEPT'

config rule
        option src 'HomeLAN'
        option name 'Allow-HomeLAN-DHCP'
        list proto 'udp'
        option dest_port '67 547'
        option target 'ACCEPT'

config zone
        option name 'ProtonVPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'ProtAlb35Ads'
        list network 'ProtonEdi664'
        list network 'Glas924Ads'

config forwarding
        option src 'ProtonVPN'
        option dest 'wan'

config forwarding
        option src 'IoT'
        option dest 'ProtonVPN'

config rule
        option src 'CCTV'
        option dest 'Infra'
        option name 'Allow-CCTV-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.26.53'
        list dest_ip 'fd18:a7e8:6f9b:26::53'

config rule
        option src 'Audio'
        option dest 'Infra'
        option name 'Allow-Audio-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.26.53'
        list dest_ip 'fd18:a7e8:6f9b:26::53'

config rule
        option src 'Video'
        option dest 'Infra'
        option name 'Allow-Video-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.26.53'
        list dest_ip 'fd18:a7e8:6f9b:26::53'

config rule
        option src 'Guest'
        option dest 'Infra'
        option name 'Allow-Guest-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.26.53'
        list dest_ip 'fd18:a7e8:6f9b:26::53'

config rule
        option src 'IoT'
        option dest 'Infra'
        option name 'Allow-IoT-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.26.53'
        list dest_ip 'fd18:a7e8:6f9b:26::53'

config rule
        option src 'HomeLAN'
        option dest 'Infra'
        option name 'Allow-HomeLAN-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.26.53'
        list dest_ip 'fd18:a7e8:6f9b:26::53'

config zone
        option name 'Ionos'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'IONOS'

config forwarding
        option src 'Ionos'
        option dest 'wan'

config forwarding
        option src 'CCTV'
        option dest 'Ionos'

config forwarding
        option src 'Guest'
        option dest 'Ionos'

config rule
        option src 'Guest'
        option dest '*'
        option name 'Allow-Guest-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option src 'Audio'
        option dest '*'
        option name 'Allow-Audio-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option src 'Video'
        option dest '*'
        option name 'Allow-Video-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option src 'IoT'
        option dest '*'
        option name 'Allow-IoT-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option src 'CCTV'
        option dest '*'
        option name 'Allow-CCTV-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option src 'DMZ'
        option dest '*'
        option name 'Allow-DMZ-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option src 'HomeLAN'
        option dest '*'
        option name 'Allow-HomeLAN-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

config zone
        option name 'HomeLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'HomeLAN'

config forwarding
        option src 'HomeLAN'
        option dest 'wan'

There’s a lot of VLAN stuff that I am no good at. Perhaps @psherman will take a look.

IPv6 is not one of my strengths. Sorry - I’d love to help, but I’m not the right person here.

I think your problem is NDP. ICMPv6 135/136, neighbour solicitation and advertisement, are the IPv6 equivalent of IPv4 ARP. They're how the client resolves the router's MAC before it can send any IPv6 packet to a different subnet.

These NDP messages are sent to the router itself, so they hit the input chain, not the forward chain. Your rule for ICMP in your /etc/config/firewall is a forward rule, not an input rule, so it doesn't cover ICMP destined for the router itself.

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

You need an input rule (no dest) for ICMPv6 from LAN, separate from your forwarding ICMP rule. This is the minimal rule:

config rule
        option name 'Allow-ICMPv6-LAN-Input'
        option src 'lan'
        option proto 'icmp'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'router-solicitation'
        option family 'ipv6'
        option target 'ACCEPT'

It will work without the RS type, just with a potential delay after a device connects and before it gets its address via SLAAC. Better to put it in.

Your DNS forward rules are fine. They will work once NDP works. DHCP rules are fine too, correctly written as input rules.
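The distinction made above (a rule with a destination zone, including 'Any zone', lands in the forward chain, while a rule with no destination lands in the input chain, and NDP needs the latter) is easy to get wrong when reading a UCI firewall file. The following is an added example, not OpenWrt code and not from anyone in this thread: a small Python checker that parses a UCI firewall config and reports, per zone, whether ICMPv6 neighbour solicitation and advertisement are admitted by an input rule, only by a forward rule (the trap in this thread), by the zone's input policy being ACCEPT, or not at all. The sample config is constructed and modelled on the zones in this thread; the parser is minimal and assumes the usual `option`/`list` layout, a missing `option input` on a zone is treated as REJECT, and a missing `target` on a rule is treated as fw4's default of DROP.

```python
"""Audit a UCI firewall config for zones whose only ICMP rule is a FORWARD rule
(a 'dest' is set, even '*'), leaving ICMPv6 NDP (types 135/136) to the zone's
INPUT policy. Added example, not OpenWrt code; SAMPLE is constructed."""

NDP = {"neighbour-solicitation", "neighbour-advertisement"}
ICMPV6_NUMERIC = {"133": "router-solicitation", "134": "router-advertisement",
                  "135": "neighbour-solicitation", "136": "neighbour-advertisement"}

SAMPLE = """\
config zone
        option name 'Infra'
        option input 'ACCEPT'

config zone
        option name 'HomeLAN'
        option input 'REJECT'

config zone
        option name 'Guest'
        option input 'REJECT'

config zone
        option name 'IoT'
        option input 'REJECT'

config rule
        option name 'Allow-HomeLAN-ICMP'
        option src 'HomeLAN'
        option dest '*'
        list proto 'icmp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-ICMPv6-Input'
        option src 'Guest'
        option proto 'icmp'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'router-solicitation'
        option family 'ipv6'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Minimal UCI parser: list of (section_type, options); 'list' keys become lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        tok = raw.strip().split(None, 2)
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            cur = {}
            sections.append((tok[1], cur))
        elif tok[0] in ("option", "list") and cur is not None and len(tok) == 3:
            key, val = tok[1], tok[2].strip("'\"")
            if tok[0] == "option":
                cur[key] = val
            else:
                cur.setdefault(key, []).append(val)
    return sections


def as_list(v):
    return [] if v is None else ([v] if isinstance(v, str) else v)


def ndp_types(rule):
    """NDP types an enabled ACCEPT rule admits for IPv6; empty set if none."""
    if rule.get("enabled", "1") == "0" or rule.get("target", "DROP").upper() != "ACCEPT":
        return set()
    if rule.get("family", "any").lower() not in ("any", "ipv6"):
        return set()
    protos = {p.lower() for p in as_list(rule.get("proto"))}
    if not protos & {"icmp", "icmpv6", "ipv6-icmp", "all", "any"}:
        return set()
    types = as_list(rule.get("icmp_type"))
    if not types:                       # no icmp_type filter: every ICMPv6 type matches
        return set(NDP)
    norm = set()
    for t in types:                     # accept names, US spelling and '135/0' forms
        t = t.lower().replace("neighbor", "neighbour").split("/")[0]
        norm.add(ICMPV6_NUMERIC.get(t, t))
    return norm & NDP


def check_ndp_input(text):
    """Per zone: 'input-accept', 'ok', 'forward-only' or 'missing'."""
    sections = parse_uci(text)
    rules = [s for t, s in sections if t == "rule"]
    report = {}
    for t, z in sections:
        if t != "zone" or "name" not in z:
            continue
        name = z["name"]
        if z.get("input", "REJECT").upper() == "ACCEPT":
            report[name] = "input-accept"      # policy admits NDP, and everything else
            continue
        covered, fwd = set(), False
        for r in rules:
            hit = ndp_types(r) if r.get("src") == name else set()
            if not hit:
                continue
            if "dest" in r:                     # dest set, even '*': FORWARD chain
                fwd = True
            else:                               # no dest: INPUT chain, what NDP needs
                covered |= hit
        report[name] = "ok" if covered >= NDP else ("forward-only" if fwd else "missing")
    return report


if __name__ == "__main__":
    for zone, verdict in check_ndp_input(SAMPLE).items():
        print(f"{zone:8} {verdict}")
```

Run against a real `/etc/config/firewall`, a zone reported as 'forward-only' is exactly the state described in this thread: clients can be allowed to ping across VLANs, but the router itself never answers their neighbour solicitations, so no IPv6 packet to another subnet gets off the ground. 'input-accept' is the workaround the original poster used and is broader than needed, since it admits every protocol to the router, not just NDP.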

Thank you! I missed a key detail, see below.
That first rule you observed is the default wan rule that comes out of the box, by the way.

config rule
        option src 'HomeLAN'
        option dest '*'
        option name 'Allow-HomeLAN-ICMP'
        list proto 'icmp'
        option target 'ACCEPT'

I had thought that's what this would do.
In LuCI (where I created the rule), the option I chose was Destination zone: Any zone, which I see now as I'm writing this is a Forward rule (I had read it as meaning destination anywhere and it would therefore cover NDP and ping).

So I will need the above rule to allow IPv6 ping to other VLANs, but I will also need another rule for Input to the router itself for both NDP and ping.
There is no way in LuCI to create a rule with no destination. I couldn't create your minimal rule in LuCI for example, because it insists on a destination. I'm curious now what will happen if I create it in the firewall file, how it will be represented in LuCI.

You would use "Device (input)" as the Destination Zone.

So I just discovered :laughing:

By creating the rule @dl12345 proposed verbatim, LuCI applied Destination zone Device (input)

Can confirm that now, having rules for both Forward and Input for each VLAN that has IPv6 enabled, causes clients in those VLANs to be able to ping -6 other clients and perform nslookup -type=AAAA queries against a DNS server in a different VLAN. Job done! I must learn to read, it would have saved me some time: Destination zone Any zone (forward)
I should add that I chose to allow all ICMP types, and for both IPv4 and IPv6 in my rules, but may revisit that.