IPv6 Issue with DSA?

Hi,

Today I discovered another IPv6 issue with 21.02 - and my flow offloading is switched off!

I own a cable connection with dual stack. I get a /62 prefix from my provider which I forward/deploy to my clients.

My Windows PC (tested on 1 host) also works without a problem. For example, I can successfully run ping -6 google.com

But now I have seen that my Linux clients (tested on 3 hosts) can't access IPv6 outside my LAN.

I started to run tcpdump to find the issue. There I can see that ICMP echo requests leave my LAN side (VLAN 10) and my WAN side - but I see the answer only on the WAN side - not the LAN side.

root@gw:~# tcpdump -i br-switch.10 ip6 host 2a00:1450:4001:810::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-switch.10, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:50.709631 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1412, length 64
15:44:51.733533 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1413, length 64
15:44:52.757533 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1414, length 64
15:44:53.781496 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1415, length 64
15:44:54.805434 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1416, length 64
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
root@gw:~# tcpdump -i wan ip6 host 2a00:1450:4001:810::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan, link-type EN10MB (Ethernet), capture size 262144 bytes
15:45:05.045762 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1426, length 64
15:45:05.060081 IP6 fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13: ICMP6, echo reply, seq 1426, length 64
15:45:06.069761 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1427, length 64
15:45:06.084783 IP6 fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13: ICMP6, echo reply, seq 1427, length 64
15:45:07.093746 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1428, length 64
15:45:07.109068 IP6 fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13: ICMP6, echo reply, seq 1428, length 64
15:45:08.117720 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1429, length 64
15:45:08.135449 IP6 fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13: ICMP6, echo reply, seq 1429, length 64
15:45:09.141854 IP6 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13 > fra16s50-in-x0e.1e100.net: ICMP6, echo request, seq 1430, length 64
15:45:09.156648 IP6 fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:dea6:32ff:feee:6e13: ICMP6, echo reply, seq 1430, length 64
^C
10 packets captured
12 packets received by filter
0 packets dropped by kernel

I have no blocking rule in chain forwarding_rule for ip6tables and the second entry for FORWARD is
ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED

Does anyone else have the same problem? Or does somebody have an idea how to solve this?

My hardware is a Xiaomi Redmi Router AC2100 which runs OpenWrt 21.02.0

root@gw:~# ip6tables-save -c
# Generated by ip6tables-save v1.8.7 on Wed Sep 22 16:08:28 2021
*raw
:PREROUTING ACCEPT [45303:12497414]
:OUTPUT ACCEPT [8898:905111]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_mgmt_helper - [0:0]
[1032:93040] -A PREROUTING -i br-switch.1 -m comment --comment "!fw3: mgmt CT helper assignment" -j zone_mgmt_helper
[20098:3399783] -A PREROUTING -i br-switch.10 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-switch.30 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_guest_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_guest_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_mgmt_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_mgmt_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_mgmt_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_mgmt_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_mgmt_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_mgmt_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Wed Sep 22 16:08:28 2021
# Generated by ip6tables-save v1.8.7 on Wed Sep 22 16:08:28 2021
*mangle
:PREROUTING ACCEPT [45303:12497414]
:INPUT ACCEPT [3202:376405]
:FORWARD ACCEPT [40750:11945777]
:OUTPUT ACCEPT [8898:905111]
:POSTROUTING ACCEPT [49636:12849462]
[1485:115152] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[3261:256316] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 22 16:08:28 2021
# Generated by ip6tables-save v1.8.7 on Wed Sep 22 16:08:28 2021
*filter
:INPUT ACCEPT [102:7344]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [81:5832]
:MINIUPNPD - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_mgmt_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_windscribe_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_mgmt_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_windscribe_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_mgmt_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_windscribe_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_mgmt_dest_ACCEPT - [0:0]
:zone_mgmt_dest_REJECT - [0:0]
:zone_mgmt_forward - [0:0]
:zone_mgmt_input - [0:0]
:zone_mgmt_output - [0:0]
:zone_mgmt_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
:zone_windscribe_dest_ACCEPT - [0:0]
:zone_windscribe_dest_REJECT - [0:0]
:zone_windscribe_forward - [0:0]
:zone_windscribe_input - [0:0]
:zone_windscribe_output - [0:0]
:zone_windscribe_src_REJECT - [0:0]
[105:16230] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3097:360175] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1130:216968] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[609:44559] -A INPUT -i br-switch.1 -m comment --comment "!fw3" -j zone_mgmt_input
[876:63773] -A INPUT -i br-switch.10 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-switch.30 -m comment --comment "!fw3" -j zone_guest_input
[380:27531] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i ws0 -m comment --comment "!fw3" -j zone_windscribe_input
[40750:11945777] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[39614:11776920] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -d ::200:200:200:200/::ffff:ffff:ffff:ffff -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-Zentrale-HTTPS-IPv6" -j zone_lan_dest_ACCEPT
[0:0] -A FORWARD -d ::200:200:200:200/::ffff:ffff:ffff:ffff -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-Zentrale-HTTP-IPv6" -j zone_lan_dest_ACCEPT
[0:0] -A FORWARD -d ::200:200:200:200/::ffff:ffff:ffff:ffff -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow-Zentrale-SSH-IPv6" -j zone_lan_dest_ACCEPT
[0:0] -A FORWARD -m mac --mac-source e8:b1:fc:XX:XX:XX -m comment --comment "!fw3: UB-RTC" -j ACCEPT
[21:2016] -A FORWARD -i br-switch.1 -m comment --comment "!fw3" -j zone_mgmt_forward
[1074:163495] -A FORWARD -i br-switch.10 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-switch.30 -m comment --comment "!fw3" -j zone_guest_forward
[23:1906] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i ws0 -m comment --comment "!fw3" -j zone_windscribe_forward
[44:3922] -A FORWARD -m comment --comment "!fw3" -j reject
[105:16230] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[8793:888881] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[815:133307] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[881:113496] -A OUTPUT -o br-switch.1 -m comment --comment "!fw3" -j zone_mgmt_output
[5089:403936] -A OUTPUT -o br-switch.10 -m comment --comment "!fw3" -j zone_lan_output
[602:82832] -A OUTPUT -o br-switch.30 -m comment --comment "!fw3" -j zone_guest_output
[1325:149478] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o ws0 -m comment --comment "!fw3" -j zone_windscribe_output
[0:0] -A forwarding_mgmt_rule -d 2a01:4f8:251:321::2/128 -p tcp -m tcp --dport 443 -j zone_wan_dest_ACCEPT
[8:640] -A forwarding_rule -d 2a00:1450:4001:812::2003/128 -p tcp -m tcp --dport 80 -j zone_wan_dest_ACCEPT
[0:0] -A forwarding_rule -d 2a00:1450:4005:800::2003/128 -p tcp -m tcp --dport 80 -j zone_wan_dest_ACCEPT
[10:800] -A forwarding_rule -d 2a00:1450:4005:802::200e/128 -p tcp -m tcp --dport 80 -j zone_wan_dest_ACCEPT
[0:0] -A forwarding_rule -d 2a00:1450:4005:802::200e/128 -p tcp -m tcp --dport 80 -j zone_wan_dest_ACCEPT
[23:1906] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[21:2016] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[602:82832] -A zone_guest_dest_ACCEPT -o br-switch.30 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-switch.30 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT guest out: "
[0:0] -A zone_guest_dest_REJECT -o br-switch.30 -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS" -j ACCEPT
[0:0] -A zone_guest_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_guest_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_guest_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_guest_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_guest_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 484 -m comment --comment "!fw3: Allow-FritzBox-GUI" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 8089 -m comment --comment "!fw3: Allow-Zentrale-HTTPS" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[602:82832] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[602:82832] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-switch.30 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT guest in: "
[0:0] -A zone_guest_src_REJECT -i br-switch.30 -m comment --comment "!fw3" -j reject
[5089:403936] -A zone_lan_dest_ACCEPT -o br-switch.10 -m comment --comment "!fw3" -j ACCEPT
[1074:163495] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1074:163495] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to mgmt forwarding policy" -j zone_mgmt_dest_ACCEPT
[1074:163495] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to guest forwarding policy" -j zone_guest_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to windscribe forwarding policy" -j zone_windscribe_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[876:63773] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -p tcp -m tcp --dport 1026 -m comment --comment "!fw3: Block-DAWN" -j reject
[876:63773] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5089:403936] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5089:403936] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[876:63773] -A zone_lan_src_ACCEPT -i br-switch.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[881:113496] -A zone_mgmt_dest_ACCEPT -o br-switch.1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_mgmt_dest_REJECT -o br-switch.1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT mgmt out: "
[0:0] -A zone_mgmt_dest_REJECT -o br-switch.1 -m comment --comment "!fw3" -j reject
[21:2016] -A zone_mgmt_forward -m comment --comment "!fw3: Custom mgmt forwarding rule chain" -j forwarding_mgmt_rule
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_mgmt_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[21:2016] -A zone_mgmt_forward -m comment --comment "!fw3: Zone mgmt to lan forwarding policy" -j zone_lan_dest_ACCEPT
[21:2016] -A zone_mgmt_forward -m comment --comment "!fw3" -j zone_mgmt_dest_REJECT
[609:44559] -A zone_mgmt_input -m comment --comment "!fw3: Custom mgmt input rule chain" -j input_mgmt_rule
[609:44559] -A zone_mgmt_input -m comment --comment "!fw3" -j zone_mgmt_src_ACCEPT
[881:113496] -A zone_mgmt_output -m comment --comment "!fw3: Custom mgmt output rule chain" -j output_mgmt_rule
[881:113496] -A zone_mgmt_output -m comment --comment "!fw3" -j zone_mgmt_dest_ACCEPT
[609:44559] -A zone_mgmt_src_ACCEPT -i br-switch.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[49:3336] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2368:311077] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o wan -m comment --comment "!fw3" -j DROP
[23:1906] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[23:1906] -A zone_wan_forward -j MINIUPNPD
[23:1906] -A zone_wan_forward -j MINIUPNPD
[23:1906] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[380:27531] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[1:243] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[6:432] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[285:20520] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[88:6336] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -j MINIUPNPD
[0:0] -A zone_wan_input -j MINIUPNPD
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[1325:149478] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1325:149478] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_DROP -i wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_windscribe_dest_ACCEPT -o ws0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_windscribe_dest_ACCEPT -o ws0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_windscribe_dest_REJECT -o ws0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_windscribe_forward -m comment --comment "!fw3: Custom windscribe forwarding rule chain" -j forwarding_windscribe_rule
[0:0] -A zone_windscribe_forward -m comment --comment "!fw3" -j zone_windscribe_dest_REJECT
[0:0] -A zone_windscribe_input -m comment --comment "!fw3: Custom windscribe input rule chain" -j input_windscribe_rule
[0:0] -A zone_windscribe_input -m comment --comment "!fw3" -j zone_windscribe_src_REJECT
[0:0] -A zone_windscribe_output -m comment --comment "!fw3: Custom windscribe output rule chain" -j output_windscribe_rule
[0:0] -A zone_windscribe_output -m comment --comment "!fw3" -j zone_windscribe_dest_ACCEPT
[0:0] -A zone_windscribe_src_REJECT -i ws0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 22 16:08:28 2021
cat /proc/sys/net/netfilter/nf_conntrack_count
cat /proc/sys/net/netfilter/nf_conntrack_max
root@gw:~# cat /proc/sys/net/netfilter/nf_conntrack_count
597
root@gw:~# cat /proc/sys/net/netfilter/nf_conntrack_max
16384

Hmm... now I have also tested with my other notebook running Linux... there ping also works.
To conclude:
2 x Raspberry Pi with Ubuntu 20.04 LTS configured with systemd-networkd - DHCPv4 / Stateless = doesn't work
1 x Linux "Server" with Ubuntu 20.04 LTS configured with systemd-networkd - DHCPv4 / Stateless = doesn't work
1 x Linux PC with Ubuntu 21.04 configured with NetworkManager = works
1 x Windows 10 PC = works

Really strange... but the tcpdump output looks unmistakably like an iptables problem, or do you not agree?

OK, one closer look - maybe this can help:

root@gw:~# tcpdump -vvi wan ip6 host 2a00:1450:4001:810::200e
tcpdump: listening on wan, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:24.382810 IP6 (flowlabel 0x1190c, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 48
19:08:24.395336 IP6 (flowlabel 0x1190c, hlim 116, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73: [icmp6 sum ok] ICMP6, echo reply, seq 48
19:08:25.406631 IP6 (flowlabel 0x1190c, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 49
19:08:25.419000 IP6 (flowlabel 0x1190c, hlim 116, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73: [icmp6 sum ok] ICMP6, echo reply, seq 49
19:08:26.431114 IP6 (flowlabel 0x1190c, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 50
19:08:26.441976 IP6 (flowlabel 0x1190c, hlim 116, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73: [icmp6 sum ok] ICMP6, echo reply, seq 50
19:08:27.454860 IP6 (flowlabel 0x1190c, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 51
19:08:27.465966 IP6 (flowlabel 0x1190c, hlim 116, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73: [icmp6 sum ok] ICMP6, echo reply, seq 51
19:08:28.478995 IP6 (flowlabel 0x1190c, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 52
19:08:28.491356 IP6 (flowlabel 0x1190c, hlim 116, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73: [icmp6 sum ok] ICMP6, echo reply, seq 52
19:08:29.502885 IP6 (flowlabel 0x1190c, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 53
19:08:29.514508 IP6 (flowlabel 0x1190c, hlim 116, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:40e4:953d:7ca:ec73: [icmp6 sum ok] ICMP6, echo reply, seq 53

19:08:40.262432 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 1
19:08:40.277536 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 1
19:08:41.265258 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 2
19:08:41.280497 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 2
19:08:42.265359 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 3
19:08:42.280624 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 3
19:08:43.266451 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 4
19:08:43.393188 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 4
19:08:44.269504 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 5
19:08:44.353705 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 5
19:08:45.271522 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 6
19:08:45.340142 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 6
19:08:46.273100 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 7
19:08:46.321433 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 7
19:08:47.275126 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 8
19:08:47.297175 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 8
19:08:48.276029 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 9
19:08:48.292930 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 9
19:08:49.278065 IP6 (flowlabel 0xb4ce6, hlim 63, next-header ICMPv6 (58) payload length: 64) 2a02:XXXX:XXXX:179:63:63:63:63 > fra16s50-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 10
19:08:49.295078 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) fra16s50-in-x0e.1e100.net > 2a02:XXXX:XXXX:179:63:63:63:63: [icmp6 sum ok] ICMP6, echo reply, seq 10

seq 48-53 don't work
seq 1-10 works

what is hlim - and why is it bigger on the not working hosts...?

EDIT: ok, hlim is Hop limit... this can't be the reason...?

I tested to manually allow echo-reply for debugging and saw, that the problem still exists...

ip6tables -A forwarding_rule -i wan -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

The packets are matching the rule (counter increased)....

Means, that it is not the fault of the firewall...?

Perhaps it's related to source-based policy routing enabled by default for IPv6.
IPv6 prefix is often dynamic, and some hosts may not support DHCP FORCERENEW.

But this does not seem to be my problem, because the prefix of my outgoing packets is always the same and matches the current one from my ISP, and I also disabled the DHCPv6 server in OpenWrt and use only SLAAC.

I also tested yesterday with my Android phone, which was freshly connected to the WiFi, and it also can't ping outside (tested with the PingTools app, where you can force an IPv6 ping).

1 Like

maybe a problem with the default gw my provider sends?

root@gw:~# ip -6 r s
default from 2a02:XXXY:XXXX:XXXX:8542:74e1:e6ad:dbb1 via fe80::1 dev wan proto static metric 512 pref medium
default from 2a02:XXXX:XXXX:178::/62 via fe80::1 dev wan proto static metric 512 pref medium
2a02:XXXX:XXXX:178::/64 dev br-switch.30 proto static metric 1024 pref medium
2a02:XXXX:XXXX:179::/64 dev br-switch.10 proto static metric 1024 pref medium
2a02:XXXX:XXXX:17a::/64 dev br-switch.1 proto static metric 1024 pref medium
unreachable 2a02:XXXX:XXXX:178::/62 dev lo proto static metric 2147483647 pref medium
fd16:d416:891:99::/64 dev br-switch.10 proto static metric 1024 pref medium
fd16:d416:891:189::/64 dev br-switch.30 proto static metric 1024 pref medium
fd16:d416:891:252::/64 dev br-switch.1 proto static metric 1024 pref medium
unreachable fd16:d416:891::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wlan2g proto kernel metric 256 pref medium
fe80::/64 dev wlan-gast2g proto kernel metric 256 pref medium
fe80::/64 dev br-switch proto kernel metric 256 pref medium
fe80::/64 dev br-switch.1 proto kernel metric 256 pref medium
fe80::/64 dev br-switch.10 proto kernel metric 256 pref medium
fe80::/64 dev br-switch.30 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev ws0 proto kernel metric 256 pref medium
fe80::/64 dev wlan5g proto kernel metric 256 pref medium
fe80::/64 dev wlan-gast5g proto kernel metric 256 pref medium

because fe80 is always on every interface...?! But this should be covered with the device definition?!

via fe80::1 **dev wan**

I have now also done another test....

When I try to ping those hosts from external, which also can not ping to external I see the same problem with tcpdump:
The packets arrive on the wan interface, but do not get routed to the lan interface.

I again see the counters rise in the iptables rule.

When I ping one of my hosts which are working (I tested with the Windows PC), the packets arrive on the lan interface and can get also answered from the working hosts inside the lan.

I really don't understand what's wrong..... :worried:

Any help is still appreciated :slight_smile:

Hi, I found on this discussion some new tools for debugging:

root@gw:~# ip monitor | grep -e "2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2" -e "2a00:1450:4005:803::200e"
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED
2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2 dev br-switch.10  FAILED

but bridge monitor gives me not related output.

this is the source ip from where I start the ping: 2a02:XXXX:XXXX:179:c468:ed4f:bb18:8ae2
And this is the destination 2a00:1450:4005:803::200e

So this looks like a routing issue - but why? DSA related?

1 Like
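
The two observations in the post above (echo replies visible on wan, FAILED entries for the same client on br-switch.10) can be cross-checked in one pass. The following is an added example, not part of the original post: it joins a wan capture against the neighbour table and flags reply destinations for which the router has no resolved link-layer address, which is what a FAILED or INCOMPLETE neighbour state means. It assumes the capture was taken with `tcpdump -n` so addresses are not replaced by hostnames; the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example (not from the thread); sample data below is constructed.

# classify_replies WAN_CAPTURE NEIGH_TABLE
#   WAN_CAPTURE: text output of `tcpdump -n -i wan icmp6`
#   NEIGH_TABLE: text output of `ip -6 neigh show`
# Prints per echo-reply destination: address, reply count, device,
# neighbour state, and whether the router can deliver on the LAN side.
classify_replies() {
    awk '
        # Neighbour table: "<addr> dev <if> [lladdr <mac>] [router] <STATE>"
        FILENAME == ARGV[1] {
            if ($2 == "dev") { state[$1] = $NF; dev[$1] = $3 }
            next
        }
        # Capture: destination is the field after ">", minus the colon
        /ICMP6, echo reply/ {
            for (i = 1; i < NF; i++)
                if ($i == ">") { d = $(i + 1); sub(/:$/, "", d); replies[d]++ }
        }
        END {
            for (d in replies) {
                s = (d in state) ? state[d] : "NO-ENTRY"
                v = (s ~ /^(FAILED|INCOMPLETE|NO-ENTRY)$/) ? "unresolved" : "resolved"
                ifc = (d in dev) ? dev[d] : "-"
                printf "%s %d %s %s %s\n", d, replies[d], ifc, s, v
            }
        }
    ' "$2" "$1" | sort
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/neigh" <<'EOF'
2001:db8:0:179::63 dev br-switch.10 lladdr 02:00:00:00:00:63 REACHABLE
2001:db8:0:179::8ae2 dev br-switch.10  FAILED
fe80::1 dev wan lladdr 02:00:00:00:00:01 router STALE
EOF
    cat > "$tmp/wan" <<'EOF'
19:08:40.277536 IP6 (flowlabel 0xb4ce6, hlim 58, next-header ICMPv6 (58) payload length: 64) 2001:db8:ffff::200e > 2001:db8:0:179::63: [icmp6 sum ok] ICMP6, echo reply, seq 1
19:08:41.000000 IP6 2001:db8:0:179::8ae2 > 2001:db8:ffff::200e: ICMP6, echo request, seq 48, length 64
19:08:41.015000 IP6 2001:db8:ffff::200e > 2001:db8:0:179::8ae2: ICMP6, echo reply, seq 48, length 64
19:08:42.015000 IP6 2001:db8:ffff::200e > 2001:db8:0:179::8ae2: ICMP6, echo reply, seq 49, length 64
EOF
    classify_replies "$tmp/wan" "$tmp/neigh"
    rm -rf "$tmp"
}

demo
```

A destination reported as unresolved received replies at the wan interface while neighbour discovery for it on the LAN device did not complete, so the next capture to take is of ICMPv6 neighbour solicitations and advertisements on that LAN device.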

Try disabling source routing and check whether the issue persists.

Hi, I have tested this:

root@gw:~# uci show network.wan
network.wan=interface
network.wan.proto='dhcp'
network.wan.dns_metric='1'
network.wan.metric='1'
network.wan.device='wan'
network.wan.delegate='0'
root@gw:~# uci show network.wan6
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='force'
network.wan6.metric='1'
network.wan6.dns_metric='1'
network.wan6.reqprefix='auto'
network.wan6.device='@wan'
network.wan6.sourcefilter='0'

but even after a reboot it is the same problem.

1 Like

Today I updated to 21.02.1 - but the problem still persists.

I have noted a short change, when I toggle network.globals.packet_steering and reboot.

For a short time (1-2 pings) I can ping outside.. But nothing constant.

So IPv6 stays broken on my Xiaomi Redmi Router AC2100 :worried:

Just want to add, that I reported this at https://bugs.openwrt.org/index.php?do=details&task_id=4128

Hi all

I have a similar problem with my OpenWrt router set behind an ISP router which starts a 6rd tunnel and gets a /64 prefix, with SLAAC and DHCPv6 enabled.

The router is a raspberry pi that I upgraded from a random snapshot post 19.07 built in 2020 to 21.02.1.

With the snapshot build IPv6 connectivity was OK, but now I get correct IPv6 addresses on the clients, but IPv6 connectivity from the clients is erratic; after a while it just stops working.

I have disabled source-based routing and got it restored, but I will monitor it to check if the IPv6 connectivity is stable or just restored because of the network restart on the OpenWrt router.

No, the problem is still here. IPv6 works for a couple of days and then stops; only the router can access the internet via IPv6.

Raspberry Pi does not have an ethernet switch, so I doubt this is related to DSA.

For me the problem disappeared... don't know why...

But I am tired of 21.02 - only problems. I switch back to 19.07 and hope things get fixed later. (the ipv6 issue was not the only problem)