IPv6 issues for LAN

I've been having issues setting up IPv6 on my RPi-4 running OpenWrt 23.05.0. I've been trying to get dual-stack mode to work for a while now, but so far without success.

I know there have been a lot of posts about IPv6, and I went through as many as I could, trying all the advice, but with no luck.

Setup

  • RPi-4 running 23.05.0 (but wasn't working on previous versions either)
  • RPi-4 is configured as router on a stick
  • Fiber cable/wan is connected straight to my switch and available via eth0.10
  • Most lan clients are connected via separate AP
  • wan6 interface is getting /56 IPv6 PD, but no "IA_NA"
    • ISP does not offer IA_NA

Prefix delegation seems to be working and LAN clients are getting 2001:* addresses, but none of my clients are able to ping IPv6 addresses.

Successful ping6 from router

Unsuccessful ping6 from macos lan client (just freezes)

Unsuccessful ping6 from linux lan client

wan6 is getting /56 PD

lan is getting /60 assignment

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddd::/48'
	option packet_steering 'true'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.248.0'
	option ip6assign '60'
	option peerdns '0'

config interface 'guest'
	option device 'eth0.2'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.0.20.1'
	option netmask '255.255.255.0'
	option peerdns '0'

config interface 'isolated'
	option device 'eth0.4'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.0.50.1'
	option netmask '255.255.255.0'
	option peerdns '0'

config interface 'wan'
	option device 'eth0.10'
	option proto 'dhcp'
	option metric '10'
	option peerdns '0'
	list dns '127.0.0.1'

config interface 'wan6'
	option device 'eth0.10'
	option proto 'dhcpv6'
	option metric '10'
	option peerdns '0'
	list dns '127.0.0.1'

# And a bunch of other unrelated interfaces for wireguard/openvpn/tor/tethering/etc, but should be unrelated

/etc/config/dhcp

# Main dnsmasq instance: serves every interface except eth0.3 and 'tor'
# (see the notinterface entries below) and sends all upstream queries to a
# resolver on 127.0.0.1 port 5053.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS-rebinding defence: upstream answers that point into private address
	# ranges are discarded. rebind_localhost additionally permits 127.0.0.0/8
	# answers and only has an effect while rebind_protection is on.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Only answer DNS queries that come from directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	# A server entry of the form '/domain/' with no address tells dnsmasq not to
	# forward that domain at all. These three names are the canary domains for
	# iCloud Private Relay and Firefox's built-in DoH, so clients that honour
	# them keep using this resolver instead of bypassing it.
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list notinterface 'eth0.3'
	list notinterface 'tor'
	option confdir '/tmp/dnsmasq.d'
	# NOTE(review): the doh_* options are not dnsmasq settings; they look like
	# backup copies written by a DoH proxy package - confirm which package owns them.
	option doh_backup_noresolv '-1'
	# noresolv: ignore the resolv file, so ISP-supplied resolvers are never
	# used and the 'list server' entries above are the only upstreams.
	option noresolv '1'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '2h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '2h'

config dhcp 'isolated'
	option interface 'isolated'
	option start '100'
	option limit '150'
	option leasetime '2h'

# Config for tor
# Second dnsmasq instance, bound only to eth0.3 / 'tor' and forwarding every
# query to port 9053 on the router's loopback (IPv4 and IPv6).
config dnsmasq
	# NOTE(review): boguspriv and rebind_protection are both switched off here,
	# so private-range answers from the upstream are passed to clients
	# unfiltered. Presumably this is needed because the resolver on 9053 hands
	# out mapped private addresses - confirm, and keep this instance limited to
	# the interfaces listed below.
	option boguspriv '0'
	option rebind_protection '0'
	option noresolv '1'
	list server '127.0.0.1#9053'
	list server '::1#9053'
	# localservice '0' removes the "local subnets only" restriction on who may
	# query; exposure then depends on the interface list and the firewall zone.
	option localservice '0'
	list interface 'eth0.3'
	list interface 'tor'

config dhcp 'tor'
	option interface 'tor'
	option start '100'
	option limit '150'
	option leasetime '2h'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted zone: full access to the router (input ACCEPT) and unrestricted
# forwarding between its member networks.
config zone
	option name 'lan'
	list network 'lan'
	# NOTE(review): 'wg' is a member of the lan zone, so peers on that
	# interface get the same trust as wired LAN hosts, including access to the
	# router's own services - confirm that is intended.
	list network 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream zone. With a delegated prefix the LAN hosts hold globally routable
# IPv6 addresses, so input/forward REJECT here is what keeps unsolicited
# inbound traffic away from them; there is no NAT in the IPv6 path.
config zone
	option name 'wan'
	# NOTE(review): 'wan' and 'wan6' are each listed twice; a network should
	# appear once per zone.
	list network 'wan'
	list network 'wan6'
	list network 'wan'
	list network 'wan6'
	list network 'tethering'
	list network 'qmi'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq applies to IPv4 only in fw4 (IPv6 masquerading is the separate
	# masq6 option, not set here), so IPv6 is routed, not translated.
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Lets the listed ICMPv6 types through from wan to every zone (dest '*'),
# rate-limited to 1000 packets per second. packet-too-big must pass for path
# MTU discovery to work. echo-request is included, so hosts in all internal
# zones, guest/isolated/tor included, answer pings from the internet on their
# global addresses.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward inbound IPsec (ESP) from wan to the lan zone. No 'family' is set, so
# the rule covers IPv6 as well as IPv4; over IPv6 every LAN host is directly
# addressable, which makes this an open inbound path to all of them.
# NOTE(review): drop this rule and Allow-ISAKMP below if no LAN host
# terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward inbound IKE (UDP 500) from wan to the lan zone; same scope as the
# ESP rule above.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): input 'ACCEPT' lets every guest client reach all services
# listening on the router itself (admin UI, SSH, DNS, ...). For an untrusted
# segment the usual pattern is input 'REJECT' plus explicit rules for DHCP,
# DNS and the ICMPv6/DHCPv6 the clients need. forward 'ACCEPT' only governs
# traffic between networks inside this zone.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

# NOTE(review): same policy as 'guest'; despite the name, hosts here have
# full access to the router's own services via input 'ACCEPT'.
config zone
	option name 'isolated'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'isolated'

# guest and isolated may only be forwarded to wan. No forwarding to 'lan' is
# defined, so the default forward policy (REJECT in 'config defaults') keeps
# them away from LAN hosts.
config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'isolated'
	option dest 'wan'

# No forwarding section in this file has 'tor' as src, so clients in this
# zone can reach the router (input ACCEPT) but are not routed to any other
# zone by the firewall.
config zone
	option name 'tor'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'tor'

config zone
	option name 'openvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option device 'tun+'
	list network 'tun0'
	list network 'tun1'
	list network 'tun2'
	list network 'tun3'
	list network 'tun4'
	list network 'tun5'
	list network 'tun6'
	list network 'tun7'
	list network 'tun8'

config forwarding
	option src 'lan'
	option dest 'openvpn'

config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Outbound VPN zone, masqueraded, with inbound traffic rejected.
config zone
	option name 'wireguard'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	# NOTE(review): 'tun+' is the same device wildcard the 'openvpn' zone
	# uses, so both zones claim the same interfaces. This looks like a
	# copy-paste leftover; match on the network name alone or on the real
	# WireGuard device name - confirm.
	option device 'tun+'
	list network 'vpn_van'

config forwarding
	option src 'lan'
	option dest 'wireguard'

ifstatus wan6

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 50526,
	"l3_device": "eth0.10",
	"proto": "dhcpv6",
	"device": "eth0.10",
	"updated": [
		"prefixes"
	],
	"metric": 10,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [

	],
	"ipv6-address": [

	],
	"ipv6-prefix": [
		{
			"address": "2001:569:*:*::",
			"mask": 56,
			"preferred": 14289,
			"valid": 14589,
			"class": "wan6",
			"assigned": {
				"guest": {
					"address": "2001:569:*:*::",
					"mask": 60
				},
				"isolated": {
					"address": "2001:569:*:*::",
					"mask": 60
				},
				"lan": {
					"address": "2001:569:*:*::",
					"mask": 60
				},
				"tor": {
					"address": "2001:569:*:*::",
					"mask": 60
				}
			}
		}
	],
	"ipv6-prefix-assignment": [

	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::2621:*:623f",
			"metric": 512,
			"valid": 3667,
			"source": "2001:569:*::/56"
		}
	],
	"dns-server": [
		"127.0.0.1"
	],
	"dns-search": [

	],
	"neighbors": [

	],
	"inactive": {
		"ipv4-address": [

		],
		"ipv6-address": [

		],
		"route": [

		],
		"dns-server": [
			"2001:568:*::68",
			"2001:568:*::124"
		],
		"dns-search": [

		],
		"neighbors": [

		]
	},
	"data": {
		"passthru": "00170020200*"
	}

ip -6 route on router

default from 2001:569:*:*::/56 via fe80::2621:24ff:*:* dev eth0.10 proto static metric 512 pref medium
2001:569:7e91:*::/64 dev eth0.2 proto static metric 1024 pref medium
2001:569:7e91:*::/64 dev eth0.4 proto static metric 1024 pref medium
2001:569:7e91:*::/64 dev br-lan proto static metric 1024 pref medium
2001:569:7e91:*::/62 via fe80::106d:a3e:48a6:* dev br-lan proto static metric 1024 pref medium
2001:569:7e91:*::/64 dev eth0.3 proto static metric 1024 pref medium
unreachable 2001:569:7e91:*::/56 dev lo proto static metric 2147483647 pref medium
fddd::/64 dev eth0.2 proto static metric 1024 pref medium
fddd:0:0:10::/64 dev eth0.4 proto static metric 1024 pref medium
fddd:0:0:20::/64 dev br-lan proto static metric 1024 pref medium
fddd:0:0:24::/62 via fe80::106d:a3e:48a6:f95a dev br-lan proto static metric 1024 pref medium
fddd:0:0:30::/64 dev eth0.3 proto static metric 1024 pref medium
unreachable fddd::/48 dev lo proto static metric 2147483647 pref medium
fdf1:e8a1:8d3f:9::/64 dev wg proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev eth0.4 proto kernel metric 256 pref medium
fe80::/64 dev eth0.3 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev ifb4br-lan proto kernel metric 256 pref medium

ip -6 route on lan client

::1 dev lo proto kernel metric 256 pref medium
2001:569:7e91:*::* dev eth0 proto kernel metric 256 pref medium
2001:569:7e91:*::/64 dev eth0 proto kernel metric 256 expires 14139sec pref medium
fd25:1028:6f4:*::/64 dev eth0 proto kernel metric 256 expires 1742sec pref medium
fddd:0:0:20::100 dev eth0 proto kernel metric 256 pref medium
fddd:0:0:20::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::dea6:32ff:fee2:4ec6 dev eth0 proto ra metric 1024 expires 1667sec hoplimit 64 pref medium

It feels like there is no default route set for clients... But I'm unsure how I can debug this


I have also tried to set this up with a fresh clean slate of 23.05.0 and no additional packages/networks/etc, but no luck :frowning:

I remember it had worked in the past, but it suddenly stopped working and at this point I have spent days on this..

I'm almost questioning if it's something with the ISP implementation of IPv6, but I have seen articles from people getting it to work on pfSense with the same ISP.

So I'm at a loss! Any advice/input would be greatly appreciated!

This fe80 address is on your router? Nevermind, I see it in the LuCI screenshot.

Why do you give an IPv4 DNS server in wan6?


@dave14305 Good catch! Adjusted it to ::1, but I also think it's unrelated.

I'm convinced ipv6 default routes are not being set for clients :thinking: But I'm unsure why.

Also found this warning in the logs

daemon.warn odhcpd[3188]: No default route present, overriding ra_lifetime!

but unsure if it's related

Try setting uci set dhcp.lan.ra_default='1'.

Or in LuCI “on available prefix”


Put a VLAN tag on the LAN as well, so the cable from the router to the switch is a true trunk cable. Some hardware does not work with tagged and untagged on the same port.

The default v6 route for clients will be the link-local of the router's LAN interface. Make sure every interface has a link-local, they are critical for IPv6 to work. You can, however, delete the ULA address. It isn't doing anything for you here.

These (the `list network 'wan'` and `list network 'wan6'` entries in the wan zone) should only be listed once. The situation is acting like wan6 is not in the wan firewall zone.

I see remnants of wireguard and OpenVPN configured, remove those until you have basic routing working.

From the linux lan client ping it seems that the default route is installed properly. However the OpenWrt is reporting back that there is no route.
After you make the changes suggested earlier post again the following:

ip -6 addr; ip -6 ro list table all; ip -6 ru

Also try from the OpenWrt to ping google from the wan and the lan interfaces:
ping -6 -I 2001:569:.... google.com
Might as well be your ISP not routing the delegated prefix.

Put a VLAN tag on the LAN as well, so the cable from the router to the switch is a true trunk cable. Some hardware does not work with tagged and untagged on the same port.

That's probably a good idea! Will change it up, thanks for the suggestion!


I've made all suggested changes on a fresh install of 23.05.0 and still no luck.. Not hiding addresses because it's a temp sandbox env anyway :wink:

ip -6 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fddd::20:2a87:baff:fec0:e21b/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2001:569:7e95:3520:2a87:baff:fec0:e21b/64 scope global deprecated dynamic noprefixroute
       valid_lft 6359sec preferred_lft 0sec
    inet6 fe80::2a87:baff:fec0:e21b/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:569:7e95:db00::1/60 scope global dynamic noprefixroute
       valid_lft 12110sec preferred_lft 11810sec
    inet6 fde0:31ce:d95d::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::e65f:1ff:fec4:f9f/64 scope link
       valid_lft forever preferred_lft forever

ip -6 ro list table all

default from 2001:569:7e95:3520::/64 via fe80::2621:24ff:fec7:623f dev eth1  metric 512
default from 2001:569:7e95:db00::/56 via fe80::2621:24ff:fec7:623f dev eth1  metric 512
default from fddd:0:0:20::/64 via fe80::2621:24ff:fec7:623f dev eth1  metric 512
2001:569:7e95:3520::/64 dev eth1  metric 256
unreachable 2001:569:7e95:3520::/64 dev lo  metric 2147483647
2001:569:7e95:db00::/64 dev br-lan  metric 1024
unreachable 2001:569:7e95:db00::/56 dev lo  metric 2147483647
unreachable fd25:1028:6f4:43f3::/64 dev lo  metric 2147483647
fddd:0:0:20::/64 dev eth1  metric 256
unreachable fddd:0:0:20::/64 dev lo  metric 2147483647
fddd:0:0:24::/64 from 2001:569:7e95:3520::/64 via fe80::145e:af46:6445:db86 dev eth1  metric 512
fddd:0:0:24::/64 from 2001:569:7e95:db00::/56 via fe80::145e:af46:6445:db86 dev eth1  metric 512
fddd:0:0:24::/64 from fddd:0:0:20::/64 via fe80::145e:af46:6445:db86 dev eth1  metric 512
fde0:31ce:d95d::/64 dev br-lan  metric 1024
unreachable fde0:31ce:d95d::/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth1  metric 256
local ::1 dev lo table local  metric 0
anycast 2001:569:7e95:3520:: dev eth1 table local  metric 0
local 2001:569:7e95:3520:2a87:baff:fec0:e21b dev eth1 table local  metric 0
anycast 2001:569:7e95:db00:: dev br-lan table local  metric 0
local 2001:569:7e95:db00::1 dev br-lan table local  metric 0
anycast fddd:0:0:20:: dev eth1 table local  metric 0
local fddd::20:2a87:baff:fec0:e21b dev eth1 table local  metric 0
anycast fde0:31ce:d95d:: dev br-lan table local  metric 0
local fde0:31ce:d95d::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
local fe80::2a87:baff:fec0:e21b dev eth1 table local  metric 0
local fe80::e65f:1ff:fec4:f9f dev br-lan table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth1 table local  metric 256

ip -6 ru

0:	from all lookup local
32766:	from all lookup main
4200000000:	from 2001:569:7e95:db00::1/60 iif br-lan lookup unspec unreachable

Might as well be your ISP not routing the delegated prefix.

@trendy Honestly, I'm beginning to believe that, but it's strange that the routers pings are being routed.

For the ping6 -I option, should I use the ipv6 of one of the clients? I'll test it out

Use the IP of the lan interface in the router (usually prefix::1). This will be a source within the /56 that the ISP is supposed to route back to you. Ordinarily a ping from inside the router uses the wan IP as its source, which is a different prefix.

ping6 -I 2001:569:7e95:db00::1 google.com

root@Sample:~# ping6 -I 2001:569:7e95:db00::1 google.com
PING google.com (2607:f8b0:400a:804::200e) from 2001:569:7e95:db00::1: 56 data bytes
64 bytes from 2607:f8b0:400a:804::200e: seq=0 ttl=61 time=5.096 ms
64 bytes from 2607:f8b0:400a:804::200e: seq=1 ttl=61 time=4.831 ms
64 bytes from 2607:f8b0:400a:804::200e: seq=2 ttl=61 time=4.426 ms
64 bytes from 2607:f8b0:400a:804::200e: seq=3 ttl=61 time=4.364 ms

2001:569:7e95:db00::1/60 is the lan IPv6 that has been assigned from the /56 PD and it seems to work :sparkles:

But still no luck on the clients unfortunately

Is /60 on br-lan really correct? Shouldn't that be just /64? Even if there are downstream routers which might get a prefix delegation, the subnet on the interface should just be /64, or not? And then a /60 route on that interface, or not?

Ok, I got things working by manually calling

killall -SIGUSR2 odhcp6c
killall -SIGUSR1 odhcp6c
/etc/init.d/odhcpd reload
/etc/init.d/odhcpd restart
ifup wan6

Clients can successfully use ping6, but only temporarily... I have to keep using the script above to re-establish the connection.

At this point it seems like it's an issue with the ISP and how they handle RA (possibly)? cc @trendy


Is /60 on br-lan really correct? Shouldn't that be just /64? Even if there are downstream routers which might get a prefix delegation, the subnet on the interface should just be /64, or not? And then a /60 route on that interface, or not?

@_bernd Since I'm getting /56 PD from my ISP, /60 network assignment should be fine.

Can you install tcpdump on the router and watch the RAs and DHCPv6 on your WAN interface? Do the RAs arrive consistently?

tcpdump -nvei eth0.10 '(icmp6 and ip6[40] == 134) or (udp and port 547)'

Run this in one session and run ifup wan6 in another session.

tcpdump -nvei eth1 '(icmp6 and ip6[40] == 134) or (udp and port 547)'

tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:30:26.850690 28:87:ba:c0:e2:1b > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 184: (flowlabel 0x8c2cc, hlim 1, next-header UDP (17) payload length: 130) fe80::2a87:baff:fec0:e21b.546 > ff02::1:2.547: [bad udp cksum 0xc47d -> 0x0a41!] dhcp6 release (xid=9aea1b (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 2887bac0e21b) (server-ID hwaddr type 1 242124c7623f) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0 (IA_PD-prefix 2001:569:7e92:7f00::/56 pltime:0 vltime:0)))
11:30:26.860960 24:21:24:c7:63:c6 > 28:87:ba:c0:e2:1b, ethertype IPv6 (0x86dd), length 147: (class 0x40, hlim 255, next-header UDP (17) payload length: 93) fe80::2621:24ff:fec7:623f.547 > fe80::2a87:baff:fec0:e21b.546: [udp sum ok] dhcp6 reply (xid=9aea1b (server-ID hwaddr type 1 242124c7623f) (client-ID hwaddr type 1 2887bac0e21b) (IA_PD IAID:1 T1:0 T2:0 (status-code Success)))
11:30:27.197214 28:87:ba:c0:e2:1b > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 163: (flowlabel 0x8c2cc, hlim 1, next-header UDP (17) payload length: 109) fe80::2a87:baff:fec0:e21b.546 > ff02::1:2.547: [bad udp cksum 0xc468 -> 0xf0e2!] dhcp6 solicit (xid=35190e (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 2887bac0e21b) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
11:30:27.200807 24:21:24:c7:63:c6 > 28:87:ba:c0:e2:1b, ethertype IPv6 (0x86dd), length 228: (class 0x40, hlim 255, next-header UDP (17) payload length: 174) fe80::2621:24ff:fec7:623f.547 > fe80::2a87:baff:fec0:e21b.546: [udp sum ok] dhcp6 advertise (xid=35190e (server-ID hwaddr type 1 242124c7623f) (client-ID hwaddr type 1 2887bac0e21b) (IA_NA IAID:1 T1:0 T2:0 (status-code NoAddrsAvail)) (IA_PD IAID:1 T1:7200 T2:10800 (IA_PD-prefix 2001:569:7e92:8a00::/56 pltime:14400 vltime:14700)) (DNS-server 2001:568:ff09:10c::68 2001:568:ff09:10b::124))
11:30:28.560279 28:87:ba:c0:e2:1b > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 147: (flowlabel 0x8c2cc, hlim 1, next-header UDP (17) payload length: 93) fe80::2a87:baff:fec0:e21b.546 > ff02::1:2.547: [bad udp cksum 0xc458 -> 0x2875!] dhcp6 solicit (xid=b1f11f (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 2887bac0e21b) (reconfigure-accept) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0))
11:30:28.563227 24:21:24:c7:63:c6 > 28:87:ba:c0:e2:1b, ethertype IPv6 (0x86dd), length 175: (class 0x40, hlim 255, next-header UDP (17) payload length: 121) fe80::2621:24ff:fec7:623f.547 > fe80::2a87:baff:fec0:e21b.546: [udp sum ok] dhcp6 advertise (xid=b1f11f (server-ID hwaddr type 1 242124c7623f) (client-ID hwaddr type 1 2887bac0e21b) (IA_PD IAID:1 T1:7200 T2:10800 (IA_PD-prefix 2001:569:7e92:8a00::/56 pltime:14400 vltime:14700)) (DNS-server 2001:568:ff09:10c::68 2001:568:ff09:10b::124))
11:30:30.237278 28:87:ba:c0:e2:1b > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 188: (flowlabel 0x8c2cc, hlim 1, next-header UDP (17) payload length: 134) fe80::2a87:baff:fec0:e21b.546 > ff02::1:2.547: [bad udp cksum 0xc481 -> 0x7f38!] dhcp6 request (xid=90c2a0 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 2887bac0e21b) (server-ID hwaddr type 1 242124c7623f) (reconfigure-accept) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0 (IA_PD-prefix 2001:569:7e92:8a00::/56 pltime:14400 vltime:14700)))
11:30:30.600208 24:21:24:c7:63:c6 > 28:87:ba:c0:e2:1b, ethertype IPv6 (0x86dd), length 175: (class 0x40, hlim 255, next-header UDP (17) payload length: 121) fe80::2621:24ff:fec7:623f.547 > fe80::2a87:baff:fec0:e21b.546: [udp sum ok] dhcp6 reply (xid=90c2a0 (server-ID hwaddr type 1 242124c7623f) (client-ID hwaddr type 1 2887bac0e21b) (IA_PD IAID:1 T1:7200 T2:10800 (IA_PD-prefix 2001:569:7e92:8a00::/56 pltime:14400 vltime:14700)) (DNS-server 2001:568:ff09:10c::68 2001:568:ff09:10b::124))
11:30:31.559827 24:21:24:c7:63:c6 > 28:87:ba:c0:e2:1b, ethertype IPv6 (0x86dd), length 78: (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::2621:24ff:fec7:623f > fe80::2a87:baff:fec0:e21b: [icmp6 sum ok] ICMP6, router advertisement, length 24
	hop limit 64, Flags [none], pref medium, router lifetime 4500s, reachable time 0ms, retrans timer 100ms
	  source link-address option (1), length 8 (1): 24:21:24:c7:63:c6

Ran this in a sandbox environment, where wan device is eth1. Not hiding IP/mac addresses because they are temp anyway

I've also seen these:

11:42:04.616742 40:cb:c0:af:a1:03 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 158: (flowlabel 0x00a00, hlim 1, next-header UDP (17) payload length: 104) fe80::18cc:85b1:d51:2566.546 > ff02::1:2.547: [udp sum ok] dhcp6 request (xid=22b43c (client-ID hwaddr/time type 1 time 575791280 40cbc0afa103) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 0) (server-ID hwaddr type 1 dca632e24ec6) (IA_NA IAID:0 T1:0 T2:0 (IA_ADDR 2001:569:7e92:d120::1 pltime:0 vltime:0)))
11:42:05.638414 40:cb:c0:af:a1:03 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 158: (flowlabel 0x70600, hlim 1, next-header UDP (17) payload length: 104) fe80::18cc:85b1:d51:2566.546 > ff02::1:2.547: [udp sum ok] dhcp6 decline (xid=6360c1 (client-ID hwaddr/time type 1 time 575791280 40cbc0afa103) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 0) (server-ID hwaddr type 1 dca632e24ec6) (IA_NA IAID:0 T1:0 T2:0 (IA_ADDR 2001:569:7e92:d120::1 pltime:0 vltime:0)))
11:42:05.990059 40:cb:c0:af:a1:03 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 116: (flowlabel 0x70600, hlim 1, next-header UDP (17) payload length: 62) fe80::18cc:85b1:d51:2566.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=a19719 (client-ID hwaddr/time type 1 time 575791280 40cbc0afa103) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 0) (IA_NA IAID:0 T1:0 T2:0))

Try running the same for the br-lan side to see what’s being sent to clients by the router.

Is the ISP changing the prefix on you?
I'd also configure so it is not getting the WAN IPv6 by both DHCPv6 and RA-- choose one. If the ISP fully supports DHCPv6 you can disable RA on wan. The other common setup is to take the IP over RA then only use DHCPv6 to request the prefix.

Ok, it seems that manually triggering RA seems to fix the issue temporarily.. Wrote a quick watchdog script which calls the mentioned script

# Workaround: poke the DHCPv6 client, restart the RA/DHCPv6 server for the
# LAN, then bring wan6 up again.
# NOTE(review): what odhcp6c does on SIGUSR2 / SIGUSR1 is not shown on this
# page - check its documentation before relying on the order of these two.
killall -SIGUSR2 odhcp6c
killall -SIGUSR1 odhcp6c
# NOTE(review): a restart directly after a reload is most likely redundant;
# the restart alone should be enough.
/etc/init.d/odhcpd reload
/etc/init.d/odhcpd restart
# NOTE(review): in the tcpdump capture above, taken around `ifup wan6`, the
# client sends a DHCPv6 release for 2001:569:7e92:7f00::/56 and the server
# then hands out 2001:569:7e92:8a00::/56. Each run can therefore renumber the
# whole LAN and break established IPv6 connections.
ifup wan6

Which is less than ideal, because I think it will disconnect current connections. rdisc6 would help with just sending router solicitations, but unfortunately it doesn't come by default with OpenWrt.

And after reading a bit more about what other users say about my ISP (Telus Canada), they don't seem to be obeying the RFC.

Anyway, for now I will roll with this and mention it to Telus. But I don't have high hopes for it getting fixed any time soon..

Thanks for all the help!
