IPv6 lost connection for a while periodically, with Apple TV in the LAN

Hi, I am using OpenWrt as my home router, with 2 routers act as wireless AP. Openwrt utilize PPPOE to get Internet access. My ISP got IPv6 PD support and I actually need it.
I set up the IPv6 on OP but occasionally I found out IPv6 connection problems, client in the LAN cannot ping IPv6 hosts but my OP always can.
On my NAS, I use Home Assistant's Ping intergration to notify me if the IPv6 connection breaks. When outrage happens, ip addr on NAS shows a fdxx address as a prefered address.
I realize it may be some address ditribution issue, I used tcpdump -i br-lan -evn 'icmp6 && ip6[40] == 134' to capture RA packages. And I found something strange.


09:52:49.280252 OPENWRT_MAC_ADDR > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 174: (flowlabel 0x325b4, hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::open:wrt > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
        hop limit 64, Flags [managed, other stateful], pref high, router lifetime 9000s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): OPENWRT_MAC_ADDR
          mtu option (5), length 8 (1):  1492
          prefix info option (3), length 32 (4): 2xxx:xxxx:xxxx:xxxx::/64, Flags [onlink, auto], valid time 43200s, pref. time 3521s
          route info option (24), length 24 (3):  2xxx:xxxx:xxxx:xxxx::/60, pref=high, lifetime=9000s
          rdnss option (25), length 24 (3):  lifetime 9000s, addr: 2xxx:xxxx:xxxx:xxxx::1
          advertisement interval option (7), length 8 (1):  150000ms
09:53:40.645101 APPLETV_MAC_ADDR > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 102: (flowlabel 0xf0300, hlim 255, next-header ICMPv6 (58) payload length: 48) fe80::apple:tv > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 48
        hop limit 0, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
          route info option (24), length 16 (2):  fd7a:3a79:8c2d::/64, pref=medium, lifetime=1800s
          unknown option (26), length 8 (1): 
          0x0000:  8000 0000 0000

First I found my bedroom's Apple TV is send out RAs every 3 mins, I googled this problem, there are many people also found this. But theirs IPv6 connection was not interrupted.
I tried to shorten the RA interval, raise RA preference to high, increase RA lifetime to 9000. But every 12 hour or a day, problem just keep going. Then during the connection issue, I found this:

13:38:19.726222 OPENWRT_MAC_ADDR > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 174: (flowlabel 0x325b4, hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::open:wrt > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
        hop limit 64, Flags [managed, other stateful], pref high, router lifetime 9000s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): OPENWRT_MAC_ADDR
          mtu option (5), length 8 (1):  1492
          prefix info option (3), length 32 (4): 2xxx:xxxx:xxxx:xxxx::/64, Flags [onlink, auto], valid time 43200s, pref. time 0s
          route info option (24), length 24 (3):  2xxx:xxxx:xxxx:xxxx::/60, pref=high, lifetime=9000s
          rdnss option (25), length 24 (3):  lifetime 9000s, addr: 2xxx:xxxx:xxxx:xxxx::1
          advertisement interval option (7), length 8 (1):  150000ms

"pref. time 0s"? which means this address is deprecated, but this address actually works, they can be pinged from outside. I found the pref time number does reset to 3600s at around every 30mins, but sometimes it stopped refreshing and down straight to 0.
So I went through some config again, I modified the preferred_lifetime ra_useleasetime on the lan but no luck.

Is there a way to find out the where real problem is?

My config:

# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth1'
        option macaddr 'MAC1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option ip6assign '64'
        option delegate '0'

config device
        option name 'eth0'
        option macaddr 'MAC2'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth1'
        option username 'XXXX'
        option password 'XXXX'
        option ipv6 'auto'


# cat /etc/config/dhcp

...

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra_management '1'
        option ra_preference 'high'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_maxinterval '150'
        option ra_mininterval '30'
        option dhcpv6 'server'
        option ra_lifetime '9000'
        option ra_useleasetime '1'
        option preferred_lifetime '150m'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '7'

...


Running Openwrt 21.02.7

Lets start by checking if you can upgrade to a supported 23.05.4, while some fixups may be possible on old release, you will need modern system, possibly on upgraded hardware for stable operation.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I got some package doen't work with OP 22 and above(because of nftables), so I stick on 21.

You can back up v21 configuration and v21 sysupgrade.
Your random package does not magically make v21 supported again.
There are 2 levels of degrading fw4+nft back to iptables-
A - replace nft kmods for xt to allow nft userland (iptables-nft fw4) to program old engine
B - move from fw4 to fw3 downgrading firewall part to v21

You have to provide information either way.
First we try to tackle ip6 issue with new version and try firewall degradations to see if your app can work there
Failing that ip6 things learned can be applied on reverted installation too.

@brada4 I got some package doen't work with OP 22 and above(because of nftables), so I stick on 21.

ImmortalWrt is almost the same as Openwrt main release but more package source and more accessible in China.

root@ImmortalWrt:~# ubus call system board
{
        "kernel": "5.4.255",
        "hostname": "ImmortalWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R2S",
        "board_name": "friendlyarm,nanopi-r2s",
        "release": {
                "distribution": "ImmortalWrt",
                "version": "21.02.7",
                "revision": "r20074-a8bbadefaf",
                "target": "rockchip/armv8",
                "description": "ImmortalWrt 21.02.7 r20074-a8bbadefaf"
        }
}


root@ImmortalWrt:~# cat /etc/config/firewall

config defaults
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone '1'
        option flow_offloading '1'
        option flow_offloading_hw '0'
        option synflood_protect '1'
        option input 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'passwall'
        option type 'script'
        option path '/var/etc/passwall.include'
        option reload '1'

config include 'passwall_server'
        option type 'script'
        option path '/var/etc/passwall_server.include'
        option reload '1'

config rule
        option name 'allow high forward'
        option src 'wan'
        option dest 'lan'
        option dest_port '20000-65535'
        option target 'ACCEPT'
        option family 'ipv6'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'allow https luci'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22000'
        option target 'ACCEPT'
        option enabled '0'


root@ImmortalWrt:~# cat /etc/config/dhcp # a

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option localuse '1'
        option mini_ttl '0'
        option rebind_protection '0'
        option noresolv '1'
        option cachesize '0'
        list server '127.0.0.1#5335'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra_management '1'
        option ra_preference 'high'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_maxinterval '150'
        option ra_mininterval '30'
        option dhcpv6 'server'
        option ra_lifetime '9000'
        option ra_useleasetime '1'
        option preferred_lifetime '150m'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '7'


Please see the 1st post for the network conf. No wireless confs.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

You have to ask ImmortalWRT, or repeat the problem with official and supported OpenWRT.
Passwall and fullcone are both to do with network workings and do not come from here.

@brada4 something the same happened when I using official openwrt 21. I think these modification doen't touch the IPv6 or odhcpd staff. They were using the same code base. Maybe we try to trouble shoot with odhcpd first?

odhcpd-ipv6only 2021-07-18-bc9d317f-3

I tried OP23 but the some game udp relay staff does not work with it, so if there is some bug in odhcpd i could patch it from commit bc9d317f and compile a new package by myself?

I think the key problem is the "pref time 0s", but why odhcpd would send this out?

I upload the full tcpdump output from a from OK to bad, problem happens around 13:28: