IPv6 not working for clients but router

Hello everyone,

I am trying to configure my network to be ipv6 compatible but I a struggeling..
I configured my ipv6 wan (it is a native ipv6 connection provided via dhcpv6 from my FritzBox which gets a /56 Prefix from my ISP). I can ping e.g. ipv6.google.com from the OpenWRT router, but I can not ping it from my clients connected to the router. I read the LEDE ipv6 basics but still can not figure out what is wrong. Especially what I do not understand is, that if I run traceroute6 google.de on my client, I get the following:

traceroute to  (2a00:1450:4001:820::2003) from YYYY:YYYY:YYYY:YYY3:750c:6656:82cc:c9a6, 30 hops max, 24 byte packets
 1  markus-P500CA (YYYY:YYYY:YYYY:YYY3:750c:6656:82cc:c9a6)  3073,36 ms !H  3063,31 ms

For my client I get the following output for ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 60:a4:4c:06:e5:a5 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.30.222/24 brd 192.168.30.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 43171sec preferred_lft 43171sec
    inet6 fd62:6f6e:6e00:3:750c:6656:82cc:c9a6/64 scope global temporary dynamic 
       valid_lft 604795sec preferred_lft 85809sec
    inet6 fd62:6f6e:6e00:3:fe2c:3ffc:9fc:32f6/64 scope global mngtmpaddr noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 YYYY:YYYY:YYYY:YYY3:750c:6656:82cc:c9a6/64 scope global temporary dynamic 
       valid_lft 5414sec preferred_lft 1814sec
    inet6 YYYY:YYYY:YYYY:YYY3:892c:b49a:fd84:432d/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 5414sec preferred_lft 1814sec
    inet6 fe80::a1d8:95b5:b0a8:84d6/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

My /etc/config/interface config:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd62:6f6e:6e00::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.30.1'
	option dns '192.168.50.19 9.9.9.9 8.8.8.8'
	option ip6ifaceid '::1'
	option ip6assign '64'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '98:de:d0:c1:f4:0e'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '98:de:d0:c1:f4:0f'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 4'

config interface 'MGM_LAN'
	option proto 'static'
	option ifname 'eth0.3'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 3'

config interface 'IOT_LAN'
	option proto 'static'
	option ifname 'eth0.4'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ip6assign '64'
	option dns '192.168.50.19 9.9.9.9 8.8.8.8'
	option ip6ifaceid '::1'

config interface 'Guest_LAN'
	option proto 'static'
	option ipaddr '192.168.80.1'
	option netmask '255.255.255.0'
	option dns '192.168.50.19 9.9.9.9 8.8.8.8'
	option ip6ifaceid '::1'
	option ip6assign '64'

My /etc/config/dhcp config file:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'MGM_LAN'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'MGM_LAN'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'


config dhcp 'IOT_LAN'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'IOT_LAN'
        option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'


config dhcp 'Guest_LAN'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Guest_LAN'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

The output of ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1217,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "fd00::9ade:d0ff:fec1:f40f",
			"mask": 64,
			"preferred": 3553,
			"valid": 7153
		},
		{
			"address": "YYYY:YYYY:YYYY:YY00:9ade:d0ff:fec1:f40f",
			"mask": 128,
			"preferred": 2372,
			"valid": 5972
		}
	],
	"ipv6-prefix": [
		{
			"address": "YYYY:YYYY:YYY0::",
			"mask": 60,
			"preferred": 2372,
			"valid": 5972,
			"class": "wan6",
			"assigned": {
				"Guest_LAN": {
					"address": "YYYY:YYYY:YYY0::",
					"mask": 64
				},
				"IOT_LAN": {
					"address": "YYYY:YYYY:YYY1::",
					"mask": 64
				},
				"MGM_LAN": {
					"address": "YYYY:YYYY:YYY2::",
					"mask": 64
				},
				"lan": {
					"address": "YYYY:YYYY:YYY3::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "YYYY:YYYY:YY00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 7153,
			"source": "::\/0"
		},
		{
			"target": "fd00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 7153,
			"source": "::\/0"
		},
		{
			"target": "YYYY:YYYY:YY00::",
			"mask": 64,
			"nexthop": "fe80::7eff:4dff:fea9:eb00",
			"metric": 512,
			"valid": 1753,
			"source": "::\/0"
		},
		{
			"target": "fd00::",
			"mask": 64,
			"nexthop": "fe80::7eff:4dff:fea9:eb00",
			"metric": 512,
			"valid": 1753,
			"source": "::\/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::7eff:4dff:fea9:eb00",
			"metric": 512,
			"valid": 1753,
			"source": "YYYY:YYYY:YYY0::\/60"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::7eff:4dff:fea9:eb00",
			"metric": 512,
			"valid": 1753,
			"source": "fd00::9ade:d0ff:fec1:f40f\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::7eff:4dff:fea9:eb00",
			"metric": 512,
			"valid": 1753,
			"source": "YYYY:YYYY:YY00:9ade:d0ff:fec1:f40f\/128"
		}
	],
	"dns-server": [
		"fd00::7eff:4dff:fea9:eb00"
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		"passthru": "YYYXXX"
	}
}

I don't see anything obviously wrong. You do have addresses and they are being propagated to your client.

You've got a rather sophisticated set-up with multiple LANs, have you made changes to the ipv6 firewall? In particular did you alter any of the default rules that allow icmpv6 through? You must have working icmpv6 for ipv6 to work, you can't be blocking it.

The rule is called "Allow-ICMPv6-Forward" in the default firewall, and it allows certain icmpv6 packets from any host in wan to any host in any zone with a rate limit.

I suspect you are missing valid default route for your client prefixes:

ip -6 route show; ip -6 rule show

If that's true, then create it:
https://openwrt.org/docs/guide-user/network/protocol.dhcp#default_ipv6_route

Hey there, thanks for commenting!

The rule "Allow-ICMPv6-Forward" is still there. Here is the /etc/config/firewall config file:

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'LAN_AccesTP'
	option dest_ip '192.168.30.1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'GUEST_LAN_DNS'
	option src 'Guest_LAN'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'GUEST_LAN_DHCP'
	option src 'Guest_LAN'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'LAN_DNS'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'LAN_DHCP'
	option dest_port '67-68'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'IOT_LAN_DNS'
	option src 'IOT_LAN'

config rule
	option target 'ACCEPT'
	option src 'IOT_LAN'
	option name 'IOT_LAN_DHCP'
	option dest_port '67-68'

config rule
	option src 'Guest_LAN'
	option name 'GUEST_LAN_BlockO2LAN'
	option dest 'wan'
	option dest_ip '192.168.1.1/24'
	option target 'REJECT'

config rule
	option src 'Guest_LAN'
	option name 'GUEST_LAN_BlockTPRouter'
	option target 'REJECT'
	option dest_ip '192.168.80.1'

config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

config zone
	option name 'lan'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'
	option input 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Guest_LAN'
	option output 'ACCEPT'
	option network 'Guest_LAN'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'MGM_LAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'MGM_LAN'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'Guest_LAN'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'IOT_LAN'
	option network 'IOT_LAN'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'IOT_LAN'

config forwarding
	option dest 'Guest_LAN'
	option src 'MGM_LAN'

config forwarding
	option dest 'IOT_LAN'
	option src 'MGM_LAN'

config forwarding
	option dest 'wan'
	option src 'MGM_LAN'

config forwarding
	option dest 'IOT_LAN'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'MGM_LAN'

config rule
	option src 'IOT_LAN'
	option name 'IOT_LAN_BlockO2LAN'
	option dest_ip '192.168.1.1/24'
	option dest 'wan'
	option target 'REJECT'

After adding the route the output of ip -6 r; ip -6 ru looks like. Hereby fe80::7eff:4dff:fea9:eb00 is the ULA of the FritzBox:

default from YYYY:YYYY:YY00:9ade:d0ff:fec1:f40f via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
default from YYYY:YYYY:YYY0::/60 via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
default from fd00::/64 via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
YYYY:YYYY:YY00::/64 dev eth0.2  metric 256 
YYYY:YYYY:YY00::/64 via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
YYYY:YYYY:YYY0::/64 dev wlan0-1  metric 1024 
YYYY:YYYY:YYY1::/64 dev br-IOT_LAN  metric 1024 
YYYY:YYYY:YYY2::/64 dev eth0.3  metric 1024 
YYYY:YYYY:YYY3::/64 dev br-lan  metric 1024 
unreachable YYYY:YYYY:YYY0::/60 dev lo  metric 2147483647  error -148
fd00::/64 dev eth0.2  metric 256 
fd00::/64 via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
fd62:6f6e:6e00::/64 dev wlan0-1  metric 1024 
fd62:6f6e:6e00:1::/64 dev br-IOT_LAN  metric 1024 
fd62:6f6e:6e00:2::/64 dev eth0.3  metric 1024 
fd62:6f6e:6e00:3::/64 dev br-lan  metric 1024 
unreachable fd62:6f6e:6e00::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev eth0.3  metric 256 
fe80::/64 dev br-IOT_LAN  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan0-1  metric 256 
fe80::/64 dev wlan0-2  metric 256 
unreachable default dev lo  metric -1  error -128
ff00::/8 dev br-IOT_LAN  metric 256 
ff00::/8 dev eth0.3  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth0.2  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev wlan0  metric 256 
ff00::/8 dev wlan0-1  metric 256 
ff00::/8 dev wlan0-2  metric 256 
unreachable default dev lo  metric -1  error -128
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from YYYY:YYYY:YYY1::1/64 iif br-IOT_LAN lookup unspec unreachable
4200000000:	from YYYY:YYYY:YYY2::1/64 iif eth0.3 lookup unspec unreachable
4200000000:	from YYYY:YYYY:YYY3::1/64 iif br-lan lookup unspec unreachable
4200000000:	from YYYY:YYYY:YYY0::1/64 iif wlan0-1 lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000004:	from all iif br-IOT_LAN lookup unspec 12
4200000008:	from all iif eth0.3 lookup unspec 12
4200000009:	from all iif eth0.2 lookup unspec 12
4200000009:	from all iif eth0.2 lookup unspec 12
4200000018:	from all iif br-lan lookup unspec 12
4200000021:	from all iif wlan0-1 lookup unspec 12

On my client the output of ip -6 r; ip -6 ru is as follows. Hereby I do not know what the default route IP fe80::9ade:d0ff:fec1:f40e is...:

YYYY:YYYY:YYY3::/64 dev wlp2s0 proto ra metric 600 pref medium
fd2f:6754:f736::185 dev wlp2s0 proto kernel metric 600 pref medium
fd62:6f6e:6e00:3::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
default via fe80::9ade:d0ff:fec1:f40e dev wlp2s0 proto ra metric 600 pref medium
0:	from all lookup local 
32766:	from all lookup main 

Check from your router:

# nslookup -qAAAA openwrt.org 
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
openwrt.org	has AAAA address 2a03:b0c0:3:d0::1af1:1

# ip -6 route get 2a03:b0c0:3:d0::1af1:1 from CLIENT_IPV6_ADDRESS
...
~$ nslookup -qAAAA openwrt.org 
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
openwrt.org	has AAAA address 2a03:b0c0:3:d0::1af1:1

~$ ip -6 route get 2a03:b0c0:3:d0::1af1:1 from YYYY:YYYY:YYf3:892c:b49a:fd84:432d
2a03:b0c0:3:d0::1af1:1 from YYYY:YYYY:YYf3:892c:b49a:fd84:432d via fe80::7eff:4dff:fea9:eb00 dev eth0.2  src YYYY:YYY:YY00:9ade:d0ff:fec1:f40f  metric 512 

Strange, it should not limiting the source, like this:

# OpenWrt
# ip -6 r
default via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 1024 
...

But I don't see it, although ip -6 route get says that it's working somehow.

Check this:

# OpenWrt
service network restart
uci show network | grep route6
ip -6 route show default table all

# LAN-client
traceroute6 openwrt.org
~$ sudo uci show network | grep route6
network.@route6[0]=route6
network.@route6[0].target='::/0'
~$ ip -6 route show default table all
default from YYYY:YYYY:YY00:9ade:d0ff:fec1:f40f via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
default from YYYY:YYYY:YYf0::/60 via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
default from fd00::/64 via fe80::7eff:4dff:fea9:eb00 dev eth0.2  metric 512 
unreachable default dev lo  metric -1  error -128
unreachable default dev lo  metric -1  error -128
traceroute to  (2a03:b0c0:3:d0::1af1:1) from YYYY:YYYY:YYf3:750c:6656:82cc:c9a6, 30 hops max, 24 byte packets
 1  markus-P500CA (YYYY:YYYY:YYf3:750c:6656:82cc:c9a6)  3078,38 ms !H

Just figured out that the variable NET_IF6 is/was not set by network_find_wan6.

Finally did a reset of the config and started from scratch – solved the issue :see_no_evil:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.