IPv6 not working in 19.07 in standard configuration, only disable Firewall rules helped

Collect diagnostics from OpenWrt:

ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save

ULA prefix is private, not a problem to post it publicly.
ULA is assigned to the LAN.
This firewall rule allows link-local addresses (fe80:...) from the ISP router to your router to communicate for DHCPv6.
There are some more rules, like 'Allow-ICMPv6-Input', which are also necessary to allow IPv6.

In addition to what @vgaetera asked you to post, also post the whole firewall configuration: uci export firewall

Default rules work fine. If they don't then maybe your ISP is using a non-standard setup, or something has been changed in your configuration accidentally.


I'm sorry for the long delay. I had so much going on. My SIP phone does work in IPv4, but not with IPv6. As I understand it, IPv4 is NATed, so it works, but an IPv6 device gets two IPv6 addresses: one local and one globally accessible. It seems that requests from the internet on port 5060 don't get through. Is this normal? Should I allow port 5060 to go through the firewall?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::6238:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::6038:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:71a0:8012:5100::1/60 scope global dynamic 
       valid_lft 67829sec preferred_lft 24629sec
    inet6 fd8b:6396:42::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6038:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:71a0:8000:1:6238:e0ff:fed7:7293/64 scope global dynamic 
       valid_lft 2591616sec preferred_lft 604416sec
    inet6 2a01:71a0:8000:1:0:d:0:1245/128 scope global dynamic 
       valid_lft 67828sec preferred_lft 24628sec
    inet6 fe80::6238:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6038:e0ff:fed7:7295/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6038:e0ff:fed7:7294/64 scope link 
       valid_lft forever preferred_lft forever
default from 2a01:71a0:8000:1:0:d:0:1245 via fe80::5e00:202 dev eth1.2  metric 512 
default from 2a01:71a0:8000:1::/64 via fe80::5e00:202 dev eth1.2  metric 512 
default from 2a01:71a0:8012:5100::/56 via fe80::5e00:202 dev eth1.2  metric 512 
2a01:71a0:8000:1::/64 dev eth1.2  metric 256 
2a01:71a0:8012:5100::/64 dev br-lan  metric 1024 
unreachable 2a01:71a0:8012:5100::/56 dev lo  metric 2147483647  error -113
fd8b:6396:42::/64 dev br-lan  metric 1024 
unreachable fd8b:6396:42::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev eth1.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
anycast 2a01:71a0:8000:1:: dev eth1.2  metric 0 
anycast 2a01:71a0:8012:5100:: dev br-lan  metric 0 
anycast fd8b:6396:42:: dev br-lan  metric 0 
anycast fe80:: dev eth1.2  metric 0 
anycast fe80:: dev eth1  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth1  metric 256 
ff00::/8 dev eth1.2  metric 256 
ff00::/8 dev wlan1  metric 256 
ff00::/8 dev wlan0  metric 256 
0:      from all lookup local 
32766:  from all lookup main 
4200000000:     from 2a01:71a0:8012:5100::1/60 iif br-lan lookup unspec unreachable
4200000001:     from all iif lo lookup unspec 12
4200000007:     from all iif br-lan lookup unspec 12
4200000009:     from all iif eth1.2 lookup unspec 12
4200000009:     from all iif eth1.2 lookup unspec 12

root@OpenWrt:~# ip6tables-save
# Generated by ip6tables-save v1.8.3 on Sun Aug 23 20:41:42 2020
*mangle
:PREROUTING ACCEPT [37945052:46048129125]
:INPUT ACCEPT [387334:46796001]
:FORWARD ACCEPT [37507388:45987114337]
:OUTPUT ACCEPT [410870:76950463]
:POSTROUTING ACCEPT [37902919:46062826397]
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Aug 23 20:41:42 2020
# Generated by ip6tables-save v1.8.3 on Sun Aug 23 20:41:42 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT

THX in advance,

Greenoid

I cannot find the dialog in LuCI from the screenshot in that thread.

It's the ICMPv6 type checklist on that firewall rule.

Yes, incoming traffic not related to outgoing traffic is restricted by default.

Yes, if you need it.

In addition, you may want to install this package:
https://openwrt.org/packages/pkgdata/kmod-nf-nathelper-extra

Disabling sourcefilter for the WAN6 interface may help to avoid adding extra routes:
https://openwrt.org/docs/guide-user/network/ipv6/start#protocol_dhcpv6

Next weekend I'll do a clean new install of OpenWrt 19.07.3 on my router.
Currently I'm running 19.07.2. I hope to see the new dialogs in LuCI and will log all changes necessary.
The solution from "Problems getting native IPv6 to work with LUCI" will hopefully apply.
From what I experienced, IPv4 will work out of the box, so I won't lose my internet connection.

Ok. I've updated everything to the newest versions. I'm on OpenWrt 19.07.3 with the latest LuCI. The problem persists, the solution from the other thread does not help me, and I cannot find the dialog in the screenshot.
Anyway, I think I've learned more about the problem and the solution.
No device in my LAN gets ULA addresses. IPv6 addresses do not begin with fc00 or fd80 (ULA) but with fe80. My client and the router have IPv6 addresses beginning with fe80, and all is working when I delete the restriction in the DHCPv6 firewall rule.

All IPv6 traffic from wan6 to lan is normally rejected by the firewall. There needs to be an exception rule for answers or traffic from dhcp6, which is there, but is restricted to source and destination fc00::/6 which does not work. The next exception rule Allow-MLD is restricted to fe80::/10.

So the default route is set via DHCPv6 (in renegotiation?) and it has to reach the client.

For the time being, no IP restriction or fe80::/10 will work, but fc00::/6 won't.

Perhaps my DHCP config is wrong and it should use fc00 or fd80 addresses, so I post my dhcp config here:

root@OpenWrt:/etc/config# cat dhcp 

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Anything wrong with it? I only use LuCI.

Greetings,

Greenoid

One more thing: in this old ticket the rule was introduced for DHCPv6 answers, and it used fe80::/10 too:
https://dev.archive.openwrt.org/ticket/10381
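To see which packets the src_ip/dest_ip filters on the Allow-DHCPv6 rule actually admit, here is an added Python check (not from the thread, OpenWrt or fw3) that models the rule and evaluates it against the link-local addresses visible in the diagnostics above; the global source 2001:db8::1 and the ULA host fd80:5342:1::10 are constructed placeholders.

```python
"""Model a fw3 'config rule' with src_ip/dest_ip filters and test it against
sample DHCPv6 packets. Added example; not code from the thread or OpenWrt."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the diagnostics in the thread.
GATEWAY_LL = "fe80::5e00:202"                 # ISP router, next hop on eth1.2
ROUTER_LL = "fe80::6238:e0ff:fed7:7293"       # router's link-local on eth1.2
ROUTER_GLOBAL = "2a01:71a0:8000:1:6238:e0ff:fed7:7293"
# Constructed placeholders (the real ULA prefix is redacted in the thread).
INTERNET_HOST = "2001:db8::1"
ULA_HOST = "fd80:5342:1::10"


@dataclass(frozen=True)
class Rule:
    """Subset of a UCI firewall rule: unset src_ip/dest_ip means 'any'."""
    name: str
    proto: str
    dest_port: int
    src_ip: Optional[str] = None
    dest_ip: Optional[str] = None

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """True if a packet src->dst proto/dport is accepted by this rule."""
        if proto != self.proto or dport != self.dest_port:
            return False
        for filt, addr in ((self.src_ip, src), (self.dest_ip, dst)):
            if filt is None:
                continue
            net = ipaddress.ip_network(filt, strict=False)
            if ipaddress.ip_address(addr) not in net:
                return False
        return True


# The stock OpenWrt 19.07 rule and the modification from the thread.
STOCK_RULE = Rule("Allow-DHCPv6", "udp", 546, "fc00::/6", "fc00::/6")
MODIFIED_RULE = Rule("Allow-DHCPv6", "udp", 546, "fe80::/10", "fe80::/10")
UNRESTRICTED_RULE = Rule("Allow-DHCPv6", "udp", 546)


def prefix_contains(outer: str, inner: str) -> bool:
    """True if every address in `inner` also lies inside `outer`."""
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False)
    )


def dhcpv6_reply_accepted(rule: Rule) -> bool:
    """A DHCPv6 reply from the ISP gateway to the router's client port."""
    return rule.matches(GATEWAY_LL, ROUTER_LL, "udp", 546)


def internet_probe_accepted(rule: Rule) -> bool:
    """UDP/546 from a global address: should not pass a scoped rule."""
    return rule.matches(INTERNET_HOST, ROUTER_GLOBAL, "udp", 546)


if __name__ == "__main__":
    for r in (STOCK_RULE, MODIFIED_RULE, UNRESTRICTED_RULE):
        print(r.src_ip, "reply:", dhcpv6_reply_accepted(r),
              "internet probe:", internet_probe_accepted(r))
    print("fc00::/6 covers fe80::/10:", prefix_contains("fc00::/6", "fe80::/10"))
    print("fc00::/6 covers ULA host:", ipaddress.ip_address(ULA_HOST)
          in ipaddress.ip_network("fc00::/6"))
```

Because fc00::/6 is a 6-bit prefix, it spans fc00:: through ffff:..., so it includes both the ULA range and the fe80::/10 link-local range, while an unrestricted rule would also accept UDP/546 from any global source.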

This is weird, it should work by default if you reset the configuration.

Those look like limited-scope addresses which most likely require using the relay mode, so no additional firewall rule should be needed.

My DHCP is configured like this

Should I try 'relay' settings?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

I upgraded the firmware from 19.07.2 to 19.07.3 and disabled keep settings. Then I updated every opkg package. The firewall package warned that it could not find "ipset". So I installed "ipset" and reinstalled the firewall package via "opkg install --force-reinstall firewall" to get everything as standard as possible.
I then recreated the two WLAN APs and experimented with the source and destination IP restrictions in the Allow-DHCPv6 rule. Original was fc00::/6. Last status is fe80::/10.

> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip6tables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
{
        "kernel": "4.14.180",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,shelby",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:5342:XXXX::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
# added manually by me because I read it somewhere in the forum:
        option ip6class 'wan6'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option country 'DE'
        option htmode 'VHT20'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '62:38:e0:XX:XX:XX'
        option ssid 'Magrathea5'
        option encryption 'psk2'
        option key 'XXXXXXXX'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option country 'DE'
        option htmode 'HT40'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '62:38:e0:XX:XX:XX'
        option key 'XXXXXXXX'
        option ssid 'Magrathea'
        option encryption 'psk2'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '28:D2:44:XX:XX:XX'
        option leasetime '3600'
        option dns '1'
        option name 'moby'
        option ip '192.168.1.125'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
# latest try, was 'fc00::/6' original which didn't work
# which is no route from client to router and the internet in IPv6
        option src_ip 'fe80::/10'
        option dest_ip 'fe80::/10'
# end of modification
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Sat Aug 29 19:19:35 2020
*nat
:PREROUTING ACCEPT [34485:4658163]
:INPUT ACCEPT [12274:933969]
:OUTPUT ACCEPT [9183:625936]
:POSTROUTING ACCEPT [49:9774]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[34485:4658163] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[28590:4405549] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[5895:252614] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[23194:2705419] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[30:8348] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[23145:2695645] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[30:8348] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[28590:4405549] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[23145:2695645] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[23145:2695645] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[5895:252614] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Aug 29 19:19:35 2020
# Generated by iptables-save v1.8.3 on Sat Aug 29 19:19:35 2020
*mangle
:PREROUTING ACCEPT [2389059:2848272749]
:INPUT ACCEPT [35494:5066177]
:FORWARD ACCEPT [2345574:2841586349]
:OUTPUT ACCEPT [35298:5978076]
:POSTROUTING ACCEPT [2379756:2847497297]
[6300:358548] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6484:361744] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Aug 29 19:19:35 2020
# Generated by iptables-save v1.8.3 on Sat Aug 29 19:19:35 2020
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[759:73040] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[34737:4993241] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[13552:3614381] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5677:231132] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[13569:1045322] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[7506:329138] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[2345574:2841586349] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2335165:2839116635] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[10409:2469714] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[759:73040] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[34544:5906528] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[25157:5267823] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[47:13705] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[9340:625000] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[7243:303197] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[201:22775] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[5567:226732] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[110:4400] -A syn_flood -m comment --comment "!fw3" -j DROP
[47:13705] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[10409:2469714] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[10409:2469714] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[13569:1045322] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[13569:1045322] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[47:13705] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[47:13705] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[13568:1045270] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1122:69141] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[18627:3025573] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[7506:329138] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[62:3166] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7444:325972] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[9340:625000] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[9340:625000] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[7444:325972] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug 29 19:19:35 2020
# Generated by ip6tables-save v1.8.3 on Sat Aug 29 19:19:35 2020
*mangle
:PREROUTING ACCEPT [8913:1610510]
:INPUT ACCEPT [6987:1170228]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7770:1385834]
:POSTROUTING ACCEPT [7770:1385834]
[0:0] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Aug 29 19:19:35 2020
# Generated by ip6tables-save v1.8.3 on Sat Aug 29 19:19:35 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14:1296]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[6987:1170228] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1633:622649] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3610:309399] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1744:238180] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[7770:1385834] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[3990:1061227] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1037:87612] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2729:235699] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[764:170372] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1037:87612] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3610:309399] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[3610:309399] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1037:87612] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1037:87612] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3610:309399] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2729:235699] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1744:238180] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fe80::/10 -d fe80::/10 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[4:224] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[76:5472] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[62:8432] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[838:53680] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[764:170372] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2729:235699] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2729:235699] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[764:170372] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug 29 19:19:35 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 94.126.36.216/22 brd 94.126.39.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 94.126.36.1 dev eth1.2  src 94.126.36.216 
94.126.36.0/22 dev eth1.2 scope link  src 94.126.36.216 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
broadcast 94.126.36.0 dev eth1.2 table local scope link  src 94.126.36.216 
local 94.126.36.216 dev eth1.2 table local scope host  src 94.126.36.216 
broadcast 94.126.39.255 dev eth1.2 table local scope link  src 94.126.36.216 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::6238:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::6038:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6038:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:71a0:8000:1:6238:e0ff:fed7:7293/64 scope global dynamic 
       valid_lft 2591861sec preferred_lft 604661sec
    inet6 fe80::6238:e0ff:fed7:7293/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6038:e0ff:fed7:7295/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6038:e0ff:fed7:7294/64 scope link 
       valid_lft forever preferred_lft forever
default from 2a01:71a0:8000:1::/64 via fe80::5e00:202 dev eth1.2  metric 512 
2a01:71a0:8000:1::/64 dev eth1.2  metric 256 
unreachable fd80:5342:6255::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev eth1.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2a01:71a0:8000:1:: dev eth1.2 table local  metric 0 
local 2a01:71a0:8000:1:6238:e0ff:fed7:7293 dev eth1.2 table local  metric 0 
anycast fe80:: dev eth1 table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev eth1.2 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
local fe80::6038:e0ff:fed7:7293 dev eth0 table local  metric 0 
local fe80::6038:e0ff:fed7:7293 dev br-lan table local  metric 0 
local fe80::6038:e0ff:fed7:7294 dev wlan1 table local  metric 0 
local fe80::6038:e0ff:fed7:7295 dev wlan0 table local  metric 0 
local fe80::6238:e0ff:fed7:7293 dev eth1 table local  metric 0 
local fe80::6238:e0ff:fed7:7293 dev eth1.2 table local  metric 0 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev eth1 table local  metric 256 
ff00::/8 dev eth1.2 table local  metric 256 
ff00::/8 dev br-lan table local  metric 256 
ff00::/8 dev wlan1 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
0:      from all lookup local 
32766:  from all lookup main 
4200000001:     from all iif lo lookup unspec 12
4200000007:     from all iif br-lan lookup unspec 12
4200000009:     from all iif eth1.2 lookup unspec 12
4200000009:     from all iif eth1.2 lookup unspec 12


Greetings, Greenoid.

1 Like

This way you limited prefix delegation and disabled the ULA-prefix.
By default, it should use all available prefixes.

1 Like

I added this line today, and so I deleted it now.
I restarted the network of the router and client. Client has no IPv6 connection to the internet.

frerk@moby:~> ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fd80:5342:6255::bce dev eth0 proto kernel metric 100 pref medium
fd80:5342:6255::/64 dev eth0 proto ra metric 100 pref medium
fd80:5342:6255::/48 via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium

frerk@moby:~> ip -6 neigh
fe80::6038:e0ff:fed7:7293 dev eth0 lladdr 62:38:e0:d7:72:93 router STALE

I change to fd80::/10 since it gets fd80 addresses and an fe80 address:

frerk@moby:~> ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fd80:5342:6255::bce dev eth0 proto kernel metric 100 pref medium
fd80:5342:6255::/64 dev eth0 proto ra metric 100 pref medium
fd80:5342:6255::/48 via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium

frerk@moby:~> ip -6 neigh
fe80::6038:e0ff:fed7:7293 dev eth0 lladdr 62:38:e0:d7:72:93 router STALE
frerk@moby:~> ip -6 neigh
fe80::6038:e0ff:fed7:7293 dev eth0 lladdr 62:38:e0:d7:72:93 router DELAY
frerk@moby:~> ip -6 neigh
fe80::6038:e0ff:fed7:7293 dev eth0 lladdr 62:38:e0:d7:72:93 router REACHABLE
frerk@moby:~> ping -6 ipv6.google.com
connect: Das Netzwerk ist nicht erreichbar

Now I remove the source-ip and dest-ip filters completely:

frerk@moby:~> ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
frerk@moby:~> ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a01:71a0:8012:5100::bce dev eth0 proto kernel metric 100 pref medium
2a01:71a0:8012:5100::/64 dev eth0 proto ra metric 100 pref medium
2a01:71a0:8012:5100::/56 via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
fd80:5342:6255::bce dev eth0 proto kernel metric 100 pref medium
fd80:5342:6255::/64 dev eth0 proto ra metric 100 pref medium
fd80:5342:6255::/48 via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
default via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 20100 pref medium
frerk@moby:~> ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a01:71a0:8012:5100::bce dev eth0 proto kernel metric 100 pref medium
2a01:71a0:8012:5100::/64 dev eth0 proto ra metric 100 pref medium
2a01:71a0:8012:5100::/56 via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
fd80:5342:6255::bce dev eth0 proto kernel metric 100 pref medium
fd80:5342:6255::/64 dev eth0 proto ra metric 100 pref medium
fd80:5342:6255::/48 via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
default via fe80::6038:e0ff:fed7:7293 dev eth0 proto ra metric 100 pref medium
frerk@moby:~> ip -6 neigh
fe80::6038:e0ff:fed7:7293 dev eth0 lladdr 62:38:e0:d7:72:93 router REACHABLE
frerk@moby:~> ping -6 ipv6.google.com
PING ipv6.google.com(ham02s17-in-x0e.1e100.net (2a00:1450:4005:80b::200e)) 56 data bytes
64 bytes from ham02s17-in-x0e.1e100.net (2a00:1450:4005:80b::200e): icmp_seq=1 ttl=119 time=1.97 ms
64 bytes from ham02s17-in-x0e.1e100.net (2a00:1450:4005:80b::200e): icmp_seq=2 ttl=119 time=1.94 ms
^C
--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.941/1.959/1.977/0.018 ms

Suddenly I get 2a01: addresses and a default route to fe80::6038:e0ff:fed7:7293.
IPv6 connection to the internet works.

So far I haven't found any filter that works.

Thanks in advance,

Greenoid.

1 Like

Sorry to break it, but fe80::/10 is included in fc00::/6. (fc00:: until ffff:ff...ffff)
The point of this rule is to allow DHCPv6 over link local IPv6 addresses from wan.
I suspect it doesn't work in your case because your ISP has implemented some different way to negotiate dhcpv6.

Other than that, you are not getting any ULA address on the lan interface because of ip6class as @vgaetera mentioned already.

These are not connected. The fe80 are link local IPs and the fc or fd are ULA.

Run the following:
opkg update; opkg install tcpdump; ifup wan6; tcpdump -i eth1.2 -evn icmp6 or udp port 546
Let it run for half a minute, stop it and post here the capture.

1 Like

What I did: Shutdown wan6 on the router, wait 10s, Up wan6 on the router, begin capture, wait 10s, unplug my client/notebook, wait 20s, replug my client/notebook, wait 10s, stop.
I hope to show you what's happening with the DHCPv6 on the router of my provider and between my OpenWRT and the client. (I have no filter active on the Allow-DHCPv6 rule).

root@OpenWrt:/etc/config# ifdown wan6; sleep 10; ifup wan6; tcpdump -i eth1.2 -evn icmp6 or udp port 546
tcpdump: listening on eth1.2, link-type EN10MB (Ethernet), capture size 262144 bytes
16:11:16.089856 60:38:e0:d7:72:93 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 164: (flowlabel 0xa45ce, hlim 1, next-header UDP (17) payload length: 110) fe80::6238:e0ff:fed7:7293.546 > ff02::1:2.547: [bad udp cksum 0xb2a9 -> 0x50d0!] dhcp6 solicit (xid=d3beae (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 6038e0d77293) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
16:11:16.166756 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 237: (hlim 64, next-header UDP (17) payload length: 183) 2a01:71a0:8000:1::3.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] dhcp6 advertise (xid=d3beae (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625652870 005056a5d054) (IA_NA IAID:1 T1:0 T2:21600 (IA_ADDR 2a01:71a0:8000:1:0:d:0:129f pltime:43200 vltime:86400)) (DNS-server 2a01:71a0:40:53::53 2a01:71a0:40:53::1:53) (IA_PD IAID:1 T1:0 T2:21600 (IA_PD-prefix 2a01:71a0:8012:a300::/56 pltime:43200 vltime:86400)) (Client-FQDN))
16:11:16.167864 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 237: (hlim 64, next-header UDP (17) payload length: 183) 2a01:71a0:8000:1::3.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] dhcp6 advertise (xid=d3beae (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625653035 005056a54e8b) (IA_NA IAID:1 T1:0 T2:21600 (IA_ADDR 2a01:71a0:8000:1:0:d:0:129f pltime:43200 vltime:86400)) (DNS-server 2a01:71a0:40:53::53 2a01:71a0:40:53::1:53) (IA_PD IAID:1 T1:0 T2:21600 (IA_PD-prefix 2a01:71a0:8012:a300::/56 pltime:43200 vltime:86400)) (Client-FQDN))
16:11:16.168914 00:04:96:52:8f:b1 > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 237: (hlim 64, next-header UDP (17) payload length: 183) 2a01:71a0:8000:1::2.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] dhcp6 advertise (xid=d3beae (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625653035 005056a54e8b) (IA_NA IAID:1 T1:0 T2:21600 (IA_ADDR 2a01:71a0:8000:1:0:d:0:12a0 pltime:43200 vltime:86400)) (DNS-server 2a01:71a0:40:53::53 2a01:71a0:40:53::1:53) (IA_PD IAID:1 T1:0 T2:21600 (IA_PD-prefix 2a01:71a0:8012:a400::/56 pltime:43200 vltime:86400)) (Client-FQDN))
16:11:16.170076 00:04:96:52:8f:b1 > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 237: (hlim 64, next-header UDP (17) payload length: 183) 2a01:71a0:8000:1::2.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] dhcp6 advertise (xid=d3beae (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625652870 005056a5d054) (IA_NA IAID:1 T1:0 T2:21600 (IA_ADDR 2a01:71a0:8000:1:0:d:0:12a0 pltime:43200 vltime:86400)) (DNS-server 2a01:71a0:40:53::53 2a01:71a0:40:53::1:53) (IA_PD IAID:1 T1:0 T2:21600 (IA_PD-prefix 2a01:71a0:8012:a400::/56 pltime:43200 vltime:86400)) (Client-FQDN))
16:11:16.366578 00:00:5e:00:02:02 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 150: (hlim 255, next-header ICMPv6 (58) payload length: 96) fe80::5e00:202 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 96
        hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 30000ms, retrans timer 1000ms
          source link-address option (1), length 8 (1): 00:00:5e:00:02:02
          prefix info option (3), length 32 (4): 2a01:71a0:8000:1::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
          rdnss option (25), length 40 (5):  lifetime 1200s, addr: 2a01:71a0:40:53::53 addr: 2a01:71a0:40:53::1:53
16:11:18.163665 60:38:e0:d7:72:93 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 237: (flowlabel 0xa45ce, hlim 1, next-header UDP (17) payload length: 183) fe80::6238:e0ff:fed7:7293.546 > ff02::1:2.547: [bad udp cksum 0xb2f2 -> 0xc6fb!] dhcp6 request (xid=4bb6a7 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625653035 005056a54e8b) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0 (IA_ADDR 2a01:71a0:8000:1:0:d:0:12a0 pltime:43200 vltime:86400)) (IA_PD IAID:1 T1:0 T2:0 (IA_PD-prefix 2a01:71a0:8012:a400::/56 pltime:43200 vltime:86400)))
16:11:18.182380 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 237: (hlim 64, next-header UDP (17) payload length: 183) 2a01:71a0:8000:1::3.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] dhcp6 reply (xid=4bb6a7 (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625653035 005056a54e8b) (IA_NA IAID:1 T1:0 T2:21600 (IA_ADDR 2a01:71a0:8000:1:0:d:0:12a0 pltime:43200 vltime:86400)) (DNS-server 2a01:71a0:40:53::53 2a01:71a0:40:53::1:53) (IA_PD IAID:1 T1:0 T2:21600 (IA_PD-prefix 2a01:71a0:8012:a400::/56 pltime:43200 vltime:86400)) (Client-FQDN))
16:11:18.521532 60:38:e0:d7:72:93 > 33:33:ff:d7:72:93, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ffd7:7293: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:6238:e0ff:fed7:7293
          unknown option (14), length 8 (1): 
          0x0000:  3315 2992 d2ce
16:11:18.526181 00:04:96:8b:8c:8d > 33:33:ff:00:00:bf, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ff00:bf: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:bf
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:11:18.991537 60:38:e0:d7:72:93 > 33:33:ff:00:12:a0, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff00:12a0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:12a0
          unknown option (14), length 8 (1): 
          0x0000:  deb6 79e0 0c52
16:11:21.395808 00:04:96:8b:8c:8d > 33:33:ff:d7:72:93, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ffd7:7293: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::6238:e0ff:fed7:7293
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:11:21.395856 60:38:e0:d7:72:93 > 00:04:96:8b:8c:8d, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::6238:e0ff:fed7:7293 > fe80::204:96ff:fe8b:8c8d: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::6238:e0ff:fed7:7293, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): 60:38:e0:d7:72:93
16:11:22.116407 00:04:96:8b:8c:8d > 33:33:ff:e0:4c:c9, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ffe0:4cc9: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:18e:4a93:5be0:4cc9
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:11:26.431533 60:38:e0:d7:72:93 > 00:04:96:8b:8c:8d, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::6238:e0ff:fed7:7293 > fe80::204:96ff:fe8b:8c8d: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::204:96ff:fe8b:8c8d
          source link-address option (1), length 8 (1): 60:38:e0:d7:72:93
16:11:26.433730 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::204:96ff:fe8b:8c8d > fe80::6238:e0ff:fed7:7293: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::204:96ff:fe8b:8c8d, Flags [router, solicited]
16:11:28.388751 60:38:e0:d7:72:93 > 00:00:5e:00:02:02, ethertype IPv6 (0x86dd), length 578: (flowlabel 0x720ba, hlim 64, next-header ICMPv6 (58) payload length: 524) 2a01:71a0:8000:1:6238:e0ff:fed7:7293 > 2a01:71a0:40:53::1:53: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2a01:71a0:8000:1:6238:e0ff:fed7:7293 udp port 8899
16:11:34.056951 00:04:96:8b:8c:8d > 33:33:ff:00:00:6e, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ff00:6e: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:6e
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:11:35.016807 00:04:96:8b:8c:8d > 33:33:ff:00:00:06, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:6
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:11:39.206854 00:04:96:8b:8c:8d > 33:33:ff:00:00:14, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ff00:14: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:14
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:11:40.273511 00:04:96:52:8f:b1 > 33:33:ff:83:f9:67, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe52:8fb1 > ff02::1:ff83:f967: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::618:d6ff:fe83:f967
          source link-address option (1), length 8 (1): 00:04:96:52:8f:b1
16:11:48.191530 60:38:e0:d7:72:93 > 00:00:5e:00:02:02, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::6238:e0ff:fed7:7293 > fe80::5e00:202: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::5e00:202
          source link-address option (1), length 8 (1): 60:38:e0:d7:72:93
16:11:48.193838 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::5e00:202 > fe80::6238:e0ff:fed7:7293: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::5e00:202, Flags [router, solicited]
16:11:50.324021 60:38:e0:d7:72:93 > 00:00:5e:00:02:02, ethertype IPv6 (0x86dd), length 576: (flowlabel 0x720ba, hlim 64, next-header ICMPv6 (58) payload length: 522) 2a01:71a0:8000:1:6238:e0ff:fed7:7293 > 2a01:71a0:40:53::1:53: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2a01:71a0:8000:1:6238:e0ff:fed7:7293 udp port 39468
16:11:54.694130 00:04:96:52:8f:b1 > 33:33:ff:d6:f2:ce, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe52:8fb1 > ff02::1:ffd6:f2ce: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f2b0:14ff:fed6:f2ce
          source link-address option (1), length 8 (1): 00:04:96:52:8f:b1
16:11:56.377447 00:04:96:8b:8c:8d > 33:33:ff:00:00:2b, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ff00:2b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:2b
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
16:12:01.187480 00:04:96:8b:8c:8d > 33:33:ff:00:00:b3, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::204:96ff:fe8b:8c8d > ff02::1:ff00:b3: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:71a0:8000:1:0:d:0:b3
          source link-address option (1), length 8 (1): 00:04:96:8b:8c:8d
^C
27 packets captured
29 packets received by filter
0 packets dropped by kernel

Thanks for your patience and time.

Greenoid

16:11:16.166756 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), length 237: (hlim 64, next-header UDP (17) payload length: 183) 2a01:71a0:8000:1::3.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] dhcp6 advertise (xid=d3beae (client-ID hwaddr type 1 6038e0d77293) (server-ID hwaddr/time type 1 time 625652870 005056a5d054) (IA_NA IAID:1 T1:0 T2:21600 (IA_ADDR 2a01:71a0:8000:1:0:d:0:129f pltime:43200 vltime:86400)) (DNS-server 2a01:71a0:40:53::53 2a01:71a0:40:53::1:53) (IA_PD IAID:1 T1:0 T2:21600 (IA_PD-prefix 2a01:71a0:8012:a300::/56 pltime:43200 vltime:86400)) (Client-FQDN))

Fine example of ISP stupidity: DHCPv6 advertise coming from GUA to LLA.
Change the firewall into this one:

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

If I were you, I would also notify them that they are breaking things like this.

4 Likes
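To make the two posts above concrete, here is an added example (not OpenWrt or fw3 code) that re-implements the src_ip / dest_ip / dest_port matching fw3 compiles into the zone_wan_input chain and runs it over DHCPv6 lines taken from the tcpdump capture in this thread. The rule dicts mirror the UCI 'config rule' sections: the first is the 19.07.3 default with src_ip 'fc00::/6', the second is trendy's variant with src_ip removed. The capture lines are shortened to the fields the matcher needs; the rendered ip6tables form follows the shape seen in the ip6tables-save output earlier in the thread. Requires Python 3.7+ for ipaddress.subnet_of.

```python
"""Why the 19.07 default 'Allow-DHCPv6' rule rejects this ISP's DHCPv6 replies.

Added example, not OpenWrt/fw3 code: a minimal re-implementation of the
src_ip / dest_ip / dest_port matching, applied to DHCPv6 lines from the
tcpdump capture posted in the thread.
"""
import ipaddress
import re

# "...) <src>.<sport> > <dst>.<dport>:" as printed by `tcpdump -n` for IPv6/UDP.
FLOW_RE = re.compile(
    r"\)\s+(?P<src>[0-9a-f:]+)\.(?P<sport>\d+) > (?P<dst>[0-9a-f:]+)\.(?P<dport>\d+):"
)
MSG_RE = re.compile(r"dhcp6 (?P<msg>[a-z-]+)")

# UCI 'config rule' sections as dicts: the 19.07.3 default and trendy's fix.
RULE_DEFAULT_1907 = {
    "name": "Allow-DHCPv6", "src": "wan", "proto": "udp",
    "src_ip": "fc00::/6", "dest_ip": "fc00::/6", "dest_port": 546,
    "family": "ipv6", "target": "ACCEPT",
}
RULE_FIXED = {k: v for k, v in RULE_DEFAULT_1907.items() if k != "src_ip"}

# Three lines from the capture above, trimmed to the fields the matcher needs
# (the trailing option dump is replaced by "...").
CAPTURE = [
    "16:11:16.089856 60:38:e0:d7:72:93 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), "
    "length 164: (flowlabel 0xa45ce, hlim 1, next-header UDP (17) payload length: 110) "
    "fe80::6238:e0ff:fed7:7293.546 > ff02::1:2.547: [bad udp cksum 0xb2a9 -> 0x50d0!] "
    "dhcp6 solicit (xid=d3beae ...)",
    "16:11:16.166756 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), "
    "length 237: (hlim 64, next-header UDP (17) payload length: 183) "
    "2a01:71a0:8000:1::3.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] "
    "dhcp6 advertise (xid=d3beae ...)",
    "16:11:18.182380 00:04:96:8b:8c:8d > 60:38:e0:d7:72:93, ethertype IPv6 (0x86dd), "
    "length 237: (hlim 64, next-header UDP (17) payload length: 183) "
    "2a01:71a0:8000:1::3.547 > fe80::6238:e0ff:fed7:7293.546: [udp sum ok] "
    "dhcp6 reply (xid=4bb6a7 ...)",
]


def covers(outer, inner):
    """True if every address of `inner` lies inside `outer` (e.g. fe80::/10 in fc00::/6)."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def parse_flow(line):
    """Return (msg, src, dst, dport) for a DHCPv6 capture line, or None otherwise."""
    flow, msg = FLOW_RE.search(line), MSG_RE.search(line)
    if not flow or not msg:
        return None
    return msg["msg"], flow["src"], flow["dst"], int(flow["dport"])


def rule_matches(rule, src, dst, dport, proto="udp"):
    """Apply the rule's match options the way the compiled ip6tables rule does."""
    if rule.get("proto", "any") not in ("any", proto):
        return False
    if "src_ip" in rule and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src_ip"]):
        return False
    if "dest_ip" in rule and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dest_ip"]):
        return False
    if "dest_port" in rule and rule["dest_port"] != dport:
        return False
    return True


def to_ip6tables(rule):
    """Render the rule in the zone_wan_input form fw3 emits (cf. the ip6tables-save above)."""
    parts = ["-A zone_wan_input"]
    if "src_ip" in rule:
        parts.append(f"-s {rule['src_ip']}")
    if "dest_ip" in rule:
        parts.append(f"-d {rule['dest_ip']}")
    parts.append(f"-p {rule['proto']} -m {rule['proto']} --dport {rule['dest_port']}")
    parts.append(f'-m comment --comment "!fw3: {rule["name"]}" -j {rule["target"]}')
    return " ".join(parts)


def inbound_verdicts(lines, rule):
    """For each server->client DHCPv6 message (dport 546): (msg, src, src_is_link_local, verdict).

    A message the rule does not accept falls through to zone_wan_src_REJECT.
    """
    out = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None or parsed[3] != 546:
            continue  # outbound solicit/request, or not DHCPv6 at all
        msg, src, dst, dport = parsed
        verdict = "ACCEPT" if rule_matches(rule, src, dst, dport) else "REJECT"
        out.append((msg, src, ipaddress.ip_address(src).is_link_local, verdict))
    return out


if __name__ == "__main__":
    for rule in (RULE_DEFAULT_1907, RULE_FIXED):
        print(to_ip6tables(rule))
        for msg, src, ll, verdict in inbound_verdicts(CAPTURE, rule):
            print(f"  {msg:<10} from {src} (link-local={ll}) -> {verdict}")
```

The run shows the mechanism behind the thread: the ISP's advertise and reply come from the GUA 2a01:71a0:8000:1::3, which is outside fc00::/6, so the default rule's src_ip match fails and the packet is rejected; dropping src_ip while keeping dest_ip 'fc00::/6' still accepts the reply because the router's link-local destination fe80::/10 lies inside fc00::/6, and the rule stays restricted to UDP 546 on wan. The same parser can be pointed at a longer `tcpdump -evn ... udp port 546` capture to spot server replies arriving from non-link-local sources.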

Many thanks to @trendy for finding the solution.
Let me clarify the solution, which is the only difference from the standard configuration of 19.07.3:
On the command line, in /etc/config/firewall delete or comment out the line like this

# option src_ip 'fc00::/6'

Or in LuCI delete the value in the field with the label "Source-IP", as in this screenshot

4 Likes
