IPv6 packets on WAN are not forwarded/routed to the client

Hi,

I have a Cable Router, which connects to my ISP and I got a /56 Prefix assigned.
Behind that I have a Fritzbox 4040 with OpenWrt 19.07.4 running.

The WAN Interface of OpenWrt is DHCPv4 and DHCPv6 Client of the first router and gets a IPv4, IPv6 and a /57 PD.

On OpenWrt I have IPv6 enable for two Interfaces, each of this interfaces requests a /60 network.
On the OpenWrt box itself and on clients on the LAN Interface I can ping ipv6.google.com.

On clients on the seconed Interface (eth0.31) I don't can ping ipv6.google.com.

IP6 2a02:810d:8500:1ab0:5054:ff:fe33:3751 > 2a00:1450:4016:801::200e: ICMP6, echo request, seq 12, length 64
IP6 2a00:1450:4016:801::200e > 2a02:810d:8500:1ab0:5054:ff:fe33:3751: ICMP6, echo reply, seq 12, length 64

With tcpdump on the wan interface I can see the request and the reply. But this reply never reaches the client.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
1 Like
# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip6tables-save -c; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
{
	"kernel": "4.14.195",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7d:cb74:2cf6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.27.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4'
	option vid '1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '12345'
	list addresses '100.64.0.1/10'

config wireguard_wg0
	option persistent_keepalive '25'
	option public_key 'xxx'
	option description 'Test'
	list allowed_ips '100.64.0.2/32'

config switch_vlan
	option device 'switch0'
	option vlan '30'
	option ports '0t 4t'
	option vid '30'

config switch_vlan
	option device 'switch0'
	option vlan '31'
	option ports '0t 4t'
	option vid '31'

config interface 'DMZ0'
	option ifname 'eth0.30'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.30.1'

config interface 'DMZ1'
	option ifname 'eth0.31'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.31.1'
	option ip6assign '60'
	option ip6hint '31'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'DMZ0'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'DMZ0'

config dhcp 'DMZ1'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'DMZ1'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'time-exceeded'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option dest_port '12345'
	option src 'wan'
	option name 'WireGuard'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'
	option output 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'vpn'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option network 'DMZ0 DMZ1'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'dmz'

config forwarding
	option dest 'dmz'
	option src 'lan'

config rule
	option dest_port '80'
	option src 'wan'
	option name 'DMZ - HTTP'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '443'
	option src 'wan'
	option name 'DMZ - HTTPS'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '993'
	option src 'wan'
	option name 'DMZ - IMAPS'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '465'
	option src 'wan'
	option name 'DMZ - SMTPS'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '587'
	option src 'wan'
	option name 'DMZ - Submission'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'

config forwarding
	option dest 'dmz'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by ip6tables-save v1.8.3 on Wed Sep 23 13:50:37 2020
*mangle
:PREROUTING ACCEPT [12157:1635362]
:INPUT ACCEPT [713:50209]
:FORWARD ACCEPT [7406:904445]
:OUTPUT ACCEPT [3479:309494]
:POSTROUTING ACCEPT [10885:1213939]
[22:1760] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[12:960] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 23 13:50:37 2020
# Generated by ip6tables-save v1.8.3 on Wed Sep 23 13:50:37 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_dmz_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_dmz_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_dmz_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_dmz_dest_ACCEPT - [0:0]
:zone_dmz_forward - [0:0]
:zone_dmz_input - [0:0]
:zone_dmz_output - [0:0]
:zone_dmz_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[41:5546] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[672:44663] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[70:5909] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[117:8340] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_dmz_input
[485:30414] -A INPUT -i eth0.31 -m comment --comment "!fw3" -j zone_dmz_input
[7406:904445] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[7379:902197] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[23:1856] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_dmz_forward
[4:392] -A FORWARD -i eth0.31 -m comment --comment "!fw3" -j zone_dmz_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[41:5546] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3438:303948] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[18:4948] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[46:5696] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[263:19840] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_dmz_output
[3111:273464] -A OUTPUT -o eth0.31 -m comment --comment "!fw3" -j zone_dmz_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[10:624] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_dmz_dest_ACCEPT -o eth0.30 -m comment --comment "!fw3" -j ACCEPT
[3111:273464] -A zone_dmz_dest_ACCEPT -o eth0.31 -m comment --comment "!fw3" -j ACCEPT
[4:392] -A zone_dmz_forward -m comment --comment "!fw3: Custom dmz forwarding rule chain" -j forwarding_dmz_rule
[4:392] -A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
[485:30414] -A zone_dmz_input -m comment --comment "!fw3: Custom dmz input rule chain" -j input_dmz_rule
[485:30414] -A zone_dmz_input -m comment --comment "!fw3" -j zone_dmz_src_ACCEPT
[3111:273464] -A zone_dmz_output -m comment --comment "!fw3: Custom dmz output rule chain" -j output_dmz_rule
[3111:273464] -A zone_dmz_output -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_dmz_src_ACCEPT -i eth0.30 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[485:30414] -A zone_dmz_src_ACCEPT -i eth0.31 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[46:5696] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[23:1856] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[23:1856] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[70:5909] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[70:5909] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[46:5696] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[46:5696] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[70:5909] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[290:22088] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DMZ - HTTP" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: DMZ - HTTPS" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 993 -m comment --comment "!fw3: DMZ - IMAPS" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 465 -m comment --comment "!fw3: DMZ - SMTPS" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 587 -m comment --comment "!fw3: DMZ - Submission" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[117:8340] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[2:476] -A zone_wan_input -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:72] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[8:1024] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[96:6144] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 12345 -m comment --comment "!fw3: WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 12345 -m comment --comment "!fw3: WireGuard" -j ACCEPT
[10:624] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[263:19840] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[263:19840] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[10:624] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 23 13:50:37 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:810d:8500:1a00:eadf:70ff:fe89:52e3/128 scope global dynamic noprefixroute
       valid_lft 6435sec preferred_lft 2835sec
    inet6 fe80::eadf:70ff:fe89:52e3/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd7d:cb74:2cf6::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:8500:1a80::1/60 scope global dynamic noprefixroute
       valid_lft 6435sec preferred_lft 2835sec
    inet6 2a02:810d:8500:1a90::1/60 scope global deprecated dynamic noprefixroute
       valid_lft 2832sec preferred_lft 0sec
    inet6 fd7d:cb74:2cf6:10::1/60 scope global deprecated dynamic noprefixroute
       valid_lft 3382sec preferred_lft 0sec
    inet6 fe80::eadf:70ff:fe89:52e2/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::eadf:70ff:fe89:52e2/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.31@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd7d:cb74:2cf6:30::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:8500:1ab0::1/60 scope global dynamic noprefixroute
       valid_lft 6435sec preferred_lft 2835sec
    inet6 2a02:810d:8500:1a80::1/60 scope global deprecated dynamic noprefixroute
       valid_lft 2832sec preferred_lft 0sec
    inet6 fd7d:cb74:2cf6::1/60 scope global deprecated dynamic noprefixroute
       valid_lft 3382sec preferred_lft 0sec
    inet6 fe80::eadf:70ff:fe89:52e2/64 scope link
       valid_lft forever preferred_lft forever
default from 2a02:810d:8500:1a00:eadf:70ff:fe89:52e3 via fe80::ca0e:14ff:fee1:798d dev eth1 proto static metric 384 pref medium
default from 2a02:810d:8500:1a80::/57 via fe80::ca0e:14ff:fee1:798d dev eth1 proto static metric 384 pref medium
2a02:810d:8500:1a00::/56 from 2a02:810d:8500:1a00:eadf:70ff:fe89:52e3 via fe80::ca0e:14ff:fee1:798d dev eth1 proto static metric 384 pref medium
2a02:810d:8500:1a00::/56 from 2a02:810d:8500:1a80::/57 via fe80::ca0e:14ff:fee1:798d dev eth1 proto static metric 384 pref medium
2a02:810d:8500:1a00::/64 dev eth1 proto static metric 256 pref medium
2a02:810d:8500:1a80::/64 dev br-lan proto static metric 1024 pref medium
2a02:810d:8500:1ab0::/64 dev eth0.31 proto static metric 1024 pref medium
unreachable 2a02:810d:8500:1a80::/57 dev lo proto static metric 2147483647 error 4294967183 pref medium
fd7d:cb74:2cf6::/64 dev br-lan proto static metric 1024 pref medium
fd7d:cb74:2cf6:30::/64 dev eth0.31 proto static metric 1024 pref medium
unreachable fd7d:cb74:2cf6::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev eth0.30 proto kernel metric 256 pref medium
fe80::/64 dev eth0.31 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a02:810d:8500:1a00:eadf:70ff:fe89:52e3 dev eth1 table local proto kernel metric 0 pref medium
anycast 2a02:810d:8500:1a80:: dev eth0.31 table local proto kernel metric 0 pref medium
anycast 2a02:810d:8500:1a80:: dev br-lan table local proto kernel metric 0 pref medium
local 2a02:810d:8500:1a80::1 dev eth0.31 table local proto kernel metric 0 pref medium
local 2a02:810d:8500:1a80::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2a02:810d:8500:1a90:: dev br-lan table local proto kernel metric 0 pref medium
local 2a02:810d:8500:1a90::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2a02:810d:8500:1ab0:: dev eth0.31 table local proto kernel metric 0 pref medium
local 2a02:810d:8500:1ab0::1 dev eth0.31 table local proto kernel metric 0 pref medium
anycast fd7d:cb74:2cf6:: dev eth0.31 table local proto kernel metric 0 pref medium
anycast fd7d:cb74:2cf6:: dev br-lan table local proto kernel metric 0 pref medium
local fd7d:cb74:2cf6::1 dev eth0.31 table local proto kernel metric 0 pref medium
local fd7d:cb74:2cf6::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd7d:cb74:2cf6:10:: dev br-lan table local proto kernel metric 0 pref medium
local fd7d:cb74:2cf6:10::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd7d:cb74:2cf6:30:: dev eth0.31 table local proto kernel metric 0 pref medium
local fd7d:cb74:2cf6:30::1 dev eth0.31 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.30 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.31 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::eadf:70ff:fe89:52e2 dev eth0.30 table local proto kernel metric 0 pref medium
local fe80::eadf:70ff:fe89:52e2 dev eth0.31 table local proto kernel metric 0 pref medium
local fe80::eadf:70ff:fe89:52e2 dev br-lan table local proto kernel metric 0 pref medium
local fe80::eadf:70ff:fe89:52e3 dev eth1 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.30 table local metric 256 pref medium
ff00::/8 dev eth0.31 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev wg0 table local metric 256 pref medium
0:	from all lookup local
32766:	from all lookup main
4200000000:	from 2a02:810d:8500:1a80::1/60 iif br-lan unreachable
4200000000:	from 2a02:810d:8500:1ab0::1/60 iif eth0.31 unreachable
4200000001:	from all iif lo failed_policy
4200000003:	from all iif eth1 failed_policy
4200000003:	from all iif eth1 failed_policy
4200000006:	from all iif br-lan failed_policy
4200000007:	from all iif eth0.30 failed_policy
4200000008:	from all iif eth0.31 failed_policy
4200000009:	from all iif wg0 failed_policy

According to this thread I removed option src_ip 'fc00::/6' option dest_ip 'fc00::/6' from Allow DHCPv6 in /etc/config/firewall, but this does't changed anything.

Why did you remove it???

This means after your lease is over you will loose IPv6. You misunderstood that thread.

Make this 64

1 Like

You are right, I misunderstood it completely.
Therefore I have added it again.

And changed the IPv6 assignment length from 60 to 64.

But ping6 on clients, connected to the eth0.31 Interface are still not working.

Let me show you all to add:

        option ip6assign '64'
        option ip6class 'wan6'

The ip6hint may be wrong depending on the /56 issued to you (but I think you do have those 2 "hex-bits" to use)...I'm not going to properly count out your /56 subnet...so I advise removing this.

You should be able to assign 256 /64's to your end of the connection (i.e. 256 LANs with IPv6).

Ok, I removed the ip6hint and Interface configuration is now:

config interface 'DMZ1'
	option ifname 'eth0.31'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.31.1'
	option ip6assign '64'
    option ip6class 'wan6'

I have rebooted the OpenWrt router and my linux client on eth0.31, but it is still the same.
I am able to ping ipv6.google.com from the OpenWrt gateway, from clients connected to br-lan, but not from clients on the eth0.31 interface.

Regarding ip6assign, you can have '60' if you plan to delegate something downstream the lan or dmz interfaces. Otherwise the '64' will serve one network.
ip6class is not really needed here, as it will only allocate an IPv6 from the prefix of wan6. You may want to allocate also IPs from the ULA private prefix for intraLAN communication.

This is not a problem for you since you get the prefix from dhcpv6. Leave it as it was.

The only thing that I found wrong is the ip6hint. The /57 range is 2A02:810D:8500:1A80:0000:0000:0000:0000 -
2A02:810D:8500:1AFF:FFFF:FFFF:FFFF:FFFF so 31 is not a valid value. You can assign something from 80 to FF. You can leave it empty for now and fill it in later after the issue is sorted out.

Do a tcpdump on eth0.31 and verify that the answer to the ping is not being sent out to the host.
Check logread and dmesg if there is any evidence of the replies being dropped.

1 Like

So, ok, I have changed it back from 64 to 60, removed the ip6class and the ipv6hint.
As already told I have added the option to the DHCPv6 Rule, again, so that it is the default, now.

tcpdump on eth0.31, there is no icmp reply:

tcpdump -i eth0.31 -n host 2a00:1450:4016:800::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.31, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:34.293032 IP6 2a02:810d:8500:1a80::85c > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 27, length 64
16:05:34.773691 IP6 2a02:810d:8500:1a80:5054:ff:fe8c:a8e > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 3097, length 64
16:05:35.317031 IP6 2a02:810d:8500:1a80::85c > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 28, length 64
16:05:35.797687 IP6 2a02:810d:8500:1a80:5054:ff:fe8c:a8e > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 3098, length 64
16:05:36.341085 IP6 2a02:810d:8500:1a80::85c > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 29, length 64
16:05:36.821486 IP6 2a02:810d:8500:1a80:5054:ff:fe8c:a8e > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 3099, length 64

tcpdump on eth1 and there is the icmp reply

tcpdump -i eth1 -n host 2a00:1450:4016:800::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:46.581947 IP6 2a02:810d:8500:1a80::85c > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 39, length 64
16:05:46.601922 IP6 2a00:1450:4016:800::200e > 2a02:810d:8500:1a80::85c: ICMP6, echo reply, seq 39, length 64
16:05:47.062628 IP6 2a02:810d:8500:1a80:5054:ff:fe8c:a8e > 2a00:1450:4016:800::200e: ICMP6, echo request, seq 3109, length 64
16:05:47.080641 IP6 2a00:1450:4016:800::200e > 2a02:810d:8500:1a80:5054:ff:fe8c:a8e: ICMP6, echo reply, seq 3109, length 64

With dmesg and logread I didn't see something special...

Can you add a log entry just to verify?

ip6tables -I FORWARD 1 -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m comment --comment "!fw3" -j LOG --log-prefix "Before Conntrack: "
ip6tables -I FORWARD 4 -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m comment --comment "!fw3" -j LOG --log-prefix "After Conntrack: "

Then run the ping and check in logread if you see only before conntrack or both.

Sure, I have added the log entry rules, but it seems that the "after conntrack" is not matched:

Wed Sep 23 17:14:17 2020 user.notice root: test
Wed Sep 23 17:14:37 2020 kern.warn kernel: [ 7504.569387] Before Conntrack: IN=eth1 OUT=eth0.31 MAC=e8:df:70:89:52:e3:c8:0e:14:e1:79:8d:86:dd SRC=2a00:1450:4016:0801:0000:0000:0000:200e DST=2a02:810d:8500:1a80:0000:0000:0000:085c LEN=104 TC=0 HOPLIMIT=113 FLOWLBL=188940 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3 SEQ=1
Wed Sep 23 17:14:38 2020 kern.warn kernel: [ 7505.571029] Before Conntrack: IN=eth1 OUT=eth0.31 MAC=e8:df:70:89:52:e3:c8:0e:14:e1:79:8d:86:dd SRC=2a00:1450:4016:0801:0000:0000:0000:200e DST=2a02:810d:8500:1a80:0000:0000:0000:085c LEN=104 TC=0 HOPLIMIT=113 FLOWLBL=188940 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3 SEQ=2
Wed Sep 23 17:14:40 2020 kern.warn kernel: [ 7507.621824] Before Conntrack: IN=eth1 OUT=eth0.31 MAC=e8:df:70:89:52:e3:c8:0e:14:e1:79:8d:86:dd SRC=2a00:1450:4016:0801:0000:0000:0000:200e DST=2a02:810d:8500:1a80:0000:0000:0000:085c LEN=104 TC=0 HOPLIMIT=113 FLOWLBL=188940 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3 SEQ=4
Wed Sep 23 17:14:41 2020 kern.warn kernel: [ 7508.641802] Before Conntrack: IN=eth1 OUT=eth0.31 MAC=e8:df:70:89:52:e3:c8:0e:14:e1:79:8d:86:dd SRC=2a00:1450:4016:0801:0000:0000:0000:200e DST=2a02:810d:8500:1a80:0000:0000:0000:085c LEN=104 TC=0 HOPLIMIT=113 FLOWLBL=188940 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3 SEQ=5

That's good and bad.
Good cause the packet is not dropped by the firewall as it is accepted by the conntrack rule.
Bad because I cannot think where else can they be dropped.

I already added a fw rule, which allowed any <=> any icmp, but it also didn't the trick.
Today I also performed a fresh installation of 19.07.4 and started with a new configuration from scratch. I am trying to get this working for a while and with old firmware 19.07.1 it was also not working on my Fritzbox. :confounded:

@hnyman, @vgaetera, @mk24, @dlakelan, @jow maybe can think of where are the packets lost.

I downgraded to 18.06.8, but the behavior remains.

# OpenWrt
ifstatus wan6
tcpdump -n -i any icmp6

# Client
ping6 -c 3 openwrt.org
ifstatus wan6
ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 60525,
	"l3_device": "eth1",
	"proto": "dhcpv6",
	"device": "eth1",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [

	],
	"ipv6-address": [
		{
			"address": "fd00::eadf:70ff:fe89:52e3",
			"mask": 64,
			"preferred": 3557,
			"valid": 7157
		},
		{
			"address": "2a02:810d:8500:1a00:eadf:70ff:fe89:52e3",
			"mask": 128,
			"preferred": 2547,
			"valid": 6147
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a02:810d:8500:1af0::",
			"mask": 60,
			"preferred": 2547,
			"valid": 6147,
			"class": "wan6",
			"assigned": {
				"DMZ1": {
					"address": "2a02:810d:8500:1af0::",
					"mask": 62
				},
				"lan": {
					"address": "2a02:810d:8500:1af4::",
					"mask": 62
				}
			}
		}
	],
	"ipv6-prefix-assignment": [

	],
	"route": [
		{
			"target": "2a02:810d:8500:1a00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 5357,
			"source": "::\/0"
		},
		{
			"target": "fd00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 7157,
			"source": "::\/0"
		},
		{
			"target": "fd00::",
			"mask": 64,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "::\/0"
		},
		{
			"target": "2a02:810d:8500:1a00::",
			"mask": 56,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "2a02:810d:8500:1af0::\/60"
		},
		{
			"target": "2a02:810d:8500:1a00::",
			"mask": 56,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "fd00::eadf:70ff:fe89:52e3\/64"
		},
		{
			"target": "2a02:810d:8500:1a00::",
			"mask": 56,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "2a02:810d:8500:1a00:eadf:70ff:fe89:52e3\/128"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "2a02:810d:8500:1af0::\/60"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "fd00::eadf:70ff:fe89:52e3\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::ca0e:14ff:fee1:798d",
			"metric": 384,
			"valid": 1757,
			"source": "2a02:810d:8500:1a00:eadf:70ff:fe89:52e3\/128"
		}
	],
	"dns-server": [
		"fd00::ca0e:14ff:fee1:798d"
	],
	"dns-search": [

	],
	"inactive": {
		"ipv4-address": [

		],
		"ipv6-address": [

		],
		"route": [

		],
		"dns-server": [

		],
		"dns-search": [

		]
	},
	"data": {
		"passthru": "0038001401001000fd00000000000000ca0e14fffee1798d00170010fd00000000000000ca0e14fffee1798d005600102a02810d85001a00ca0e14fffee1798d"
	}
}
tcpdump -n -i any icmp6
# tcpdump -n -i any icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
07:07:21.522187 ethertype IPv6, IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 1, length 64
07:07:21.522187 IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 1, length 64
07:07:21.523496 IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 1, length 64
07:07:21.551099 IP6 2a03:b0c0:3:d0::1af1:1 > 2a02:810d:8500:1af0::53c: ICMP6, echo reply, seq 1, length 64
07:07:21.552646 IP6 fe80::eadf:70ff:fe89:52e2 > ff02::1:ff00:53c: ICMP6, neighbor solicitation, who has 2a02:810d:8500:1af0::53c, length 32
07:07:21.552831 ethertype IPv6, IP6 fe80::eadf:70ff:fe89:52e2 > ff02::1:ff00:53c: ICMP6, neighbor solicitation, who has 2a02:810d:8500:1af0::53c, length 32
07:07:22.534833 ethertype IPv6, IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 2, length 64
07:07:22.534833 IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 2, length 64
07:07:22.536080 IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 2, length 64
07:07:22.559910 IP6 2a03:b0c0:3:d0::1af1:1 > 2a02:810d:8500:1af0::53c: ICMP6, echo reply, seq 2, length 64
07:07:22.603187 IP6 fe80::eadf:70ff:fe89:52e2 > ff02::1:ff00:53c: ICMP6, neighbor solicitation, who has 2a02:810d:8500:1af0::53c, length 32
07:07:22.603296 ethertype IPv6, IP6 fe80::eadf:70ff:fe89:52e2 > ff02::1:ff00:53c: ICMP6, neighbor solicitation, who has 2a02:810d:8500:1af0::53c, length 32
07:07:23.558777 ethertype IPv6, IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 3, length 64
07:07:23.558777 IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 3, length 64
07:07:23.559931 IP6 2a02:810d:8500:1af0::53c > 2a03:b0c0:3:d0::1af1:1: ICMP6, echo request, seq 3, length 64
07:07:23.582980 IP6 2a03:b0c0:3:d0::1af1:1 > 2a02:810d:8500:1af0::53c: ICMP6, echo reply, seq 3, length 64
07:07:23.643673 IP6 fe80::eadf:70ff:fe89:52e2 > ff02::1:ff00:53c: ICMP6, neighbor solicitation, who has 2a02:810d:8500:1af0::53c, length 32
07:07:23.643990 ethertype IPv6, IP6 fe80::eadf:70ff:fe89:52e2 > ff02::1:ff00:53c: ICMP6, neighbor solicitation, who has 2a02:810d:8500:1af0::53c, length 32
07:07:26.758580 ethertype IPv6, IP6 fe80::5054:ff:fe33:3751 > fe80::eadf:70ff:fe89:52e2: ICMP6, neighbor solicitation, who has fe80::eadf:70ff:fe89:52e2, length 32
07:07:26.758580 IP6 fe80::5054:ff:fe33:3751 > fe80::eadf:70ff:fe89:52e2: ICMP6, neighbor solicitation, who has fe80::eadf:70ff:fe89:52e2, length 32
07:07:26.760152 IP6 fe80::eadf:70ff:fe89:52e2 > fe80::5054:ff:fe33:3751: ICMP6, neighbor advertisement, tgt is fe80::eadf:70ff:fe89:52e2, length 24
07:07:26.760333 ethertype IPv6, IP6 fe80::eadf:70ff:fe89:52e2 > fe80::5054:ff:fe33:3751: ICMP6, neighbor advertisement, tgt is fe80::eadf:70ff:fe89:52e2, length 24
07:07:31.803634 IP6 fe80::eadf:70ff:fe89:52e2 > fe80::5054:ff:fe33:3751: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe33:3751, length 32
07:07:31.803938 ethertype IPv6, IP6 fe80::eadf:70ff:fe89:52e2 > fe80::5054:ff:fe33:3751: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe33:3751, length 32
07:07:31.804622 ethertype IPv6, IP6 fe80::5054:ff:fe33:3751 > fe80::eadf:70ff:fe89:52e2: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fe33:3751, length 24
07:07:31.804622 IP6 fe80::5054:ff:fe33:3751 > fe80::eadf:70ff:fe89:52e2: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fe33:3751, length 24
07:07:32.740605 IP6 fe80::4dcb:5c6f:6d09:d8bf > ff02::1:ffe1:798d: ICMP6, neighbor solicitation, who has fe80::ca0e:14ff:fee1:798d, length 32
07:07:32.740605 IP6 fe80::4dcb:5c6f:6d09:d8bf > ff02::1:ffe1:798d: ICMP6, neighbor solicitation, who has fe80::ca0e:14ff:fee1:798d, length 32
07:07:36.123651 IP6 fe80::eadf:70ff:fe89:52e3 > fe80::ca0e:14ff:fee1:798d: ICMP6, neighbor solicitation, who has fe80::ca0e:14ff:fee1:798d, length 32
07:07:36.124216 IP6 fe80::ca0e:14ff:fee1:798d > fe80::eadf:70ff:fe89:52e3: ICMP6, neighbor advertisement, tgt is fe80::ca0e:14ff:fee1:798d, length 24
ping6 -c 3 openwrt.org
# ping6 -c 3 openwrt.org
PING openwrt.org(wiki-01.infra.openwrt.org (2a03:b0c0:3:d0::1af1:1)) 56 data bytes

--- openwrt.org ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms

Do you have flow offload activated?

I have an issue when ipv6 connections break with flow offload active.
Constantly dropped from google meet (it works for a little time, then it breaks).

No, Software flow offloading is still not activated.
I had it enabled to see if that can change something, but because nothing happens, I have it disabled it, again.