IPv6 PD but clients cannot connect to Internet

My ISP provides IPv6 access with a dynamic /56 prefix (say 24aa:bbcc:ddee:ff00::/56). The modem (which is also provided by ISP) runs DHCPv6 and radvd, and I can get a global IPv6 address if connected directly to the modem.

I'm currently trying to connect a OpenWrt router to this modem. I enabled prefix delegation on the modem (sort of - see below) and configured my router correspondingly, and can confirm the router itself now has proper IPv6 Internet access. However, clients connected to my router cannot (ping6 would timeout), despite having obtained a global IPv6 address. I wonder if my settings are incorrect, or something's wrong with that modem.

/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option default_ps '0'
        option ula_prefix 'fd0a:a801::/64'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '10.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '1'
        option ip6assign '64'
        option ip6class 'wan6 local'
        option ip6hint 'f'

config interface 'wan'
        option ifname 'eth1'
        option ipv6 '1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option sourcefilter '0'
        option delegate '1'
`ifstatus wan`
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 9853,
        "l3_device": "eth1",
        "proto": "dhcp",
        "device": "eth1",
        "updated": [
                "addresses",
                "routes",
                "data"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.1.4",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "192.168.1.1",
                        "mask": 32,
                        "nexthop": "0.0.0.0",
                        "source": "192.168.1.4\/32"
                },
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "192.168.1.1",
                        "source": "192.168.1.4\/32"
                }
        ],
        "dns-server": [
                "192.168.1.1"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {
                "leasetime": 86400
        }
}
`ifstatus wan6`
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 9677,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "updated": [
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "24aa:bbcc:ddee:ff00:a2c5:f2ff:febe:4bf7",
                        "mask": 128,
                        "preferred": 76714,
                        "valid": 76714
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "24aa:bbcc:ddee:ff00::",
                        "mask": 56,
                        "preferred": 76714,
                        "valid": 76714,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "24aa:bbcc:ddee:ff0f::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 640,
                        "valid": 46,
                        "source": "::\/0"
                }
        ],
        "dns-server": [
                "fe80::1"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {
                "passthru": "00170010fe800000000000000000000000000001"
        }
}
`ifstatus lan`
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 9767,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.168.1.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "24aa:bbcc:ddee:ff0f::",
                        "mask": 64,
                        "preferred": 76643,
                        "valid": 76643,
                        "local-address": {
                                "address": "24aa:bbcc:ddee:ff0f::1",
                                "mask": 64
                        }
                },
                {
                        "address": "fd0a:a801::",
                        "mask": 64,
                        "local-address": {
                                "address": "fd0a:a801::1",
                                "mask": 64
                        }
                }
        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}
`ip addr` on the router
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether a0:c5:f2:be:4b:f6 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether a0:c5:f2:be:4b:f7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 24aa:bbcc:ddee:ff00:a2c5:f2ff:febe:4bf7/128 scope global noprefixroute dynamic
       valid_lft 76372sec preferred_lft 76372sec
    inet6 fe80::a2c5:f2ff:febe:4bf7/64 scope link
       valid_lft forever preferred_lft forever
4: teql0: <> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void
5: ra0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UNKNOWN group default qlen 1000
    link/ether a0:c5:f2:be:4b:f8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a2c5:f2ff:febe:4bf8/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a0:c5:f2:be:4b:f6 brd ff:ff:ff:ff:ff:ff
    inet 10.168.1.1/24 brd 10.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 24aa:bbcc:ddee:ff0f::1/64 scope global noprefixroute dynamic
       valid_lft 76372sec preferred_lft 76372sec
    inet6 fd0a:a801::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a2c5:f2ff:febe:4bf6/64 scope link
       valid_lft forever preferred_lft forever
7: ra1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: ra2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
9: ra3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: ra4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
11: rax0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UNKNOWN group default qlen 1000
    link/ether a2:c5:f2:0e:4b:f8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a0c5:f2ff:fe0e:4bf8/64 scope link
       valid_lft forever preferred_lft forever
12: rax1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
13: rax2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
14: rax3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: rax4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: apcli0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a6:c5:f2:be:4b:f8 brd ff:ff:ff:ff:ff:ff
17: apclix0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a6:d5:f2:be:4b:f8 brd ff:ff:ff:ff:ff:ff
`ip addr` on one of the clients
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 6c:4b:90:36:f5:df brd ff:ff:ff:ff:ff:ff
    inet 10.168.1.254/24 brd 10.168.1.255 scope global dynamic noprefixroute enp0s31f6
       valid_lft 33236sec preferred_lft 33236sec
    inet6 fd0a:a801::57a7:ed0f:cebc:83be/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 24aa:bbcc:ddee:ff0f:556c:69e9:8bf8:ec4f/64 scope global dynamic noprefixroute 
       valid_lft 76440sec preferred_lft 76440sec
    inet6 fe80::5d02:dacd:5f71:2819/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Thanks in advance.

The ISP modem runs a peculiar OS that is quite limited. I'm able to configure it with a hidden admin account, but even with this account the only options available on the settings page are to turn DHCPv6 and radvd on or off, enable "Stateless IPv6" (which disables PD), or to change PD prefix length.

After a bit of fiddling I've able to get a couple of config files from the modem:

/var/dhcp6s.conf from modem
option domain-name-servers fe80::1;
host br0
{
  prefix 24aa:bbcc:ddee:ff00::/56 86400;
};
/var/radvd.conf from modem
interface br0
{
  AdvSendAdvert on;
  AdvManagedFlag on;
  AdvOtherConfigFlag on;
  MinRtrAdvInterval 10;
  MaxRtrAdvInterval 30;
  AdvDefaultPreference low;
};

These configs does not seem correct to me (IMO dhcp6s should not give out the entire prefix on every request), but there's no way to fix it. Changing PD prefix length on the settings page only changes prefix length in /var/dhcp6s.conf (but not the prefix itself). Modifying these files have no effect as they will get overwritten when the modem reboots.

You got a valid /56 prefix delegated so that looks good.

The problem is you network setup, br-lan seems missing or did you not copy everything from:
cat /etc/config/network ?

You might consider just resetting to defaults alternative add br-lan

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

change interface lan, add br-lan and remove option type 'bridge' and option ifname 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '1'
        option ip6assign '64'
        option ip6class 'wan6 local'
        option ip6hint 'f'

It is possible you do not need br-lan but can just add an interface (in case this is a two port router without wireless) so we also like to see output of: ubus call system board

But basically resetting to defaults and then show output of

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Might be the smarter option

I can confirm there is no br-lan in /etc/config/network, but the interface is there and working correctly (at least for IPv4; IPv4 connection is functioning for all devices), so I assume it's auto-generated by the system.

As for the router hardware, it's a OrayBox X3A running "OrayOS 6.3.0" (a proprietary fork of OpenWrt "Barrier Breaker", according to packages installed on the system). It has wireless, a WAN port and two LAN ports.

`ubus call system board`
{
        "kernel": "4.4.302",
        "hostname": "OrayBox",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "OrayBox-X3A",
        "board_name": "oraybox-x3a",
        "release": {
                "distribution": "stable",
                "version": "6.3.0",
                "revision": "6.3.0",
                "codename": "orayos",
                "target": "ramips\/mt7621",
                "description": "stable 6.3.0 6.3.0"
        }
}
/etc/config/wireless
config wifi-device 'ra'
        option type 'mt_dbdc'
        option hwmode '11g'
        option channel 'auto'
        option htmode 'HT20'
        option country 'CN'
        option txburst '1'
        option noscan '1'
        option smart '1'
        option disabled '0'
        option txpower '80'

config wifi-device 'rax'
        option type 'mt_dbdc'
        option hwmode '11a'
        option channel 'auto'
        option txpower '100'
        option htmode 'VHT40'
        option country 'CN'
        option txburst '1'
        option noscan '1'
        option smart '0'
        option disabled '0'

config wifi-iface 'wlan0'
        option ifname 'ra0'
        option network 'lan'
        option device 'ra'
        option hidden '1'
        option key 'XXXXXX'
        option disabled '0'
        option mode 'ap'
        option isolation '0'
        option ssid 'XXXXXX'
        option encryption 'psk2+ccmp'

config wifi-iface 'wlan1'
        option ifname 'rax0'
        option network 'lan'
        option device 'rax'
        option hidden '1'
        option disabled '0'
        option mode 'ap'
        option isolation '0'
        option ssid 'XXXXXX-5G'
        option key 'XXXXXX'
        option encryption 'psk2+ccmp'
/etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'dnsmasq'
        option type 'script'
        option path '/usr/share/dnsmasq/firewall.include'
        option family 'any'
        option reload '1'

config include 'ipv6'
        option type 'script'
        option path '/etc/ipv6_tables'
        option family 'ipv6'
        option reload '1'

config rule
        option name 'ALLOW-IPv6-WAN-TO-LAN'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option family 'ipv6'
        option dest_port '22 443 8443 8888 25565'
        option dest_ip '::fe/-64'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'oray'
        option enabled '1'
        option type 'script'
        option path '/etc/firewall.oray'
        option family 'ipv4'
        option reload '1'

config include 'oray_low_priority'
        option enabled '1'
        option type 'script'
        option path '/etc/firewall_low_priority.oray'
        option family 'ipv4'
        option reload '0'

config include 'mwan3'
        option enabled '1'
        option type 'script'
        option path '/etc/firewall.mwan3'
        option family 'ipv4'
        option reload '0'

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Dude. If memory serves me well, this release is like 10 years old...

1 Like