IPv6-PD: what is going wrong? Cannot ping outside v6 address on LAN, but can on WAN

Hello
I have an IPv6 PD from my upstream and am getting the correct address on my clients on LAN.

But I cannot ping the upstream router from LAN; I can ping it from the WAN (eth0.2).

It seems like the LAN is not forwarding to the WAN correctly when using IPv6 PD.

Here are my pings

From wan:

       root@OpenWrt:~# ping 2602:XXXX:1::5
       PING 2602:XXXX:1::5 (2602:XXXX:1::5): 56 data bytes
       64 bytes from 2602:XXXX:1::5: seq=0 ttl=62 time=1.829 ms
       64 bytes from 2602:XXXX:1::5: seq=1 ttl=63 time=1.057 ms
       64 bytes from 2602:XXXX:1::5: seq=2 ttl=63 time=1.122 ms
       ^C
       --- 2602:XXXX:1::5 ping statistics ---
       3 packets transmitted, 3 packets received, 0% packet loss
       round-trip min/avg/max = 1.057/1.336/1.829 ms
       root@OpenWrt:~# ping -I eth0.2 2602:XXXX:1::5
       PING 2602:XXXX:1::5 (2602:XXXX:1::5): 56 data bytes
       64 bytes from 2602:XXXX:1::5: seq=0 ttl=63 time=1.211 ms
       64 bytes from 2602:XXXX:1::5: seq=1 ttl=63 time=1.005 ms
       64 bytes from 2602:XXXX:1::5: seq=2 ttl=63 time=1.083 ms
       64 bytes from 2602:XXXX:1::5: seq=3 ttl=63 time=1.080 ms
       ^C
       --- 2602:XXXX:1::5 ping statistics ---
       4 packets transmitted, 4 packets received, 0% packet loss
       round-trip min/avg/max = 1.005/1.094/1.211 ms
       root@OpenWrt:~#

From br-lan:


        root@OpenWrt:~# ping -I br-lan 2602:XXXX:1::5
        PING 2602:XXXX:1::5 (2602:XXXX:1::5): 56 data bytes
        ping: sendto: Permission denied
        

From Client:


        C:\Users\username>ping  2602:XXXX:1::5 -t
        Pinging 2602:XXXX:1::5 with 32 bytes of data:
        Destination host unreachable.
        Destination host unreachable.
        Destination host unreachable.

What may be wrong?

Thanks

Here is wan6 ifstatus:


root@OpenWrt:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 1254,
        "l3_device": "eth0.2",
        "proto": "dhcpv6",
        "device": "eth0.2",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [
                {
                        "address": "2602:XXXX:1001::",
                        "mask": 56,
                        "preferred": 232026,
                        "valid": 257946,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2602:XXXX:1001::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591959,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::4a8f:5aff:fe12:4f72",
                        "metric": 512,
                        "valid": 1759,
                        "source": "2602:XXXX:1001::/56"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

dhcp output:


config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        option ra_management '1'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

Here is lan ifstatus:

root@OpenWrt:~# ifstatus lan
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 1375,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.1.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "2602:XXXX:1001::",
                        "mask": 64,
                        "preferred": 231911,
                        "valid": 257831,
                        "local-address": {
                                "address": "2602:XXXX:1001::1",
                                "mask": 64
                        }
                },
                {
                        "address": "fd10:255e:6822::",
                        "mask": 64,
                        "local-address": {
                                "address": "fd10:255e:6822::1",
                                "mask": 64
                        }
                }
        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

firewall:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option dest 'wan'
        option src 'lan'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

route:

router total ifconfig:

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 78:A3:51:62:70:CA
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2602:XXXX:1001::1/64 Scope:Global
          inet6 addr: fe80::7aa3:51ff:fe62:70ca/64 Scope:Link
          inet6 addr: fd10:255e:6822::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29525 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2741502 (2.6 MiB)  TX bytes:3140019 (2.9 MiB)

eth0      Link encap:Ethernet  HWaddr 78:A3:51:62:70:CA
          inet6 addr: fe80::7aa3:51ff:fe62:70ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33430 errors:0 dropped:2 overruns:0 frame:0
          TX packets:30089 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3410200 (3.2 MiB)  TX bytes:3551520 (3.3 MiB)
          Interrupt:22

eth0.1    Link encap:Ethernet  HWaddr 78:A3:51:62:70:CA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32576 errors:0 dropped:1 overruns:0 frame:0
          TX packets:29525 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2741691 (2.6 MiB)  TX bytes:3140019 (2.9 MiB)

eth0.2    Link encap:Ethernet  HWaddr 78:A3:51:62:70:CB
          inet6 addr: fe80::7aa3:51ff:fe62:70cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:345 errors:0 dropped:48 overruns:0 frame:0
          TX packets:495 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31262 (30.5 KiB)  TX bytes:163245 (159.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:460 errors:0 dropped:0 overruns:0 frame:0
          TX packets:460 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36922 (36.0 KiB)  TX bytes:36922 (36.0 KiB)

LuCI output for ifconfig:


WAN6

eth0.2

Protocol: DHCPv6 client
Uptime: 0h 1m 16s
MAC: 78:A3:51:62:70:CB
RX: 2.82 KB (29 Pkts.)
TX: 10.93 KB (42 Pkts.)
IPv6-PD: 2602:XXXX:1001::/56

LAN

br-lan

Protocol: Static address
Uptime: 0h 29m 25s
MAC: 78:A3:51:62:70:CA
RX: 3.28 MB (38664 Pkts.)
TX: 3.94 MB (35622 Pkts.)
IPv4: 192.168.1.1/24
IPv6: 2602:XXXX:1001::1/64
IPv6: fd10:255e:6822::1/64

client ipconfig:


Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : 2602:XXXX:1001::516
   IPv6 Address. . . . . . . . . . . : 2602:XXXX:1001:0:9cXX:XXXX:XX93:2906
   IPv6 Address. . . . . . . . . . . : fd10:255e:6822::516
   IPv6 Address. . . . . . . . . . . : fd10:255e:6822:0:9cXX:XXXX:XX93:2906
   Temporary IPv6 Address. . . . . . : 2602:XXXX:1001:0:5d60:f7b9:90a8:8c19
   Temporary IPv6 Address. . . . . . : fd10:255e:6822:0:5d60:f7b9:90a8:8c19
   Link-local IPv6 Address . . . . . : fe80::9cXX:XXXX:XX93:2906%19
   IPv4 Address. . . . . . . . . . . : 192.168.1.220
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : ::
                                       fe80::7aa3:51ff:fe62:70ca%19
                                       192.168.1.1

And device and software, if needed:

System
Hostname        OpenWrt
Model   ZBT-WG2626
Architecture    MediaTek MT7621 ver:1 eco:3
Firmware Version        OpenWrt 19.07.6 r11278-8055e38794 / LuCI openwrt-19.07 branch git-21.018.57536-6ba9740

Thanks again.