I have my main ISP router running OpenWRT delegating prefixes to downstream routers like so :
OpenWRT.ISP (2001:db8::/56) ---> OpenWRT.local1 (2001:db8:1::/64) --> Windows PC (2001:db8:1::322)
If I try to ping OpenWRT.local1 on it's LAN interface (2001:db8:1::1) from the internet, the ping invariably fails, however pings to the downstream Windows Clients succeeds.
Here are the firewall rules one OpenWRT.ISP :
Here is the interface on OpenWRT.local :
What additional firewall rules do I need to make ?
The default rules should be enough. Can you verify that you get the pings and respond?
tcpdump -i eth1 -evn icmp6
Also the counter on the firewall should increase:
ip6tables-save -c -t filter | grep "type 128"
You should also check your general settings for the lan. I think, you have to allow/accept input and ouput to be able to receive and answer to the ping.
Nope, traffic incoming from the internet is treated according to the wan firewall zone.
Capturing traffic on the LAN interface of OpenWRT.ISP detects packets arriving to that interface, however capturing traffic on the WAN of OpenWRT.local doesn't show any packets arriving !?
I can sucessfully ping >
OpenWRT.ISP WAN Address, LAN Address
OpenWRT.ISP > Windows10 Client
OpenWRT.ISP > OpenWRT.local > Windows 10 Client
However the following pings are still failing :
OpenWRT.ISP > OpenWRT.local WAN (2001:db8::20c:29ff:fefe:8bf3), LAN addresses (2001:db8:1::1)
No, that is the for the default behavior of the firewall for packets that do not match any rule.
This doesn't make sense. These two interfaces are connected to each other. Is there any other device between them? You just cannot see something going out of the lan of the upstream and not reaching the wan of the downstream.
take care if you have old switch / hub, somes are not IPv6 compliant and may break ipv6 connectivity !
The second router is actually a VM running in VMWare esxi, connected to OpenWRT.ISP router through a cable.
I'll see with a physical router flashed with OpenWRT if that solves the problem.
Yeah, better try that first. Those esxi are not acting normally.