IPv6 prefix from the VPN server side

Hello.

I hope I have selected the right category for this Topic.

I have this script:

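# Install the IPv6 NAT kernel module
opkg update
opkg install kmod-ipt-nat6
# Firewall include: copy the IPv4 nat table to ip6tables, dropping DNAT/SNAT rules
cat << "EOF" > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore --table="nat"
EOF
# Register the include so it is re-run on every firewall reload
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart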

from here.

This script requests a public IPv6 prefix on the VPN server side. The problem is, it only works with one OpenVPN client.

If I create multiple OpenVPN clients, then it requests wrong public IPv6 prefixes from the VPN server.

Consequence:

  • Routing is not correct then
  • Packages like VPN Policy Routing do not work

An extension of this script would not be bad.

No, it enables NAT6 on the server side if you have no prefix.
The owner of the server should manually request an additional prefix from the ISP or split his current prefix and use it as the VPN_POOL6 variable value.

In the case of a commercial VPN provider, I doubt they give you a prefix wider than /64, so using NAT6 on the client side seems to be the proper approach.

For multiple commercial clients you should probably do this:

uci set firewall.@zone[1].device="tun+"
uci commit firewall
service firewall restart

And the rest will depend on your routing.

OK. Client side or server side?

If I do that, then I have an entry at wan:

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option device 'tun+'

After reboot, I have no internet connection.

uci show network; uci show firewall

Very interesting. After reboot, I had this time:

Personal Computer 1:
IPv4 Server1
IPv6 Server1

That's all right.

But at Personal Computer 2:
IPv4: Server2
IPv6: Server1 and not Server2

root@OpenWrt:~# uci show network; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8 8.8.4.4'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='D8:50:E6:4f:98:49'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2001:4860:4860::8888 2001:4860:4860::8844'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 5t'
network.PP_VPN1=interface
network.PP_VPN1.proto='none'
network.PP_VPN1.ifname='tun0'
network.PP_VPN1.auto='1'
network.PP_VPN2=interface
network.PP_VPN2.proto='none'
network.PP_VPN2.auto='1'
network.PP_VPN2.ifname='tun1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].device='tun+'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='1'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='PP_Firewall'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='PP_VPN1 PP_VPN2'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='PP_Firewall'
firewall.@forwarding[1].src='lan'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].name='IPSec ESP'
firewall.@rule[9].proto='esp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].src='wan'
firewall.@rule[10].name='IPSec IKE'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='500'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].name='IPSec NAT-T'
firewall.@rule[11].proto='udp'
firewall.@rule[11].dest_port='4500'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].src='wan'
firewall.@rule[12].name='Auth Header'
firewall.@rule[12].proto='ah'
firewall.@rule[12].target='ACCEPT'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'

Let's clarify:

  • Are you trying to run both VPN connections at the same time?
  • The firewall rules 9-12 - is that another VPN?
  • The script /etc/firewall.user - did you edit it?

Yes.

The firewall rules 9-12?
I have one VPN service and 2 different servers configured.

No, it's empty.

Edit:
Oh. 9-12. It is for IPSec IKEv2 Client. The Topic is here.

The IPSec IKEv2 connection is currently disabled.

Okay then.

Do they both try to redirect the gateway?
If so, then how should the router select the default route?

I don't know. Should I remove the option "redirect-gateway def1" in Server1 and Server2 configuration?

Here is my configuration:

auth-user-pass userpass.txt
client
dev tun0
hand-window 120
inactive 604800
mute-replay-warnings
nobind
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4

tun-ipv6
tun-mtu  1500
proto udp
fragment 1300
mssfix
comp-lzo

remote 85.17.28.145 148
remote 85.17.28.145 149
remote 85.17.28.145 150
remote 85.17.28.145 151
remote 85.17.28.145 1148
remote 85.17.28.145 1149
remote 85.17.28.145 1150
remote 85.17.28.145 1151

cipher AES-256-CBC
auth SHA512
ignore-unknown-option ncp-disable
ncp-disable
remote-cert-tls server
key-direction 1

ca ca.crt
cert Amsterdam1_cl.crt
key Amsterdam1_cl.key
tls-auth Amsterdam1_ta.key 1
log /var/log/openvpn1.log
log-append /var/log/openvpn1.log
up up.sh
down down.sh

It depends on your goal.
What are you trying to achieve running 2 VPN instances simultaneously?

Yes, I am trying to run 2 VPN connections at the same time.

Hello.

What about this NAT6 guide?

I tried it, but I do not get an IPv6 prefix.

I also tried the new version. Without success.

Can someone explain the differences?

Usually there's no point in running 2 VPN client instances unless you want to utilize specific routes.
Do you really need it and what is the reason?
I have no way to help you until I understand why you're doing it.

I usually look for 2 VPN client instances or more.

I need it because my VPN service offers IPv6.

So what do I need for that? NAT6 or not?

You do not need to run 2 instances to get IPv6.
In general every single instance can run in dual stack mode.
So, if they offer IPv6, it means they usually also offer IPv4 on the same connection.

And why do I not have IPv6, if I run 2 or more OpenVPN instances?

That's why I opened the thread.

ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save
traceroute6 openwrt.org

Sorry for the answer:

And why do I not have IPv6, if I run 2 or more OpenVPN instances?

I mean:

I have wrong IPv6 IPs if I run 2 or more OpenVPN instances.

without tun+:

root@OpenWrt:~# ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::da50:e6ff:fe4f:9848/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:908:3034:f2e0::1/60 scope global dynamic noprefixroute
       valid_lft 1044041sec preferred_lft 439241sec
    inet6 fd48:17a:cb5c::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::da50:e6ff:fe4f:9848/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:908:3000:3:f8:a4fa:dd16:daeb/128 scope global dynamic noprefixroute
       valid_lft 1044041sec preferred_lft 439241sec
    inet6 fe80::da50:e6ff:fe4f:9849/64 scope link
       valid_lft forever preferred_lft forever
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fdbf:1d37:bbe0::72:10:0:f2/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::46a1:bd85:230c:7287/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fdbf:1d37:bbe0::48:5:0:f5/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c846:dffc:d5c0:989b/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
default from 2a02:908:3000:3:f8:a4fa:dd16:daeb via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
default from 2a02:908:3034:f2e0::/59 via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
::/3 dev tun1 metric 1 pref medium
::/3 dev tun0 metric 1 pref medium
2a02:908:3034:f2e0::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a02:908:3034:f2e0::/59 dev lo proto static metric 2147483647 error -113 pref medium
2000::/4 dev tun1 metric 1 pref medium
2000::/4 dev tun0 metric 1 pref medium
3000::/4 dev tun1 metric 1 pref medium
3000::/4 dev tun0 metric 1 pref medium
2000::/3 dev tun1 metric 1 pref medium
2000::/3 dev tun0 metric 1 pref medium
fd48:17a:cb5c::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd48:17a:cb5c::/48 dev lo proto static metric 2147483647 error -113 pref medium
fdbf:1d37:bbe0:0:48:5::/112 dev tun0 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:72:10::/112 dev tun1 proto kernel metric 256 pref medium
fc00::/7 dev tun1 metric 1 pref medium
fc00::/7 dev tun0 metric 1 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2a02:908:3034:f2e0::1/60 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000007:     from all iif br-lan failed_policy
4200000009:     from all iif eth0.2 failed_policy
4200000009:     from all iif eth0.2 failed_policy
4200000012:     from all iif tun1 failed_policy
4200000013:     from all iif tun0 failed_policy
# Generated by ip6tables-save v1.6.2 on Thu Jul 11 22:54:11 2019
*nat
:PREROUTING ACCEPT [1110:100357]
:INPUT ACCEPT [769:67792]
:OUTPUT ACCEPT [30:3360]
:POSTROUTING ACCEPT [12:2208]
:postrouting_PP_Firewall_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_PP_Firewall_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_PP_Firewall_postrouting - [0:0]
:zone_PP_Firewall_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_prerouting
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_postrouting
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_postrouting
-A zone_PP_Firewall_postrouting -m comment --comment "!fw3: Custom PP_Firewall postrouting rule chain" -j postrouting_PP_Firewall_rule
-A zone_PP_Firewall_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_PP_Firewall_prerouting -m comment --comment "!fw3: Custom PP_Firewall prerouting rule chain" -j prerouting_PP_Firewall_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Jul 11 22:54:11 2019
# Generated by ip6tables-save v1.6.2 on Thu Jul 11 22:54:11 2019
*mangle
:PREROUTING ACCEPT [97928:57628347]
:INPUT ACCEPT [8592:550451]
:FORWARD ACCEPT [78964:56318726]
:OUTPUT ACCEPT [2156:277566]
:POSTROUTING ACCEPT [81113:56595872]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone PP_Firewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone PP_Firewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Jul 11 22:54:11 2019
# Generated by ip6tables-save v1.6.2 on Thu Jul 11 22:54:11 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_PP_Firewall_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_PP_Firewall_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_PP_Firewall_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_PP_Firewall_dest_ACCEPT - [0:0]
:zone_PP_Firewall_dest_REJECT - [0:0]
:zone_PP_Firewall_forward - [0:0]
:zone_PP_Firewall_input - [0:0]
:zone_PP_Firewall_output - [0:0]
:zone_PP_Firewall_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_PP_Firewall_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_PP_Firewall_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_PP_Firewall_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_PP_Firewall_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_PP_Firewall_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_PP_Firewall_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
-A zone_PP_Firewall_forward -m comment --comment "!fw3: Custom PP_Firewall forwarding rule chain" -j forwarding_PP_Firewall_rule
-A zone_PP_Firewall_forward -m comment --comment "!fw3" -j zone_PP_Firewall_dest_REJECT
-A zone_PP_Firewall_input -m comment --comment "!fw3: Custom PP_Firewall input rule chain" -j input_PP_Firewall_rule
-A zone_PP_Firewall_input -m comment --comment "!fw3" -j zone_PP_Firewall_src_REJECT
-A zone_PP_Firewall_output -m comment --comment "!fw3: Custom PP_Firewall output rule chain" -j output_PP_Firewall_rule
-A zone_PP_Firewall_output -m comment --comment "!fw3" -j zone_PP_Firewall_dest_ACCEPT
-A zone_PP_Firewall_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_PP_Firewall_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to PP_Firewall forwarding policy" -j zone_PP_Firewall_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
root@OpenWrt:~# traceroute6 openwrt.org
traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1), 30 hops max, 64 byte packets
 1  fdbf:1d37:bbe0::72:10:0:1 (fdbf:1d37:bbe0::72:10:0:1)  26.224 ms  26.118 ms  26.505 ms
 2  2a01:4a0:c::1 (2a01:4a0:c::1)  34.076 ms  33.907 ms  33.897 ms
 3  2a01:4a0:0:2019::31 (2a01:4a0:0:2019::31)  39.336 ms  40.352 ms  39.085 ms
 4  fra1-edge1.digitalocean.com (2001:7f8::36ed:0:1)  40.039 ms  39.792 ms  39.979 ms
 5  *  *  *
 6  wiki-01.infra.openwrt.org (2a03:b0c0:3:d0::1af1:1)  39.865 ms  39.511 ms  39.236 ms

Diagnostics from the router show no issues.
Check the IPv6 traceroute from your PC.
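Added example, not part of the thread: in the route table posted above, `::/3` and `2000::/3` appear on both tun0 and tun1 at metric 1, and the posted traceroute leaves through the tun1 gateway. The function below (its name and the sample helper are this example's own) reads `ip -6 route show` output and lists every prefix that is routed through more than one tun device at the same metric.

```shell
#!/bin/sh
# Route lines copied from the "ip -6 route show" output posted in the thread.
sample_routes() {
cat << 'EOF'
default from 2a02:908:3034:f2e0::/59 via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
::/3 dev tun1 metric 1 pref medium
::/3 dev tun0 metric 1 pref medium
unreachable 2a02:908:3034:f2e0::/59 dev lo proto static metric 2147483647 error -113 pref medium
2000::/3 dev tun1 metric 1 pref medium
2000::/3 dev tun0 metric 1 pref medium
fdbf:1d37:bbe0:0:48:5::/112 dev tun0 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:72:10::/112 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
EOF
}

# Reads "ip -6 route show" text on stdin and prints one line per conflict:
#   <prefix> metric <n>: <dev> <dev> ...
# Only tunN devices are considered; link-local fe80::/64 is skipped because
# every interface carries it.
find_tunnel_route_conflicts() {
    awk '
    {
        prefix = $1; dev = ""; metric = ""
        for (i = 2; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        if (dev !~ /^tun[0-9]+$/ || prefix ~ /^fe80:/) next
        key = prefix " metric " metric
        if (!(key in devs)) {
            order[++n] = key; devs[key] = dev; count[key] = 1
        } else if (index(" " devs[key] " ", " " dev " ") == 0) {
            devs[key] = devs[key] " " dev; count[key]++
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (count[order[k]] > 1) print order[k] ": " devs[order[k]]
    }'
}

# Stand-alone run against the sample; on the router use:
#   ip -6 route show | find_tunnel_route_conflicts
sample_routes | find_tunnel_route_conflicts
```

An empty result means no prefix is shared between tunnels at equal metric in the main table.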