IPv6 question - Can it be enabled without resetting the settings to default

My ISP has started leasing an IPv6 recently although it's still not mentioned officially anywhere.
WAN6 interface gets an IPv6 from upstream network. That is with default OpenWrt configuration.
The ISP supports Prefix Delegation too.
Both IPv6 Ping and Traceroute work OK when I aim them at openwrt.org.

I configured all the router settings a long time ago, and in the past I used the following commands, run from rc.local, to disable IPv6.

# DISABLE IPV6
# Executed from rc.local, so it is applied on every boot. The echo lines and
# the `sysctl -w` lines set the same kernel parameters twice; both are
# runtime-only writes to /proc/sys and nothing here persists them.
# Disable IPv6 on all current interfaces (all) and on interfaces created
# later (default).
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
# Turn off IPv6 forwarding, i.e. the router stops routing IPv6 between
# interfaces.
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
echo 0 > /proc/sys/net/ipv6/conf/default/forwarding
# Same disable_ipv6 settings again through sysctl, plus the loopback
# interface explicitly.
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.conf.lo.disable_ipv6=1
# With no file argument this loads /etc/sysctl.conf.
# NOTE(review): any IPv6 keys stored in that file are applied after the
# lines above and would win over them - confirm its contents.
sysctl -p

I simply tried to reverse all of them by running

# Attempted reversal of the earlier disable commands. Every write below is
# runtime-only (/proc/sys), so the final reboot discards all of it.
# NOTE(review): if the disable commands are still present in rc.local they run
# again during boot and IPv6 ends up disabled once more - remove them there
# instead of relying on these one-off writes.
# Re-enable IPv6 on all current interfaces (all) and on interfaces created
# later (default).
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
# Turn IPv6 forwarding back on.
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
# Same disable_ipv6 settings again through sysctl, plus the loopback
# interface explicitly.
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0
sysctl -w net.ipv6.conf.lo.disable_ipv6=0
# With no file argument this loads /etc/sysctl.conf.
sysctl -p
# Restart the router; only settings stored in files survive this.
reboot

After the reboot the router cannot get IPv6 address from the ISP network.

Is there a way (or commands I can run) to restore only the IPv6 configuration to default, without having to restore all the settings to default?

Please provide configs:

cat /etc/config/network

cat /etc/config/dhcp

root@R7800-IS:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd66:2b14:dc6a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'zerotier'
        option proto 'none'
        option device 'ztxxxxxxx'

root@R7800-IS:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '72h'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

There's no IPv6 network config/setting for LAN. See: How to configure ipv6 with slaac+dhcpv6 stateless - #2 by lleachii

In particular, review your network config (e.g. ip6class and ip6assign) and compare DHCP(v6) settings.


@vgaetera - thanks, I fixed it!


I have these settings now but still unable to get IPv6.

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option sequential_ip '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option leasetime '72h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd66:2b14:dc6a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'


Add:

Change (in case your ISP doesn't issue a Prefix Delegation large enough for assigning a /60):

option ip6assign '64' #<---change to /64


When working (with default OpenWrt config) I get this PD from ISP.
Prefix Delegated: xxxx:xxx:30f:495e::/64

I see this in syslog

~# logread | grep odhcp6c
Tue Sep 26 17:35:20 2023 daemon.err odhcp6c[2446]: Failed to send RS (Address not available)
Tue Sep 26 17:35:20 2023 daemon.err odhcp6c[2446]: Failed to send SOLICIT message to ff02::1:2 (Address not available)

Probably the last messages are not related to the issue because I have them on the working config too.
Maybe the commands used previously disturbed some other settings.

As you only get a /64 delegated from the ISP that means you must dedicate that /64 to lan. lan ip6assign needs to be 64 and no other LAN-like interfaces can be delegated.

Run ip -6 addr show and confirm that both br-lan and eth0.2 have both a link-local and a GUA IPv6. ifstatus lan and ifstatus wan6 would also be useful to see address assignments and delegation.

Check the /etc/sysctl.conf and /etc/sysctl.d to confirm that IPv6 is enabled.

Your best bet may be to re-flash to defaults then reinstall your configuration. Again this is a special case as the default configuration assumes a /56 or larger will be available from the ISP.


If you had IPv6 disabled before and have not restarted your router in the meantime, then check whether you have link-local addresses on the lan and wan interfaces. Without them, nothing IPv6-related will work.


There is UCI option ipv6 0 which should prevent assignment of V6 link-local to an interface in a V4 only use case. That would be preferable to mucking around in sysctl. Disabling v6 in the kernel tends to break applications that expect or require dual stack.


I assume that more or less the same effect is in place and in the end it does not matter. Even if you just remove the link-local v6 addresses from an otherwise properly configured system, stuff breaks. And most sysctls can be changed during uptime just fine. But a reboot at least ensures that the system comes up with defined defaults.

So back to topic: @sppmaster should check whether link-local addresses are present on the interfaces. If not: ensure that all the previous "disable v6" commands are removed, and then reboot. (You may be able to do this without a reboot, but chances are high that you will miss something. AFAIK there is no way to bring back a missing LLA other than changing the state of the interface, so you will lose network connectivity anyway; a reboot should be the preferred way to ensure a clean start.)

root@R7800-IS:~# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fae/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fad/64 scope link
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd66:2b14:dc6a::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::b27f:b9ff:fe3e:4fad/64 scope link
       valid_lft forever preferred_lft forever
14: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fae/64 scope link
       valid_lft forever preferred_lft forever
15: ztmjfc3ygy: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 state UNKNOWN qlen 1000
    inet6 fe80::a47b:c7ff:fef9:b18/64 scope link
       valid_lft forever preferred_lft forever
16: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4faf/64 scope link
       valid_lft forever preferred_lft forever
17: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fb0/64 scope link
       valid_lft forever preferred_lft forever
root@R7800-IS:~# ifstatus lan
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 59163,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.1.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "fd66:2b14:dc6a::",
                        "mask": 60,
                        "local-address": {
                                "address": "fd66:2b14:dc6a::1",
                                "mask": 60
                        }
                }
        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}
root@R7800-IS:~# ifstatus wan6
{
        "up": false,
        "pending": true,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "proto": "dhcpv6",
        "device": "eth0.2",
        "data": {

        }
}
root@R7800-IS:~#

ifup wan6 ?
Did you perform a reboot, or are you trying to do this without rebooting? It looks like wan6 is not up (but available).

Yes I've tried to reboot several times. Restarted the interface several times too. No success for now.
I've checked /etc/sysctl.d; the 10-default.cfg file contains the two lines shown below.
I've also changed the setting to option ip6assign '64', as suggested.

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
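Remember to redact passwords, MAC addresses and any public IP addresses you may have. Note that EUI-64 link-local addresses (fe80:: addresses with ff:fe in the middle of the interface ID) are derived from the interface's MAC address.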

# Diagnostic dump: board and firmware information, the network, dhcp and
# firewall UCI configs, then the IPv6 addresses, all IPv6 routing tables and
# the IPv6 policy rules.
# The exported configs and address listings may contain credentials and
# identifying addresses; redact them before posting the output.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Config for non working IPv6

~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
{
        "kernel": "5.15.120",
        "hostname": "R7800",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r23580+21-b993a00b82",
                "target": "ipq806x/generic",
                "description": "OpenWrt SNAPSHOT r23580+21-b993a00b82"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd66:2b14:dc6a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'zerotier'
        option proto 'none'
        option device 'ztxxxxxxxx'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '72h'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'ssh-wan'
        list proto 'tcp'
        option src 'wan'
        option dest_port '60222'
        option target 'ACCEPT'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config include 'nss_ecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config rule
        option name 'Allow-ZeroTier-Inbound'
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '9993'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'zerotier'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fae/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fad/64 scope link
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd66:2b14:dc6a::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::b27f:b9ff:fe3e:4fad/64 scope link
       valid_lft forever preferred_lft forever
14: ztxxxxxxxx: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 state UNKNOWN qlen 1000
    inet6 fe80::b401:56ff:fef8:3326/64 scope link
       valid_lft forever preferred_lft forever
15: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fae/64 scope link
       valid_lft forever preferred_lft forever
16: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4fb0/64 scope link
       valid_lft forever preferred_lft forever
17: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b27f:b9ff:fe3e:4faf/64 scope link
       valid_lft forever preferred_lft forever
fd66:2b14:dc6a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd66:2b14:dc6a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev ztxxxxx proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd66:2b14:dc6a:: dev br-lan table local proto kernel metric 0 pref medium
local fd66:2b14:dc6a::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ztxxxxxx table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::b27f:b9ff:fe3e:4fad dev eth1 table local proto kernel metric 0 pref medium
local fe80::b27f:b9ff:fe3e:4fad dev br-lan table local proto kernel metric 0 pref medium
local fe80::b27f:b9ff:fe3e:4fae dev eth0 table local proto kernel metric 0 pref medium
local fe80::b27f:b9ff:fe3e:4fae dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::b27f:b9ff:fe3e:4faf dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::b27f:b9ff:fe3e:4fb0 dev phy1-ap0 table local proto kernel metric 0 pref medium
local fe80::b401:56ff:fef8:3326 dev ztxxxxxx table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ztxxxxxxx table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main

There is no GUA address or prefix being assigned from the ISP, so IPv6 cannot be routed to the Internet. GUA addresses start with a 2 or 3.

Remove the ULA prefix from your configuration to avoid confusion. This use case does not call for ULAs.

Make sure that your custom firewall rules and include scripts are not blocking RA and/or DHCPv6 on wan.


This is a working IPv6 when run with default settings.

~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
{
        "kernel": "5.15.130",
        "hostname": "R7800",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05-SNAPSHOT",
                "revision": "r23430+31-6c60bbbc94",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05-SNAPSHOT r23430+31-6c60bbbc94"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd68:ed9d:8db6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'nss_ecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config rule
        option name 'ssh-wan'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b239:56ff:fe93:3793/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b239:56ff:fe93:3792/64 scope link
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:xx:30f:5372::1/64 scope global dynamic noprefixroute
       valid_lft 86257sec preferred_lft 3457sec
    inet6 fd68:ed9d:8db6::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::b239:56ff:fe93:3792/64 scope link
       valid_lft forever preferred_lft forever
15: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xx:30f:5371::1/128 scope global dynamic noprefixroute
       valid_lft 86257sec preferred_lft 3457sec
    inet6 fe80::b239:56ff:fe93:3793/64 scope link
       valid_lft forever preferred_lft forever
20: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b239:56ff:fe93:3794/64 scope link
       valid_lft forever preferred_lft forever
22: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::b239:56ff:fe93:3795/64 scope link
       valid_lft forever preferred_lft forever
default from xxxx:xx:30f:5371::1 via fe80::a2f3:e4ff:fe81:fe30 dev eth0.2 proto static metric 512 pref medium
default from xxxx:xx:30f:5372::/64 via fe80::a2f3:e4ff:fe81:fe30 dev eth0.2 proto static metric 512 pref medium
xxxx:xx:30f:5372::/64 dev br-lan proto static metric 1024 pref medium
unreachable xxxx:xx:30f:5372::/64 dev lo proto static metric 2147483647 pref medium
fd68:ed9d:8db6::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd68:ed9d:8db6::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local xxxx:xx:30f:5371::1 dev eth0.2 table local proto kernel metric 0 pref medium
anycast xxxx:xx:30f:5372:: dev br-lan table local proto kernel metric 0 pref medium
local xxxx:xx:30f:5372::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd68:ed9d:8db6:: dev br-lan table local proto kernel metric 0 pref medium
local fd68:ed9d:8db6::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe93:3792 dev eth1 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe93:3792 dev br-lan table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe93:3793 dev eth0 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe93:3793 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe93:3794 dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe93:3795 dev phy1-ap0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000000:     from xxxx:xx:30f:5372::1/64 iif br-lan unreachable
root@R7800-RG2:~#

The current default Allow-DHCPv6 rule no longer restricts by source or destination IP. Try removing the src_ip and dest_ip options from that rule in your firewall config.
