IPv6 relay, client devices route not added

Hey all,

New to IPv6 on OpenWRT on 19.07.5 with a TP-Link AC1750.

Background

  • ISP is a subscription based WiFi hotspot
  • Using OpenWRT wlan0 interface to join hotspot and create my own internal network (wlan1 and wired)
  • IPv4 WAN address is NAT, so double NATing inside my network for IPv4
  • IPv6 is /64 prefix provided on WAN interface, no prefix delegation provided at all

IPv6 Relay

  • Goal: Use OpenWRT relay mode so all my clients on my LAN can use a public IPv6 address from the /64 prefix
  • The WAN interface can ping out, and somehow my MacBook Pro can as well (I'm using it to run Wireshark), but my other devices cannot, e.g. an iPhone or a Win10 laptop (they are assigned an address from the /64, though)
    ** iPhone has two public addresses (temp/privacy is the second I think)

Thoughts

  • Not a firewall issue: tcpdump shows the icmp6 replies coming back on the WAN interface, but I never see them come out on the LAN side
  • I think I've narrowed it down to the IPv6 routing table not getting entries for my additional clients...
root@openwrt:/etc# ip -6 route
default from 2xxx:xxxx:xxxx:xxxx::/64 via fe80::f63e:9dff:fe03:63bc dev wlan0  metric 512 
2xxx:xxxx:xxxx:xxxx:7624:9fff:fe00:2f19 dev br-lan  metric 1024 <---- another downstream router, can ping from its WAN interface
2xxx:xxxx:xxxx:xxxx:fdf9:dd60:8942:b534 dev br-lan  metric 1024 <---- MacBook Pro
rest is non global stuff

Should I be seeing all my clients added to the IPv6 routing table? Not sure if relay mode made this trickier than it is.

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
#       option master '1'
        option ignore '1'  
        option dhcpv6 'relay' 
        option ra 'relay'     
        option ndp 'relay' 

config dhcp wan6
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'
        option interface 'wan6'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Kind of stumped. Thanks!

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
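Remember to redact passwords, MAC addresses and any public IP addresses you may have. That includes the Wi-Fi key, EAP password and identity options in the wireless export and any macaddr option in the network export. Note also that EUI-64 style IPv6 addresses (the ones with ff:fe in the middle of the interface ID) embed the interface's MAC address, so redacting only the prefix still leaves the MAC readable.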

# Diagnostic dump for an OpenWrt router. The parts are chained with ';', so
# each one runs even if an earlier one fails.
# Redact before posting: 'uci export wireless' prints the key, password and
# identity options, 'uci export network' prints macaddr options, and the
# 'ip -6' commands print global IPv6 addresses (plus link-local ones).
# 'head -n -0' prints each file in full, with a '==> name <==' header when
# several files are given.
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

ubus call system board

{
	"kernel": "4.14.209",
	"hostname": "openwrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer A7 v5",
	"board_name": "tplink,archer-a7-v5",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.5",
		"revision": "r11257-5090152ae3",
		"target": "ath79/generic",
		"description": "OpenWrt 19.07.5 r11257-5090152ae3"
	}
}

UCI Export Network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:32c3:1cc3::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option ip6assign '64'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'd8:07:b6:f8:ab:c5'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'WAN'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'WAN6wired'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

UCI Export Wireless (using 5 GHz radio facing hotspot ISP as WAN)

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option channel 'auto'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option channel 'auto'

config wifi-iface 'wifinet1'
	option ssid 'HOT-SPOT-ISP'
	option device 'radio0'
	option mode 'sta'
	option password 'hotspot_isp_802.1x_password'
	option encryption 'wpa2'
	option eap_type 'ttls'
	option anonymous_identity 'xanonymous-ttls@hotspotisp.com'
	option identity 'hospotlogin@domain.com'
	option auth 'PAP'
	option network 'wwan wan6'

config wifi-iface 'wifinet2'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option key 'local_LAN_password'
	option ssid 'home_SSID'

UCI Export DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'relay'   // followed OpenWRT IPv6 Relay Guide
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'

config dhcp 'wan6'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
	option interface 'wan6'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

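UCI Export Firewall (Note: I also ended up removing all IPv6 rules manually via ip6tables, so the running IPv6 ruleset no longer matches this export until the firewall is reloaded. In relay mode the LAN clients hold public addresses, so in the meantime nothing on the router filters inbound IPv6 to them.)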

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6 wwan WAN WAN6wired'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
    option path '/etc/firewall.user'
    
/etc/firewall.user   //this is empty

IPv6 Addresses (Relay Mode)

root@openwrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::da07:b6ff:fef8:abc4/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd0b:32c3:1cc3::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::da07:b6ff:fef8:abc4/64 scope link 
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::da07:b6ff:fef8:abc5/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2xxxx:xxxx:xxxx:5e7:da07:b6ff:fef8:abc3/64 scope global dynamic 
       valid_lft 1303sec preferred_lft 1303sec
    inet6 fe80::da07:b6ff:fef8:abc3/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::da07:b6ff:fef8:abc4/64 scope link 
       valid_lft forever preferred_lft forever

_

IPv6 Route Info (Relay Mode)

root@openwrt:~# ip -6 ro li tab all
default from 2xxxx:xxxx:xxxx:5e7::/64 via fe80::f63e:9dff:fe03:63bc dev wlan0  metric 512 
2xxxx:xxxx:xxxx:5e7:6d53:3ca8:38ca:afcc dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:5e7:d21f:7eec:15bf:5c02 dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:ea7c:825:991c:4bce:c559 dev br-lan  metric 1024 // this is a different /64 prefix, not sure where it came from
2xxxx:xxxx:xxxx:ea7c:5006:51de:647:52ab dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:ea7c:64bb:47c2:a155:dddb dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:ea7c:690c:1ccf:287b:e12e dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:ea7c:7624:9fff:fe00:2f19 dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:ea7c:fd51:5715:961a:e681 dev br-lan  metric 1024 
2xxxx:xxxx:xxxx:ea7c:fdf9:dd60:8942:b534 dev br-lan  metric 1024 
fd0b:32c3:1cc3:0:eeb5:faff:fe0e:1a97 dev br-lan  metric 1024 
fd0b:32c3:1cc3::/64 dev br-lan  metric 1024 
unreachable fd0b:32c3:1cc3::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan1  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2xxxx:xxxx:xxxx:5e7:: dev wlan0 table local  metric 0 
local 2xxxx:xxxx:xxxx:5e7:da07:b6ff:fef8:abc3 dev wlan0 table local  metric 0 
anycast fd0b:32c3:1cc3:: dev br-lan table local  metric 0 
local fd0b:32c3:1cc3::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev eth0.2 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
local fe80::da07:b6ff:fef8:abc3 dev wlan0 table local  metric 0 
local fe80::da07:b6ff:fef8:abc4 dev eth0 table local  metric 0 
local fe80::da07:b6ff:fef8:abc4 dev br-lan table local  metric 0 
local fe80::da07:b6ff:fef8:abc4 dev wlan1 table local  metric 0 
local fe80::da07:b6ff:fef8:abc5 dev eth0.2 table local  metric 0 
ff00::/8 dev br-lan table local  metric 256 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev eth0.2 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
ff00::/8 dev wlan1 table local  metric 256 
root@openwrt:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo lookup unspec 12
4200000006:	from all iif br-lan lookup unspec 12
4200000009:	from all iif wlan0 lookup unspec 12
4200000009:	from all iif wlan0 lookup unspec 12

Resolv Stuff

root@openwrt:~# ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Dec  6 07:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Feb  9 22:26 /tmp/resolv.conf
-rw-r--r--    1 root     root           136 Feb 16 10:44 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan6
nameserver 2001:4860:4860::8888 
nameserver 2001:4860:4860::8844
# Interface wwan
nameserver 8.8.8.8
head: /tmp/resolv.*/*: No such file or directory
root@openwrt:~# 

You could change these to forced ('force') for the reqaddress and automatic ('auto') for the reqprefix.
One more thing to try is to delete wan6 from

And in the wan6 interface, add option ifname '@wwan'

Also remove the relay options from the dhcp 'wan' section.

Sounds right, because the /64 is assigned on the wan6, so there should be some static route to point to the lan.
