IPv6 return packets get dropped at all but one interface for no apparent reason

Hi all, I'm stuck on an IPv6 debugging problem for multiple days now and hope to find some help here.

The situation is as follows:

  • I'm running a GliNet AXT1800 (OpenWRT Version: OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7) as router behind my main router
  • My GliNet has several WiFi interfaces and LAN interfaces (realized via VLANs)
  • Uplink (connection to main router) is eth0
  • VLAN Trunk is eth1
  • Proxmox server is connected to eth1
  • There are two main Interfaces for the router: LAN (vlan 10) and Server (vlan 50)
  • My WAN6 Interface gets a /57 prefix delegated from my main router (which has a /48 prefix from my ISP)
  • WAN6 delegates a /64 prefix to Servers and one to LAN, from which the devices get addresses via dhcp6 and SLAAC + optional dhcpv6 respectively

Problem statement:

  • IPv6 transmission works flawlessly for LAN interfaces (for WLAN, too, btw)
  • IPv6 doesn't work for the Server interface. Devices get an IPv6 address assigned and can ping the router, but they cannot reach my main router. Tcpdump shows that packets in fact go out (tested with ICMPv6 and HTTPS) and response packets are received (echo-reply, ACK) on my GliNet router but don't seem to be forwarded to the client. Conclusion: routing is working, including routing to the internet and back, as ping google.com, for example, actually receives echo-reply packets on the GliNet router - they just aren't forwarded to the requesting client.
  • There is no configuration difference between the LAN and Servers interfaces except for SLAAC (and this is ruled out, because I enabled SLAAC on Servers, too, tested it, no difference)

Overall, it looks as if the firewall were missing a state rule. However, I checked it, and the firewall looks perfectly OK. There are also no logs of rejected packets on these interfaces (I configured them to reject instead of drop for diagnostic purposes and also enabled logging).

I also tried re-creating the Servers interface with a completely new VLAN (60) and hooked up Kali Linux to that for better diagnosis. Still, there is no difference, even with a new interface that is configured exactly like the LAN interface, where everything is working.

Below you find my configuration and status info:

root@glinet:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 2249,
        "l3_device": "eth0",
        "proto": "dhcpv6",
        "device": "eth0",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2aXX:XXXX:26a:0:9683:c4ff:fe29:cd15",
                        "mask": 64,
                        "preferred": 3304,
                        "valid": 6904
                },
                {
                        "address": "fd01:78::9683:c4ff:fe29:cd15",
                        "mask": 64,
                        "preferred": 3304,
                        "valid": 6904
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2aXX:XXXX:26a:80::",
                        "mask": 57,
                        "preferred": 3151,
                        "valid": 6751,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2aXX:XXXX:26a:90::",
                                        "mask": 64
                                },
                                "servers": {
                                        "address": "2aXX:XXXX:26a:d0::",
                                        "mask": 64
                                },
                                "svr": {
                                        "address": "2aXX:XXXX:26a:e0::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2aXX:XXXX:26a::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 6904,
                        "source": "::/0"
                },
                {
                        "target": "fd01:78::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 6904,
                        "source": "::/0"
                },
                {
                        "target": "fd01:78::",
                        "mask": 64,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "::/0"
                },
                {
                        "target": "2aXX:XXXX:26a::",
                        "mask": 48,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "2aXX:XXXX:26a:80::/57"
                },
                {
                        "target": "2aXX:XXXX:26a::",
                        "mask": 48,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "2aXX:XXXX:26a:0:9683:c4ff:fe29:cd15/64"
                },
                {
                        "target": "2aXX:XXXX:26a::",
                        "mask": 48,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "fd01:78::9683:c4ff:fe29:cd15/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "2aXX:XXXX:26a:80::/57"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "2aXX:XXXX:26a:0:9683:c4ff:fe29:cd15/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::e72:74ff:fecd:e46d",
                        "metric": 512,
                        "valid": 1504,
                        "source": "fd01:78::9683:c4ff:fe29:cd15/64"
                }
        ],
        "dns-server": [
                "fd01:78::e72:74ff:fecd:e46d",
                "2aXX:XXXX:26a:0:e72:74ff:fecd:e46d"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "xxx"
        }
}
root@glinet:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        list proto 'icmp'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src '*'
        option name 'Allpw-Ping-Input'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src '*'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src '*'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        list dest_ip 'fc00::/6'
        list src_ip 'fc00::/6'
        option src 'wan'
        option name 'Allow-DHCPv6-Input'

config rule
        option dest_port '53'
        option src 'servers'
        option name 'Allow-DNS-Server'
        option target 'ACCEPT'

config rule
        option dest_port '67-68'
        option src 'servers'
        option name 'Allow-DHCP-Server'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'

config rule
        option dest_port '546-547'
        option src 'servers'
        option name 'Allow-DHCPv6-Server'
        option family 'ipv6'
        option target 'ACCEPT'
        list proto 'udp'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config zone
        option name 'servers'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        option input 'REJECT'
        list network 'servers'

config forwarding
        option dest 'wan'
        option src 'servers'

config forwarding
        option dest 'servers'
        option src 'lan'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'
root@glinet:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */
input_rule  all      anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request /* !fw3: Allpw-Ping-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
zone_lan_input  all      anywhere             anywhere             /* !fw3 */
zone_wan_input  all      anywhere             anywhere             /* !fw3 */
zone_servers_input  all      anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all      anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
zone_lan_forward  all      anywhere             anywhere             /* !fw3 */
zone_wan_forward  all      anywhere             anywhere             /* !fw3 */
zone_servers_forward  all      anywhere             anywhere             /* !fw3 */
reject     all      anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */
output_rule  all      anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all      anywhere             anywhere             /* !fw3 */
zone_wan_output  all      anywhere             anywhere             /* !fw3 */
zone_servers_output  all      anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_servers_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_servers_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_servers_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (6 references)
target     prot opt source               destination
REJECT     tcp      anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all      anywhere             anywhere             /* !fw3 */ reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_servers_dest_ACCEPT  tcp      anywhere             fd10:16:0:50::4      tcp dpt:domain /* !fw3: Allow-DNS-Adguard-LAN */
zone_servers_dest_ACCEPT  udp      anywhere             fd10:16:0:50::4      udp dpt:domain /* !fw3: Allow-DNS-Adguard-LAN */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_servers_dest_ACCEPT  all      anywhere             anywhere             /* !fw3: Zone lan to servers forwarding policy */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan input rule chain */
zone_lan_src_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_servers_dest_ACCEPT (10 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_servers_forward (1 references)
target     prot opt source               destination
forwarding_servers_rule  all      anywhere             anywhere             /* !fw3: Custom servers forwarding rule chain */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3: Zone servers to wan forwarding policy */
zone_servers_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_servers_input (1 references)
target     prot opt source               destination
input_servers_rule  all      anywhere             anywhere             /* !fw3: Custom servers input rule chain */
ACCEPT     tcp      anywhere             anywhere             tcp dpt:domain /* !fw3: Allow-DNS-Server */
ACCEPT     udp      anywhere             anywhere             udp dpt:domain /* !fw3: Allow-DNS-Server */
ACCEPT     udp      anywhere             anywhere             udp dpts:dhcpv6-client:dhcpv6-server /* !fw3: Allow-DHCPv6-Server */
zone_servers_src_REJECT  all      anywhere             anywhere             /* !fw3 */

Chain zone_servers_output (1 references)
target     prot opt source               destination
output_servers_rule  all      anywhere             anywhere             /* !fw3: Custom servers output rule chain */
zone_servers_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_servers_src_REJECT (1 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere             limit: avg 10/sec burst 5 /* !fw3 */ LOG level warning prefix "REJECT servers in: "
reject     all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_ACCEPT (6 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_DROP (1 references)
target     prot opt source               destination
DROP       all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_wan_dest_DROP  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 130 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 131 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 132 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 143 code 0 /* !fw3: Allow-MLD */
ACCEPT     udp      fc00::/6             fc00::/6             udp dpt:dhcpv6-client /* !fw3: Allow-DHCPv6-Input */
zone_wan_src_DROP  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_DROP (1 references)
target     prot opt source               destination
DROP       all      anywhere             anywhere             /* !fw3 */

One (possibly unrelated) observation: my WAN interface is dropping packets for unknown reasons (about one per second). I couldn't figure out the reason for this; the number, however, seems to be smaller than the number of packets actually dropped when awaiting echo-replies for a ping via the Servers interface.

I also swapped the switch for a completely new one to rule that out, and tested with different hardware (Proxmox server) as well, without any change.

Any hint for further diagnosing this would be much appreciated.
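One check worth running on a post like this, before suspecting conntrack or the kernel, is to cross-reference the fw3 zone configuration with the networks that actually received a delegated prefix: in fw3, an interface that is not a member of any zone is handled by the global `config defaults` section (here `forward 'REJECT'`), with no zone-specific logging. The script below is an added example, not code from the poster or from OpenWrt. It feeds a trimmed copy of the posted `/etc/config/firewall` and the `assigned` object from the posted `ifstatus wan6` output (addresses masked exactly as the poster masked them) through a small UCI parser and reports, per delegated network, its zone, whether a forwarding to `wan` exists, and which default policy applies when no zone claims it. On this data it flags that `svr` holds a /64 but appears in no zone; the thread does not say whether that mattered, so treat it as an observation the check surfaces, not as the diagnosis.

```python
"""Cross-check an OpenWrt fw3 firewall config against the networks that
received a delegated IPv6 prefix (as shown by `ifstatus wan6`).

Added example; the sample data is copied from the forum post above."""
import json
import re

# Trimmed copy of the posted /etc/config/firewall: defaults, zones, forwardings.
FIREWALL_UCI = """
config defaults
        option forward 'REJECT'

config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option forward 'DROP'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'servers'
        option forward 'ACCEPT'
        option log '1'
        list network 'servers'

config forwarding
        option dest 'wan'
        option src 'servers'

config forwarding
        option dest 'servers'
        option src 'lan'
"""

# The "assigned" object from the posted `ifstatus wan6` output.
IFSTATUS_ASSIGNED = json.loads("""{
  "lan":     {"address": "2aXX:XXXX:26a:90::", "mask": 64},
  "servers": {"address": "2aXX:XXXX:26a:d0::", "mask": 64},
  "svr":     {"address": "2aXX:XXXX:26a:e0::", "mask": 64}
}""")

_SECTION = re.compile(r"^config\s+(\w+)(?:\s+'?(\w+)'?)?\s*$")
_OPTION = re.compile(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] for a UCI file."""
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1][1]
            if kind == "list":          # `list` keys accumulate
                opts.setdefault(key, []).append(value)
            else:                       # `option` keys are scalar
                opts[key] = value
    return sections


def zone_map(sections):
    """Map each UCI network name to the zone that lists it."""
    return {net: opts["name"]
            for stype, opts in sections if stype == "zone"
            for net in opts.get("network", [])}


def audit(uci_text, assigned):
    """Per delegated network: zone, wan forwarding, and fallback policy."""
    sections = parse_uci(uci_text)
    zones = zone_map(sections)
    fwd = {(o["src"], o["dest"]) for t, o in sections if t == "forwarding"}
    dflt = next((o for t, o in sections if t == "defaults"), {})
    report = {}
    for net, pfx in assigned.items():
        zone = zones.get(net)
        report[net] = {
            "prefix": f"{pfx['address']}/{pfx['mask']}",
            "zone": zone,
            "to_wan": zone is not None and (zone, "wan") in fwd,
            # Interfaces in no zone are handled by `config defaults`.
            "policy_if_unzoned": None if zone else dflt.get("forward"),
        }
    return report


if __name__ == "__main__":
    for net, row in audit(FIREWALL_UCI, IFSTATUS_ASSIGNED).items():
        print(f"{net:8s} {row['prefix']:24s} zone={row['zone']} "
              f"to_wan={row['to_wan']} unzoned_policy={row['policy_if_unzoned']}")
```

The parser handles only the `option`/`list` syntax that appears in the posted file; it is enough to turn a pasted config into data that can be compared against `ifstatus` or `ip -6 route` output instead of being eyeballed.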

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

As neither the device nor the whole ipq60xx target is supported by OpenWrt at this point, there's nothing we could help you with. The semi-proprietary QCA kernel 4.4.60 is both ancient and heavily patched (e.g. with NSS offloading) and poses a high risk of being the culprit.

Thanks a lot, I bought a new device, installed the latest OpenWrt and it simply worked as it was configured.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.