Thanks. I set wan6 to request a /60 and enabled prefix delegation, then enabled /64 assignment to lan and guest. I changed RA and DHCPv6 on both VLANs back from relay to server mode, and disabled them on wan6. I did leave NDP enabled in relay mode on VLANs as well as wan6, although I'm not fully sure the implications of that.
This seems to work.
I would be happy to contribute some content to the wiki explaining how to troubleshoot IPv6 configuration, based on the findings of this thread. Would that be helpful?
It says this:
(This is not the place to add new documentation - please edit documentation on the main web site directly.) but the link leads right back to Talk about Documentation.
Let me write up a quick summary of the findings to mark as solution, so that future visitors do not have to read as much:
If IPv6 routing does not work on LAN, but does work from the router, you can troubleshoot by checking the routing table on OpenWrt at https://192.168.1.1/cgi-bin/luci/admin/status/routes (or equivalent for your router) or by running ip -6 route via ssh. In my case I was able to see that the route had a source filter on the default route such that it was only routing outbound packets originating from the router, and not from other devices on LAN.
It may be useful to open Wireshark on a network interface and watch what happens when you toggle it on. You should see an RS/RA handshake if you filter for IPv6 traffic, and inspecting those packets can tell you something about what routes/addresses OpenWrt is handing out to your devices. You can also check ip -6 addr, ip -6 route on your device.
There are (at least) two types of IPv6 address, ULA and GUA. Subnets can be addressed by either or both of the address types. If using only ULA, you need to set up address translation, otherwise things won't work because ULA addresses are not routable outside your own network. If using GUA, you need to make sure address blocks are being properly assigned/delegated to your subnets, otherwise your devices won't get their IPs. You can check what address blocks are assigned to your interfaces at https://192.168.1.1/cgi-bin/luci/admin/network/network (or equivalent for your router).
You can't subdivide an IPv6 network into smaller subnets than /64. So if you want subnets, you either need to get a /60 or /56 from your ISP, or you need to use RA/DHCPv6 proxying to setup multiple interfaces without being able to assign individual CIDR ranges to each one.
All the OpenWrt interfaces have IPv6 related settings and you need to check all of them. For a setup where you get /60 from the ISP and then subdivide it into /64 blocks for your VLANs, you want wan6 to "request IPv6-prefix of length 60" and "delegate IPv6 prefixes", "IPv6 assignment length disabled", and RA/DHCPv6 service disabled (or DHCP server turned off entirely) - then for your individual networks, you want "IPv6 assignment length 64" and "delegate IPv6 prefixes disabled" and a unique integer "IPv6 assignment hint" for each network, and RA/DHCPv6 services in "server mode".
On the other hand, for a setup where you cannot get a large enough address block from the ISP, you would want to configure RA/DHCPv6 in "relay mode" for wan6 as well as all LAN interfaces, then disable prefix delegation and assignment everywhere. This configures individual devices on the network to communicate directly upstream to get their DHCPv6 leases.
OpenWrt is buggy with its ULA support. Unless you are using address translation it's recommended to disable ULA assignment entirely and use only GUAs, as this works around reported routing errors with certain devices. You do this by clearing the automatically generated "IPv6 ULA-Prefix" at https://192.168.1.1/cgi-bin/luci/admin/network/network (or equivalent for your router) under Global network options.
