Ipv6 RS permission denied - Broke my ipv6 somehow

I somehow broke my ipv6 wan config...this was working well from first install (for roughly 1 year)..but now when the wan6 interface comes up it's full of (permission denied) on the RS and DHCPV6 stuff. Any pointers would be appreciated. ipv4 is fine so I have connectivity to ISP.

logs:

 daemon.notice netifd: Interface 'wan6' is enabled
 daemon.notice netifd: Interface 'wan6' is setting up now
 daemon.err odhcp6c[5279]: Failed to send RS (Permission denied)
 daemon.err odhcp6c[5279]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
 daemon.err odhcp6c[5279]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
 daemon.err odhcp6c[5279]: Failed to send RS (Permission denied)
 daemon.err odhcp6c[5279]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)

network config

config interface 'wan'
        option proto 'pppoe'
        option username '*****'
        option password '*****'
        option ipv6 'auto'
        option ifname 'eth0.10'
        option peerdns '0'
        list dns '1.1.1.2'
        list dns '1.0.0.2'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].flow_offloading='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[9].dest_port='53'
firewall.@rule[9].name='GuestNetDNS'
firewall.@rule[9].src='guest'
firewall.@rule[10]=rule
firewall.@rule[10].enabled='1'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='67-68'
firewall.@rule[10].name='GuestNetDHCP'
firewall.@rule[10].src='guest'

1 Like

Try to change auto to 1.

2 Likes

I have changed to 1 and restarted both wan and wan6. Same error.

I also added as per this document: https://openwrt.org/docs/guide-user/network/ipv6/start
No change. I've looked over my config with this document too and everything seems to look okay.

EDIT: I think the statement above makes it sound fixed. No I still experience the same error and have no ipv6 wan.

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '547'
	option name 'Allow DHCPv6 (546-to-547)'
	option family 'ipv6'
	option src_port '546'
 
config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option name 'Allow DHCPv6 (547-to-546)'
        option family 'ipv6'
        option src_port '547'

1 Like

What did you try to configure before the issue appeared? Set up MWAN? Changing VLAN setup?

What is the output of:

uci show network
and
ip a

1 Like

I was having connection drops, PPPoE was not staying up for more than a few minutes at a time...I restarted both interfaces. After this point the ipv6 connectivity did not return. Have not configured MWAN or changed VLAN setup.
I have in the last 24 hours also installed adblock and wget.

I have read elsewhere in the forum that my WAN interface should be getting an ipv6 link local address, which is needed for dhcp6 to work?

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd88:49d2:c672::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.20.1'
network.wan=interface
network.wan.proto='pppoe'
network.wan.username=
network.wan.password= 
network.wan.ipv6='1'
network.wan.ifname='eth0.10'
network.wan.peerdns='0'
network.wan.dns='1.1.1.2' '1.0.0.2'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].ports='4t 5t 6t'
network.@switch_vlan[2].vid='10'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='172.16.10.1'
network.guest.netmask='255.255.255.0'
network.guest.type='bridge'

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 94:10:3e:1a:40:e6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9610:3eff:fe1a:40e6/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 532
    link/ether 94:10:3e:1a:40:e6 brd ff:ff:ff:ff:ff:ff
175: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:10:3e:1a:40:e6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.1/24 brd 192.168.20.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd88:49d2:c672::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9610:3eff:fe1a:40e6/64 scope link
       valid_lft forever preferred_lft forever
176: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 94:10:3e:1a:40:e6 brd ff:ff:ff:ff:ff:ff
178: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:25:9c:13:67:b2 brd ff:ff:ff:ff:ff:ff
    inet 172.16.10.1/24 brd 172.16.10.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::225:9cff:fe13:67b2/64 scope link
       valid_lft forever preferred_lft forever
180: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 94:10:3e:1a:40:e7 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9610:3eff:fe1a:40e7/64 scope link
       valid_lft forever preferred_lft forever
181: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether 00:25:9c:13:67:b2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:9cff:fe13:67b2/64 scope link
       valid_lft forever preferred_lft forever
182: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 94:10:3e:1a:40:e8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9610:3eff:fe1a:40e8/64 scope link
       valid_lft forever preferred_lft forever
191: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:10:3e:1a:40:e6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9610:3eff:fe1a:40e6/64 scope link
       valid_lft forever preferred_lft forever
192: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp
    inet redacted peer redacted.255/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever

1 Like

Yes, that's why I was asking for "ip a". It looks like the address is there:

inet6 fd88:49d2:c672::1/60 scope global

As you installed Adblock it could be a DNS issue only? Are you able to ping google dns e. g.:

ping6 2001:4860:4860::8888

Try this from both sides (client and the router console).

1 Like

There is no link local address for IPv6 in pppoe-wan interface.
Also in switch configuration I notice that you are tagging vlan10 which goes to the ISP. Is there any switch between the OpenWrt router and the ISP modem?

This is ULA address and is used privately in the lan only.

3 Likes

I thought with pppoe an address will be mapped in some way like on nat6 for ipv6.

If successful, the parent interface will be assigned a link-local address (prefix fe80::/10).

So for:

option ipv6 1

I thought everything is in place because he/she redacted public IP on wan interface.

Sorry for this misinterpreting/confusion.

Just another question about pppoe then. Is it not using eth1/vlan2? The reason I guess is the routers' switch. So like here eth0.10 for wan and eth0.1 for lan.

That is the IPv4 redacted. Normally there should be one link local and one global if all works fine:

15: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet X.X.X.117 peer Y.Y.Y.252/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2001:X:X:X:X:X/64 scope global dynamic noprefixroute 
       valid_lft 2591934sec preferred_lft 604734sec
    inet6 fe80::5dc7:d31b:3868:d73f/10 scope link 
       valid_lft forever preferred_lft forever

The link local must be there regardless of the dhcpv6 negotiations.

It seems not. I suppose there is specific need for vlan10 tagged there.
However I would remove the 5t from vlan10 switch configuration.

4 Likes

Thx for clarification. :slight_smile:

1 Like

My service is a fiber to the home service that terminates on ethernet. It does not require a modem. WAN packets for the service must be tagged with VLAN ID 10 and use PPPoE.

I do not understand why the WAN interface is not configuring a link local address. Even without the presence of other ipv6 devices on the other end of the link, shouldn't a link local address be configured? Given it's just the prefix + mac address... nothing is going to work until that address is configured, right?

Yes you need the address as trendy has indicated with must, you've read by yourself and I was asking for it because the wiki is telling us that it has to be there.

I cannot imagine adblock or wget causing this issue. You must have either changed more than that or the error is on ISP site. Did you upgrade any package(s) (you should not do that)? As a last resort try to do a factory reset/reset to defaults.

On the other hand it looks to me that the dhcp client is trying to request sth. that is not there/allowed. So it could be worth asking the provider or searching the provider webpage for issues.

Just as a precaution I disabled adblock and wget anyway...of course this didn't fix anything :D.

The question really is why does the pppoe-wan interface not have an ipv6 link local address? That seems to be why DHCP6 cannot run...

We don't know the answer and we know what the question is. We were checking your firewall and network settings. They are looking good.
As I said already: If you didn't change anything else and didn't upgrade other packages through software upgrade function inside LuCI it is highly likely that the issue is not your OpenWrt box (as it was working before).

So either do a reset to verify that really everything is on defaults or try to use another router to verify that the issue is on your side and not on ISP side.

I don't have pppoe. For me it looks like:

daemon.err odhcp6c[5279]: Failed to send RS (Permission denied) <- client is trying to send sth. upstream and not getting any expected response

Where do you find the explanation "client is trying to send sth. upstream and not getting any expected response"...?

Because if I tcpdump for ip6 on either eth0.10 or pppoe-wan I do not see any RA or ipv6 packet at all. The error message seems to indicate a failure rather than no up-stream response.
I cannot see how any RS would be sent without a link local.

I didn't know that it is not getting any answer at all (you could have provided such information in first place also). I was just guessing it is either no answer or not the right answer. "not getting any expected response" is for me including the possibility that there is no answer.

I think it will be faster to take a backup of the configuration, reset to defaults, and configure from scratch (not restore the backup). First of all create the vlan10, delete the wan interface, create a new, name it wan, pppoe protocol, physical interface eth0.10, and make sure it is under wan firewall zone.
If ipv6 option is 1 or manual, a wan6 interface needs to be defined.
If ipv6 option is auto, then the wan_6 interface will be automatically created (just verify it belongs to wan firewall zone).
In any case pppoe-wan must have a link local (fe80) address to negotiate.

3 Likes
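
The link-local check discussed in this thread (pppoe-wan must carry an fe80 address before DHCPv6 can negotiate), as an added example that is not part of any poster's message: a shell function that reads `ip a` output and reports whether a given interface has an inet6 scope-link address. The function names and the sample listings (trimmed from the two pppoe-wan listings above, with documentation-range addresses substituted for the redacted ones) are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an interface in `ip a` output have an IPv6 link-local address?

# has_link_local IFACE   (reads `ip a` text on stdin; exit 0 = yes, 1 = no)
has_link_local() {
    awk -v want="$1" '
        /^[0-9]+: / {                 # header: "192: pppoe-wan: <FLAGS> ..."
            cur = $2
            sub(/:$/, "", cur)        # drop trailing colon
            sub(/@.*/, "", cur)       # eth0.10@eth0 -> eth0.10
            next
        }
        cur == want && $1 == "inet6" && /scope link/ {
            if (tolower($2) ~ /^fe[89ab][0-9a-f]:/) found = 1   # fe80::/10
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed samples: addresses are documentation ranges, not real ones.
sample_broken() {
    cat <<'EOF'
191: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:10:3e:1a:40:e6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9610:3eff:fe1a:40e6/64 scope link
192: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp
    inet 192.0.2.10 peer 192.0.2.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
EOF
}
sample_working() {
    cat <<'EOF'
15: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 192.0.2.117 peer 192.0.2.252/32 scope global pppoe-wan
    inet6 2001:db8:0:1::2/64 scope global dynamic noprefixroute
    inet6 fe80::5dc7:d31b:3868:d73f/10 scope link
EOF
}

check() {   # check LABEL IFACE   (`ip a` text on stdin)
    if has_link_local "$2"; then echo "$1: $2 has a link-local address"
    else echo "$1: $2 has NO link-local address, as in the failing setup above"
    fi
}
sample_broken  | check broken  pppoe-wan
sample_working | check working pppoe-wan
# On the router itself: ip a | check live pppoe-wan
```
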

I'm not complaining here :smiley: I thought you may have had a source that says..Permissions Denied means X or Y...