IPv6 trouble with L2TP tunnel

Hello, first post so please tell me if I missed any detail

My WAN (Zen UK) connection supports IPv6 and is configured and working correctly. I also have an L2TP tunnel (from AAISP) which I route some of my traffic through. This should also support IPv6, but it only rarely gets an IPv6 address.

On starting OpenWrt I get IPv4 and IPv6 addresses from Zen and only an IPv4 address from AAISP. At this point, if I ping Google's DNS over IPv6 (`ping6 -O 2001:4860:4860::8888`) from a machine on my network, I get replies.

If I run `/etc/init.d/network restart` and wait for everything to reconnect, I still get IPv4 and IPv6 from Zen and IPv4 from AAISP, but sometimes I also get an IPv6 address from AAISP. Regardless of whether I get IPv6 from AAISP, my IPv6 ping to Google stops working until I reboot OpenWrt.

I use PBR to direct traffic to particular interfaces. I also have 2 VPN connections configured, which again PBR routes traffic from specific subnets to these VPNs.

I guess I've configured something wrong here, but I can't work out what. I'd like to get IPv6 working with AAISP. I'll paste the configs below (credentials and internal host addresses redacted as SECRET) - any help will be appreciated.

OpenWrt 23.05.3 r23809-234f1a2efa / LuCI openwrt-23.05 branch git-24.073.29889-cd7e519 running in LXC on Debian x86/64 machine

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA prefix. Only interfaces with ip6assign (infra, trusted, services)
	# get a subnet from it and from the delegated prefix; guest and hidden
	# below have no ip6assign and therefore no routable IPv6 at all.
	option ula_prefix 'fd7a:45d1:edc3::/48'

config device
	option name 'br0'
	option type 'bridge'
	option igmp_snooping '1'
	list ports 'eth0'

# Management VLAN (untagged/PVID on eth0, see bridge-vlan 1 below).
config interface 'infra'
	option device 'br0.1'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.255.255.0'
	# A /60 out of the delegated prefix (hint is hex). Infra hosts thus carry
	# global IPv6 addresses, so firewall rules with dest 'infra' are reachable
	# from the internet without any DNAT.
	option ip6assign '60'
	option ip6hint '100'

# Zen PPPoE on VLAN 500 (tagged on eth0).
config interface 'wan'
	option device 'br0.500'
	option proto 'pppoe'
	# Stored in cleartext in this file on the router; keep them redacted in
	# pastes and backups.
	option username 'SECRET'
	option password 'SECRET'
	# Spawns the dynamic IPv6 sub-interface for the PPPoE link (RA/DHCPv6-PD).
	option ipv6 'auto'
	# ISP resolvers are ignored; the explicit public resolvers are used instead.
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config bridge-vlan
	option device 'br0'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br0'
	option vlan '500'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '10'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '11'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '12'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '14'
	list ports 'eth0:t'

config interface 'trusted'
	option proto 'static'
	option device 'br0.11'
	option ipaddr '10.1.11.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '11'

config interface 'services'
	option proto 'static'
	option device 'br0.10'
	option ipaddr '10.1.10.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '10'

# Guest segment, 10.1.12.0/23 (matches the pbr 'guest' policy). No ip6assign:
# guest hosts get no global or ULA IPv6, so their only egress is the IPv4
# path the firewall forwards to 'vpnpia'.
config interface 'guest'
	option proto 'static'
	option device 'br0.12'
	option ipaddr '10.1.12.1'
	option netmask '255.255.254.0'

# Hidden segment, same treatment as guest (no IPv6; IPv4 only via vpnpia).
config interface 'hidden'
	option proto 'static'
	option device 'br0.14'
	option ipaddr '10.1.14.1'
	option netmask '255.255.255.0'

# VPN client tunnels: the tun/tap devices are created by an external client
# (not shown); netifd only tracks them. NOTE(review): the firewall zone
# 'vpnpia' also lists device 'tun0', which does not match 'tunPIA' here -
# check which name the client really creates and keep only that one.
config interface 'vpnpia'
	option proto 'none'
	option device 'tunPIA'
	option metric '100'

config interface 'vpnpp'
	option proto 'none'
	option device 'tapPP'
	option metric '150'

config interface 'pp'
	option proto 'static'
	option ipaddr '10.1.66.1'
	option netmask '255.255.255.0'
	option device 'br0.66'
	list dns_search 'SECRET'

config bridge-vlan
	option device 'br0'
	option vlan '66'
	list ports 'eth0:t'

# VLAN 501 is defined but no interface in this file uses br0.501 -
# stale, or used by something not shown.
config bridge-vlan
	option device 'br0'
	option vlan '501'
	list ports 'eth0:t'

# AAISP L2TP. proto 'l2tp' is plain L2TP/PPP over UDP with no IPsec: the
# PPP login is authenticated, but the tunnelled payload is neither encrypted
# nor integrity-protected in transit across the Zen WAN. Treat it as just
# another WAN path, not as a private link.
config interface 'aaisp'
	option proto 'l2tp'
	option server 'l2tp.aa.net.uk'
	option username 'SECRET'
	option password 'SECRET'
	# Enables IPv6 on the PPP link (link-local only); the global address and
	# prefix come from the 'aaisp6' dhcpv6 interface below.
	option ipv6 '1'
	option peerdns '0'
	# Higher than wan's default metric (0): wan stays the default route and
	# aaisp is used only where pbr steers traffic to it.
	option metric '50'

# DHCPv6 client riding on the aaisp PPP link. It only starts once a router
# advertisement arrives on that link, and the RA (and any DHCPv6 reply not
# matched by conntrack) is delivered into firewall zone 'aaisp', not 'wan'.
# The stock Allow-ICMPv6-Input / Allow-DHCPv6 rules are scoped to src 'wan',
# so without copies for src 'aaisp' the RA is rejected - which is the
# intermittent-IPv6 behaviour described in this thread.
config interface 'aaisp6'
	option proto 'dhcpv6'
	option device '@aaisp'
	option reqaddress 'force'
	option metric '50'
	option reqprefix '64'

/etc/config/pbr

config pbr 'config'
	option verbosity '2'
	# Per pbr's documented meaning: when a policy's interface is down the
	# matching traffic is blocked instead of falling through to the default
	# route. This is what stops guest/hidden leaking out via wan when the
	# PIA tunnel is down - do not disable it.
	option strict_enforcement '1'
	# No DNS-based policy sets; all policies below match on addresses/ports,
	# so nothing is lost and there is no resolver-driven leak path.
	option resolver_set 'none'
	# NOTE(review): enabled, but every policy below uses an IPv4 src_addr, so
	# no IPv6 traffic is steered by pbr. IPv6 containment of guest/hidden
	# relies solely on the firewall (zones forward only to vpnpia, hidden has
	# explicit IPv6 block rules) and on those interfaces having no ip6assign.
	option ipv6_enabled '1'
	# Interfaces not present in the posted network config - stale, or
	# defined elsewhere.
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

# Whole hidden subnet (10.1.14.0/24) out via the PIA tunnel.
config policy
	option name 'hidden'
	option src_addr '10.1.14.0/24'
	option interface 'vpnpia'

# Whole guest subnet (10.1.12.0/23, i.e. netmask 255.255.254.0) via PIA.
config policy
	option name 'guest'
	option src_addr '10.1.12.0/23'
	option interface 'vpnpia'

# Keyed on src_port, so this matches the server's replies from its listening
# ports - presumably so that connections arriving through the aaisp DNATs are
# answered back through the same tunnel instead of the wan default route.
# It does not send the server's own outbound (client-side) connections via
# aaisp; those still follow the default route.
config policy
	option name 'AAISP email and web services'
	option src_addr 'SECRET'
	option interface 'aaisp'
	option src_port '25 80 443 465 993'
	option proto 'tcp'

# Same idea for the WireGuard listener reached through the aaisp udp/51820 DNAT.
config policy
	option name 'AAISP Wireguard VPN'
	option src_addr 'SECRET'
	option src_port '51820'
	option interface 'aaisp'
	option proto 'udp'

/etc/config/firewall

# Global defaults. input ACCEPT means the router's own services are reachable
# from any zone that does not override it; the external zones (wan, aaisp,
# vpnpia, vpnpp) do override to REJECT, every internal zone keeps ACCEPT.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'infra'
	list network 'infra'

# Zen WAN zone. 'ETHWAN6', 'ethWAN' and 'wwan' are not defined in the posted
# network config (stale names; fw4 will warn about them). mtu_fix clamps MSS
# on this zone - note the aaisp zone below does not set it.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'ETHWAN6'
	list network 'ethWAN'
	list network 'wan'
	list network 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Scoped to src 'wan'. The 'aaisp6' dhcpv6 interface lives in zone 'aaisp',
# which has no equivalent rule.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# This is the rule that accepts router-advertisement / neighbour-solicitation
# on the router itself - and it is scoped to src 'wan' only. The L2TP link is
# in zone 'aaisp' (input REJECT), so RAs from the AAISP peer were rejected
# there; that was the root cause in this thread. When copying it for
# src 'aaisp', keep the rate limit and the type list rather than accepting
# all ICMPv6.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the stock Allow-IPSec-ESP / Allow-ISAKMP rules are router
# input rules; adding dest 'infra' turns them into forwarding rules from the
# internet into the whole infra subnet. For IPv4 that needs a DNAT to matter
# (none is defined), but infra hosts have global IPv6 (ip6assign '60'), so
# every infra host is reachable on ESP and udp/500 from anywhere. Restrict
# with a dest_ip for the real IPsec endpoint (and add udp/4500 if NAT-T is
# needed), or remove both rules if IPsec is not in use.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'infra'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'infra'

# Belt and braces: hidden has no ip6assign, so it holds no ULA/GUA at all;
# these two rules only become relevant if that changes.
config rule
	option family 'ipv6'
	option src 'hidden'
	option dest '*'
	option target 'REJECT'
	option name 'Block IPv6 from hidden'
	list proto 'all'

config rule
	option name 'Block IPv6 to hidden'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option dest 'hidden'
	option target 'DROP'

# No dest_ip: SSH to any host in the infra VLAN from trusted.
config rule
	option dest_port '22'
	option src 'trusted'
	option name 'Infra SSH from trusted'
	option dest 'infra'
	option target 'ACCEPT'
	list proto 'tcp'

# NOTE(review): a bare 'config include' without type/fw4_compatible is an
# iptables-era include; fw4 (23.05) skips script includes that are not marked
# fw4_compatible '1' (compare the pbr include at the end of this file). Unless
# that file is empty, check 'fw4 print' / the system log to confirm whether
# its rules are actually being applied.
config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'services'
	option output 'ACCEPT'
	list network 'services'

# Cleartext HTTP to any infra host; if this is for a management UI, prefer
# its HTTPS port.
config rule
	option dest_port '80'
	option src 'trusted'
	option name 'Infra HTTP from trusted'
	option dest 'infra'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '22'
	option dest 'services'
	list dest_ip 'SECRET'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'trusted'
	option name 'Chuck SSH from trusted'

config rule
	option dest_port '51820'
	option dest 'services'
	list dest_ip 'SECRET'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'trusted'
	option name 'Chuck Wireguard from trusted'

config rule
	option src 'trusted'
	option dest 'services'
	list dest_ip 'SECRET'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '51821'
	option name 'Chuck Wireguard GUI from trusted'

# NOTE(review): input ACCEPT lets hidden hosts reach every service the router
# itself runs (SSH, LuCI, DNS, DHCP, ...). For a segment you deliberately push
# through a VPN, prefer input REJECT plus rules accepting only udp 67/68 and
# tcp/udp 53 from 'hidden'.
config zone
	option name 'hidden'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'hidden'

# NOTE(review): same as hidden - guest hosts can reach all router services.
# Restrict to DHCP/DNS.
config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	list network 'guest'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'trusted'
	option output 'ACCEPT'
	list network 'trusted'

# trusted reaches the internet via wan only; nothing forwards trusted->aaisp.
config forwarding
	option dest 'wan'
	option src 'trusted'

config rule
	option dest_port '445'
	option src 'trusted'
	option name 'Chuck SMB from trusted'
	option dest 'services'
	option target 'ACCEPT'
	list proto 'tcp'
	list dest_ip 'SECRET'

config rule
	option dest 'services'
	list dest_ip 'SECRET'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '8090'
	option src 'trusted'
	option name 'Chuck podgrab from trusted'

# Per-host allow-list for internet access from services; hosts not listed
# have no egress (zone forward is REJECT and there is no services->wan
# forwarding section).
config rule
	option dest 'wan'
	option target 'ACCEPT'
	option src 'services'
	option name 'WAN from services (not all hosts)'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list src_ip 'SECRET'
	list proto 'all'

config rule
	option name 'WAN from infra (not all hosts)'
	option target 'ACCEPT'
	option src 'infra'
	list src_ip 'SECRET'
	option dest 'wan'
	list proto 'all'

# NOTE(review): these two TEMP rules open everything in both directions
# between trusted and services. 'services -> trusted' in particular means a
# compromised service host (several are exposed to the internet through the
# aaisp DNATs below: web, mail, WireGuard) can reach trusted clients freely.
# Replace with the specific ports/dest_ip once the MusicCast requirements
# are known.
config rule
	option src 'trusted'
	option name 'ALL trusted to services (TEMP - for musiccast - find out what the exact rules are)'
	option dest 'services'
	option target 'ACCEPT'
	list proto 'all'

config rule
	option src 'services'
	option name 'ALL services to trusted (TEMP - for musiccast - find out what the exact rules are)'
	option dest 'trusted'
	option target 'ACCEPT'
	list proto 'all'

# UPnP lets LAN hosts open inbound ports on request. Which interfaces it
# listens on and which external interface it opens ports on are set in
# miniupnpd's own config (not shown) - make sure it does not serve the guest,
# hidden or pp segments.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# PIA tunnel zone: masq hides guest/hidden sources behind the VPN address.
# NOTE(review): device 'tun0' does not match the 'vpnpia' interface device
# (tunPIA in the network config); one of the two is stale - keep only the
# name the client really creates so the zone boundary is unambiguous.
config zone
	option name 'vpnpia'
	option masq '1'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list device 'tun0'
	list network 'vpnpia'

# guest and hidden may only forward into the PIA tunnel; together with pbr's
# strict_enforcement this keeps them off the plain WAN.
config forwarding
	option src 'guest'
	option dest 'vpnpia'

config forwarding
	option src 'hidden'
	option dest 'vpnpia'

# No proto given, so fw4 applies its default of tcp+udp to port 123.
config rule
	option name 'NTP in infra'
	option src 'infra'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config zone
	option name 'vpnpp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'vpnpp'

config zone
	option name 'pp'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'pp'

# pp may egress both through its VPN and directly via wan.
config forwarding
	option src 'pp'
	option dest 'vpnpp'

config forwarding
	option src 'pp'
	option dest 'wan'

# AAISP L2TP zone (IPv4 'aaisp' + DHCPv6 'aaisp6'). input REJECT and no
# ICMPv6/DHCPv6 accept rules for src 'aaisp': router advertisements from the
# L2TP peer are rejected here, so 'aaisp6' rarely configures - the fix noted
# at the end of the thread is to copy Allow-ICMPv6-Input, Allow-MLD and
# Allow-DHCPv6 with src 'aaisp'. Nothing forwards out of this zone except
# the explicit DNATs below. Unlike wan, mtu_fix is not set; the PPP-over-L2TP
# link has a smaller MTU than Ethernet, so consider mtu_fix '1' here too for
# the DNAT'd TCP services.
config zone
	option name 'aaisp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'aaisp'
	list network 'aaisp6'

# Internet-exposed services on the AAISP address (tcp 443/80/25/465/993,
# udp 51820). reflection_zone entries add hairpin NAT for internal clients.
config redirect
	option dest 'services'
	option target 'DNAT'
	option name 'AAISP HTTPS'
	list proto 'tcp'
	option src 'aaisp'
	option src_dport '443'
	option dest_ip 'SECRET'
	option dest_port '443'
	list reflection_zone 'pp'
	list reflection_zone 'services'
	list reflection_zone 'trusted'

config redirect
	option dest 'services'
	option target 'DNAT'
	option name 'AAISP HTTP'
	list proto 'tcp'
	option src 'aaisp'
	option src_dport '80'
	option dest_ip 'SECRET'
	option dest_port '80'

config redirect
	option dest 'services'
	option target 'DNAT'
	option name 'AAISP SMTP'
	list proto 'tcp'
	option src 'aaisp'
	option src_dport '25'
	option dest_ip 'SECRET'
	option dest_port '25'
	list reflection_zone 'trusted'

config redirect
	option dest 'services'
	option target 'DNAT'
	option name 'AAISP ESMTP Implicit TLS'
	list proto 'tcp'
	option src 'aaisp'
	option src_dport '465'
	option dest_ip 'SECRET'
	option dest_port '465'
	list reflection_zone 'trusted'

config redirect
	option dest 'services'
	option target 'DNAT'
	option name 'AAISP IMAP Implicit TLS'
	list proto 'tcp'
	option src 'aaisp'
	option src_dport '993'
	option dest_ip 'SECRET'
	option dest_port '993'
	list reflection_zone 'trusted'

config redirect
	option dest 'services'
	option target 'DNAT'
	option name 'AAISP WireguardVPN'
	option src 'aaisp'
	option src_dport '51820'
	option dest_ip 'SECRET'
	option dest_port '51820'
	list proto 'udp'
	list reflection_zone 'trusted'

# Marked fw4_compatible, so fw4 runs this include (unlike the bare
# /etc/firewall.user include above).
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

I have resolved this - it turns out I wasn't allowing the ICMPv6 router advertisement (the response to my router solicitation) through the firewall on the L2TP link, so the `aaisp6` DHCPv6 interface only configured when an RA happened to slip through.

I had a rule for this (`Allow-ICMPv6-Input`, which accepts router-advertisement, neighbour-solicitation and friends with a rate limit) in the WAN zone, but the L2TP link is a separate connection in a different zone (`aaisp`, with input REJECT), so the RA was rejected there. I copied the default IPv6 rules (`Allow-ICMPv6-Input`, `Allow-MLD` and `Allow-DHCPv6`) with `src 'aaisp'` - keeping the rate limit and the `fe80::/10` / `fc00::/6` source restrictions rather than opening ICMPv6 wholesale - and now it's all working fine.

