IPv6, Vlan firewall rules, dns config help

Installing and Using OpenWrt
1

Raspberry PI 4 running openwrt 23.05 with a usb Ethernet adapter (eth0 onboard (lan) eth1 usb (wan)

Edgerouter X running openwrt 23.05 as a vlan aware switch

Full set of config files for both devices below.

I would like to change the firewall so vlan 10 has access to everything, but 20,30,40 can only go to the internet and back (unable to see other vlan traffic)

I would also like the whole setup to be ipv6 and have cloudflare ipv6 dns configured

Pi4

(NETWORK)

root@openwrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc4:5204:2fcd::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'vlan10'
        option device 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'vlan20'
        option device 'eth0.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'vlan30'
        option device 'eth0.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config interface 'vlan40'
        option device 'eth0.40'
        option proto 'static'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

(DHCP)

root@openwrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'vlan10'
        option interface 'vlan10'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan20'
        option interface 'vlan20'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan30'
        option interface 'vlan30'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan40'
        option interface 'vlan40'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


(FIREWALL)

root@openwrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
	list network 'vlan10'
	list network 'vlan20'
	list network 'vlan30'
	list network 'vlan40'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

ER-X

(NETWORK)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3c:d00b:4819::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
	list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
	list ports 'eth4'

config interface 'vlan10'
        option device 'br-lan.10'
        option proto 'static'
	option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'

config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'none'

config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'none'

config interface 'vlan40'
        option device 'br-lan.40'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:t'
        list ports 'eth2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'eth0:t'
        list ports 'eth3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'eth0:t'
        list ports 'eth4:u*'


(DHCP)

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


(FIREWALL)

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
	list   network		'vlan10'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
2

thank you psherman for fixing my formatting error sorry about that, i was trying to fix as you did

3

This is pretty easy... especially since VLANs 20, 30, and 40 have a common set of allowances/restrictions.

We'll start by removing VLANs 20, 30, and 40 from the lan firewall zone (as we had previously discussed -- having them all in the same zone together was to reduce variables in the initial setup), and we'll put them into a new zone.

config zone
    option name 'lan'
    list network 'vlan10'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'vlans'
    list network 'vlan20'
    list network 'vlan30'
    list network 'vlan40'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

Note that we have set forward to REJECT in the new zone because the networks are not supposed to be able to reach each other.

Now we'll add forward rules to allow the main lan (VLAN10) to reach the others, and to allow the other VLANs to reach the internet:

config forwarding
    option src 'vlans'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'vlans'

That's all that is required here.
Optionally, you can prevent the other VLANs from reaching the router itself except for DHCP and DNS services.

If you want to do this, you'll set the input rule for the vlans firewall zone to REJECT and then add the following rule:

config rule
	option name 'vlans-dhcp-dns'
	option src 'vlans'
	option dest_port '53 67 68 '
	option target 'ACCEPT'

IPv6 is not my area of expertise. For this, others may chime in and/or you could start a dedicated thread for the IPv6 related parts.

EDIT: to clarify, this all happens on the main router (the Pi). No changes necessary on the ER-X.

4

so i moved vlan20 into lan, (2 trusted networks and 2 untrusted networks) renamed my zone to iso, created reject accept reject and port accept rules. added dhcpv6

i believe i have everything located in the right spots i was missing config steps in network and dhcp for ipv6, i figured this out because i could see the ipv6 address in status, i have this under ipv6 but was missing the config interface

I think this should do it, 2 isolated networks, 2 personal networks 1 management network, IPv6 support, cloudflare dns setup per vlan sqm and Adblock available


**Protocol:** DHCPv6 client
**Prefix Delegated:** 2600:xxxx:xxxx:1f00::/56
**Address:** 2600:6c44:7002:100:754b:xxxx:xxxx:ecf2/128
**Gateway:** fe80::201:xxxx:xxxx:7246
**DNS 1:** 2607:f428:ffff:ffff::1
**DNS 2:** 2607:f428:ffff:ffff::2
**Connected:** 12h 40m 58s


(NETWORK)

root@openwrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc4:5204:2fcd::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'vlan10'
        option device 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'vlan20'
        option device 'eth0.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'vlan30'
        option device 'eth0.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'vlan40'
        option device 'eth0.40'
        option proto 'static'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

(DHCP)

root@openwrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'vlan10'
        option interface 'vlan10'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'vlan20'
        option interface 'vlan20'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'vlan30'
        option interface 'vlan30'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'vlan40'
        option interface 'vlan40'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


(FIREWALL)

root@openwrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
	  list network 'vlan10'
        list network 'vlan20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
    option name 'iso'
    list network 'vlan30'
    list network 'vlan40'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
    option src 'iso'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iso'

config rule
	option name 'iso-dhcp-dns'
	option src 'iso'
	option dest_port '53 67 68 '
	option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
5

It's only necessary to assign /64 to each LAN unless you have additional routers downstream which would need to further delegate. All conventional user endpoints on a LAN will be within the first or only /64.

6

So change ipassign 60 to ipassign 64? This is the pi config and the Edgerouter is acting as a switch for the vlan subnets 1 port per, so the pi is doing all of my serving

7

Correct. The Pi is controlling the networks. An L2 switch does not care about IP addresses at all.

8

Do I need to config the dns and assign 64 on each vlan interface? I think get a /56 from my isp so I want all 4 networks fully ipv4 and IPv6

9

Actually, if I leave as /60 I have room to add downstream routers if I want?

10

Yes but there isn't a lot of further division possible from a /60. One more router could be done.

11

So with a /56 am I ok to run 4 networks like I am division wise?

Current provided IPv6 in top message

12

Yes a /56 would break down into sixteen /60 or 128 /64. Then the /60s can become four /62 and each /62 four /64. Though I never could figure out exactly how OpenWrt does delegation and it seems to be sub-optimal i.e. not optimally allocating out of small prefixes.

14

do i add iso to these rules in firewall

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
15

Those are standard in the default firewall config on the router, so sure... it's not required unless you've got IPSec VPNs to which you are connecting... but it won't hurt anything, either.

16

Ok, I have everything hooked up. On my pc I get full IPv6 my phone though is not passing the tests, I’m fairly sure the ap is as dumb as it gets so everything would come from the pi, unless I’m missing some rule in the er-x but I’m fairly sure the only change we needed in the erx was to add vlan10 to the lan zone in firewall and setup the vlan port assignments

17

The ER-X doesn't need any firewall rules since you're not routing through it. The only thing needed was to ensure that the network that will be used to administer the device (VLAN10) is allowed to connect (input = accept) which we did by putting it in the lan firewall zone.

If everything is working to your satisfaction, you can also mark this one as solved!

18

final question (i hope), in the er-x under network/interfaces/vlan10/20/30/40, do i need to set the gateways to the pi? or will leaving blank default to the pi?

19

No gateways required except if the ER-X needs to be able to access the internet itself. If it is being used purely as a managed switch, there is no need for this. But, if you want to do that, it would be for VLAN 10 only (since that's the only one that has an address on the device).

Devices connecting to the network via the ER-X will get their gateway information from the DHCP server (on the Pi), so the ER-X is really just a transparent device from the perspective of the hosts on your network.

20

Try allowing ICMPv6 to router from all local VLANs (otherwise e.g. router sollicitation does not work)

21

I think that’s covered here right?

I actually rebooted all equipment and I now have IPv6 everywhere except the guest wifi in my ap, which doesn’t matter and it’s probs meant to be that way