IPv6 working from WiFi, but not wired LAN

Hello,

I am using OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d on a BT Home Hub 5A. (I purchased this device through eBay with OpenWrt pre-installled).

I used this to replace a Zyxel DSL Router.

Previously, IPv6 was working fine, but with the switch to OpenWrt, ipv6 DNS resolution works, but packets from other devices in my LAN just time out:

> ping -6 www.google.com
PING www.google.com(lhr48s28-in-x04.1e100.net (2a00:1450:4009:821::2004)) 56 data bytes
^C
--- www.google.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9221ms

Interestingly enough, if I ping from the OpenWRT device itself (https://192.168.1.1/cgi-bin/luci/admin/network/diagnostics, "IPv6 Ping"), everything works.

I am not sure where to start looking for the problem. Could anyone provide some recommendations how I could further debug the issue?

What type of connection? Try changing MTU to 1500?

Ethernet. MTU is already at 1500 on the client devices:

$ ip link show eth1
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 80:3f:5d:07:1b:a8 brd ff:ff:ff:ff:ff:ff

...or do you mean setting this somewhere in OpenWrt?

I mean via dhcp or pppoe?

Sorry, I do not understand the question. Could you be more specific?

IPv6 ok on router, not routed for LAN - #13 by Teuxe seems to be about a similar problem, but I do not have a Freedom box in my setup, and I couldn't quite follow all the technical details...

When you are using the ethernet, in interface you see wan as dhcp or pppoe or static address?

@Nikratio

Does your ISP delegate you a sufficiently large prefix, or are they giving you just a single /64 like all those other bastards who 20 years after its invention still haven't figured out ipv6? It's a really common problem that the ISP gives you /64 and then that's on your WAN side and there are no prefixes for your LAN. A functional ISP should give you /56 and you have 256 subnets to work with.

I'm not sure which device do I need to look at on the router, but I guess it's 64 since this is what most of them seem to have:

root@OpenWrt:~# ip addr | grep inet6
    inet6 ::1/128 scope host 
    inet6 fe80::e830:f1ff:fea2:45a9/64 scope link 
    inet6 2001:8b0:7bab:b677::1/64 scope global dynamic noprefixroute 
    inet6 fdbb:473b:26a6::1/60 scope global noprefixroute 
    inet6 fe80::86a4:23ff:fe06:4ffa/64 scope link 
    inet6 fe80::86a4:23ff:fe04:4e/64 scope link 
    inet6 fe80::86a4:23ff:fe04:4f/64 scope link 
    inet6 fe80::86a4:23ff:fe06:4ffb/64 scope link 
    inet6 fe80::86a4:23ff:fe06:4ffb/64 scope link 
    inet6 2001:8b0:1111:1111:0:ffff:51bb:180f/128 scope global dynamic noprefixroute 
    inet6 fe80::8914:3b3f:72f:982b/128 scope link 

Or, in long form:

root@OpenWrt:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether ea:30:f1:a2:45:a9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e830:f1ff:fea2:45a9/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 84:a4:23:06:4f:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2001:8b0:7bab:b677::1/64 scope global dynamic noprefixroute 
       valid_lft 6628sec preferred_lft 6628sec
    inet6 fdbb:473b:26a6::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::86a4:23ff:fe06:4ffa/64 scope link 
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:a4:23:06:4f:fa brd ff:ff:ff:ff:ff:ff
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:a4:23:04:00:4e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86a4:23ff:fe04:4e/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:a4:23:04:00:4f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86a4:23ff:fe04:4f/64 scope link 
       valid_lft forever preferred_lft forever
9: dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 84:a4:23:06:4f:fb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86a4:23ff:fe06:4ffb/64 scope link 
       valid_lft forever preferred_lft forever
14: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 84:a4:23:06:4f:fb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86a4:23ff:fe06:4ffb/64 scope link 
       valid_lft forever preferred_lft forever
15: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp 
    inet 81.187.24.15 peer 81.187.81.187/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2001:8b0:1111:1111:0:ffff:51bb:180f/128 scope global dynamic noprefixroute 
       valid_lft 6628sec preferred_lft 3028sec
    inet6 fe80::8914:3b3f:72f:982b/128 scope link 
       valid_lft forever preferred_lft forever

I'll check with my ISP if I can get a smaller prefix. But in the meantime, is there a way to make OpenWRT work with a /64 prefix? As I said, the same connection works fine when using a Zyxel DSL router...

this indicates that your br-lan does have a /64 on it, and so it should be working to ping from the LAN. If it doesn't work it might be that your ISP is not properly routing the /64 they gave you to your box. you may need to contact them about it.

and this indicates that your WAN has just a single address, which is in a different subnet, so that's probably why you can ping from the router itself.

Hmm. Sorry, I do not quite follow. I'm not sure what to ask my ISP for, given that using a different router seems to solve the problem. Doesn't this mean that the problem must be on my end?

For reference, here is what a device on the LAN looks like:

ip -6 route 
::1 dev lo proto kernel metric 256 pref medium
2001:8b0:7bab:b677::/64 dev eth1 proto ra metric 100 pref medium
fdbb:473b:26a6::/64 dev eth1 proto ra metric 100 pref medium
fdbb:473b:26a6::/48 via fe80::86a4:23ff:fe06:4ffa dev eth1 proto ra metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 100 pref medium
default via fe80::86a4:23ff:fe06:4ffa dev eth1 proto ra metric 100 pref medium

> ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 80:3f:5d:07:1b:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.184/24 brd 192.168.1.255 scope global dynamic noprefixroute eth1
       valid_lft 42037sec preferred_lft 42037sec
    inet6 fdbb:473b:26a6:0:d0ad:f7ae:ec3:f208/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2001:8b0:7bab:b677:4eed:a8b1:eda0:ba2/64 scope global dynamic noprefixroute 
       valid_lft 5755sec preferred_lft 5755sec
    inet6 fe80::1486:c933:4b71:62aa/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

The way this usually works is that your router requests a prefix from the ISP. Ideally the ISP should give you a /56 or a /48 but often only gives a /64. Nevertheless, a /64 is enough to get you addresses on your LAN, which is what is happening. So things should work. However, when the ISP assigns this prefix, it needs to update its routing tables to say "when a packet comes in for this prefix, send it through this pppoe connection" and if they don't do that properly, then you will have addresses, but you will never receive replies to your packets, so it will look like nothing works.

I suspect that's the situation you're in. So you should ask your ISP to look into why you aren't receiving replies to your outbound IPv6 packets. If they can also give you a /56 prefix that would be good too, but is a separate problem that only will manifest itself when you want to have a guest network, or a DMZ with a home cloud server on it, or a separate network for IoT devices or etc.

Even more puzzled now. I just discovered that my Android phone, when connecting through WiFi through the same router, has full IPv6 (according to ipv6-test.com).

Is that still consistent with a routing problem on my ISP's side?

Nope. It sounds more like the device you were originally pinging from has a problem. Like maybe a firewall issue or a configuration problem

Some more investigation results (after refreshing my IPv6 know-how):

First, the problem is not with the specific LAN device, but with WiFi vs LAN. If I connect the same device through WiFi, IPv6 is working. If I connect through wired LAN, IPv6 is not working.

Specifically, when connecting through LAN I can ping the router using the link local address:

root@OpenWrt:~# ip addr show br-lan
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 84:a4:23:06:4f:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2001:8b0:7bab:b677::1/64 scope global dynamic noprefixroute 
       valid_lft 4883sec preferred_lft 4883sec
    inet6 fdbb:473b:26a6::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::86a4:23ff:fe06:4ffa/64 scope link 
       valid_lft forever preferred_lft forever

# Elsewhere
root@vostro ~ [1]# ping -6 -c 1 fe80::86a4:23ff:fe06:4ffa
PING fe80::86a4:23ff:fe06:4ffa(fe80::86a4:23ff:fe06:4ffa) 56 data bytes
64 bytes from fe80::86a4:23ff:fe06:4ffa%eth1: icmp_seq=1 ttl=64 time=2.40 ms

--- fe80::86a4:23ff:fe06:4ffa ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.402/2.402/2.402/0.000 ms

but I cannot ping using the global unicast address:

root@vostro ~# ping -6 -c 1 2001:8b0:7bab:b677::1
PING 2001:8b0:7bab:b677::1(2001:8b0:7bab:b677::1) 56 data bytes
From 2001:8b0:7bab:b677:4eed:a8b1:eda0:ba2 icmp_seq=1 Destination unreachable: Address unreachable

--- 2001:8b0:7bab:b677::1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

The routing table on the LAN device seems correct though:

root@vostro ~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2001:8b0:7bab:b677::/64 dev eth1 proto ra metric 100 pref medium # <--- this should be used, I think
fdbb:473b:26a6::/64 dev eth1 proto ra metric 100 pref medium
fdbb:473b:26a6::/48 via fe80::86a4:23ff:fe06:4ffa dev eth1 proto ra metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 100 pref medium
fe80::/64 dev rath proto kernel metric 256 pref medium
default via fe80::86a4:23ff:fe06:4ffa dev eth1 proto ra metric 100 pref medium

I do not think it's a firewall issue either, I have no IPv6 rules on the LAN device:

root@vostro ~# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Similarly, the router can ping the LAN device on the link-local address, but not the global unicast address:

root@OpenWrt:~# ping -6 -c 1 fe80::1486:c933:4b71:62aa%br-lan
PING fe80::1486:c933:4b71:62aa%br-lan (fe80::1486:c933:4b71:62aa%5): 56 data bytes
64 bytes from fe80::1486:c933:4b71:62aa: seq=0 ttl=64 time=2.011 ms

--- fe80::1486:c933:4b71:62aa%br-lan ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.011/2.011/2.011 ms

root@OpenWrt:~# ping -6 -c 1 2001:8b0:7bab:b677:4eed:a8b1:eda0:ba2
PING 2001:8b0:7bab:b677:4eed:a8b1:eda0:ba2 (2001:8b0:7bab:b677:4eed:a8b1:eda0:ba2): 56 data bytes

--- 2001:8b0:7bab:b677:4eed:a8b1:eda0:ba2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Anyone an idea why communication between router and LAN only works with link local addresses?

So I just flashed the newest OpenWRT release (keeping previous settings), and the problem disappeared. The version reported by the web interface is still exactly the same as before though (OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d).

I am still not able to ping the router on the unicast IPv6 address from wired LAN, but pings to other, external IPv6 hosts (like 2a00:1450:4009:821::2004) suddenly work.

Diffing the config backup before and after flashing, I found one difference:

diff -u --color -ur broken/etc/config/network working/etc/config/network
--- broken/etc/config/network	2021-12-27 19:14:58.000000000 +0000
+++ working/etc/config/network	2021-12-27 20:02:18.000000000 +0000
@@ -33,10 +33,10 @@
 
 config interface 'wan'
 	option proto 'pppoe'
-	option ipv6 'auto'
 	option device 'dsl0.101'
 	option username 'foo'
 	option password 'bar'
+	option ipv6 '0'
 
 config device 'wan_dsl0_dev'
 	option name 'dsl0'

I am pretty sure that I did not change this myself (is it possible that this was changed during the reflash, despite otherwise keeping the current config), and sure that the 0 setting is the one that makes IPv6 work from LAN.

Happy that it works now, but no idea what's going on here.

I would still appreciate if someone could tell me why this needs to be set to zero (assuming this is the reason), and if not being able to ping the router on its 2001: address is expected or not.

....and now it stopped working again, without me doing anything either. sigh. What the hell?