IPv6 Zone Input Has To Be "Accept" To Pass Traffic

fairly new to IPv6, my carrier started offering it recently so trying to understand how to set it up properly. I had removed the IPv6 config stuff a while back so starting without the default config.

getting a /56 from the carrier, delegating a /64 to "br-lan" which has RA and DHCPv6 set to "service", NDP set to "relay". the "lan" firewall zone is allowed to talk everywhere, "wan" set to drop,accept,drop, separate "wan6" zone set to accept,accept,drop. my clients see the ipv6 net, "ping -6 google.com" and other ipv6 traffic works as expected.

if I set the "wan6" zone to the same as "wan" (i.e. set "input" to "drop") then ipv6 stops after a short delay (needs a new syn?). I'm worried about the public internet having full access to my gateway and everything on "lan" so want to lock this down as much as possible. thinking that unsolicited incoming connections should be dropped as they are on ipv4, what am I missing? perhaps some routing protocol that has to be allowed to the gateway with a firewall rule?

Remove that.
Or better, start from scratch.

You may need to review the wiki, then review all defaults and/or other options you may want to set.

But as a starter. If you have a proper delegated prefix for your downstream you do not want neighbor discovery on relay mode....

Edit ps. And if you removed default firewall rules then get yourself a current default and add them back. Or start from scratch and add only your necessary modifications.

thanks for the help.

I didn't start with NDP set to relay but the wiki suggested it so I turned it on. doesn't seem to make a difference on or off.

don't really want to blow away my entire config to get back to default, hoping someone could tell me what default settings I'm missing. guessing a firewall rule or two.

Then we do the usual.
Please post the network, firewall and DHCP config in text form in a code block. So I and others can review it and make suggestions.

Edit ps. Do you still have the wiki page on hand which recommended to set ndp to relay in your case?

my firewall

firewall: edit: lan->wan6 forwarding is not needed so I removed it, guessing because delegated and not NATted

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option family 'ipv4'

config zone
        option name 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'wan6'
        option family 'ipv6'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

config forwarding
        option src 'iot'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'iot'

config forwarding
        option src 'vpn'
        option dest 'iot'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'iot'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan6'

dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/<domain>/<reverse>.in-addr.arpa/'
        option domain '<domain>.'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option nonegcache '1'
        list server '<ns1>'
        list server '<ns2>'
        list notinterface 'wan'
        list notinterface 'wan6'
        option addmac '1'
        option address_as_local '1'


config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '4h'
        option dhcpv4 'server'
        list dhcp_option '6,<ns1>,<ns2>'
        list dhcp_option '15,<domain>.'
        list dhcp_option '42,<gateway>'
        list dhcp_option '1,<netmask>'
        list dhcp_option '3,<gateway>'
        list dhcp_option '119,<domain>.'
        option ra 'server'
        option ra_preference 'medium'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'
        option dhcpv6_pd '1'
        list dns '::<ns1>'
        list dns '::<ns2>'
        list domain '<domain>.'
        list ntp '::<gateway>'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config dhcp 'iot'
        option interface 'iot'
        option start '50'
        option limit '200'
        option leasetime '24h'
        list dhcp_option '15,<domain>.'
        list dhcp_option '42,<gateway>'
        list dhcp_option '1,<netmask>'
        list dhcp_option '3,<gateway>'
        list dhcp_option '119,<domain>.'
        list dhcp_option '6,<ns1>,<ns2>'
        option dhcpv4 'server'

Here’s the default config for reference. All the IPv6 rules are documented:

thanks for that. some magic in the "Allow-ICMPv6-Input" rule is keeping the ipv6 traffic up, will have to experiment a little to whittle it down to just the necessary.

edit: for me it was just the "neighbor-advertisement" icmp type that needs to be enabled, will leave "router-advertisement" on also just in case.
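For reference, the input rules that let the "wan6" zone run with input set to DROP while the router itself can still answer NDP, receive path-MTU errors and renew its DHCPv6 delegation. This is an added example, not the poster's config: it mirrors the stock OpenWrt /etc/config/firewall rules (which use src 'wan' because the default "wan" zone carries both the wan and wan6 networks), adapted to the split 'wan6' zone used in this thread.

```uci
# Input rules for the separate 'wan6' zone, so 'option input' on that zone
# can be DROP while NDP, path-MTU and DHCPv6 still reach the router itself.
# Mirrors the stock OpenWrt rules; only the zone name (wan6) is changed.

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan6'
        option proto 'icmp'
        option family 'ipv6'
        option limit '1000/sec'
        option target 'ACCEPT'
        # NDP: without these the upstream router's neighbour advertisement
        # is dropped, the neighbour cache entry for the next hop goes stale
        # and IPv6 stops "after a short delay", as described above.
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'router-advertisement'
        # Path MTU discovery and error reporting to the router's own stack
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'

# DHCPv6 client port on the router (prefix delegation renewals, Reconfigure)
config rule
        option name 'Allow-DHCPv6'
        option src 'wan6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery from the link-local upstream only
config rule
        option name 'Allow-MLD'
        option src 'wan6'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
```

Everything else arriving on wan6 for the router itself is still dropped by the zone's input policy, and unsolicited traffic toward "lan" is governed by the forward policy, not these rules.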