My clients can't access IPv6 hosts

I would like to set up the following scenario (FB4040 only), but I have problems accessing IPv6 hosts. And of course I'm not very familiar with IPv6 :frowning:

internet - Freifunk WiFi - FB4040 - LAN

WAN side:
An additional network card acts as the Freifunk WiFi client (radio2). IPv6 should be preferred wherever possible, since Freifunk provides me with a public IPv6 /64 address.

LAN side:
Both IPv4 and IPv6 should be supported.

For this I have made the following configurations on a FRITZ!BOX 4040

/etc/config/network

# /etc/config/network as posted by the question author.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# NOTE(review): RFC 4193 locally assigned ULA prefixes are /48s taken from fd00::/8.
	# 'fcc6::/16' lies in fc00::/8 and is much shorter than /48 - confirm this is intended.
	option ula_prefix 'fcc6::/16'

# LAN bridge; only eth0 is listed as a port here.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.6.1'
	# NOTE(review): 'delegate 0' and 'ip6assign 64' point in opposite directions. The thread
	# states that upstream hands out a single /64, so there is no delegated prefix to
	# assign to lan; the reply further down drops ip6assign in favour of relay mode.
	option delegate '0'
        option ip6assign '64'
        option ip6ifaceid '::1'

# Wired uplink on eth1 (DHCPv4). The `ip address` output later in the thread shows
# eth1 as NO-CARRIER, so this pair is idle in the described test.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

# Wireless uplink: wlan2 is the client interface towards the Freifunk network.
config interface 'wwan'
	option proto 'dhcp'
	option device 'wlan2'

# IPv6 side of the wireless uplink; '@wwan' reuses the device of the 'wwan' interface.
config interface 'wwan6'
	option proto 'dhcpv6'
	option device '@wwan'
	# 'try' asks for a DHCPv6 address but does not insist on one; 'auto' additionally
	# requests a delegated prefix, which the thread says this upstream does not provide.
	option reqaddress 'try'
	option reqprefix 'auto'

/etc/config/dhcp

# /etc/config/dhcp as posted by the question author (dnsmasq + odhcpd).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding defence: upstream answers pointing into private IPv4 ranges are dropped;
	# rebind_localhost additionally allows 127.0.0.0/8 answers.
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Only answer DNS queries from hosts on directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option local '/gp.lan/'
	option domain 'gp.lan'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '151'
	option limit '199'
	# IPv6 on the LAN is relayed rather than served locally: router advertisements,
	# DHCPv6 and neighbour discovery are passed between lan and the master interface.
	# LAN clients therefore take prefix and router information from the upstream network
	# as-is.
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	# maindhcp '0': DHCPv4 stays with dnsmasq; odhcpd handles the IPv6 services.
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Upstream side of the relay: master '1' marks wwan6 as the interface to relay from.
config dhcp 'wwan6'
	option interface 'wwan6'
	# NOTE(review): 'ignore 1' sits next to explicit ra/dhcpv6/ndp modes; confirm which
	# setting the installed odhcpd honours. The reply further down uses plain 'relay'
	# on the master interface and no 'ignore' line.
	option ignore '1'
	option master '1'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	option ndp 'hybrid'

/etc/config/firewall

# /etc/config/firewall, part 1: default policies, zones and the lan -> wan forwarding.
config defaults
	# Fallback policies for traffic that is not handled by any zone below.
	# NOTE(review): with input 'ACCEPT' here, an interface that is missing from every zone
	# is not filtered on input - keep each uplink listed in the 'wan' zone or tighten this.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted side: everything from the LAN to the router and between LAN ports is accepted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Untrusted side: unsolicited traffic to the router and into other zones is rejected,
# except where a rule further down in this file allows it.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq covers IPv4 only. IPv6 is routed without NAT, so LAN hosts holding global
	# addresses rely on forward 'REJECT' above to keep unsolicited inbound traffic out.
	option masq '1'
	# Clamp TCP MSS to the path MTU on this zone.
	option mtu_fix '1'
	# Both the wired (wan/wan6) and the wireless (wwan/wwan6) uplinks belong to this zone.
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'wwan6'

# LAN clients may open connections towards the wan zone; there is no reverse entry.
config forwarding
	option src 'lan'
	option dest 'wan'

# /etc/config/firewall, part 2: exceptions to the wan zone's REJECT policies.

# DHCPv4 replies to the router's own client (UDP port 68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 pings arriving on the uplink.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router's own client (UDP port 546); no source address restriction.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery, accepted from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 addressed to the router itself. Router/neighbour solicitation and advertisement
# are included, which the uplink needs for SLAAC and neighbour discovery.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	# Rate limit on accepted packets.
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 passing through the router from the uplink to any zone (dest '*').
# Error messages such as packet-too-big must get through for path MTU discovery.
# echo-request is on the list too, so LAN hosts with global addresses answer pings
# from upstream.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

I am currently testing the connection via the WiFi client. I noticed that I can reach both IPv4 and IPv6 addresses via ping from the CLI of the 4040 itself, but not from a connected client. It doesn't matter whether the client is connected to my 4040 via LAN or WiFi.

When you only have one /64 prefix from upstream, the default configuration which tries to delegate an additional prefix to the lan port will not work.

Instead use a relay configuration. The clients on the LAN will get an address in the same /64 as upstream. The LAN interface itself will not hold a GUA address, as it does not need to. The router's GUA is on wan.
/etc/config/network:

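# lan keeps its usual static IPv4 setup; nothing IPv6-specific is configured on it.
config interface 'lan'
    ...
    option proto 'static'
    option ipaddr 'USUAL IPv4 ADDRESS'
# There is no assignment of a global ipv6 address, or an `option ip6assign` line.

config interface 'wan6'
    option device '@wan'
    option proto 'dhcpv6'
    # reqaddress accepts try/force/none and reqprefix accepts auto/no/<prefix length>.
    # 'none' + 'no' requests neither a DHCPv6 address nor a delegated prefix.
    option reqaddress 'none'
    option reqprefix 'no'
# This will acquire a SLAAC address.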

/etc/config/dhcp

# Relay setup: the LAN side relays router advertisements and neighbour discovery,
# so clients configure addresses out of the same /64 as the upstream link.
# Relayed clients hold global addresses with no NAT in front of them; inbound filtering
# is whatever the firewall's wan -> lan forward policy enforces.
config dhcp 'lan'
# ... the usual ipv4 options...
    option dhcpv6 'server'
    option ra 'relay'
    option ndp 'relay'

# Upstream side: master '1' marks this interface as the one to relay from.
# In the question's configuration the IPv6 uplink is named 'wwan6', not 'wan6'.
config dhcp 'wan6'
    option interface 'wan6'
    option ra 'relay'
    option ndp 'relay'
    option master '1'

Additional routers can be chained after this first one. Use the same configuration on them, since it relays DHCP down the line.

Hm,
let's try step by step.

I did not see any difference when changing wwan6 config
from

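# Previous wwan6 settings: try for a DHCPv6 address and request a delegated prefix.
config interface 'wwan6'
        option proto 'dhcpv6'
        option device '@wwan'
        option reqaddress 'try'
        option reqprefix 'auto'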

to

# Changed wwan6 settings: request neither a DHCPv6 address nor a delegated prefix.
# The global address on wlan2 then presumably comes from SLAAC alone - the `ip address`
# output that follows shows an EUI-64 style 'dynamic' address, which would fit.
config interface 'wwan6'
        option proto 'dhcpv6'
        option device '@wwan'
        option reqaddress 'none'
        option reqprefix 'no'

`ip address` on the router (root@R2GP) shows the same result for wlan2. Is this as expected?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 38:10:d5:aa:cb:d2 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 38:10:d5:aa:cb:d3 brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:10:d5:aa:cb:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.1/24 brd 192.168.6.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::3a10:d5ff:feaa:cbd2/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 38:10:d5:aa:cb:d5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3a10:d5ff:feaa:cbd5/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 38:10:d5:aa:cb:d4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3a10:d5ff:feaa:cbd4/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 24:05:0f:5d:ed:69 brd ff:ff:ff:ff:ff:ff
    inet 10.9.82.174/22 brd 10.9.83.255 scope global wlan2
       valid_lft forever preferred_lft forever
    inet6 2001:bf7:381:254:2605:fff:fe5d:ed69/64 scope global dynamic noprefixroute 
       valid_lft 155sec preferred_lft 95sec
    inet6 fe80::2605:fff:fe5d:ed69/64 scope link 
       valid_lft forever preferred_lft forever

By the way. The client gets an IPv6 address

[me@client ~]$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlo1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether ae:6a:4a:ed:fc:f2 brd ff:ff:ff:ff:ff:ff permaddr 60:67:20:c1:4b:70
    altname wlp37s0
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 38:ea:a7:fa:63:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.225/24 brd 192.168.6.255 scope global dynamic noprefixroute enp0s25
       valid_lft 43197sec preferred_lft 43197sec
    inet6 2001:bf7:381:254:ec8b:fd6a:c574:c9e4/64 scope global dynamic noprefixroute 
       valid_lft 180sec preferred_lft 120sec
    inet6 fe80::29c3:247b:595f:b76e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: wwp0s26u1u5i6: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b2:01:ed:9e:64:a5 brd ff:ff:ff:ff:ff:ff

And when I try to ping an ipv6 host I get this:

[me@client ~]$ ping heise.de
PING heise.de(redirector.heise.de (2a02:2e0:3fe:1001:302::)) 56 Datenbytes

Does nobody have an idea why the clients can't reach hosts via IPv6?