No ipv6 on LAN devices, general uncertainty

Hello. I can ping6 to like, www.google.com for example from my router when logged in via SSH. But I can't seem to get any of my LAN devices to work. Furthermore, I'm pretty not-confident in my general setup as a whole, so I'd appreciate any input.

device: netgear R6120 running OpenWrt 19.07.7, r11306-c4a6851c72. Using LTE hotspot connected via rndis as WAN

here's my cat /etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd99:0d36:7cef::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '(removed)'

config interface 'wan'
        option ifname 'usb0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'usb0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '(removed)'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

here's my firewall:

# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

Do you get any prefix when you connect?
ifstatus wan6

root@OpenWrt:~# ifstatus WAN6

        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 42,
        "l3_device": "usb0",
        "proto": "dhcpv6",
        "device": "usb0",
        "updated": [
                "addresses",
                "routes",
                "data"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "(removed, not sure if sensitive)",
                        "mask": 64
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "(**not sure if sensitive**)::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "(**not sure if sensitive**)",
                        "metric": 512,
                        "valid": 65489,
                        "source": "(**not sure if sensitive**)/64"
                }
        ],
        "dns-server": [
                "**(not sure if sensitive)**"
        ],
        "dns-search": [
                "hotspot"
        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "(not sure if sensitive)"
        }
}

The ipv6-prefix is empty, so the ISP is not delegating any prefix to you, as they should. Better call them and sort it out if that is indeed the case.

1 Like

I'm not sure if this makes a difference that I'm using a mobile hotspot over USB rndis for my WAN? I can still connect to ipv6 addresses with the openwrt router itself. Does this mean that the router can at least be accessed from the outside world?

edit: I've done some more research, it appears that mobile broadband uplink has nothing to do with this? It's the fact that T-mobile apparently doesn't offer IPv6 prefix delegation? I didn't know about this. Does this mean I can't access any of my LAN machines from afar? My goal was to install a VPN server on here to be able to access resources. (T-mobile apparently also filters ipv4 incoming connections from what research I've done, although this is an area of networking I really don't know much about, the actually ISP side of things)

T-Mobile doesn't seem to do PD... This should really be illegal. All providers should be forced by law to give out something equal to or bigger than /56 with a min lifetime of 365 days.

2 Likes

It does.

You can try the relay workaround.

1 Like