Hey there, I have a Ubiquiti-ER-4 router which resides in an IPv4/IPv6 network and is working fine. Devices in the LAN get their IPv6 addresses properly, and the routing works. There is also an ocserv config, which is also working fine in the case of IPv4. However, when I connect to ocserv from home, I get an IPv6 address from DHCP, but I can ping only the router itself, nothing beyond it. What should I do to enable full IPv6 integration when connecting remotely with ocserv? Is it a firewall or routing issue? Thanks in advance. Here is my config:
root@Ubiquiti-ER-4:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; uci export ocserv; \
> head -n -0 /etc/firewall.user; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
> ifstatus WAN6; ifstatus lan
{
"kernel": "5.4.188",
"hostname": "Ubiquiti-ER-4",
"system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
"model": "Ubiquiti EdgeRouter 4",
"board_name": "ubnt,edgerouter-4",
"release": {
"distribution": "OpenWrt",
"version": "21.02.3",
"revision": "r16554-1d4dea6d4f",
"target": "octeon/generic",
"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfb:4aa7:1e1c::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option ip6assign '64'
option ip6ifaceid '::10'
config interface 'wan'
option device 'lan0'
option proto 'static'
option ipaddr '*********'
option netmask '255.255.255.0'
option gateway '*********'
option broadcast '*********'
config interface 'WAN6'
option proto 'static'
option device 'lan0'
option ip6gw '5001:5170:8020:1::1'
option ip6prefix '5001:5170:8020:1::/64'
list ip6addr '5001:5170:8020:1::9/64'
package dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option ednspacket_max '1232'
list server '*********'
list server '*********'
option domainneeded '1'
option localservice '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'server'
option dhcpv6 'server'
option ndp 'relay'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'mmilos'
option ip '192.168.1.148'
option mac '50:65:F3:1E:AB:86'
config dhcp 'WAN6'
option interface 'WAN6'
option start '100'
option limit '150'
option leasetime '12h'
option ignore '1'
option master '1'
option ndp 'relay'
option ra 'relay'
option dhcpv6 'relay'
list ra_flags 'none'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'vpns+'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list network 'WAN6'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH mmilos'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.1.148'
option dest_port '22'
config rule
option name 'Allow-SSH'
list proto 'tcp'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
config rule
list proto 'tcp'
option src 'wan'
option dest_port '80'
option target 'ACCEPT'
option name 'Allow-Luci-public'
config rule
option name 'Allow-OpenConnect'
option src 'wan'
option dest_port '4443'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP forward'
list proto 'tcp'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.1.148'
option dest_port '8080'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP forward'
list proto 'tcp'
option src 'wan'
option src_dport '5000'
option dest_ip '192.168.1.148'
option dest_port '5000'
config forwarding
option src 'wan'
option dest 'lan'
package ocserv
config ocserv 'config'
option port '4443'
option dpd '180'
option ipaddr '192.168.7.0'
option netmask '255.255.255.0'
option enable '1'
option auth 'plain'
option _ca '-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
'
option proxy_arp '1'
option max_same '5'
option max_clients '20'
option ip6addr '5001:5170:8020:5::1/64'
config ocservusers 'client'
option name 'milos'
option password '*********'
config dns
option ip '192.168.7.1'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 5001:5170:8020:1::9/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6ad7:9aff:fe49:fe16/64 scope link
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 5001:5170:8020:1::10/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fdfb:4aa7:1e1c::10/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::6ad7:9aff:fe49:fe17/64 scope link
valid_lft forever preferred_lft forever
26: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1434 state UNKNOWN qlen 500
inet6 5001:5170:8020:5::1/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::8494:680d:a3a4:a2a7/64 scope link flags 800
valid_lft forever preferred_lft forever
5001:5170:8020:1::1 dev lan0 metric 1024
5001:5170:8020:1:7dc0:b69:7313:4a4e dev br-lan metric 1024
5001:5170:8020:1::/64 dev lan0 metric 256
5001:5170:8020:1::/64 dev br-lan metric 1024
unreachable 5001:5170:8020:1::/64 dev lo metric 2147483647
5001:5170:8020:5::1 dev vpns0 metric 256
5001:5170:8020:5:5f75:aaa4:1386:21e7 dev vpns0 metric 1
fdfb:4aa7:1e1c:0:3bbd:9293:dadb:df16 dev br-lan metric 1024
fdfb:4aa7:1e1c::/64 dev br-lan metric 1024
unreachable fdfb:4aa7:1e1c::/48 dev lo metric 2147483647
fe80::/64 dev lan0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev vpns0 metric 256
default via 5001:5170:8020:1::1 dev lan0 metric 1024
local ::1 dev lo table local metric 0
anycast 5001:5170:8020:1:: dev lan0 table local metric 0
anycast 5001:5170:8020:1:: dev br-lan table local metric 0
local 5001:5170:8020:1::9 dev lan0 table local metric 0
local 5001:5170:8020:1::10 dev br-lan table local metric 0
local 5001:5170:8020:5::1 dev vpns0 table local metric 0
anycast fdfb:4aa7:1e1c:: dev br-lan table local metric 0
local fdfb:4aa7:1e1c::10 dev br-lan table local metric 0
anycast fe80:: dev lan0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev vpns0 table local metric 0
local fe80::6ad7:9aff:fe49:fe16 dev lan0 table local metric 0
local fe80::6ad7:9aff:fe49:fe17 dev br-lan table local metric 0
local fe80::8494:680d:a3a4:a2a7 dev vpns0 table local metric 0
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev lan0 table local metric 256
multicast ff00::/8 dev vpns0 table local metric 256
0: from all lookup local
32766: from all lookup main
4200000000: from 5001:5170:8020:1::10/64 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000003: from all iif lan0 lookup unspec 12
4200000003: from all iif lan0 lookup unspec 12
4200000010: from all iif br-lan lookup unspec 12
lrwxrwxrwx 1 root root 16 Apr 16 12:59 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 May 20 11:59 /tmp/resolv.conf
-rw-r--r-- 1 root root 0 May 4 13:30 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 0 May 4 13:30 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 1190051,
"l3_device": "lan0",
"proto": "static",
"device": "lan0",
"updated": [
"addresses",
"routes",
"prefixes"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
],
"ipv6-address": [
{
"address": "5001:5170:8020:1::9",
"mask": 64
}
],
"ipv6-prefix": [
{
"address": "5001:5170:8020:1::",
"mask": 64,
"class": "WAN6",
"assigned": {
"lan": {
"address": "5001:5170:8020:1::",
"mask": 64
}
}
}
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "::",
"mask": 0,
"nexthop": "5001:5170:8020:1::1",
"source": "::/0"
}
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 1190051,
"l3_device": "br-lan",
"proto": "static",
"device": "br-lan",
"updated": [
"addresses"
],
"metric": 0,
"dns_metric": 0,
"delegation": false,
"ipv4-address": [
{
"address": "192.168.1.1",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
{
"address": "5001:5170:8020:1::",
"mask": 64,
"local-address": {
"address": "5001:5170:8020:1::10",
"mask": 64
}
},
{
"address": "fdfb:4aa7:1e1c::",
"mask": 64,
"local-address": {
"address": "fdfb:4aa7:1e1c::10",
"mask": 64
}
}
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}