Opened port is reachable only while pinging IPv6 address

Hello all. I cannot access my Synology DSM using my dynamic public ipv6 (i'm using ddns) from an external adress ip. It is working only for about 5 seconds after pinging it. I'm trying connection from my mobile phone with ipv6.

My configuration:

  • Raspberry Pi 3 Model B Rev 1.2
  • OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.167.61968-87da00a

/etc/config/network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='ddeb:3726:a64d::/48'
network.lan=interface
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='2606:4700:4700::1111' '2001:4860:4860::6464' '2620:119:35::35'
network.lan.ipaddr='192.168.1.1'
network.wan=interface
network.wan.proto='ncm'
network.wan.username='internet'
network.wan.ipv6='auto'
network.wan.password='internet'
network.wan.service='preferlte'
network.wan.delay='5'
network.wan.device='/dev/cdc-wdm0'
network.wan.pdptype='IPV6'
network.wan.apn='internetipv6'
network.clat=interface
network.clat.proto='464xlat'
network.clat.ip6prefix='64:ff9b::/96'

/etc/config/firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].custom_chains='1'
firewall.@defaults[0].synflood_burst='50'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].tcp_ecn='1'
firewall.@defaults[0].tcp_syncookies='1'
firewall.@defaults[0].tcp_window_scaling='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq6='0'
firewall.@zone[1].masq6_privacy='0'
firewall.@zone[1].input='DROP'
firewall.@zone[1].forward='DROP'
firewall.@zone[1].network='wan wwan0 clat'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].icmp_type='destination-unreachable' 'echo-reply' 'echo-request' 'time-exceeded'
firewall.@rule[6].limit='1000/s'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='5000-5001'
firewall.@rule[9].name='Allow-DSM-Forward'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].family='ipv6'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='*'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='80'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].family='ipv6'
firewall.@rule[10].name='Allow-DS-HTTP-Forward'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest='*'
firewall.@rule[11]=rule
firewall.@rule[11].dest_port='443'
firewall.@rule[11].name='Allow-DS-HTTPS-Forward'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest='*'

I can't find any solution in the web, so I believe, that someone from this forum could help me.
I will also add, that ICMP is also not working all the time. Sometimes it gives unreachable result. I can create temporary ddns for this host, which i will remove later for tests.

Are you trying to use IPv4 or IPv6 for ddns? I used to use a script to open firewall ports and update IPv6 DDNS.

At the moment it is not fully clear to me what your setup is. Apart from Synology and Raspi you probably have some modem / router which probably does not run OpenWrt? I am just asking because I am about to propose debugging by using tcpdump at as many points as possible. If you say ping works even for just one packet and the ping is going through your devices as expected you must be able to capture it.

Assuming your Synologie is routing wise "behind" hour raspi what I would do is on the Raspi tcpdump -n -i any host <ipv6 of synologie> (or ip pinging device or no host but icmp6) and then ping it. If you can do it on any more devices just do it and start understanding whats happening :slight_smile:

Hi. I'm using IPv6 DDNS

I have reinstalled OpenWrt on my Raspi to be sure, that my weird problem is not connected with some mistake in configuration.
Now I have following network configuration:

  1. Raspi OpenWrt:
    WAN - Huawei 3327h dongle - NCM - IPv6 + 464xlat tunneling
    LAN - static ip 192.168.0.1 with DHCP for 1 user limit

  2. Asus RT-AC68U with newest AsusWRT:
    WAN - ethernet with Raspi (NAT)
    LAN & WiFi - all connected devices in home - DHCP in subnet 192.168.1.0

For connection and pinging i'm using IPv6 and More App for Android
I have installed tcpdump and run your proposed command with following result:

Trying to connect with tcp 5001 port from 'mobile:phone:ipv6' to 'synology:ipv6'

12:37:09.078141 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703869156 ecr 0,nop,wscale 8], length 0
12:37:09.078320 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703869156 ecr 0,nop,wscale 8], length 0
12:37:09.078337 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703869156 ecr 0,nop,wscale 8], length 0
12:37:09.079231 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4326038 ecr 703869156,nop,wscale 7], length 0
12:37:09.079231 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4326038 ecr 703869156,nop,wscale 7], length 0
12:37:09.079334 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4326038 ecr 703869156,nop,wscale 7], length 0
12:37:10.078396 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4327038 ecr 703869156,nop,wscale 7], length 0
12:37:10.078396 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4327038 ecr 703869156,nop,wscale 7], length 0
12:37:10.078467 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4327038 ecr 703869156,nop,wscale 7], length 0
12:37:10.308369 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703870183 ecr 0,nop,wscale 8], length 0
12:37:10.308425 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703870183 ecr 0,nop,wscale 8], length 0
12:37:10.308434 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703870183 ecr 0,nop,wscale 8], length 0
12:37:10.309282 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4327268 ecr 703869156,nop,wscale 7], length 0
12:37:10.309282 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4327268 ecr 703869156,nop,wscale 7], length 0
12:37:10.309351 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4327268 ecr 703869156,nop,wscale 7], length 0
12:37:11.748430 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40602: Flags [S.], seq 2271310086, ack 1846436215, win 28560, options [mss 1440,sackOK,TS val 4328708 ecr 703856748,nop,wscale 7], length 0
12:37:11.748430 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40602: Flags [S.], seq 2271310086, ack 1846436215, win 28560, options [mss 1440,sackOK,TS val 4328708 ecr 703856748,nop,wscale 7], length 0
12:37:11.748506 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40602: Flags [S.], seq 2271310086, ack 1846436215, win 28560, options [mss 1440,sackOK,TS val 4328708 ecr 703856748,nop,wscale 7], length 0
12:37:12.140111 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703872199 ecr 0,nop,wscale 8], length 0
12:37:12.140189 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703872199 ecr 0,nop,wscale 8], length 0
12:37:12.140198 IP6 'mobile:phone:ipv6'.40604 > 'synology:ipv6'.5001: Flags [S], seq 6498874, win 65535, options [mss 1220,sackOK,TS val 703872199 ecr 0,nop,wscale 8], length 0
12:37:12.140913 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4329100 ecr 703869156,nop,wscale 7], length 0
12:37:12.140913 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4329100 ecr 703869156,nop,wscale 7], length 0
12:37:12.140987 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4329100 ecr 703869156,nop,wscale 7], length 0
12:37:14.140519 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4331100 ecr 703869156,nop,wscale 7], length 0
12:37:14.140519 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4331100 ecr 703869156,nop,wscale 7], length 0
12:37:14.140704 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40604: Flags [S.], seq 26227674, ack 6498875, win 28560, options [mss 1440,sackOK,TS val 4331100 ecr 703869156,nop,wscale 7], length 0
^C
27 packets captured
40 packets received by filter
5 packets dropped by kernel

Result: Port unreachable

Pinging 'synology:ipv6' from 'mobile:phone:ipv6'

12:39:32.038546 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 0, length 8
12:39:32.038659 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 0, length 8
12:39:32.038677 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 0, length 8
12:39:33.048546 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 8
12:39:33.048615 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 8
12:39:33.048625 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 8
12:39:34.173649 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 8
12:39:34.173781 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 8
12:39:34.173794 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 8
12:39:35.089596 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 8
12:39:35.089754 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 8
12:39:35.089773 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 8
12:39:36.118584 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 8
12:39:36.118658 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 8
12:39:36.118668 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 8
12:39:37.125812 IP6 'openwrt:ipv6:gateway' > 'synology:ipv6': ICMP6, neighbor solicitation, who has 'synology:ipv6', length 32
12:39:37.125835 IP6 'openwrt:ipv6:gateway' > 'synology:ipv6': ICMP6, neighbor solicitation, who has 'synology:ipv6', length 32
12:39:37.142573 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 8
12:39:37.142652 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 8
12:39:37.142662 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 8
12:39:37.143344 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 8
12:39:37.143344 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 8
12:39:37.143402 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 8
12:39:37.249571 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 64
12:39:37.249658 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 64
12:39:37.249668 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 64
12:39:37.250325 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 1, length 64
12:39:37.250325 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 1, length 64
12:39:37.250384 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 1, length 64
12:39:38.155832 IP6 'openwrt:ipv6:gateway' > 'synology:ipv6': ICMP6, neighbor solicitation, who has 'synology:ipv6', length 32
12:39:38.155860 IP6 'openwrt:ipv6:gateway' > 'synology:ipv6': ICMP6, neighbor solicitation, who has 'synology:ipv6', length 32
12:39:38.242556 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 64
12:39:38.242609 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 64
12:39:38.242616 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 64
12:39:38.243297 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 2, length 64
12:39:38.243297 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 2, length 64
12:39:38.243355 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 2, length 64
12:39:39.248579 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 64
12:39:39.248638 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 64
12:39:39.248647 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 64
12:39:39.249278 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 3, length 64
12:39:39.249278 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 3, length 64
12:39:39.249336 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 3, length 64
12:39:40.258614 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 64
12:39:40.258673 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 64
12:39:40.258681 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 64
12:39:40.260059 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 4, length 64
12:39:40.260059 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 4, length 64
12:39:40.260119 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 4, length 64
12:39:41.268566 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 64
12:39:41.268628 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 64
12:39:41.268637 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 64
12:39:41.269270 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 64
12:39:41.269270 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 64
12:39:41.269330 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 64
^C
55 packets captured
67 packets received by filter
4 packets dropped by kernel

Result: Ping works good

Trying to connect while Pinging

12:40:55.180016 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 0, length 8
12:40:55.180112 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 0, length 8
12:40:55.180122 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 0, length 8
12:40:55.180831 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 0, length 8
12:40:55.180831 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 0, length 8
12:40:55.180896 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 0, length 8
12:40:55.268934 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 64
12:40:55.269003 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 64
12:40:55.269012 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 1, length 64
12:40:55.269690 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 1, length 64
12:40:55.269690 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 1, length 64
12:40:55.269741 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 1, length 64
12:40:56.283962 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 64
12:40:56.284014 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 64
12:40:56.284024 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 2, length 64
12:40:56.284728 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 2, length 64
12:40:56.284728 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 2, length 64
12:40:56.284786 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 2, length 64
12:40:57.281920 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 64
12:40:57.281984 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 64
12:40:57.281993 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 3, length 64
12:40:57.282617 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 3, length 64
12:40:57.282617 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 3, length 64
12:40:57.282678 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 3, length 64
12:40:58.296965 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 64
12:40:58.297034 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 64
12:40:58.297043 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 4, length 64
12:40:58.297723 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 4, length 64
12:40:58.297723 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 4, length 64
12:40:58.297777 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 4, length 64
12:40:59.290935 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 64
12:40:59.291003 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 64
12:40:59.291012 IP6 'mobile:phone:ipv6' > 'synology:ipv6': ICMP6, echo request, seq 5, length 64
12:40:59.291709 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 64
12:40:59.291709 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 64
12:40:59.291771 IP6 'synology:ipv6' > 'mobile:phone:ipv6': ICMP6, echo reply, seq 5, length 64
12:40:59.343940 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [S], seq 3586667046, win 65535, options [mss 1220,sackOK,TS val 704099431 ecr 0,nop,wscale 8], length 0
12:40:59.344026 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [S], seq 3586667046, win 65535, options [mss 1220,sackOK,TS val 704099431 ecr 0,nop,wscale 8], length 0
12:40:59.344035 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [S], seq 3586667046, win 65535, options [mss 1220,sackOK,TS val 704099431 ecr 0,nop,wscale 8], length 0
12:40:59.344719 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40628: Flags [S.], seq 3738545072, ack 3586667047, win 28560, options [mss 1440,sackOK,TS val 4556307 ecr 704099431,nop,wscale 7], length 0
12:40:59.344719 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40628: Flags [S.], seq 3738545072, ack 3586667047, win 28560, options [mss 1440,sackOK,TS val 4556307 ecr 704099431,nop,wscale 7], length 0
12:40:59.344812 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40628: Flags [S.], seq 3738545072, ack 3586667047, win 28560, options [mss 1440,sackOK,TS val 4556307 ecr 704099431,nop,wscale 7], length 0
12:40:59.384929 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [.], ack 1, win 338, options [nop,nop,TS val 704099470 ecr 4556307], length 0
12:40:59.384977 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [.], ack 1, win 338, options [nop,nop,TS val 704099470 ecr 4556307], length 0
12:40:59.384985 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [.], ack 1, win 338, options [nop,nop,TS val 704099470 ecr 4556307], length 0
12:40:59.389923 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [F.], seq 1, ack 1, win 338, options [nop,nop,TS val 704099471 ecr 4556307], length 0
12:40:59.389972 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [F.], seq 1, ack 1, win 338, options [nop,nop,TS val 704099471 ecr 4556307], length 0
12:40:59.389981 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [F.], seq 1, ack 1, win 338, options [nop,nop,TS val 704099471 ecr 4556307], length 0
12:40:59.390579 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40628: Flags [F.], seq 1, ack 2, win 224, options [nop,nop,TS val 4556353 ecr 704099471], length 0
12:40:59.390579 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40628: Flags [F.], seq 1, ack 2, win 224, options [nop,nop,TS val 4556353 ecr 704099471], length 0
12:40:59.390631 IP6 'synology:ipv6'.5001 > 'mobile:phone:ipv6'.40628: Flags [F.], seq 1, ack 2, win 224, options [nop,nop,TS val 4556353 ecr 704099471], length 0
12:40:59.429961 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [.], ack 2, win 338, options [nop,nop,TS val 704099517 ecr 4556353], length 0
12:40:59.430010 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [.], ack 2, win 338, options [nop,nop,TS val 704099517 ecr 4556353], length 0
12:40:59.430019 IP6 'mobile:phone:ipv6'.40628 > 'synology:ipv6'.5001: Flags [.], ack 2, win 338, options [nop,nop,TS val 704099517 ecr 4556353], length 0
^C
54 packets captured
66 packets received by filter
4 packets dropped by kernel

Result: Port is open

Okay. The behavior you are describing confuses me a bit but lets dig into it.

Your fist ping shows these two lines which clearly indicates that your phone uses port 40604 to send ipv6 request to synology on port 5001. And the synology response as expected from port 5001 to your phone at port 40604. So actually at your raspi the traffic behaves as expected I would say. Please note I am only deducing from what I am seeing and no expert on this.

At the second approach you strangely only get responses from the synology after a neighbor solicitation of you raspi. Which might makes sense if they did not know each other before but I find it strange. (still no expert). You can check neighbor state with ip -6 neigh

The third one then shows running pings and working 5001 connection as you say. Well... if there has not been a route from raspi to synology before because the raspi was not aware of its existence then that would be plausible. But actually I find my theory itself absurd...

Could you test restarting both devices. Then pinging synology. Waiting for about 10 minutes and then try to connect on port 5001 without pinging it again?

But to be honest. Your first tcpdump snippet shows response from the synology so the actual question is "why are they not reaching your phone". Does your phone instantly reply with "port not reachable". The question targets at: is there some package rejection in between which tells the requesting device "I do not forward your packet" or if it is just a timeout. (edit: after writing this part I noticed it does not make much sense since the described behavior should only be applicable if the phone is not reaching the synalogy but tcpdump shows incoming pings so at least this way works)

At this point there is of cause the possibility of wan uplink router introducing some firewall issues which we can not definitively prove easily but you maybe try some quick google searches? Apart from this I really can only suggestion further try and error debugging. put your synology directly behind main router. Try connecting to it via link local and local ipv6 addresses and what else you can imagine...

I've checked neighbor, and i found something interesting:

...
'synology:ipv6' dev br-lan lladdr 'asus:router:mac' router DELAY
...

After trying to connect 10 minutes after pinging I have the same result: 'Destination down OR stealth OR not route OR port firewalled/filtered. Cannot determine TCP port status reliably'

If you want I'll send you ipv6 ddns to tests in priv.

I appreciate your trust (really do!). Sadly we are drifting more and more apart from my area of (not even) expertise.
The neighbor status DELAY on itself is not necessarily a bad thing. But sure is an indication of whats going on. Praises to ipv6 for making us able to get those hints. To me it seams like your primary router is doing something like dynamic port forwarding only on ipv6. Like opening a route on icmp6 requests and closing it after a while. At this point I can only suggest more try and error steps...

  • first an foremost: can your use a different router or even try it at a friends place?
  • do you may have some options in your primary router you can try?
  • maybe just confirm with different devices from different wan uplinks (maybe your phone is the culprit)

I'm pretty sure, that ASUS router is not a problem. I was also trying to connect with 'openwrt:lan'ipv6:80' with the same result. Maybe it is problem with my phone. I'll try to do some more research.

Is it even possible that routing is created by OpenWRT only for some time while icmpv6 connection?

Well... we are talking about open source software where you can get down to the internal routing table and implement all kinds of crazy stuff. Possible yes. But unlikely. If you say you have a similar behavior pinging your raspi then I would even more suspect something in between the pinging and the responding devices...

If you feel like not getting anywhere here. Take your gathered knowledge and open another discussion with a more specific partial issue to solve. Ideally someone with more knowledge in that particular field notices it.
But please make sure first that not your wan router and ideally not even your ISP are the root cause of this.

I'm lost...if you setup your DDNS for IPv6, what's the problem?

Just setup your service for IPv4, correct?

That topic is not about DDNS problems with IPv6. IPv6 DDNS works good. I have problem with filtering port 5001 while TCP connection. It works only while I'm pinging destination host.
I cannot use IPv4, because my ISP gives me private ipv4 address.

And besides, IPv6 rocks, so I just want to use it :slight_smile:

Thank you for your answers. I called my ISP, and they said, that they are not blocking any ports, and I need to look more deep in my router configuration. I'll try to use other device than raspi with OpenWRT configuration.

I understood that.

???

So far as your IPv4 forwarding is concerned, this means they're blocking all ports.

???

You do understand the limitation of not having a Public IPv4 address, correct (e.g. you can't open ports)?

EDIT: Or maybe the source of my confusion is that you're using the term "Forwarded Ports" - when such doesn't commonly occur with IPv6.

1 Like

You're right. :smile: I should change topic name to "Opened ports ..."

I don't have to forward any ports, because I have public IPv6 with 464xlat tunelling. I'm using ipv4 just in my local network. Please read tcpdump logs and my firewall configuration. I have described there that I can connect to opened ports only couple seconds after pinging it. After about 10 seconds Synology or even my router is unreachable.

1 Like

Hi again. I tried other solution. I have run TCP server on my wife's mobile phone with LTE and public IPv6 and then I've tried to connect to it from my phone (also with LTE and public IPv6).
I have the same results - port is reachable (and opened) just after pinging one ip from other. It is reachable for about 15s, and then it is again unreachable.
So now I think that it probably could be ISP's fault.
In addition, I would like to thank someone for changing the title :smile:.

So at least we figured that out :slight_smile:
Might be as well your router.