Tupsi
February 27, 2020, 2:24pm
1
(just so I do not have to type "ipv6" everytime, please keep in mind I am only talking about v6 in this post. v4 works fine and does not need any attention).
I just tried getting openwrt behind my fritzbox working. IPv4 is working as intended, actually that worked out of the box.
Now I also want to use ipv6 as well (which btw worked fine with just the fritzbox already for a few years).
So the new setup is WAN <-> FB <-> OpenWRT <-> LAN
The openwrt router (19.07.01 btw) gets a global address from the fb and if I allow ping6 from outside I can even ping openwrt with its own ipv6 address. BUT sshing to my OpenWrt and pinging to that some server outside gets me nothing. All I can reach from the OpenWRT is the every PC on the LAN through the global address and even the PC still connected directly to the FB via its global address.
the routing shows two ::/0 to the global ip adress of the wan interface and the global prefix it got from the FB.
So I am a bit clueless what the problem is here, so any pointers would be great.
trendy
February 27, 2020, 2:40pm
2
Let's see the configs:
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save -c; \
uci show network; uci show firewall
Tupsi
February 27, 2020, 2:45pm
3
root@OpenWrt:~# ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save -c; \
> uci show network; uci show firewall
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::1ad6:c7ff:fe51:50fa/64 scope link
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2003:e8:d724:23fc:1ad6:c7ff:fe51:50fa/62 scope global dynamic
valid_lft 6911sec preferred_lft 3311sec
inet6 2003:e8:d724:23f0:1ad6:c7ff:fe51:50fa/60 scope global deprecated dynamic
valid_lft 1893sec preferred_lft 0sec
inet6 fe80::1ad6:c7ff:fe51:50fa/64 scope link
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2003:e8:d724:2300:1ad6:c7ff:fe51:50fb/128 scope global dynamic
valid_lft 6911sec preferred_lft 3311sec
inet6 fe80::1ad6:c7ff:fe51:50fb/64 scope link
valid_lft forever preferred_lft forever
8: eth0.101@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::1ad6:c7ff:fe51:50fa/64 scope link
valid_lft forever preferred_lft forever
default from 2003:e8:d724:2300:1ad6:c7ff:fe51:50fb via fe80::3681:c4ff:febf:ef00 dev eth0.2 metric 384
default from 2003:e8:d724:23fc::/62 via fe80::3681:c4ff:febf:ef00 dev eth0.2 metric 384
2003:e8:d724:2300::/56 from 2003:e8:d724:2300:1ad6:c7ff:fe51:50fb via fe80::3681:c4ff:febf:ef00 dev eth0.2 metric 384
2003:e8:d724:2300::/56 from 2003:e8:d724:23fc::/62 via fe80::3681:c4ff:febf:ef00 dev eth0.2 metric 384
2003:e8:d724:2300::/64 dev eth0.2 metric 256
2003:e8:d724:23f0:c7:fc84:b4fa:306e dev br-lan metric 1024
2003:e8:d724:23f0:1ad6:c7ff:0:be6 dev br-lan metric 1024
2003:e8:d724:23f0:ddbb:20f9:f845:c0ce dev br-lan metric 1024
2003:e8:d724:23fc::/64 dev br-lan metric 1024
unreachable 2003:e8:d724:23fc::/62 dev lo metric 2147483647 error -148
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev eth0.101 metric 256
anycast 2003:e8:d724:23f0:: dev br-lan metric 0
anycast 2003:e8:d724:23fc:: dev br-lan metric 0
anycast fe80:: dev br-lan metric 0
anycast fe80:: dev eth0.2 metric 0
anycast fe80:: dev eth0 metric 0
anycast fe80:: dev eth0.101 metric 0
ff00::/8 dev eth0 metric 256
ff00::/8 dev eth0.2 metric 256
ff00::/8 dev br-lan metric 256
ff00::/8 dev eth0.101 metric 256
0: from all lookup local
32766: from all lookup main
4200000000: from 2003:e8:d724:23fc:1ad6:c7ff:fe51:50fa/64 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000005: from all iif br-lan lookup unspec 12
4200000007: from all iif eth0.2 lookup unspec 12
4200000007: from all iif eth0.2 lookup unspec 12
4200000008: from all iif eth0.101 lookup unspec 12
# Generated by ip6tables-save v1.8.3 on Thu Feb 27 14:44:05 2020
*mangle
:PREROUTING ACCEPT [3592:520298]
:INPUT ACCEPT [1686:150796]
:FORWARD ACCEPT [12:1032]
:OUTPUT ACCEPT [3315:357680]
:POSTROUTING ACCEPT [3315:356888]
[6:432] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Feb 27 14:44:05 2020
# Generated by ip6tables-save v1.8.3 on Thu Feb 27 14:44:05 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13:1176]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[3:456] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1683:150340] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[412:45361] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[21:1600] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1056:85895] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[215:19084] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[12:1032] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4:416] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[7:512] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[1:104] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[3:456] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3312:357224] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1116:143431] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[306:22416] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1877:190201] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[11:880] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[79:8216] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[21:1600] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[306:22416] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[7:512] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[7:512] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1056:85895] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[1056:85895] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[306:22416] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[306:22416] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1056:85895] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[12:1824] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1872:188889] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[1:104] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[1:104] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[215:19084] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[2:476] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[16:1664] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[3:216] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[11:1672] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[93:5960] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[90:9096] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1877:190201] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1877:190201] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[90:9096] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Feb 27 14:44:05 2020
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.gateway='172.16.1.1'
network.lan.ipaddr='192.168.42.1'
network.lan.force_link='0'
network.lan.ip6ifaceid='eui64'
network.lan.ip6assign='64'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.dns='172.16.1.99' '8.8.8.8'
network.wan.peerdns='0'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='18:d6:c7:51:50:fb'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0t 4 3 2 1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0t 5'
network.@switch_vlan[1].vid='2'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.dmz=interface
network.dmz.ifname='eth0.101'
network.dmz.proto='static'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].log='1'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
root@OpenWrt:~#
trendy
February 27, 2020, 3:18pm
4
Remove this
This is already allowed with
firewall.@rule[5]
Outside is the internet or the network between FB and OpenWrt?
Is the FB reachable from the OpenWrt?
Try these three and paste here the output:
ping -6 -c 4 -I br-lan ipv6.google.com
ping -6 -c 4 -I eth0.2 ipv6.google.com
traceroute6 ipv6.google.com
Tupsi
February 27, 2020, 5:20pm
5
that was misleading sorry, I ment doing a ping on the console of the OpenWRT is not working.
yes and so is the PC still remaining directly attached to the FB.
ok, now it gets really weird:
I removed the v4 gateway as you requested and suddenly I was able to ping6 from the OpenWRT console to a server outside (like the v6 google). *joy!
Then I thought, lets reboot OpenWRT just to be sure and the wonder went away (no more ping6 OpenWRT -> WAN).
Then I went back into the settings and deleted the v4 gateway address again and the pinging kept working.
So I really don't get whats wrong here.
And I really do not understand why a v4 gateway address changes anything in my v6 setup, but that wonder can wait explaining until everything works in general
Tupsi
February 27, 2020, 5:26pm
6
-----------1st set ---------------------------
root@OpenWrt:~# ping -6 -c 4 -I br-lan ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:81e::200e): 56 data bytes
ping: sendto: Permission denied
root@OpenWrt:~# ping -6 -c 4 -I eth0.2 ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:81e::200e): 56 data bytes
--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# traceroute6 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4001:80b::200e), 30 hops max, 64 byte packets
1 p200300E8D72423003681C4FFFEBFEF00.dip0.t-ipconnect.de (2003:e8:d724:2300:3681:c4ff:febf:ef00) 0.911 ms 0.422 ms 0.374 ms
2 * * *
3 * * *
4 * * *
5 * *^C
-------------2nd set-----------------------------
root@OpenWrt:~# ping -6 -c 4 -I br-lan ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:818::200e): 56 data bytes
ping: sendto: Permission denied
root@OpenWrt:~# ping -6 -c 4 -I eth0.2 ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:818::200e): 56 data bytes
64 bytes from 2a00:1450:4001:818::200e: seq=0 ttl=57 time=18.107 ms
64 bytes from 2a00:1450:4001:818::200e: seq=1 ttl=57 time=16.883 ms
64 bytes from 2a00:1450:4001:818::200e: seq=2 ttl=57 time=17.182 ms
64 bytes from 2a00:1450:4001:818::200e: seq=3 ttl=57 time=17.030 ms
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 16.883/17.300/18.107 ms
root@OpenWrt:~# traceroute6 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4001:818::200e), 30 hops max, 64 byte packets
1 p200300E8D72423003681C4FFFEBFEF00.dip0.t-ipconnect.de (2003:e8:d724:2300:3681:c4ff:febf:ef00) 1.645 ms 0.469 ms 0.421 ms
2 2003:0:8305:f800::1 (2003:0:8305:f800::1) 16.652 ms 16.287 ms 16.430 ms
3 2003:0:1304:8002::1 (2003:0:1304:8002::1) 18.871 ms 18.111 ms 18.065 ms
4 2003:0:1304:8002::2 (2003:0:1304:8002::2) 17.467 ms 17.691 ms 17.062 ms
5 2a00:1450:80f7::1 (2a00:1450:80f7::1) 17.614 ms 2a00:1450:809e::1 (2a00:1450:809e::1) 17.527 ms *
6 * 2001:4860:0:1::26d6 (2001:4860:0:1::26d6) 19.132 ms 2001:4860:0:1::2046 (2001:4860:0:1::2046) 17.563 ms
7 2001:4860:0:1::1955 (2001:4860:0:1::1955) 17.867 ms 2001:4860:0:11e1::e (2001:4860:0:11e1::e) 18.093 ms 2001:4860:0:1::1955 (2001:4860:0:1::1955) 17.749 ms
8 2001:4860::c:4000:f874 (2001:4860::c:4000:f874) 18.286 ms fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e) 17.598 ms 2001:4860::c:4000:f873 (2001:4860::c:4000:f873) 18.119 ms
root@OpenWrt:~#
---------------------------------
1st set is after a reboot, 2nd set is after I changed something in the LAN interface (either removing the gateway or writing it back in).
Tupsi
February 27, 2020, 5:38pm
7
ok some more testing and maybe this makes it easier to understand:
I reboot OpenWRT
login to ssh
ping6 to ipv6.google.com doesn NOT work
I go into luci and Restart the LAN interface with the button there
ping6 starts working
reboot OpenWRT
goto 2
so to me, there seems a bug in the whole routing thing which fixes itself whenever you fiddle with the lan interface setting?
Tupsi
February 27, 2020, 6:14pm
8
there is also a 2nd problem to this, the computers in my LAN segment are not able to reach the internet via v6, even though the DHCPv6 setup seems to work, meaning they get an ipv6 address and can reach via v6:
a) the OpenWRT box
all via the global v6 addresses, but trying to reach anything outside like ipv6.google.com fails from the LAN.
Frankly I do not understand the problem at all. If my LAN PC already reaches the FB, that means it can not be the routing nor the firewall settings in the OpenWRT, right?
But maybe I should put up another post to not mess with the first issue, but then they are related? I have no clue, really.
trendy
February 28, 2020, 8:39am
9
Does the PC directly connected to FB work fine?
Seems so.
Let's try a reset to defaults first.
Tupsi
February 28, 2020, 9:44am
10
yes that works fine (thought I already said that a few times sorry). My old setup was just the FB and everything v6 wise worked fine there, as in every connected box got both their v4 and v6 address and both v4 and v6 routing to the internet worked without any hitches. Well there are some and thats why I want something else handle it in the end, but not the plain routing stuff, that worked basicaly out of the box the moment I activated DHCPv6 on the FB.
Anyway, I will reset the whole thing, haven't done much else anyway and report back to you.
1 Like
Tupsi
February 28, 2020, 9:56am
11
lol, that was blunt and easy. At least I know now that I haven't done anything stupidly fault, I can just blame the software, what a fresh change in perspective.
Here is what I did:
Logged into Luci and performed a reset.
Logged back in to Luci, now on the std IP 192.168.1.1 and setup ssh so I can get into the console
ssh into the box and tried ping google.com -> works
ping6 ipv6.google.com does NOT work
go back to Luci into Interface and hit RESTART on LAN
go back to ssh and redo ping6 ipv6.google.com now WORKS
so whatever it is that restart is doing, it seems to fix something which even seems broken in a plain fresh install, so I'll let the devs fix that first before trying anything with it.
Thanks for trying to help though trendy, much appreciated!!!
trendy
February 28, 2020, 10:03am
12
Let's see what can be the difference in these cases. Run the following commands when it works and when it doesn't.ip -6 addr; ip -6 ru; ip -6 ro; ip6tables-save; ifstatus wan6
Also post for reference the uci export network; uci export dhcp; uci export firewall once.
I had an epiphany... Check the routing table of FB to verify that it has routes for the prefixes it delegates to the OpenWrt.
