Thanks once again for your quick reply. I corrected issues (1) and (4) that you noticed. The second case is my case - I am connecting to the main router in my house, which is 9001:5170:3020:1::1, with a /64 prefix (unfortunately).
The network outside OpenWRT is static IPv6 (no DHCPv6), so I set RA/DHCPv6 on WAN6 and relay mode on LAN, if that is what you meant.
However, still no luck. Devices on LAN and VPN (I use ocserv) regularly get their IPv6 addresses and are visible from the OpenWRT router. However, they cannot ping the main router 9001:5170:3020:1::1. It must be something with the routes. I'm attaching the current config.
root@Ubiquiti-ER-4:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.*
/tmp/resolv.*/* ; \
> ifstatus wan6; ifstatus lan
{
"kernel": "5.4.154",
"hostname": "Ubiquiti-ER-4",
"system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
"model": "Ubiquiti EdgeRouter 4",
"board_name": "ubnt,edgerouter-4",
"release": {
"distribution": "OpenWrt",
"version": "21.02.1",
"revision": "r16325-88151b8303",
"target": "octeon/generic",
"description": "OpenWrt 21.02.1 r16325-88151b8303"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfb:4aa7:1e1c::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option ip6ifaceid 'eui64'
option ip6assign '64'
config interface 'wan'
option device 'lan0'
option proto 'static'
option ipaddr '$PUBLIC_IPv4'
option netmask '255.255.255.0'
option gateway '$GATEWAY'
option broadcast '$BCAST'
config interface 'WAN6'
option proto 'static'
option device 'lan0'
option ip6ifaceid 'eui64'
list ip6addr '9001:51703020:1::8/64'
option ip6gw '9001:51703020:1::1'
option ip6prefix '9001:51703020:1::8/64'
package dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option ednspacket_max '1232'
list server '$DNS1'
list server '$DNS2'
option domainneeded '1'
option localservice '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'relay'
option dhcpv6 'relay'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'mmilos'
option ip '192.168.1.148'
option mac '50:65:F3:1E:AB:86'
config dhcp 'WAN6'
option interface 'WAN6'
option start '100'
option limit '150'
option leasetime '12h'
option ignore '1'
option ra 'server'
list ra_flags 'none'
option dhcpv6 'server'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'vpns+'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list network 'WAN6'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH mmilos'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.1.148'
option dest_port '22'
config rule
option name 'Allow-SSH'
list proto 'tcp'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
config rule
list proto 'tcp'
option src 'wan'
option dest_port '80'
option target 'ACCEPT'
option name 'Allow-Luci-public'
config rule
option name 'Allow-OpenConnect'
option src 'wan'
option dest_port '4443'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP forward'
list proto 'tcp'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.1.148'
option dest_port '8080'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP forward'
list proto 'tcp'
option src 'wan'
option src_dport '5000'
option dest_ip '192.168.1.148'
option dest_port '5000'
config forwarding
option src 'wan'
option dest 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 9001:51703020:1::8/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6ad7:9aff:fe49:fe16/64 scope link
valid_lft forever preferred_lft forever
40: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 9001:51703020:1:6ad7:9aff:fe49:fe17/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::6ad7:9aff:fe49:fe17/64 scope link
valid_lft forever preferred_lft forever
43: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1434 state UNKNOWN qlen 500
inet6 9001:51703020:1:6ad7:9aff:0:1/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::f08a:641d:1745:e70d/64 scope link flags 800
valid_lft forever preferred_lft forever
9001:51703020:1:6ad7:9aff:0:1 dev vpns0 metric 256
9001:51703020:1:6ad7:9aff:1386:21e7 dev vpns0 metric 1
9001:51703020:1::/64 dev lan0 metric 256
9001:51703020:1::/64 dev br-lan metric 1024
unreachable 9001:51703020:1::/64 dev lo metric 2147483647
fdfb:4aa7:1e1c::/64 dev br-lan metric 1024
unreachable fdfb:4aa7:1e1c::/48 dev lo metric 2147483647
fe80::/64 dev lan0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev vpns0 metric 256
default via 9001:51703020:1::1 dev lan0 metric 1024
local ::1 dev lo table local metric 0
anycast 9001:51703020:1:: dev lan0 table local metric 0
anycast 9001:51703020:1:: dev br-lan table local metric 0
local 9001:51703020:1::8 dev lan0 table local metric 0
local 9001:51703020:1:6ad7:9aff:0:1 dev vpns0 table local metric 0
local 9001:51703020:1:6ad7:9aff:fe49:fe17 dev br-lan table local metric 0
anycast fdfb:4aa7:1e1c:: dev br-lan table local metric 0
local fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17 dev br-lan table local metric 0
anycast fe80:: dev lan0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev vpns0 table local metric 0
local fe80::6ad7:9aff:fe49:fe16 dev lan0 table local metric 0
local fe80::6ad7:9aff:fe49:fe17 dev br-lan table local metric 0
local fe80::f08a:641d:1745:e70d dev vpns0 table local metric 0
multicast ff00::/8 dev lan0 table local metric 256
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev vpns0 table local metric 256
0: from all lookup local
32766: from all lookup main
4200000000: from 9001:51703020:1:6ad7:9aff:fe49:fe17/64 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000003: from all iif lan0 lookup unspec 12
4200000003: from all iif lan0 lookup unspec 12
4200000040: from all iif br-lan lookup unspec 12
lrwxrwxrwx 1 root root 16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Mar 21 17:13 /tmp/resolv.conf
-rw-r--r-- 1 root root 0 Mar 18 08:57 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 0 Mar 18 08:57 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
Interface wan6 not found
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 9741,
"l3_device": "br-lan",
"proto": "static",
"device": "br-lan",
"updated": [
"addresses",
"routes",
"prefixes"
],
"metric": 0,
"dns_metric": 0,
"delegation": false,
"ipv4-address": [
{
"address": "192.168.1.1",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
{
"address": "9001:51703020:1::",
"mask": 64,
"local-address": {
"address": "9001:51703020:1:6ad7:9aff:fe49:fe17",
"mask": 64
}
},
{
"address": "fdfb:4aa7:1e1c::",
"mask": 64,
"local-address": {
"address": "fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17",
"mask": 64
}
}
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}